I have a virtual machine with Freepbx 10.13.66 installed on it. The SIP trunks to providers work just fine. However when a remote phone (Polycom) is trying to register to the server it replies back with ICMP “Destination unreachable/port unreachable” message. Phones are on the internet and the SIP server is being NATed to a public IP address. After waiting for hours, the extensions register but then they unregister themselves after some time.
Can someone guide me on how to troubleshoot and resolve this issue?
Also, it's strange that when I do tcpdump I see the SIP packets making it to the server. But when I do “sip debug set on”, I don't see those packets in the debug. Why is that?
Thanks for the reply. Changing the extension NAT setting to yes did not help. The issue is the same. I cannot explain why the extensions register maybe every few hours and then unregister right away the same minute or the next minute.
I checked the iptables of the server and for some reason the server is adding the line below in iptables itself, and so the phones get unregistered after registering.
And if you read that thread fully, you will see that I try to explain how iptables works. If you are using the Distro's firewall's various rules (possibly firewalld), that might be different as it is not easily available to non-“Distro” users, but if it ultimately uses iptables then the same order of precedence pertains. An ACCEPT before a REJECT short-circuits, so the host would be allowed by that process; by whatever means, you should protect your trusted hosts/networks. You need to do that before the fail2ban rules or add 'ignoreip' as necessary.
Fail2Ban uses a “rate limit” setup. That is to say, X attempts in Y amount of time. I think the default is like 8 attempts in 600 seconds. If you have more than one device at an IP, that means all their attempts in the Y amount of time are a problem. I.e. I have 10 devices at a location. When they all try to register at once that is 10 attempts in under 600 seconds, therefore I am banned.
No limiting or even counting is done on any logline that does not match one of the regexes in the jail's filter, or on loglines originating from a host in your ignoreip= line.
The only way that that IP would get banned is if 9 of the remote phones tried registering with bad passwords. If you trust the host/network where your phones are, then as suggested ‘protect’ yourself from your own organization's ineptness by adding that host/network to your ignoreip line.
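The counting rule the last replies describe (only log lines matching the jail's filter regex are counted, hosts in ignoreip are never counted, and a ban needs maxretry hits inside one findtime window), as an added Python illustration that is not part of this thread or of fail2ban itself. The jail values are the ones quoted above, the IP addresses and log lines are constructed, and the regex is a simplified stand-in for fail2ban's own asterisk filter.

```python
import re
import ipaddress
from collections import defaultdict

# Jail parameters as quoted in the thread (8 attempts in 600 seconds). IGNOREIP is a
# constructed trusted network standing in for the office where the phones live.
MAXRETRY = 8
FINDTIME = 600
IGNOREIP = ["203.0.113.0/24"]

# Simplified stand-in for the fail2ban asterisk filter: only failed registrations
# (chan_sip "Registration from ... failed for ..." wording) match at all.
FAILED_RE = re.compile(
    r"Registration from '[^']*' failed for '(?P<host>\d+\.\d+\.\d+\.\d+)(?::\d+)?'")


def is_ignored(host):
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(net) for net in IGNOREIP)


def banned_hosts(log_lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with >= maxretry matching lines inside any findtime-second window.

    log_lines is a list of (timestamp_seconds, text). Non-matching lines and
    hosts covered by IGNOREIP are skipped before any counting happens.
    """
    hits = defaultdict(list)
    for ts, text in log_lines:
        m = FAILED_RE.search(text)
        if m and not is_ignored(m.group("host")):
            hits[m.group("host")].append(ts)
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned


FAIL = "Registration from '<sip:100@pbx>' failed for '{}:5060' - Wrong password"
# Constructed sample log. Ten phones at one untrusted IP register successfully within
# seconds: nothing matches the filter, so they are never counted.
SAMPLE = [(t, f"Registered SIP '{100 + t}' at 198.51.100.7:5060") for t in range(10)]
SAMPLE += [(60 * i, FAIL.format("192.0.2.10")) for i in range(9)]     # 9 fails in 480 s: banned
SAMPLE += [(60 * i, FAIL.format("203.0.113.5")) for i in range(9)]    # same, but in ignoreip
SAMPLE += [(1200 * i, FAIL.format("198.51.100.20")) for i in range(9)]  # 1 fail per 20 min

if __name__ == "__main__":
    print(sorted(banned_hosts(SAMPLE)))  # ['192.0.2.10']
```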