Freepbx 10.13.66 extensions not able to register.(Destination Unreachable/Port unreachable)


I have a virtual machine with Freepbx 10.13.66 installed on it. The SIP trunks to providers work just fine. However when a remote phone (Polycom) is trying to register to the server it replies back with ICMP “Destination unreachable/port unreachable” message. Phones are on the internet and the SIP server is being NATed to a public IP address. After waiting for hours, the extensions register but then they unregister themselves after some time.

Can someone guide me how to troubleshoot and resolve this issue?



Also, its strange that when I do tcpdump I see the SIP packets making it to the server. But when I do “sip debug set on”, I dont see those packets in the debug. Why is that?

Could be that got banned.

Also, in the extension set NAT = Yes

Thanks for the reply. Changing the extension NAT setting to yes, did not help. The issue is the same. I cannot explain why the extensions register maybe every few hours and then unregister right away the same minute or the next minute.

If using chan_sip

sip set debug peer {ext}

( “sip debug set on” won’t work :slight_smile: )


When I do sip set debug peer , it gives me an error saying "Unable to get IP address of peer .

hehe, That’s because you did it when it wasn’t registered, you can

sip set debug ip ip.address.of.externalext

But I would look at any NAT’ing you have on both ends of the route, that is commonly a badly setup router at one or both ends.

I checked the iptables of the server and for some reason the server is adding below line in the iptables itself and so the phones get unregistered after registering.

fail2ban-SIP -s /32 -j REJECT --reject-with icmp-port-unreachable

Rest of my iptables look like below:

sudo iptables -S
-N fail2ban-BadBots
-N fail2ban-FTP
-N fail2ban-PBX-GUI
-N fail2ban-SIP
-N fail2ban-SSH
-N fail2ban-apache-auth
-N fail2ban-recidive
-A INPUT -p tcp -j fail2ban-FTP
-A INPUT -p tcp -j fail2ban-apache-auth
-A INPUT -j fail2ban-PBX-GUI
-A INPUT -p tcp -j fail2ban-BadBots
-A INPUT -p tcp -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-FTP
-A INPUT -p tcp -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-PBX-GUI
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A INPUT -p udp -m udp --dport 5353 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10000:40000 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 69 -j ACCEPT
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-PBX-GUI -j RETURN
-A fail2ban-SIP -s X.X.X.X/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN

I changed the public IP address to X.X.X.X above. That is the rule server adding itself.

Do you know why its adding this rule? And how should I make it not do that? I tried deleting the rule,but it adds it again.


Sorry , I don’t use the packaged fail2ban so am unfamiliar with the fail2ban-SIP filter.

Thanks! I followed below thread and added the public IP address to the jail.conf file. I will monitor and see if this resolves the issue.

And if you read that thread fully, you will see that I try to explain how iptables works, If you are using the Distros firewall’s various rules (possibly firewalld), that might be different as it is not easily available to non “Distro” users , but if it ultimately uses iptables then the same order of precedence pertains. An ACCEPT , before a REJECT short circuits, so the host would be allowed by that process, by whatever means you should protect your trusted hosts/networks. You need to do that before the fail2ban rules or add 'ignoreip ’ as necessary.

Fail2Ban uses a “rate limit” setup. That is to say, X amount attempts in Y amount of time. I think the default is like 8 attempts in 600 seconds. If you have more than once device at an IP, that means all their attempts in the Y amount of time is a problem. I.e. I have 10 devices at a location. When they all try to register at once that is 10 attempts in under 600 seconds, therefore I am banned.

No limiting or even counting is done on any logline that does not match one of the regexes in the jail’ filter or loglines originating from a host in your ignoreip= line.

The only way that that ip would get banned is if 9 out of the remote phones tried registering with bad passwords. If you trust the Host/network where your phones are, then as suggested ‘protect’ yourself from your own organizations ineptness by adding that host/network to your ignoreip line

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.