FreePBX 10.13.66 extensions not able to register (Destination Unreachable/Port unreachable)

Hello,

I have a virtual machine with FreePBX 10.13.66 installed on it. The SIP trunks to providers work just fine. However, when a remote phone (Polycom) is trying to register to the server, it replies back with an ICMP “Destination unreachable/port unreachable” message. Phones are on the internet and the SIP server is being NATed to a public IP address. After waiting for hours, the extensions register, but then they unregister themselves after some time.

Can someone guide me how to troubleshoot and resolve this issue?

Thanks!

Shivani

Also, it's strange that when I do tcpdump I see the SIP packets making it to the server. But when I do “sip debug set on”, I don't see those packets in the debug. Why is that?

Could be that it got banned.

Also, in the extension set NAT = Yes

Thanks for the reply. Changing the extension NAT setting to yes, did not help. The issue is the same. I cannot explain why the extensions register maybe every few hours and then unregister right away the same minute or the next minute.

If using chan_sip

sip set debug peer {ext}

(“sip debug set on” won't work)

Hello,

When I do sip set debug peer, it gives me an error saying "Unable to get IP address of peer".

hehe, that's because you did it when it wasn't registered, you can

sip set debug ip ip.address.of.externalext

But I would look at any NATing you have on both ends of the route; that is commonly a badly set up router at one or both ends.

I checked the iptables of the server and for some reason the server is adding the line below to the iptables itself, and so the phones get unregistered after registering.

fail2ban-SIP -s /32 -j REJECT --reject-with icmp-port-unreachable

Rest of my iptables look like below:

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-BadBots
-N fail2ban-FTP
-N fail2ban-PBX-GUI
-N fail2ban-SIP
-N fail2ban-SSH
-N fail2ban-apache-auth
-N fail2ban-recidive
-A INPUT -p tcp -j fail2ban-FTP
-A INPUT -p tcp -j fail2ban-apache-auth
-A INPUT -j fail2ban-PBX-GUI
-A INPUT -p tcp -j fail2ban-BadBots
-A INPUT -p tcp -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-FTP
-A INPUT -p tcp -j fail2ban-apache-auth
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-PBX-GUI
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A INPUT -p udp -m udp --dport 5353 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10000:40000 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 69 -j ACCEPT
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-PBX-GUI -j RETURN
-A fail2ban-SIP -s X.X.X.X/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -j RETURN

I changed the public IP address to X.X.X.X above. That is the rule the server is adding itself.

Do you know why it's adding this rule? And how should I make it not do that? I tried deleting the rule, but it adds it again.

Thanks!

Sorry, I don't use the packaged fail2ban so am unfamiliar with the fail2ban-SIP filter.

Thanks! I followed the thread below and added the public IP address to the jail.conf file. I will monitor and see if this resolves the issue.

And if you read that thread fully, you will see that I try to explain how iptables works. If you are using the Distro firewall's various rules (possibly firewalld), that might be different, as it is not easily available to non-“Distro” users, but if it ultimately uses iptables then the same order of precedence pertains. An ACCEPT before a REJECT short-circuits, so the host would be allowed by that process; by whatever means, you should protect your trusted hosts/networks. You need to do that before the fail2ban rules, or add 'ignoreip' as necessary.

Fail2Ban uses a “rate limit” setup. That is to say, X amount of attempts in Y amount of time. I think the default is like 8 attempts in 600 seconds. If you have more than one device at an IP, that means all their attempts in the Y amount of time are a problem. I.e. I have 10 devices at a location. When they all try to register at once that is 10 attempts in under 600 seconds, therefore I am banned.

No limiting or even counting is done on any logline that does not match one of the regexes in the jail's filter, or on loglines originating from a host in your ignoreip= line.

The only way that that IP would get banned is if 9 of the remote phones tried registering with bad passwords. If you trust the host/network where your phones are, then as suggested, ‘protect’ yourself from your own organization's ineptness by adding that host/network to your ignoreip line.
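The two points made in the last few replies (only log lines matching the jail's filter are counted, and a host in ignoreip is never counted, so several phones behind one NAT address sharing one public IP can trip the jail) can be checked with a small model of the jail's counting. The block below is an added example, not fail2ban's, Asterisk's or FreePBX's code: the log lines, the epoch-second prefix, the failure regex and the settings (maxretry=8, findtime=600, the 203.0.113.0/24 and 198.51.100.0/24 addresses) are all constructed for illustration, and the first-match function is a toy model of an iptables chain, not iptables itself.

```python
"""Added example: a minimal model of how a fail2ban jail decides to ban, and of
iptables first-match ordering. Constructed sample data; not fail2ban/FreePBX code."""
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed regex loosely modelled on a chan_sip failed-registration line.
# The real jail filter ships its own patterns; this one only serves the example.
FAIL_RE = re.compile(
    r"Registration from '.*' failed for '(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - "
    r"(Wrong password|No matching peer found|Username/auth name mismatch)"
)
TS_RE = re.compile(r"^\[(?P<ts>\d+)\]")  # constructed epoch-second prefix for the sample

# Constructed log: 10 phones behind one NAT address (203.0.113.10) all register
# with a wrong password at once, plus one failure and one success from another site.
SAMPLE_LOG = [
    f"[{1000 + i}] NOTICE[1234] chan_sip.c: Registration from '\"{100 + i}\" "
    f"<sip:{100 + i}@pbx.example>' failed for '203.0.113.10:{5060 + i}' - Wrong password"
    for i in range(10)
] + [
    "[1003] NOTICE[1234] chan_sip.c: Registration from '\"200\" <sip:200@pbx.example>' "
    "failed for '198.51.100.5:5060' - Wrong password",
    "[1004] VERBOSE[1234] chan_sip.c: Registered SIP '201' at 198.51.100.5:5060",
]


def in_ignoreip(ip, ignoreip):
    """True if ip falls inside any network listed in the (hypothetical) ignoreip setting."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in ignoreip)


def simulate(log_lines, maxretry=8, findtime=600, ignoreip=()):
    """Return the (timestamp, ip) ban events a fail2ban-style jail would emit.

    Only lines matching FAIL_RE are counted; hosts in ignoreip are never counted;
    a host is banned once it has maxretry matching failures within findtime seconds.
    """
    window = defaultdict(deque)  # ip -> timestamps of recent matching failures
    banned = set()
    bans = []
    for line in log_lines:
        m_ts, m = TS_RE.match(line), FAIL_RE.search(line)
        if not m_ts or not m:
            continue  # non-matching log lines (e.g. successful registrations) are ignored
        ts, ip = int(m_ts["ts"]), m["ip"]
        if in_ignoreip(ip, ignoreip) or ip in banned:
            continue  # trusted hosts are never counted; an already-banned host is not re-counted
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # drop failures that have aged out of the findtime window
        if len(q) >= maxretry:
            banned.add(ip)
            bans.append((ts, ip))
    return bans


def ban_rule(ip):
    """The iptables rule shape seen in the thread for a banned host (string only)."""
    return f"-A fail2ban-SIP -s {ip}/32 -j REJECT --reject-with icmp-port-unreachable"


def first_match(rules, src_ip):
    """Toy model of iptables first-match evaluation on one chain.

    rules is a list of (network, target); the first matching rule wins, so an
    ACCEPT for a trusted network placed before a REJECT short-circuits the REJECT.
    """
    addr = ip_address(src_ip)
    for net, target in rules:
        if addr in ip_network(net, strict=False):
            return target
    return "RETURN"  # no rule matched: fall through to the calling chain


if __name__ == "__main__":
    print("default jail:", simulate(SAMPLE_LOG))
    print("with ignoreip:", simulate(SAMPLE_LOG, ignoreip=["203.0.113.0/24"]))
    for ts, ip in simulate(SAMPLE_LOG):
        print(ban_rule(ip))
    trusted_first = [("203.0.113.0/24", "ACCEPT"), ("203.0.113.10/32", "REJECT")]
    print("ACCEPT before REJECT:", first_match(trusted_first, "203.0.113.10"))
    print("REJECT before ACCEPT:", first_match(trusted_first[::-1], "203.0.113.10"))
```

With the constructed log, the NAT address is banned on its eighth failure (timestamp 1007) even though each phone failed only once, the other site's single failure never reaches the threshold, and listing the site's network in ignoreip produces no ban at all; the first-match function shows why an ACCEPT for the trusted network only helps if it sits ahead of the fail2ban REJECT in the chain.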
