FreePBX Firewall - no matching endpoint found

FreePBX firewall is enabled but i kept getting these type of error. How can i make sure Responsive is working and show the status of this IP being blocked?

[2016-02-25 21:33:38] NOTICE[9724]: res_pjsip/pjsip_distributor.c:347 log_unidentified_request: Request from '"3001" <sip:[email protected]>' failed for '194.63.142.19:5074' (callid: 112420b6851f601038f06278f1af592d) - No matching endpoint found ip-110-110-110-13*CLI>

As you can see here, there is nothing being blocked.

This is not a firewall issue. You are attempting to register to PJSIP extension 3001 which does not appear to exist. Is 3001 perhaps a chan_sip extension?

there are a lot of similar messages of unknown IPs with different extensions trying to register their extensions. As mentioned in the KB, i have to open all ports and let Sangoma Responsive Firewall handle the traffic.

Ah, misunderstood what you were asking.

What do you have the SIP,IAX and PJSIP services set to on the Firewall, Services tab? If you are using responsive, they should be set to internal.

mine is set to external. will the remote phones and trunk connect if i set to internal?

Carefully read the Responsive Firewall page. The responsive firewall allows limited connections to specific services that would otherwise be blocked, but your services are not blocked.

1 Like

thanks @lgaetz for heading me at the right track.

1 Like

@lgaetz the responsive firewall is working properly now. attackers are being blocked.

prior to using Sangoma firewall, we were using a Sophos firewall. so after opening all ports, i start to see all sorts of messages related to attacks. Do you know what is this?

[2016-02-27 10:09:17] WARNING[15274]: chan_sip.c:4071 retrans_pkt: Timeout on fb402063c5e5aec6c301c19232c8051b on non-critical invite transaction.

Probably Asterisk trying to respond to a connection that your firewall has already blocked.

grep fb402063c5e5aec6c301c19232c8051b /var/log/asterisk/full

take the number of the call between VERBOSE[ thatnumber] (presumably 15274) and then

grep “VERBOSE[thatnumber]” /var/log asterisk/full

the IP of the connection should be exposed and you can check it is blocked with

iptables -L |grep thatip

1 Like

@dicko - nothing appear after typing this command

[[email protected] ~]# grep fb402063c5e5aec6c301c19232c8051b /var/log/asterisk/full [[email protected] ~]#

Here are new sets of messages shown this morning.

[2016-03-01 07:04:46] NOTICE[31510]: res_pjsip/pjsip_distributor.c:347 log_unidentified_request: Request from '"cisco" <sip:[email protected]>' failed for '85.25.43.76:5084' (callid: 48b2df65e3e419a500b4083f2830d3e3) - No matching endpoint found

[2016-03-01 07:33:46] NOTICE[11770]: res_pjsip/pjsip_distributor.c:347 log_unidentified_request: Request from '"1000" <sip:[email protected]>' failed for '85.25.43.76:5076' (callid: 537b4eb1c7b4d4e5e5e2748d01f7e937) - No matching endpoint found

[2016-03-01 08:03:05] NOTICE[30435]: res_pjsip/pjsip_distributor.c:347 log_unidentified_request: Request from '"admin" <sip:[email protected]>' failed for '85.25.43.76:5082' (callid: ce0079acfb4c1acc2caa031be87929f8) - No matching endpoint found

`[2016-03-01 07:48:20] ERROR[15247]: pjsip:0 <?>: sip_transport. Error processing 740 bytes packet from UDP 85.25.43.76:5076 : PJSIP syntax error exception when parsing ‘’ header on line 3 col 15:
INVITE sip:[email protected] SIP/2.0
To: 0041445209337<sip:[email protected] public IP>
From: @@@<sip:@@@@my public IP>;tag=dea54f08
Via: SIP/2.0/UDP 85.25.43.76:5076;branch=z9hG4bK-127e1a5f0068ee8fcc607cad258bba98;rport
Call-ID: 127e1a5f0068ee8fcc607cad258bba98
CSeq: 1 INVITE
Contact: sip:@@@@85.25.43.76:5076
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 278

v=0
o=sipcli-Session 1633611179 395379464 IN IP4 85.25.43.76
s=sipcli
c=IN IP4 85.25.43.76
t=0 0
m=audio 5078 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv

– end of packet.
[2016-03-01 07:48:22] ERROR[15247]: pjsip:0 <?>: sip_transport. Error processing 744 bytes packet from UDP 85.25.43.76:5090 : PJSIP syntax error exception when parsing ‘’ header on line 3 col 15:
INVITE sip:[email protected] public IP SIP/2.0
To: 01141445209337<sip:[email protected] public IP>
From: @@@<sip:@@@@my public IP>;tag=bcb7d119
Via: SIP/2.0/UDP 85.25.43.76:5090;branch=z9hG4bK-62a4c2dcf2e6e67408f2281e339d5ee3;rport
Call-ID: 62a4c2dcf2e6e67408f2281e339d5ee3
CSeq: 1 INVITE
Contact: sip:@@@@85.25.43.76:5090
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 279

v=0
o=sipcli-Session 1598156514 1969578265 IN IP4 85.25.43.76
s=sipcli
c=IN IP4 85.25.43.76
t=0 0
m=audio 5096 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv

– end of packet.
[2016-03-01 07:48:23] ERROR[15247]: pjsip:0 <?>: sip_transport. Error processing 747 bytes packet from UDP 85.25.43.76:5077 : PJSIP syntax error exception when parsing ‘’ header on line 3 col 15:
INVITE sip:[email protected] public IP SIP/2.0
To: 901141445209337<sip:[email protected] public IP>
From: @@@<sip:@@@@my public IP>;tag=4ef3c52f
Via: SIP/2.0/UDP 85.25.43.76:5077;branch=z9hG4bK-fdd72206ff9232f02e2bab2fc94d6c53;rport
Call-ID: fdd72206ff9232f02e2bab2fc94d6c53
CSeq: 1 INVITE
Contact: sip:@@@@85.25.43.76:5077
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 279

v=0
o=sipcli-Session 1682189457 1433596676 IN IP4 85.25.43.76
s=sipcli
c=IN IP4 85.25.43.76
t=0 0
m=audio 5079 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv

– end of packet.
[2016-03-01 07:48:25] ERROR[15247]: pjsip:0 <?>: sip_transport. Error processing 747 bytes packet from UDP 85.25.43.76:5114 : PJSIP syntax error exception when parsing ‘’ header on line 3 col 15:
INVITE sip:[email protected] public IP SIP/2.0
To: 801141445209337<sip:[email protected] public IP>
From: @@@<sip:@@@@my public IP>;tag=493ac093
Via: SIP/2.0/UDP 85.25.43.76:5114;branch=z9hG4bK-79f99fe5b740266ef2a9cfb6e1fe6a06;rport
Call-ID: 79f99fe5b740266ef2a9cfb6e1fe6a06
CSeq: 1 INVITE
Contact: sip:@@@@85.25.43.76:5114
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 279

v=0
o=sipcli-Session 2065890829 1066421180 IN IP4 85.25.43.76
s=sipcli
c=IN IP4 85.25.43.76
t=0 0
m=audio 5115 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv

– end of packet.`

can you let me know if i am doing the responsive firewall correctly as i see extensions from unknown IP trying to register. The request was blocked which means they can reach the pbx but when i tried with zoiper on iPhone (mobile LTE), i could not even register my extension. I will get an error - "transport failure: no transport left to try (503). the description of responsive firewall mentioned that i will be given a chance to register and if it is successful, my dynamic IP will be granted access. if i can’t reach i am not sure how these attackers are doing it.

You will have to be quicker than you were, the log files rotate on schedule defined in the files in /etc/logrotate.d/*

Sorry I can’t help you with the “responsive firewall” as it is as yet only responsive in some subset of FreePBX deployments, (which I am not included in yet :wink: )

There are a couple of current arguments as to whether to use PJSIP , one is it that it works perfectly, the other is that it is completely broken, I would suggest you use chan-sip, particularly for your trunks, If you use that I believe that the latest release of fail2ban from fail2ban.org would generally protect you ( It does for me )

Can you identify any servers you use hosted by Amazon or hosteurope.de?

@dicko, thanks for the help. i was able to get the responsive firewall working.

as for the chan-sip, the phones no longer want to register even when the port number is correct. there is a message that there is a wrong password. even generating a new password does not help. Is there a limit how many character chan-sip and pjsip can support?

Yes, it’s hosted by Amazon. how is this related to Amazon, if i may ask?

I don’t think either sip stack has that length limit but some hardware might, particularly Cisco’s (search the forum) for safety’s sake as yet I would personally stick with chan-sip I note that there is still a lot of “funkiness” with FreePBX’s implementation of the pjsip stack in various places for the while . . .

model and firmware of all phones are the same. we are able to register after reducing the password length when using chan-sip. if we switch back to pjsip and correct port, the phones simply re-register.

we’ll definitely want to change to chan-sip but it seems that it’s not an easy task.

thanks @dicko!

quite easy to disable pjsip, immediately from bash:-

rasterisk -x “module unload chan_pjsip”

then add

noload = chan_pjsip.so

to /etc/asterisk/modules.conf

for permanence over a restart , when chan_pjsip is all working , just delete that line.

just make sure that chan_sip is bound to your preferred port (5060 is probably your worse choice for any number of reasons)

There is no “correct port” neither for sip or pj-sip, the default ones of 5060/5061 will ALWAYS expose you to Chinese professors and knuckledraggers all over the world. been there done that . . .