FreePBX looks registered, but provider ignores call requests

TLDR:: Looks registered, but call requests ignored

Hello folks,
My ISP provides a “free” phone service with the cable internet service, but the catch is you MUST use an analog phone attached to their software crippled, low powered wifi router. By assorted devious means, I’ve extracted my SIP account username/password/proxy/domain, and they work fine in a softphone (PhonerLite) on my PC using a much better router I have full control of.

However . . . the same details do not work successfully when transferred into my FreePBX. Asterisk appears to register successfully, but call attempts fail, with a “critical response timeout”.

I’ve fired up Wireshark and observed some interesting behavior when FreePBX tries to register. The first REGISTER request gets a 200 OK response (!) from the ISP, and my Asterisk thinks all is good. This is not correct. The ISP should reply with a 401 UNAUTHORISED response to trigger a password exchange. This happens with the softphone and the ISP router, but not Asterisk. When Asterisk sends an INVITE to start a call, it is ignored, and gets no response at all, which is why I a get a “critical response timeout”

The only significant? difference between operational REGISTER requests of ISP router (and the softphone on my PC) and the non-functional requests of FreePBX is the inclusion of an Allow: field. According to the standard, this is optional and can be negotiated in later OPTION or INVITE requests. It’s not the non-standard port number I use, the softphone on my PC uses the same number and it work fine, and I’ve tried changing the user-agent so it does not say FPBX to no avail. I’m obviously missing something.

This is the FreePBX REGISTER request, it gets and immediate 200 OK reply, it should get a 401 UNAUTHORIZED to trigger the password exchange:-
xxxx – My public IP
nnnn = My phone number and user name.

Session Initiation Protocol (REGISTER)
    Request-Line: REGISTER SIP/2.0
        Method: REGISTER
            Request-URI Host Part:
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP;branch=z9hG4bK4e8bb3f8;rport
            Transport: UDP
            Sent-by Address:
            Sent-by port: 8494
            Branch: z9hG4bK4e8bb3f8
            RPort: rport
        Max-Forwards: 70
        From: ;tag=as418133d5
            SIP from address: sip:[email protected]
                SIP from address User Part: +6129nnnnnnn
                E.164 number (MSISDN): 6129nnnnnnn
                    Country Code: Australia (61)
                SIP from address Host Part:
            SIP from tag: as418133d5
            SIP to address: sip:[email protected]
                SIP to address User Part: +6129nnnnnnn
                E.164 number (MSISDN): 6129nnnnnnn
                    Country Code: Australia (61)
                SIP to address Host Part:
        Call-ID: [email protected]
        [Generated Call-ID: [email protected]]
        CSeq: 102 REGISTER
            Sequence Number: 102
            Method: REGISTER
        Supported: replaces, timer
        User-Agent: FPBX-
        Expires: 1800
            Contact URI: sip:[email protected]:8494
                Contact URI User Part: +6129nnnnnnn
                E.164 number (MSISDN): 6129nnnnnnn
                Contact URI Host Part:
                Contact URI Host Port: 8494
        Content-Length: 0

Here is the first REGISTER Request the ISP’s router sends, it (correctly) gets a 401 Unauthorized response and proceeds to the password exchange.

Session Initiation Protocol (REGISTER)
    Request-Line: REGISTER SIP/2.0
        Method: REGISTER
            Request-URI Host Part:
        [Resent Packet: False]
    Message Header
        From: ;tag=7c9190-ea654972-13c4-6006-b-49167107-b
            SIP from address: sip:[email protected]
                SIP from address User Part: +6129nnnnnnn
                E.164 number (MSISDN): 6129nnnnnnn
                    Country Code: Australia (61)
                SIP from address Host Part:
            SIP from tag: 7c9190-ea654972-13c4-6006-b-49167107-b
            SIP to address: sip:[email protected]
                SIP to address User Part: +6129nnnnnnn
                E.164 number (MSISDN): 6129nnnnnnn
                    Country Code: Australia (61)
                SIP to address Host Part:
        Call-ID: 7dcaa0-ea654972-13c4-6006-b-59ac0ed9-b
        [Generated Call-ID: 7dcaa0-ea654972-13c4-6006-b-59ac0ed9-b]
        CSeq: 1 REGISTER
            Sequence Number: 1
            Method: REGISTER
        Via: SIP/2.0/UDP;rport;branch=z9hG4bK-b-2bdc-484b814d-7be440
            Transport: UDP
            Sent-by Address:
            Sent-by port: 5060
            RPort: rport
            Branch: z9hG4bK-b-2bdc-484b814d-7be440
        Max-Forwards: 70
        Session-ID: 889affa09ae91634df00465fa567d046
            sess-id: 889affa09ae91634df00465fa567d046
        Supported: replaces,path,199,100rel
        User-Agent: SAGEMCOM / FAST5366 / BCM63138 
        Expires: 3600
            Contact URI: sip:[email protected]:5060
                Contact URI User Part: +6129nnnnnnn
                E.164 number (MSISDN): 6129nnnnnnn
                    Country Code: Australia (61)
                Contact URI Host Part:
                Contact URI Host Port: 5060
        Content-Length: 0

FreePBX Configuration

Peer Details:

Register String:
[email protected]:secret:[email protected]:5060/+6129nnnnnnn

Any help/suggestions would be appreciated.

Try adding


to your sip [general] section perhaps?

I suspect an ALG in the path.

‘Better’ router make/model? Packet capture taken on LAN or WAN side? Does router get a public IPv4 address on its WAN interface? If not, please explain (daisy-chained through ISPs router, modem is a gateway, ISP does NAT, etc.) Time between REGISTER and bogus 200 (if very short, could indicate 200 was sent by something on your network)?

Just for laughs, I configured a trunk sending:

Reliably Transmitting (NAT) to
Via: SIP/2.0/UDP;branch=z9hG4bK1e2ebefd;rport
Max-Forwards: 70
From: <sip:[email protected]>;tag=as5cf23c25
To: <sip:[email protected]>
Call-ID: [email protected][::1]
Supported: replaces, timer
User-Agent: FPBX-
Expires: 120
Contact: <sip:[email protected]:5160>
Content-Length: 0

There was no response at all. Possibly, their firewall only accepts SIP packets from their own network.

It would be more interesting to see a comparison between (working) PhonerLite and (failing) FreePBX, since they are traversing the same network gear. If possible, capture on the WAN side.

To make it easier to analyze, please paste the SIP traces (just one line per header, without expansion) at and post the link here. If you post text directly, note that the forum software removes everything in <> so it should be properly quoted/escaped.


I see that your ISP’s agent indicates support of “path” in the registration request, which chan_sip does not. I think pjsip has more support for IMS related extensions like SIP Outbound. Try configuring it as a pjsip trunk instead. You may need to add options that are not in the GUI.

Edit: some light reading on the significance of “path” support

I’ll add in that IMS has not really been a focus in PJSIP, so any support or functionality is not specifically targeted for it.

Let’s also touch on the fact this is a free voice service attached to a Internet account from an ISP. They provided an all-in-one CPE that includes an ATA device for this. This would also indicate that this is not an account meant for SIP Trunking and connecting a PBX to.

Any ISP doing this and worth their salt is going to have measures in place so that free service is not being abused. It’s one thing to connect via a softphone client or another ATA because that means there is still one user connected generally. A PBX connected means multiple users, multiple calls, etc.

Based on that, this would mean the account they are providing is essentially an extension off a PBX system. That means this account will have voicemail, a ring timer setup at their side, etc, etc. All like you would setup an extension on your PBX.

Now here’s the kicker, since you are getting timeouts and other errors back from the ISP the next step would be to contact the ISP to confirm they are getting the requests and to verify why they are not replying (or why they are rejecting) to your requests. I’m guessing however that’s not something that can be done because it would expose that you’re trying to put a PBX on their free home services. Something they probably do not allow. Not to mention all they have to say is “Sorry, our voice services only work with our devices. Everything else is unsupported”.

So right now the ISP is clearly the one stopping you from making calls. Now we can sit here and do one-sided troubleshooting to try and get them to accept your calls but without know exactly how or why they are blocking/denying your calls it’s a guessing game. It’s also a game that has a “winning goal” of what seems to be a clear violation of their ToS and how devices can connect to their network.

This isn’t like this is an issue with some SIP trunking provider that just has horrible support. This is an ISP offering a free Resi level VoIP account that is meant for analog endpoints not IP-PBX systems. So in order to fix your issue we have to find a solution that basically bypasses what would be considered the ISP’s security and fraud policies/rules.

Tom makes a good point. You should also adjust your user-agent header to hide that you are using Asterisk/FreePBX. :grin:

(That’s a joke, son)

Thanks for the relevant questions.
Router: NETGEAR WNDR4500. “Better”, only in that I’m in complete control of it.
SIP ALG is disabled in my router.
Router gets an public IPv4 address on the WAN side.

FreePBX Network Chain (Fails):-
Phonerlite (FreePBX SIP Account setings) on PC -->LAN–>FreePBX–>MyRouter (Public IP)–>ISP Bridge

Phonerlite Network Chain (Works):-
Phonerlite (ISP SIP Account settings) on PC -->LAN–>MyRouter (public IP)–>ISP Bridge

ISP Router Setup:-
Analog Phone–>ISP Router (Public IP)–ISP Bridge
ISP Bridge is a ARRIS cable modem.

All the captures are on the WAN side of the the router.

FreePBX non-functional REGISTER and INVITE

911	20.742792	SIP	519	Request: REGISTER  (1 binding) | 
916	20.851561	SIP	633	Status: 200 OK  (1 binding) | 
928	21.042279	SIP	626	Request: OPTIONS | 
929	21.057264	SIP	412	Status: 403 Forbidden | 
3283	81.058682	SIP	626	Request: OPTIONS | 
3288	81.073812	SIP	412	Status: 403 Forbidden | 
4535	108.660347	SIP/SDP	1062	Request: INVITE sip:[email protected] | 
4537	108.759824	SIP/SDP	1062	Request: INVITE sip:[email protected] | 
4538	108.959984	SIP/SDP	1062	Request: INVITE sip:[email protected] | 
4540	109.360522	SIP/SDP	1062	Request: INVITE sip:[email protected] | 
4544	110.160571	SIP/SDP	1062	Request: INVITE sip:[email protected] | 
4975	111.760206	SIP/SDP	1062	Request: INVITE sip:[email protected] | 
5001	114.960328	SIP/SDP	1062	Request: INVITE sip:[email protected] | 

Phonerlite Successful REGISTER and INVITE

836   20.385905   114.xx.xx.xx   SIP 770 Request: REGISTER  (1 binding) | 
838   20.401448   114.xx.xx.xx    SIP 488 Status: 423 Interval Too Brief | 
839   20.402519   114.xx.xx.xx   SIP 771 Request: REGISTER  (1 binding) | 
846   20.582480   114.xx.xx.xx    SIP 683 Status: 401 Unauthorized 11030030330 | 
847   20.582482   114.xx.xx.xx   SIP 1068    Request: REGISTER  (1 binding) | 
847   20.582482   114.xx.xx.xx   SIP 1068    Request: REGISTER  (1 binding) | 
852   20.794300   114.xx.xx.xx    SIP 463 Status: 403 Forbidden | 
855   20.934800   114.xx.xx.xx    SIP 883 Status: 200 OK  (1 binding) | 
1714  35.821946   114.xx.xx.xx   SIP/SDP 1061    Request: INVITE sip:[email protected] | 
1715  36.039136   114.xx.xx.xx    SIP 410 Status: 100 Trying | 
1744  37.935331   114.xx.xx.xx    SIP/SDP 1123    Status: 183 Session Description | 
1745  37.937153   114.xx.xx.xx   SIP 670 Request: PRACK sip:[email protected];transport=udp | 
1745  37.937153   114.xx.xx.xx   SIP 670 Request: PRACK sip:[email protected];transport=udp | 
1748  38.001930   114.xx.xx.xx    SIP 651 Status: 200 OK | 
2761  46.525141   114.xx.xx.xx    SIP/SDP 1189    Status: 200 OK | 
2762  46.525143   114.xx.xx.xx   SIP 609 Request: ACK sip:[email protected];transport=udp | 
3434  52.437360   114.xx.xx.xx    SIP 883 Request: BYE sip:[email protected]:8494;gr=80BCCF98-EE16-EA11-A9EB-B4808226483A | 
3435  52.438349   114.xx.xx.xx   SIP 551 Status: 200 OK | 
3829  60.222330   114.xx.xx.xx   SIP 1039    Request: REGISTER  (remove 2 bindings) | 
3829  60.222330   114.xx.xx.xx   SIP 1039    Request: REGISTER  (remove 2 bindings) | 

I’m happy to dive into the detail of any/all out theres if it would help.

Thanks for the various replies.

alwaysauthreject will only change the how MY asterisk responds to requests. It does not change my requests or how they are handled by the ISP.

Hi Tom, Your points are well made, however, I would like to address some of them

First of all, it is not free. The price of the service and calls is bundled into the cost of the internet service. It is “free” in that there is not additional cost of most calls. This service terminates in my home and the intention is the make use of the call handing functionality provided by FreePBX, e.g. detailed call filtering (blacklist), voice mail and fax collection and forwarding to email, caller name presentation etc. such that my elderly parents can be more assured that it is not someone with evil intent when the phone rings.
I can (and have) achieved the required functionality by using a SIP to PSTN gateway to drive the ISPs analog PSTN phone line. The increased voice latency and dialing delay, along with the decreased voice quality and reliability of this totally unnecessary setup makes it unworkable.
Given the frequency of SCAM/SPAM calls received, and the total inaction of service providers to do anything about it, I must. I have no intention to defraud the ISP.

There will be only one household. No businesses involved.

Did you write their script? :grinning:

Interesting. For the FreePBX Registration attempt, I’d like to see the REGISTER packet payload as plain text (same format as in my previous post). If getting it from Wireshark, select the packet, right-click on the line in the panel below that says Session Initiation Protocol (REGISTER) and select Copy -> Copy Bytes as Printable Text.

For the attempt from PhonerLite, I’m intrigued by the two apparently simultaneous requests, both showing as packet #847 (this might be a Wireshark bug; I’d expect that if a packet got duplicated by the network stack it would show as separate packet numbers). Post the content as plain text (both packets if not identical). Also, please show the responses #852 and #855.

Paste all this stuff at and post a link here (or otherwise ensure that content in angle brackets gets through the forum properly).

Also, the failing case shows the public IP redacted to but the working case shows 114.xx.xx.xx – if these are not actually the same address, please explain.

The duplicate frame was my copy/paste error copying from Wireshark. It is not in the capture. Packet #852 is not a SIP packet (Its a DNS query), so if included the SUBSCRIBE and response. See packets captures below.
The 114 IP address was the same in both captures. It was my anonymizing find/replace that change. Sorry if it is confusing.

So Asterisk is a Back2Back User Agent which means that it allows other UAC’s (User Agent Clients) to register to it and send calls between it. It can also do outbound registration to another UAS (User Agent Server) for this. For the most part that makes Asterisk a UAS. Based on that I believe this is your issue:


All my UAC’s from Polycom’s, Yealinks to Cisco ATA’s all present either the Allow header or have the methods= tag in the Contact header which would contain the same information as the Allow header. This tells the UAS was methods are supported so it will only send messages for those methods.

All of my Asterisk based stuff, FreePBX or not, does not send an Allow header or add a methods= tag to the contact header on registration. This is a common UAS practice as while not having that header or tag doesn’t mean the UAS can’t allow those methods, it just doesn’t limit the methods allowed.

They very well could be doing a simple check against the SIP messages and looking for specific headers/tags that a UAC would send but a UAS would not, like the Allow header/method tags.

No, I spent a lot of my career at ISP’s and this is exactly what we did to stop businesses from getting an unlimited RESI account to try and run their PBX on because they wanted to save money and not pay the business rates.

Everything you described here is the reason for these checks in the first place. They are giving you a free RESI account already which has voicemail, CNAM and all the features a standard voice line would have. There is no need for an internal PBX to provide these services because they are already provided.

Some VoIP providers will send a fake 200 OK to a register request, if the previous registration is not near expiration. This is because it’s common to set a client to register frequently, e.g. every 60 or 120 seconds, to keep a NAT association open or to have a fresh indication of whether the server is up. However, that could cause a huge load on the server; 100,000 clients registering every minute is ~1667 registrations per second, each requiring four packets. So, the provider sets up some other system element (SBC, load balancer, firewall, etc.) to just send dummy 200s until the registration is actually near expiry. So, if you had the ISP’s router or PhonerLite registered shortly before FreePBX attempted to register, this could be an issue. Try waiting 40 minutes after taking these down before starting FreePBX. (It might still fail to register, but the fake 200 should be gone and with luck we’ll get a more meaningful error response.)

If that’s not it (you had already waited long enough or it doesn’t help), one obvious difference is that FreePBX is emulating being on a public IP while PhonerLite is using its private IP in Via and Contact. I’m not confident about this theory, because the ISP router’s registration is from a public IP and that gets accepted. If you still suspect this is happening, you could try adding to your Local Networks, confirm that Asterisk is using its private IP in Via and Contact, and see whether this makes a difference.

If both of the above fail, I would take the PhonerLite request that gave the 401, put it in a file and try sending it with sipsak or a similar tool. If you indeed get a 401 reply, then modify one header to match what FreePBX is sending and retest. Do this until you get the bogus 200. Then we’ll know which header is responsible and can think about how to make FreePBX send it like PhonerLite.

OK this is the part where I might start to sound righteous and that is mainly due to the fact I’ve spent my career on the ISP/ITSP side of all this. So as an ITSP I’m looking at this thread and seeing an OP who is trying to get around their provider’s network restrictions and security to put an unapproved IP-PBX on a residential service. I’m also seeing people trying to help the OP achieve this goal. So I guess I’m just curious as to why? Why are members of the community actively trying to help someone violate a provider’s ToS? Didn’t the whole Google Voice debacle teach a lesson?

See when I see threads like this I see them through my ITSP tinted glasses and think “Man, that could be my network these guys are helping to hack”. That’s just a bad vibe to have and I think in some ways hurts the community.

Perhaps the OP can post a link to the ToS for the account in question.

IMO, for each person like the OP there are 100 who are actually running a home business and abusing the service. Most providers have limits to prevent abuse, e.g. 3000 minutes per month or 100 unique contacts per month. Users who exceed these limits must upgrade to a business plan or get kicked off.

Assuming that the provider disallows e.g. more than 2 concurrent calls, I don’t believe that a PBX connection presents a serious issue for the VoSP.

I believe it’s quite useful for the community to help hobbyists playing with FreePBX and Asterisk at home. They are likely to recommend the platform to their employers or use it in a business they start. This helps Sangoma sell phones and software, and increases the number of experts who can maintain and develop for these systems.

It is quite clear that you have been on the other side of my issue.

Not so. All of the functions I want are for received call handling which “costs” the Service Provider nothing and provides no additional burden. They do not offer:-

  • forwarding voice mail/fax to email

  • to tagging incoming calls with familiar names like “Aunty Nancy”

  • comprehensive “black list” function

all of which I can provide and manage, at negligible capital cost and time. Even if I could get these services, the monthly cost would be more than the total setup cost of a FreePBX . . . unless its all about the money?

They are giving me nothing. As I said, it is not free, its bundled with the Internet service You make it sound as if if should be humbly grateful and satisfied with a POTS line when it can be so much more, with so little effort of my own effort That’s like the flour mill selling me flour on condition I don’t bake bread. After all. I should be happy with flour and water, it nutritious enough.

You are correct. The ToS state that you may only access the services using Service Provider’s equipment. There is also a story that goes with this. The service provider, for many years, provided a pre-crippled router ( Sagemcom [email protected] 3864) whose wifi performance and operational stability for so laughably poor that the ISP’s CSOs told folks, after multiple swapouts, that if they didn’t use the phone service, they could get their own router. The ToS only applied when it suits them and protects their revenue. As I have already stated, I mean no harm to the ISP. I seek help in these forums in order to do no harm.
I understand where you are coming from, and I think that you should be able to also see my point of view so I will comment no further.


I’m involved was involved with large infrastructure projects using and supporting several FreePBX systems (including associated Sangoma commercial modules) used to supply temporary communications networks during commissioning. It is indispensable.

Hi @Stewart1 and thank for the suggestion.
Good news and not good news.You were correct. I had no connection to the ISP overnight and when I enabled the FreePBX Trunk, we got a 403 UNAUTHORIZED, followed by and 200 OK, so your theory wrt an automatic 200 OK is probably correct. The Not so good news is the INVITES are still ignored. :disappointed: Capture below.

I noticed in the SDP Session name was “ASTERISK PBX” in the INVITE, so I changed that to SIPPER to no effect. Still ignored.

Please confirm that #129 is a response to OPTIONS and #131 is the response to REGISTER; otherwise it’s not properly registered and we need to fix that first.

Assuming that the above is OK, what happens on an incoming call? If it at least gets far enough to send an INVITE, we know that registration is correct and the contents of the INVITE may give a clue as to what we need to send on outbound calls.

Next, I’d like to compare the working INVITE sent by PhonerLite with the ignored one sent by Asterisk. Please post both on .

Your paste at is properly formatted; please use this format when you post the INVITEs. The most recent paste at underwent some unwanted garbling, for example the < characters were escaped to &lt; please ensure that this does not happen.

Correct #129 is a response to #128. #131 is the response to #123 REGISTER.

It’s a little difficult to test incoming calls. I have the line set to “Divert All Calls” at the moment and I would have to tear down the current router/LAN setup to send the necessary facility code to remove the diversion. I’ll try to do it in soon to see if the registration works in that direction.

This is the INVITE capture for FreePBX and PhonerLite for comparison.

Sorry the previous pastebin got screwed up. When I press the “raw” button, it seems to straighten it out.
Thanks for the help.