FreePBX not sending calls over Site-To-Site VPN

I have a physical FreePBX server located at a primary office. PSTN came in through a PRI hand-off to a PCIe PRI card in the server using DAHDI. This office is on a LAN segment 192.168.1.0/24. A secondary office has its own high speed data connection, with a LAN segment of 192.168.2.0/24, and is connected to the primary site with an IKEv2 site-to-site VPN tunnel. Inbound and outbound calls worked flawlessly, as did inter-site call transfers, paging (on site and inter-site), voice mail retrieval, etc…

So, what’s the problem? The PRI card died last weekend. In order to get them back functional, I purchased a SIP Trunk and configured it on the server, set up Inbound and Outbound call routing and began testing. Everything seems to work great from the primary site. But users are unable to initiate calls from the remote site, and calls from the primary site to the remote site ring through and go to voicemail… Some of these extensions have Find Me/Follow Me configured with external numbers; those appear to initiate an outbound call, but the call never connects to the cell phones.

The problem is obviously PJSIP, but I have exhausted ideas at this time… I have 5060, 5061, and 10000-20000 UDP open on the external interfaces for both Primary and Secondary sites, I have set Firewall rules on both routers to allow ALL protocols between 192.168.1.0/24 and 192.168.2.0/24 in both directions. I am not seeing any changes. Does anyone have any ideas on what to look at?

First of all, if you have a site-to-site VPN, you should not be opening ports in order to connect to site 1 from site 2. That is the purpose of the site-to-site VPN: to establish a private connection without the need to open ports.

Site 2 has its own FreePBX server or phones on site 2 connect to FreePBX on site 1?

Answering the last question first: There is only one FreePBX (version 15) server running at the company. It is hosted at the Primary site. All phones at both locations are able to register to the server, update apps, and were previously able to make connections back to the server via DAHDI to send/receive calls (internal and external). The only thing that has changed is the addition of 4 SIP Trunks and PJSIP. Now that calls are being transported by PJSIP, we are unable to send internal or external calls to the secondary site. The secondary site receives dead air (silence) when they attempt a call to the primary site or external (which would transport via PJSIP through the tunnel).

As for the opening of the ports: Initially I opened the requisite ports on the primary router to allow connections to/from the Trunking provider. After I found the PJSIP issue, I thought the site-to-site may have been resulting in an asymmetric route, and I opened the ports to allow the traffic to come in on the remote router. It has not had an effect, and will be removed once I have everything working.

Since you are now using SIP for external calls instead of DAHDI, please make sure that External IP has been correctly set in SIP settings, and make sure to include both networks 192.168.1 and 192.168.2 as local networks in SIP settings. That should make it work.

In ‘Settings→Asterisk SIP Settings’ under the ‘NAT Settings’ area I already have my external IP entered and both network segments added under Local Networks. I also made sure both network segments are listed in ‘Connectivity→Firewall’ on the ‘Networks’ tab as ‘Trusted’ networks.

Try setting the remote extensions as NATed on the extensions module

We have a similar 3-site VPN for one of our clients. You only need to open external ports for the primary site, not each remote site, assuming the remote sites communicate back to the primary site for the phones over the VPN (split tunnel) and the regular internet traffic for everything else goes direct out at each site, not back through the VPN.

This is essentially what would be assumed:

  • Site 1 - Primary 192.168.1.0 - FreePBX sitting at 192.168.1.20 (example)
  • Site 2 - 192.168.2.0 for the network and all phone IPs,
    • but all phones should have the FreePBX server pointing to 192.168.1.20 (not the external IP address, if that is what you had)
  • Firewall / VPN for each site points to the other as its exit point, so both sites can see each other’s network

My questions for you to check would include:

  1. In FreePBX under Reports > Asterisk Info, can you see all of the remote phones registering? I am assuming that since calls to the remote phones all go to voice mail, the phones are not actually registering, and this would indicate a VPN problem, not a FreePBX problem.

  2. Do you do centralized file storage on your network? Can users from site 2 access files and printers on site 1? If not, then again this seems like a VPN problem. If the VPN is set up correctly, then anyone from site 2 could print something to site 1, and the reverse: site 1 can print to site 2.

Before the card died, did you have the Site 2 phones’ server address set to the Site 1 FreePBX LAN IP, or the external public IP address?

HawaiianHopeOrg, thanks for the response. My original config only had the SIP ports on the firewall open at ‘Site 1’. I opened them at ‘Site 2’ because I thought the phones may have been initiating some sort of asymmetric routing… it had no effect. In my case, the FreePBX Server is 192.168.1.5, and all phones (both sites) are configured to point to the internal IP address (.5). My configuration is very similar to what you outline above, if not identical. Each site uses its HSD connection for internet access; the Site-to-Site VPN allows the two sites to communicate securely between the sites. The PCs at both sites are Domain joined and connect to the DCs at the Primary site (there is not a place to physically place a DC at the second site). All file services and print services are provided by ‘Site 1’, and before the PRI card died, the phones at ‘Site 2’ connected to and functioned through the FreePBX Server at ‘Site 1’.

Under ‘Reports→Asterisk Info’, all phones at ‘Site 1’ are showing ‘Online’ and logged in.

Yesterday afternoon, I went through every setting in the (FreePBX) Firewall, Inbound Routes, Outbound Routes, Advanced Settings and Asterisk SIP Settings. I compared the problematic PBX to several working PBXs I manage… although this is the only PBX providing connectivity to phones through a Site-to-Site VPN. It is also the only site I manage that has Synology Routers at the sites.

After going through everything yesterday, I was able to get a call to ring through to ‘Site 2’, but there was no audio on either side after connecting. I had a user at ‘Site 2’ attempt an outbound call, and I saw NOTHING in the Asterisk Logfile, nothing. No handshake… nothing.

When I am logged into the phone web interface on a device at ‘Site 2’, I can ping IPs at ‘Site 1’. The device shows it is logged in, and it pulls configs from the PBX at ‘Site 1’… the phones can also still access VoiceMail from ‘Site 1’, so they are communicating. It just appears PJSIP is not functioning properly.

Did you try restarting the site 2 network switches and such? I am wondering if this might be a cache issue. I just posted on another topic here for someone else, and what I thought was a FreePBX issue turned out to be a networking issue. Restarting everything from the firewall in fixed it.

Do you have both PJSIP and Chan_SIP enabled on the PBX? Was PJSIP enabled with the new trunk?

We have resolved the issue. After some troubleshooting we were able to get direct inbound calls (Inbound Routes) to ring through with two-way voice; outbound calls were hitting the PBX and going to a trunk, but never dialed out. I am pretty sure the issue was directly related to the UDP timeout of the router at the remote site. We enabled TCP for PJSIP and, on each of the Trunks, in the ‘pjsip Settings’ tab, set the ‘Transport’ to ‘0.0.0.0-tcp’. That fixed it. Thanks to everyone that made suggestions, and I hope this helps someone else.
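The settings this thread converges on (external IP plus both LAN segments as local networks, NAT handling on the remote extensions, and a TCP transport pinned on the trunks) written out as the pjsip.conf fragments that FreePBX generates from those GUI fields. This is an added example, not the poster’s configuration or FreePBX’s own generated files: the public address 203.0.113.10, the provider host sip.example.net, the trunk name sip-trunk-1 and extension 201 are placeholders. On a FreePBX box these files are regenerated from the GUI, so set the equivalent fields there (or put overrides in the matching `_custom` files) rather than editing the generated ones.

```ini
; --- pjsip.transports.conf ------------------------------------------------
; Generated from Settings -> Asterisk SIP Settings -> NAT Settings.
; 203.0.113.10 is a placeholder; use the primary site's real public address.

[0.0.0.0-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060
; Address written into Contact/Via and the SDP when the far end is NOT
; inside one of the local_net ranges below.
external_signaling_address=203.0.113.10
external_media_address=203.0.113.10
; Both LAN segments must be listed. If 192.168.2.0/24 is missing, a phone
; at site 2 is treated as an Internet peer and receives the public IP in
; the SDP; its RTP then leaves via site 2's own uplink instead of the
; tunnel, which the user hears as dead air or one-way audio.
local_net=192.168.1.0/24
local_net=192.168.2.0/24

; Second transport, enabled when "TCP" is turned on for PJSIP. NAT devices
; keep established TCP state far longer than a UDP flow, so a short UDP
; timeout on the remote router no longer silently drops the signaling path.
[0.0.0.0-tcp]
type=transport
protocol=tcp
bind=0.0.0.0:5060
external_signaling_address=203.0.113.10
external_media_address=203.0.113.10
local_net=192.168.1.0/24
local_net=192.168.2.0/24

; --- pjsip.endpoint.conf / pjsip.aor.conf / pjsip.auth.conf ---------------
; Trunk with 'Transport' set to 0.0.0.0-tcp on its pjsip Settings tab.
[sip-trunk-1]
type=endpoint
transport=0.0.0.0-tcp
context=from-pstn
disallow=all
allow=ulaw
aors=sip-trunk-1
outbound_auth=sip-trunk-1-auth

[sip-trunk-1]
type=aor
; ;transport=tcp in the URI keeps outbound INVITEs on TCP as well.
contact=sip:sip.example.net:5060;transport=tcp

[sip-trunk-1-auth]
type=auth
auth_type=userpass
username=trunkuser
password=replace-me

; Provider registration, also pinned to the TCP transport.
[sip-trunk-1-reg]
type=registration
transport=0.0.0.0-tcp
outbound_auth=sip-trunk-1-auth
server_uri=sip:sip.example.net
client_uri=sip:trunkuser@sip.example.net

; Remote-site extension with NAT=Yes on the extension form. The three
; options below are what that toggle sets: answer to the source port the
; request actually came from, and learn the real media/contact addresses
; from what arrives rather than trusting what the phone advertises.
[201]
type=endpoint
transport=0.0.0.0-udp
context=from-internal
disallow=all
allow=ulaw
aors=201
auth=201-auth
rtp_symmetric=yes
force_rport=yes
rewrite_contact=yes
direct_media=no
```

After a reload, `asterisk -rx "pjsip show transports"` should list both transports, and `asterisk -rx "pjsip show endpoint sip-trunk-1"` should show the trunk bound to 0.0.0.0-tcp; `direct_media=no` on the remote extension keeps RTP anchored at the PBX so audio stays inside the tunnel instead of being re-INVITEd phone-to-phone across sites.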

Anytime I have to set up phones behind an IPsec VPN I just add a static route on the PBX, and that’s all I need. For OpenVPN I don’t have to add static routes on the PBX. The OpenVPN protocol takes care of all the routing between the sites.