Incoming Call Dropped - Fail2Ban

Hi,

We are having an intermittent issue (every other call) whereby incoming calls are being rejected and the caller hears "the number you have dialed cannot be reached".

When we examined the logs we saw that fail2ban was rejecting the IP of the SIP provider.

We have since whitelisted the IP list of the SIP provider (194.213.29.0/24) via System Intrusion and restarted, but the problem remains.

Now, when I look at the logs the failed calls do not appear as log entries.

Any ideas on what I can check or do to rectify the issue?

Hi @kanky
I think you have a wrong configuration in the PBX FW configuration.
Please check and change the following settings.
PBX GUI --> Connectivity --> Firewall --> Interface Tab --> eth0 Internet (Default FW) Select
Networks Tab --> Add your Local Network and SIP Provider IP Address.
Save

Thanks Snazir,

My networks tab now has 3 entries: PC IP address, LAN range (10.10.10.0/24) and SIP provider range (194.213.29.0/24), all of which are trusted (Exclude from Firewall); however, the calls are still being dropped.

OK, check your Asterisk settings.
Modules --> Settings --> Asterisk SIP Settings --> General Settings Tab --> Add your Local Networks (10.10.10.0/24) or, if you want, press Detect Network Settings.
Then check the next tab: Chan SIP Settings --> NAT --> YES

Check your router FW and disable SIP ALG. Allow the following ports, and allow the SIP trunk IP address in your router FW:
SIP - UDP 5060 5161
RTP - UDP 10000-20000

Thanks.

I have NAT enabled and local network added already. The RTP Port Range on General SIP is 10000-20000 already.

I looked at the router FW (PFSense) and it doesn't have SIP ALG running.

You can create an alias on pfSense for the FreePBX ports.

At the following link you can find the important ports for FreePBX:
https://wiki.freepbx.org/display/PPS/Ports+used+on+your+PBX

Then you can create the alias on pfSense:
https://www.netgate.com/docs/pfsense/firewall/aliases.html

PFSense is notorious for handling SIP poorly. Make sure that Port Randomization is turned off. PFSense likes to not remember what is NAT’d, what NAT routes should be open and well it likes to change the NAT ports being used.

Thanks Guys.

The problem is still there.

I can see this in the PFSense Log:

Nov 28 16:31:37 WAN 194.213.29.62:16237 51.171.198.175:21302 UDP

However, if the traffic is being blocked by the firewall, then how is the caller able to hear the FreePBX message “The number you have called is not in service”?
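The firewall entry quoted above can be compared mechanically with the provider range and the UDP ports listed earlier in the thread. This is an added example, not part of any post: the line layout is assumed from the pasted entry, and the function name `classify` is hypothetical.

```python
import ipaddress
import re

# Values copied from the thread: SIP provider range and the UDP ports
# the posters said to allow (SIP 5060 and 5161, RTP 10000-20000).
PROVIDER_NETS = [ipaddress.ip_network("194.213.29.0/24")]
ALLOWED_UDP = [(5060, 5060), (5161, 5161), (10000, 20000)]

# Assumed layout, taken from the entry pasted in the thread:
#   <month> <day> <time> <interface> <src>:<port> <dst>:<port> <protocol>
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def classify(line):
    """Return facts about one firewall log entry, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    dport = int(m["dport"])
    is_udp = m["proto"].upper() == "UDP"
    return {
        "iface": m["iface"],
        "dport": dport,
        # Is the sender inside the range that was whitelisted as trusted?
        "from_provider": any(src in net for net in PROVIDER_NETS),
        # Does the destination port fall inside a range the thread said to open?
        "port_allowed": is_udp and any(lo <= dport <= hi for lo, hi in ALLOWED_UDP),
    }


if __name__ == "__main__":
    entries = [
        # Entry exactly as pasted in the thread.
        "Nov 28 16:31:37 WAN 194.213.29.62:16237 51.171.198.175:21302 UDP",
        # Constructed entries for comparison (not from the thread).
        "Nov 28 16:31:40 WAN 194.213.29.62:5060 51.171.198.175:5060 UDP",
        "Nov 28 16:31:41 WAN 203.0.113.9:40000 51.171.198.175:5060 UDP",
    ]
    for entry in entries:
        print(entry, "->", classify(entry))
```

For the entry from the thread, the source is inside the provider range while the destination port, 21302, is outside every range listed in the thread.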

Well, does the PBX show the call hitting it? If it does then clearly the firewall isn’t the issue, the call is hitting the PBX and you should see what is happening there.

If the call does not hit the PBX, then perhaps the issue is higher up and the provider is playing that back to the caller.

Does the CDR or logs show these calls hitting the PBX and the PBX playing that message back?

We need to see the log right before (say 10 seconds) Asterisk plays that message. If the call is rejected before the PBX, you will get the same message, so this should confirm a couple of things at the same time.
