Incoming Call has no Outgoing Audio

Freshly installed FreePBX yesterday on a VM. I believe my firewall is properly configured and a packet capture seems to corroborate my story. I have successfully used these firewall rules in the past with FreePBX.

Situation is as follows:
I can successfully make an outgoing call with 2-way audio.
Incoming calls will only have 1 way audio - I can hear the external caller but they cannot hear me

In the past this was fixed by changing my NAT - however I have toggled all these options and nothing seems to be working. The packet captures and firewall states seem to show everything working properly so I am not sure what to do next. I have attached some packet capture and firewall screenshots showing the NAT properly working (they are not necessarily the same call).

Any help is appreciated - thanks.

some additional info:
10.0.1.19 is my computer
10.0.2.3 is FreePBX

Screenshot 2023-03-12 162052

The primary NAT settings are not toggles. The toggle ones are for working round cases where the remote end handles NAT badly.

The one that is probably wrong is the external media address. (Obsolete, chan_sip, driver has only one external address setting.)

‘External Address’ under ‘Asterisk SIP Settings’ matches my external address.

I was toggling ‘SIP NAT’ under ‘Advanced Settings’ Menu - which may very well be left behind from chan_sip.

edit: historically I have only ever been able to get chan_SIP working and not PJSIP.

Confirm that the VM is using bridged networking. Are 10.0.1.x and 10.0.2.x on the same subnet (you have 10.0.0.0/22 or larger)? If not, please explain. Confirm that in Asterisk SIP Settings, Local Networks covers both 10.0.1.x and 10.0.2.x.

In your router/firewall, confirm that you are forwarding the RTP port range (default is UDP 10000-20000) to 10.0.2.3. Also, confirm that any SIP ALG is disabled and that the firewall is not rewriting the source port numbers. This may be called ‘consistent NAT’, ‘disable source port rewriting’ or similar. If the firewall does not have a public IP address on its WAN interface, please explain (ISP’s modem is a gateway, ISP does CGNAT, etc.)

I don’t understand the States picture – none of the ports mentioned match those in the Wireshark capture.

If the above doesn’t help, play the RTP stream sent to 207.223.67.136 and confirm that sound is present. Also that the codec (presumably ulaw) and destination address/port matches what was requested in the SDP of the incoming INVITE. And, check that the source port matches what was specified in the SDP of the 200 OK that Asterisk sent.

If you still have trouble, capture traffic on the firewall WAN interface to check that audio is being passed and port numbers have been properly preserved.

If still no luck, how are you routing the call? If other than directly to an extension, try turning off Progress Inband in the trunk, and setting Signal Ringing and Pause Before Answer in the Inbound Route.

If all else fails, with pjsip logger enabled, make a failing call, paste the Asterisk log for the call at pastebin.freepbx.org and post the link here. If you are too new to post links, just post the last eight hex characters of the URL. Post router/firewall make/model and describe any VoIP-related settings.

Confirm that the VM is using bridged networking. Are 10.0.1.x and 10.0.2.x on the same subnet (you have 10.0.0.0/22 or larger)? If not, please explain. Confirm that in Asterisk SIP Settings, Local Networks covers both 10.0.1.x and 10.0.2.x.

Those are /24 subnets and firewall rules allow them to talk. Both subnets are listed in the ‘local networks’ section of the sip settings.

In your router/firewall, confirm that you are forwarding the RTP port range (default is UDP 10000-20000) to 10.0.2.3. Also, confirm that any SIP ALG is disabled and that the firewall is not rewriting the source port numbers. This may be called ‘consistent NAT’, ‘disable source port rewriting’ or similar. If the firewall does not have a public IP address on its WAN interface, please explain (ISP’s modem is a gateway, ISP does CGNAT, etc.)

I am forwarding 10000-10100 - I have updated the settings in FreePBX to limit the port range. I have not seen an instance where there was a call outside of the set range.

I am using Pfsense for a firewall and it does not appear to have SIP ALG. I have not seen evidence from my captures that it is rewriting the source port.

I don’t understand the States picture – none of the ports mentioned match those in the Wireshark capture.

That screen shot was not at the same time as the packet capture - I was trying to determine if I had a NAT issue so I turned on firewall state logging.

If the above doesn’t help, play the RTP stream sent to 207.223.67.136 and confirm that sound is present. Also that the codec (presumably ulaw) and destination address/port matches what was requested in the SDP of the incoming INVITE. And, check that the source port matches what was specified in the SDP of the 200 OK that Asterisk sent.

If you still have trouble, capture traffic on the firewall WAN interface to check that audio is being passed and port numbers have been properly preserved.

I captured at both the interface where the FreePBX server lives and the WAN interface (different calls because I can only sniff one interface at a time). I have confirmed the audio is present at all highlighted points.

note: 34.226.36.34 is a flowroute IP.

If still no luck, how are you routing the call? If other than directly to an extension, try turning off Progress Inband in the trunk, and setting Signal Ringing and Pause Before Answer in the Inbound Route.

If all else fails, with pjsip logger enabled, make a failing call, paste the Asterisk log for the call at [omitted link] and post the link here. If you are too new to post links, just post the last eight hex characters of the URL. Post router/firewall make/model and describe any VoIP-related settings.

Call is getting routed through inbound route directly to the extension.

The pastebin appears to be down at the moment.

here is the internal flow of data since I can only put 1 picture in a post at the moment:

In post 6, it appears that pfSense randomized the RTP source port to 58642, and I’m guessing that Peerless (Flowroute’s upstream) rejected the RTP because it was expecting it from port 10032 (that Asterisk presumably sent in the SDP of its 200 OK).

I know almost nothing about pfSense; perhaps
https://docs.netgate.com/pfsense/en/latest/nat/outbound.html
will help you fix this (if it’s indeed the cause of your trouble).

I got it to work, thanks. Let me know if I can get you a beer!

Here is the new capture after adding the static mapping:

for future me, or anyone else that has this problem, here is the firewall rule needed:

This should be 10000-10099. With the current settings, one in 51 of your calls will get into difficulties. With the default range, which is also bad, the probability is 1 in 5,001, which most people won’t notice. Even ports are used for RTP and odd ports for RTCP.

Asterisk being a B2BUA make that 1 in 26 (or more) if all channels involved are SIP.

So one in 2501 for 10-20000 :wink:

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.