Known dialparties.agi issues with finding "parties"?

[Repost from my TrixBox forum post. Trying all avenues.]

hi all;

Does anyone know of issues with the latest “dialparties.agi” finding “extensions” to dial? I’m using 2.6.2 TB.

I had run through all the steps found in “change default password” (http://www.trixbox.org/forums/trixbox-forums/open-discussion/chan…), and also did a ‘yum -y update’ to bring everything up to latest rev.

At that point, calls no longer get sent from IVR to extensions. Started seeing “Connect attempt from ‘127.0.0.1’ unable to authenticate” error. Apparently dialparties.agi (/var/lib/asterisk/agi-bin/dialparties.agi) has problems using get_var:

$ampmgruser = get_var( $AGI, "AMPMGRUSER" );
$ampmgrpass = get_var( $AGI, "AMPMGRPASS" );

The extension is showing as registered:

trixbox1*CLI> sip show peers
Name/username Host Dyn Nat ACL Port Status

1030/1030 192.168.0.97 D N 36854 OK (11 ms)

27 sip peers [Monitored: 3 online, 24 offline Unmonitored: 0 online, 0 offline]

To work around the issue, I “hardcoded” the user / password, to allow dialparties.agi to execute all the way through, but now dialparties.agi is not finding the extension (1030), and returning "Returned from dialparties with no extensions to call and DIALSTATUS: ‘’ " (note the empty DIALSTATUS), even though the extension is registered and available:

– Executing [[email protected]:1] ExecIf(“SIP/networks-7871084-09a59510”, “0|dbDel|”) in new stack
– Executing [[email protected]:2] Set(“SIP/networks-7871084-09a59510”, “__NODEST=”) in new stack
– Executing [[email protected]:3] Goto(“SIP/networks-7871084-09a59510”, “from-did-direct|1030|1”) in new stack
– Goto (from-did-direct,1030,1)
– Executing [[email protected]:1] Macro(“SIP/networks-7871084-09a59510”, “exten-vm|1030|1030”) in new stack
– Executing [[email protected]:1] Macro(“SIP/networks-7871084-09a59510”, “user-callerid”) in new stack
– Executing [[email protected]:1] Set(“SIP/networks-7871084-09a59510”, “AMPUSER=+1XXXX”) in new stack
– Executing [[email protected]:2] GotoIf(“SIP/networks-7871084-09a59510”, “0?report”) in new stack
– Executing [[email protected]:3] ExecIf(“SIP/networks-7871084-09a59510”, “1|Set|REALCALLERIDNUM=+1XXXXX”) in new stack
– Executing [[email protected]:4] Set(“SIP/networks-7871084-09a59510”, “AMPUSER=”) in new stack
– Executing [[email protected]:5] Set(“SIP/networks-7871084-09a59510”, “AMPUSERCIDNAME=”) in new stack
– Executing [[email protected]:6] GotoIf(“SIP/networks-7871084-09a59510”, “1?report”) in new stack
– Goto (macro-user-callerid,s,11)
– Executing [[email protected]:11] GotoIf(“SIP/networks-7871084-09a59510”, “0?continue”) in new stack
– Executing [[email protected]:12] Set(“SIP/networks-7871084-09a59510”, “__TTL=64”) in new stack
– Executing [[email protected]:13] GotoIf(“SIP/networks-7871084-09a59510”, “1?continue”) in new stack
– Goto (macro-user-callerid,s,20)
– Executing [[email protected]:20] NoOp(“SIP/networks-7871084-09a59510”, “Using CallerID “+1XXXX” <+1XXXX>”) in new stack
– Executing [[email protected]:2] Set(“SIP/networks-7871084-09a59510”, “RingGroupMethod=none”) in new stack
– Executing [[email protected]:3] Set(“SIP/networks-7871084-09a59510”, “VMBOX=1030”) in new stack
– Executing [[email protected]:4] Set(“SIP/networks-7871084-09a59510”, “EXTTOCALL=1030”) in new stack
– Executing [[email protected]:5] Set(“SIP/networks-7871084-09a59510”, “CFUEXT=”) in new stack
– Executing [[email protected]:6] Set(“SIP/networks-7871084-09a59510”, “CFBEXT=”) in new stack
– Executing [[email protected]:7] Set(“SIP/networks-7871084-09a59510”, “RT=15”) in new stack
– Executing [[email protected]:8] Macro(“SIP/networks-7871084-09a59510”, “record-enable|1030|IN”) in new stack
– Executing [[email protected]:1] GotoIf(“SIP/networks-7871084-09a59510”, “1?check”) in new stack
– Goto (macro-record-enable,s,4)
– Executing [[email protected]:4] AGI(“SIP/networks-7871084-09a59510”, “recordingcheck|20090514-181538|1242339323.5”) in new stack
– Launched AGI Script /var/lib/asterisk/agi-bin/recordingcheck
recordingcheck|20090514-181538|1242339323.5: Inbound recording not enabled
– AGI Script recordingcheck completed, returning 0
– Executing [[email protected]:5] MacroExit(“SIP/networks-7871084-09a59510”, “”) in new stack
– Executing [[email protected]:9] Macro(“SIP/networks-7871084-09a59510”, “dial|15|tr|1030”) in new stack
– Executing [[email protected]:1] GotoIf(“SIP/networks-7871084-09a59510”, “1?dial”) in new stack
– Goto (macro-dial,s,3)
– Executing [[email protected]:3] AGI(“SIP/networks-7871084-09a59510”, “dialparties.agi”) in new stack
– Launched AGI Script /var/lib/asterisk/agi-bin/dialparties.agi
– AGI Script dialparties.agi completed, returning 0
– Executing [[email protected]:4] NoOp(“SIP/networks-7871084-09a59510”, "Returned from dialparties with no extensions to call and DIALSTATUS: ") in new stack

I’m kinda at a dead end here at the moment. Was hoping someone has a line on issues with dialparties.agi that aren’t already known (http://www.freepbx.org/forum/freepbx/users/logon-credentials-issu…), related to either changing the default password, or some bug in the current version of the code.

The next step is a fresh install, which I would dearly like to avoid, since I spent a lot of time getting this on the air (including replacing ethernet device driver for a dell vostro 220)…

ANY help, pointers, thoughts, ideas, magical incantations, etc would be very appreciated.

Thanks

-avi

Trixbox “forked” (spelling perhaps incorrect) FreePBX a while back and the version of FreePBX running on Trixbox is different from the one that is supported by this board.

The primary reason I started installing PBX in a Flash was Fonality’s updates. Every time I updated a box using their, then proper, update procedure, it screwed up the box and I ended up spending 1/2 a day getting it running again. It was after I had made that change that it was discovered that my Trixboxen were phoning home (to Fonality) without community knowledge.

I realize this doesn’t help resolve your problem, but the history may explain that support here will be tough to provide because your box is running a different FreePBX and the problem may be caused by the Yum Update rather than FreePBX.

Sounds like you or trixbox yum may have screwed with your manager credentials. They are defined in amportal.conf; if they are correct then the gui will work, otherwise the gui will have problems. You need to then make sure you ‘Apply Configuration Changes’ by doing something (like go to the General Settings tab, hit submit then hit the apply changes bar).

This gets the proper credentials from amportal.conf into extensions_additional.conf and does a reload such that now Asterisk has the proper information to set in the channel where the dialparties.agi picks up that info.
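The propagation described in the reply above can be checked directly. The following is an added example, not part of the original thread or of FreePBX: it compares the manager credentials in amportal.conf with the [globals] values in extensions_additional.conf and with the matching user in manager.conf. The file contents are constructed samples; the `key = value` layout of [globals], the manager.conf `secret` line and the file paths in the comment are assumptions.

```python
import re

# Constructed sample contents (not from the thread). On a real box these would
# be /etc/amportal.conf, /etc/asterisk/extensions_additional.conf and
# /etc/asterisk/manager.conf (the last file is an assumption, not named above).
AMPORTAL = "# FreePBX settings\nAMPMGRUSER=admin\nAMPMGRPASS=N3w-Secret\n"
EXT_ADDITIONAL = "[globals]\nAMPMGRUSER = admin\nAMPMGRPASS = old-default-secret\n"
MANAGER = "[general]\nenabled = yes\n\n[admin]\nsecret = N3w-Secret\n"


def parse_kv(text, section=None):
    """Return key/value pairs, optionally only those inside [section]."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or full-line comment
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            continue
        if "=" in line and (section is None or current == section):
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def check_manager_credentials(amportal, ext_additional, manager):
    """Name every place that disagrees with amportal.conf (never print secrets)."""
    want = parse_kv(amportal)
    user, secret = want.get("AMPMGRUSER"), want.get("AMPMGRPASS")
    if not user or not secret:
        return ["amportal.conf does not define AMPMGRUSER/AMPMGRPASS"]
    problems = []
    dialplan = parse_kv(ext_additional, "globals")
    for key in ("AMPMGRUSER", "AMPMGRPASS"):
        if dialplan.get(key) != want[key]:
            problems.append("extensions_additional.conf [globals] %s is stale" % key)
    if parse_kv(manager, user).get("secret") != secret:
        problems.append("manager.conf [%s] secret differs from AMPMGRPASS" % user)
    return problems


if __name__ == "__main__":
    for problem in check_manager_credentials(AMPORTAL, EXT_ADDITIONAL, MANAGER):
        print(problem)
```

An empty result means all three places agree; the report names only the stale key, so it can be pasted into a ticket without leaking the secret.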

Philippe;

Indeed extensions_additional.conf DOESN’T have the correct credential info for password.

Alas, while that is an interesting issue: 1. the FreePBX portal appears to work fine. 2. the above actions didn’t have any effect on changing the value to the proper one. 3. I hardcoded the credential values into dialparties.agi, and while that allowed dialparties.agi to execute “fully”, as mentioned, it was UNABLE to find the registered and available extension.

I understand that fonality forked the FreePBX source, and so all bets are off, but was hoping you had some insight as to what would cause dialparties to behave this way.

thanks

-avi

extensions_additional.conf gets those values set from amportal.conf. Once you “Apply Configuration Settings” it gets changed. (Or your extensions_additional.conf isn’t getting updated).

After changing a couple of “pbx” values, and saving them a couple of times, extensions_additional.conf wasn’t getting set.

However, after I changed a few more values a third time, and “applied”, THAT seemed to force the update. And dialparties.agi NOW seems to be working properly, so thanks for the suggestion.

My follow up questions, for contemplation are

  1. why wasn’t the hard coding of the credentials sufficient in dialparties.agi?
  2. why “improper” credentials would block the extension from being properly added to the extension map?
  3. why there isn’t a freepbx or command-line level app that changes ALL the myriad of passwords (which itself is not good) in one shot, rather than all the manual changes that must be made?

I suppose reading dialparties.agi code will answer the first two.

Thanks again

-avi

Hey Philippe;

The “PBX status” (astinfo function) is still not completing, and of course this also smells like a credentials issue. Any suggestions where to look on that?

All variables are defined in /etc/amportal.conf, changing the settings and then running the amportal restart script will cause the variables to be reread.

If you have modified any other credentials for mySQL or the Asterisk user this could cause the status issue you are describing.

Hi Scott;

Understand that the vars are in /etc/amportal.conf, and have made changes to them as per the “Changing Default Password” post found at (http://www.trixbox.org/forums/trixbox-forums/open-discussion/change-default-sql-password-freepbx-version-2-6), and of course have done “amportal restart” and mysql restarts numerous times.

I would concur that the status issue IS related to some credential change though I have gone through them all again several times to ensure they were done as indicated. It’s unfortunate that changing the “default” passwords requires so many manual steps including touching several SOURCE files (which is a fundamental code design flaw in my opinion), which makes the situation ripe for these problems.

Oddly enough, I have not seen anyone else run across this issue (or at least not post about it), so clearly this is something “unique” I did.

-avi

Over at the trix forum I have stated my opinion until I am blue in the face.

For the record I do not believe there is any reason to secure a phone system. No commercial phone vendor (Avaya, Cisco, Nortel et al.) has any type of security. In fact if you exposed them to the Internet I am sure you would void your service contract.

Just because Asterisk is open why should best practices be tossed out the window?

If you want to have remote endpoints or receive calls at your SIP URI then simply run fail2ban. It will stop extensions hijacking (especially in conjunction with good passwords). PBXiaf and trix both have preconfigured fail2ban installers that won’t mess you up.

If you want to allow different users access to FreePBX simply change the authtype to database in amportal and you can set the permission structure for users.

If you want to allow access for ARI to outside users that’s what Squid is for, you can proxy off that service.

Even if you don’t trust your internal users and do not have an internal server DMZ VLAN the MySQL is not an issue since it will only respond to localhost (at least PBXiaf and trixbox set it up this way).

All this work to secure the box is a waste of time since it should not be on the Internet anyway.

Scott;

I have read and enjoyed many of your posts over at TB forum, though have not run across this opinion before, so I apologize for you having to repeat it here.

I would concur that the less “exposed” ANY system is to “logical” connectivity from the net, the more secure it is, and thus better for all. However, part of the benefit of the internet is being able to support a distributed working environment though, and remote extensions and ARI access is indeed required as is my need to connect to do “remote” (off-LAN) administration through FreePBX. I hadn’t thought about using a proxy server for ARI, but if you are implying that there is a known-to-work Squid-based setup to do this, I’d be up for that.

I personally didn’t think that the default passwords were “an issue” per se, since all the passwords I DO set (extension passwords, interface login etc) are non-trivial passwords, but since I’m not fully knowledgeable as to exactly WHAT is compromised by keeping the defaults, and the FreePBX interface kept “warning” me about them, as did some blog postings, I thought it would be good to change them, given that the machine is available via port 80, 22, and 21. If I knew the problems it would have caused, I would not have done so.

That said, things seem to be working except the “PBX status” (astinfo) under FreePBX, which means there is still some lingering credential issue. If you happen to be aware of what it might be, I would be most grateful.

Again apologies for missing the other posts.

-avi

This is not required at all. You should not expose port 80 to the Internet with trixbox or FreePBX. trixbox includes a setup script for the Hamachi VPN or you can use the VPN services of your firewall; that is what they are for.

With fail2ban and strong secrets there is no problem exposing SIP and RTP to the Internet.

These should not be open on any system. Again, VPN.

Squid is a proxy; you point the inbound to the site you want to duplicate and it works. You could even run Squid on a Windows machine.

You could also run it on the local machine and have the proxy listen on another port.