No audio on sip calls over VPN

Hello,
I have a FreePBX (Asterisk) system as my PBX. It is connected to my Mikrotik.
PBX: 10.0.0.210
Mikrotik: 10.0.0.1/24

I have two Mikrotiks; I have set up an L2TP VPN server and a VPN client.
Server Mikrotik VPN Adr local: 10.100.0.1
Client mikrotik VPN Remote Address: 10.100.0.2

Inside my internal LAN, 10.0.0.0/24, everything is working fine as far as VoIP telephony is concerned.
When I am connected through the VPN, I can register my SIP phone and I can call every number I want (internal or external). The callee's phone rings normally. But I cannot hear anything, and he cannot hear anything. There is no audio even in our internal calls.

I think I am missing something … Are the RTP packets not passing through? Do I need a NAT rule? I tried adding a firewall rule on the input chain accepting TCP 5060, 5061 and the UDP ports of my RTP range, but no success …

VPN IP range defined as a local network in Asterisk SIP Settings? You may have to restart asterisk for changes to this setting to take effect.


You may need to disable direct media (obsoletely called canreinvite in many chan_sip configurations). However, FreePBX tends to set up calls in a way that is incompatible with directmedia, so I’d expect it already to be disabled for most calls, in which case you need to use rtp set debug on to see where the RTP is getting lost.

I added the VPN IP to the Asterisk SIP Settings as you recommended, but it doesn’t work; no audio.

This is sip set debug on:

<--- SIP read from UDP:10.0.0.53:5060 --->
NOTIFY sip:10.0.0.210 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.53:5060;branch=z9hG4bK-62dc67c
From: “cobro II” sip:[email protected];tag=944584f276932f22o0
To: sip:10.0.0.210
Call-ID: [email protected]
CSeq: 10342 NOTIFY
Max-Forwards: 70
Contact: “cobro II” sip:[email protected]:5060
Event: keep-alive
User-Agent: Cisco/SPA508G-7.5.2c
Content-Length: 0

<------------->
--- (11 headers 0 lines) ---

<--- Transmitting (NAT) to 10.0.0.53:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.0.0.53:5060;branch=z9hG4bK-62dc67c;received=10.0.0.53;rport=5060
From: “cobro II” sip:[email protected];tag=944584f276932f22o0
To: sip:10.0.0.210;tag=as4af9db1f
Call-ID: [email protected]
CSeq: 10342 NOTIFY
Server: FPBX-15.0.17.55(16.11.1)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0

<------------>

A NOTIFY is not useful for debugging RTP handling! You need a complete INVITE transaction. (However the NAT tag is slightly concerning, and might mean you have failed to declare the network as local.)

Also, as you said you are new to FreePBX, you should be using chan_pjsip, not chan_sip. chan_sip should be reserved for legacy systems, where upgrades would be too disruptive, or some special cases, in which case you should know you have one of them.

I hadn’t considered that you might have wrongly configured the Mikrotiks as being subject to NAT when I made my first answer. Whilst it is more common to have problems as the result of failing to compensate for NAT, you could also get no RTP as the result of compensating for it when that is not necessary. Local networks excludes networks from NAT compensation.


Added the VPN IP address.
The Mikrotiks are well configured, because I can see all my networks through the VPN without any problem, as I do a complete RTP debug.

SIP ALG disabled on the Mikrotik?

https://www.maxo.com.au/support/troubleshooting-articles/sip-alg/disabling-sip-alg--mikrotik-routers

SIP ALG is enabled, thanks.

Try disabling???

Yes, but not found, help?

I’m confused. You previously said that the SIP ALG feature is enabled in your router’s config. But now you say that this feature isn’t found? Wherever you went in and verified that it’s enabled is where you need to go in and try disabling the feature… See if this helps with the RTP traffic apparently failing.

Sorry, in my previous answer I said that it is activated; then you wrote that I must turn off SIP ALG, so I deactivated it, and I still do not have audio on the extensions.

Ahh I see now. What does the RTP debug output look like when you make test calls?

<--- SIP read from UDP:10.0.0.53:5060 --->
SIP/2.0 200 OK
To: sip:[email protected]:5060;tag=8612e76848729680i0
From: “FACTURACION SJ” sip:[email protected];tag=as0448b0c2
Call-ID: [email protected]:5060
CSeq: 103 BYE
Via: SIP/2.0/UDP 10.0.0.210:5060;branch=z9hG4bK095035ea
Server: Cisco/SPA508G-7.5.2c
Content-Length: 0

<------------->
--- (8 headers 0 lines) ---
Really destroying SIP dialog ‘[email protected]:5060’ Method: INVITE
Reliably Transmitting (NAT) to 10.0.10.141:5060:
OPTIONS sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 181.36.230.168:5060;branch=z9hG4bK16eb05d0;rport
Max-Forwards: 70
From: “Unknown” sip:[email protected];tag=as1c64a8bc
To: sip:[email protected]:5060
Contact: sip:[email protected]:5060
Call-ID: [email protected]:5060
CSeq: 102 OPTIONS
User-Agent: FPBX-15.0.17.55(16.11.1)
Date: Wed, 06 Oct 2021 13:05:15 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0


[2021-10-06 13:05:15] SECURITY[2774]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=“SuccessfulAuth”,EventTV=“2021-10-06T13:05:15.380+0000”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f312400fda0”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/53882”,UsingPassword=“0”,SessionTV=“2021-10-06T13:05:15.380+0000”
-- <SIP/2002-000005a9>AGI Script agi://127.0.0.1/attendedtransfer-rec-restart.php completed, returning 0
-- Executing [s@macro-hangupcall:7] Hangup("SIP/2002-000005a9", "") in new stack
== Spawn extension (macro-hangupcall, s, 7) exited non-zero on 'SIP/2002-000005a9' in macro 'hangupcall'
== Spawn extension (ext-local, h, 1) exited non-zero on 'SIP/2002-000005a9'
Scheduling destruction of SIP dialog ‘[email protected]’ in 6400 ms (Method: INVITE)
Reliably Transmitting (NAT) to 10.0.10.239:5060:
BYE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 181.36.230.168:5060;branch=z9hG4bK7e61a574;rport
Max-Forwards: 70
From: sip:[email protected];tag=as6ab96486
To: “CAJA MSJ” sip:[email protected];tag=bf09c4febd13853bo1
Call-ID: [email protected]
CSeq: 102 BYE
User-Agent: FPBX-15.0.17.55(16.11.1)
Proxy-Authorization: Digest username=“2002”, realm=“asterisk”, algorithm=MD5, uri=“sip:10.0.0.210”, nonce=“145e6323”, response=“92273c99df0ccabfd1bc39cfbc4c188a”
X-Asterisk-HangupCause: No user responding
X-Asterisk-HangupCauseCode: 18
Content-Length: 0


== MixMonitor close filestream (mixed)
== End MixMonitor Recording SIP/2002-000005a9

<--- SIP read from UDP:10.0.10.141:5060 --->
SIP/2.0 200 OK
To: sip:[email protected]:5060;tag=c8780e12c9cd382ci0
From: “Unknown” sip:[email protected];tag=as1c64a8bc
Call-ID: [email protected]:5060
CSeq: 102 OPTIONS
Via: SIP/2.0/UDP 181.36.230.168:5060;branch=z9hG4bK16eb05d0
Server: Cisco/SPA504G-7.5.2b
Content-Length: 0
Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER, UPDATE
Supported: replaces

<------------->
--- (10 headers 0 lines) ---
Really destroying SIP dialog ‘[email protected]:5060’ Method: OPTIONS

<--- SIP read from UDP:10.0.10.239:5060 --->
SIP/2.0 481 Call Leg/Transaction Does Not Exist
To: “CAJA MSJ” sip:[email protected];tag=bf09c4febd13853bo1
From: sip:[email protected];tag=as6ab96486
Call-ID: [email protected]
CSeq: 102 BYE
Via: SIP/2.0/UDP 181.36.230.168:5060;branch=z9hG4bK7e61a574
Server: Cisco/SPA504G-7.5.2
Content-Length: 0

<------------->
--- (8 headers 0 lines) ---
Really destroying SIP dialog ‘[email protected]’ Method: INVITE

<--- SIP read from UDP:10.0.0.53:5060 --->
NOTIFY sip:10.0.0.210 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.53:5060;branch=z9hG4bK-947a622c
From: “cobro II” sip:[email protected];tag=2bce0b2182b54750o0
To: sip:10.0.0.210
Call-ID: [email protected]
CSeq: 233 NOTIFY
Max-Forwards: 70
Contact: “cobro II” sip:[email protected]:5060
Event: keep-alive
User-Agent: Cisco/SPA508G-7.5.2c
Content-Length: 0

<------------->
--- (11 headers 0 lines) ---

Got RTP packet from 10.0.0.53:16488 (type 00, seq 002645, ts 239919672, len 000160)
Got RTP packet from 10.0.0.53:16488 (type 00, seq 002646, ts 239919832, len 000160)
Got RTP packet from 10.0.0.53:16488 (type 00, seq 002647, ts 239919992, len 000160)
Got RTP packet from 10.0.0.53:16488 (type 00, seq 002648, ts 239920152, len 000160)
Got RTP packet from 10.0.0.53:16488 (type 00, seq 002649, ts 239920312, len 000160)
Got RTP packet from 10.0.0.53:16488 (type 00, seq 002650, ts 239920472, len 000160)
[2021-10-06 13:05:15] WARNING[2754]: chan_sip.c:4142 retrans_pkt: Retransmission timeout reached on transmission [email protected] for seqno 102 (Critical Response) – See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 6400ms with no response
[2021-10-06 13:05:15] WARNING[2754]: chan_sip.c:4166 retrans_pkt: Hanging up call [email protected] - no reply to our critical packet (see https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions).
-- Channel SIP/2002-000005a9 left 'simple_bridge' basic-bridge <10d5af5e-d4c8-4783-bc0d-2bb227b84802>
== Spawn extension (macro-dial-one, s, 56) exited non-zero on 'SIP/2002-000005a9' in macro 'dial-one'
== Spawn extension (macro-exten-vm, s, 30) exited non-zero on 'SIP/2002-000005a9' in macro 'exten-vm'
== Spawn extension (ext-local, 1004, 3) exited non-zero on 'SIP/2002-000005a9'
-- Executing [h@ext-local:1] Macro("SIP/2002-000005a9", "hangupcall,") in new stack
-- Executing [s@macro-hangupcall:1] GotoIf("SIP/2002-000005a9", "1?theend") in new stack
-- Goto (macro-hangupcall,s,3)
-- Channel SIP/1004-000005aa left 'simple_bridge' basic-bridge <10d5af5e-d4c8-4783-bc0d-2bb227b84802>
Scheduling destruction of SIP dialog ‘[email protected]:5060’ in 6400 ms (Method: INVITE)
Reliably Transmitting (NAT) to 10.0.0.53:5060:
BYE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.210:5060;branch=z9hG4bK095035ea;rport
Max-Forwards: 70
From: “FACTURACION SJ” sip:[email protected];tag=as0448b0c2
To: sip:[email protected]:5060;tag=8612e76848729680i0
Call-ID: [email protected]:5060
CSeq: 103 BYE
User-Agent: FPBX-15.0.17.55(16.11.1)
X-Asterisk-HangupCause: No user responding
X-Asterisk-HangupCauseCode: 18
Content-Length: 0

So where is this 10.0.10.0 network coming from? If your LAN is 10.0.0.0 and your VPN is 10.100.0.0, I’m confused about this. Have the various 10.x.x.x networks been whitelisted in iptables?

This network, 10.0.10.0/24, is the network of the other workplace; the VPN IP 10.0.100.0 is a bridged route with it, via the two Mikrotiks.

I think the point trying to be made here is that 10.0.10.0/24 is not one of your local networks so the PBX doesn’t treat it as a local device. Try adding the subnet to your localnets.

Also, stop using Chan_SIP.


This resolved it, thanks all.
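
As an added example (not code from any poster in this thread), a small Python check for the symptom visible in the debug output above: Asterisk putting a public address in the Via header of a request sent to a peer on a private subnet that is not among the configured local networks. The log sample is constructed in the shape of the quoted chan_sip lines, and the function name `audit` and the localnets values passed to it are illustrative assumptions.

```python
import ipaddress
import re

# Constructed sample, shaped like the "sip set debug on" output quoted in the thread.
SAMPLE_LOG = """\
Reliably Transmitting (NAT) to 10.0.10.141:5060:
OPTIONS sip:1004@10.0.10.141:5060 SIP/2.0
Via: SIP/2.0/UDP 181.36.230.168:5060;branch=z9hG4bK16eb05d0;rport

Reliably Transmitting (NAT) to 10.0.0.53:5060:
BYE sip:1004@10.0.0.53:5060 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.210:5060;branch=z9hG4bK095035ea;rport
"""

TX = re.compile(r"Transmitting \((?:no )?NAT\) to (\d+\.\d+\.\d+\.\d+):\d+")
VIA = re.compile(r"Via: SIP/2\.0/UDP (\d+\.\d+\.\d+\.\d+)")


def audit(log, localnets):
    """Return (peer, via) pairs where a private-range peer outside every
    configured local network was sent a non-private Via address."""
    nets = [ipaddress.ip_network(n) for n in localnets]
    findings = []
    dest = None
    for line in log.splitlines():
        m = TX.search(line)
        if m:
            dest = ipaddress.ip_address(m.group(1))  # start of an outgoing message
            continue
        m = VIA.match(line)
        if m and dest is not None:
            via = ipaddress.ip_address(m.group(1))
            covered = any(dest in n for n in nets)
            # Private peer, not declared local, and the PBX advertised a
            # public address: NAT compensation applied where none is needed.
            if dest.is_private and not covered and not via.is_private:
                findings.append((str(dest), str(via)))
            dest = None  # only the first Via after each transmit line counts
    return findings


if __name__ == "__main__":
    for peer, via in audit(SAMPLE_LOG, ["10.0.0.0/24", "10.100.0.0/24"]):
        print(f"{peer} is outside the local networks; PBX advertised {via}")
```

A finding means the peer's subnet is a candidate for the local networks list; capture a fresh debug trace after changing the setting to confirm the Via now carries the PBX's internal address.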