No Outbound Calls with TLS

I am currently using a single Flowroute pjsip trunk on UDP transport. I want to convert to TLS for SIP signaling. I have the inbound from Flowroute on TLS functioning properly. All internal endpoints are also on TLS. When I change the trunk transport from “” to “”, all outbound calls immediately fail.

I am using the official Distro with Asterisk 16. System and modules are up to date. Certificates are not self-signed and are installed.

I assume the most relevant part of the Asterisk log is:

Could not create dialog to invalid URI 'flowroute'. Is endpoint registered and reachable?
[2018-12-17 14:10:21] ERROR[7035] chan_pjsip.c: Failed to create outgoing session to endpoint 'flowroute'
[2018-12-17 14:10:21] WARNING[7461][C-00000001] app_dial.c: Unable to create channel of type 'PJSIP' (cause 3 - No route to destination)

Is there a way to gain more detail on why the endpoint works on UDP but fails on TLS?

Show the trunk settings. That error is saying the URI is invalid.

Here are screen grabs

(Dial prefix redacted for security)

Thank you.

Yeah, you just can’t switch your transport to TLS, you need to switch the destination port as well.

Flowroute TLS doesn’t listen on 5060, it’s on 5061. Update your Server Port and switch to TLS.

Thank you. I have read Flowroute’s TLS requirements and FreePBX’s. Our firewall rules are all updated to accommodate both 5060 for UDP and 5061 for SIP signaling. I presume you mean change the SIP Server Port on the pjsip General Settings tab? I have done that every time I change to TLS. I apply changes, reboot the entire PBX, and physically rebooted all endpoints (cycle power to the PoE switch). The Inbound routes have been changed on Flowroute’s management portal. Inbounding works fine.

The destination port for your flowroute trunk

When I change the trunk to TLS I also change the port to 5061. I cleared all states on our pfSense firewall and can confirm that the outbound TCP connection to Flowroute is on port 5061 but is in a “FIN_WAIT_2” state. If I change my pjsip trunk back to port 5060 and UDP, outbound calls complete. The firewall shows a UDP connection from local port 5060 to remote port 5060.

When attempting to use TLS as a transport, TCP packets are sent from local port 5061 to remote port at Flowroute on 5061.

You may need to reach flowroute support if your trunk is correctly configured as instructed by them.

Thank you. I have been in communication with them as well. Trying to work from both ends to see what resolution can be found.

You have it setup for TLS/TCP on 5061 as well, just not UDP?

Yes. It is for TCP/UDP for Ports 5060-5061. I monitored states and can see traffic be transmitted properly in both scenarios, but as noted by @arielgrin, I likely need to inquire with Flowroute as to why they are rejecting the connection.

What type of router are you using?

pfSense 2.4.4_1 running on ESXi 6.7.0 Update 1 (FreePBX is a guest on the same VMware install)

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.