No Outbound Calls with TLS

I am currently using a single Flowroute pjsip trunk on UDP transport. I want to convert to TLS for SIP signaling. I have the inbound from Flowroute on TLS functioning properly. All internal endpoints are also on TLS. When I change the trunk transport from “0.0.0.0-udp” to “0.0.0.0-tls”, all outbound calls immediately fail.

I am using the official Distro with Asterisk 16. System and modules are up to date. Certificates are not self-signed and are installed.

I assume the most relevant part of the Asterisk log is:

Could not create dialog to invalid URI 'flowroute'. Is endpoint registered and reachable?
[2018-12-17 14:10:21] ERROR[7035] chan_pjsip.c: Failed to create outgoing session to endpoint 'flowroute'
[2018-12-17 14:10:21] WARNING[7461][C-00000001] app_dial.c: Unable to create channel of type 'PJSIP' (cause 3 - No route to destination)

Is there a way to gain more detail on why the endpoint works on UDP but fails on TLS?

Show the trunk settings. That error is saying the URI is invalid.

Here are screen grabs



(Dial prefix redacted for security)

Thank you.

Yeah, you just can’t switch your transport to TLS, you need to switch the destination port as well.

Flowroute TLS doesn’t listen on 5060, it’s on 5061. Update your Server Port and switch to TLS.

Thank you. I have read Flowroute’s TLS requirements and FreePBX’s. Our firewall rules are all updated to accommodate both 5060 for UDP and 5061 for SIP signaling. I presume you mean change the SIP Server Port on the pjsip General Settings tab? I have done that every time I change to TLS. I apply changes, reboot the entire PBX, and physically reboot all endpoints (cycle power to the PoE switch). The Inbound routes have been changed on Flowroute’s management portal. Inbounding works fine.

The destination port for your Flowroute trunk.

When I change the trunk to TLS I also change the port to 5061. I cleared all states on our pfSense firewall and can confirm that the outbound TCP connection to Flowroute is on port 5061 but is in a “FIN_WAIT_2” state. If I change my pjsip trunk back to port 5060 and UDP, outbound calls complete. The firewall shows a UDP connection from local port 5060 to remote port 5060.

When attempting to use TLS as a transport, TCP packets are sent from local port 5061 to remote port at Flowroute on 5061.

You may need to reach Flowroute support if your trunk is correctly configured as instructed by them.

Thank you. I have been in communication with them as well. Trying to work from both ends to see what resolution can be found.

You have it set up for TLS/TCP on 5061 as well, just not UDP?

Yes. It is for TCP/UDP for Ports 5060-5061. I monitored states and can see traffic being transmitted properly in both scenarios, but as noted by @arielgrin, I likely need to inquire with Flowroute as to why they are rejecting the connection.

What type of router are you using?

pfSense 2.4.4_1 running on ESXi 6.7.0 Update 1 (FreePBX is a guest on the same VMware install)
