Number not in service after converting & updated PinF to FreePBX 6.12.65-32

OK I had an old PiaF distro, I did this conversion to get to the official FreePBX distro:
http://wiki.freepbx.org/display/PPS/Converting+PBXiaF+Distro+to+a+FreePBX+Distro
Script ran fine with no errors, I did test call and it worked.

I then ran all these scripts to go from 5.1 to 5.21:
http://wiki.freepbx.org/display/PPS/FreePBX-Distro-5.211.65
Scripts ran fine with no errors, I did test call and it worked.

I then ran all these scripts to go from 6.20 to 6.32:
http://wiki.freepbx.org/display/PPS/FreePBX-Distro-6.12.65
Scripts ran fine with no errors, I did test call and it says the number I’ve dialed isn’t in service.

Any ideas what would break it when going from 5 to 6?
Someone else setup the system so I don’t know much about the trunks.
I guess they’re going through Kazoo with some middleman in between.
None of the trunk info changed, it all got migrated, so why did my main in-bound number break?

OK I think I figured it out.
In the CLI I noticed this warning: "from-sip-external: "Rejecting unknown SIP connection from x.x.x.x"
I then turned on “Allow Anonymous Inbound SIP Calls” to get the existing trunks to work again. Is this a security risk?
Is there anywhere I can specify this IP address as where the calls should be coming from & then turn this setting back off?

A HUGE Security risk, especially if you aren’t using host-based authentication.

host=x.x.x.x

I have this in my trunk’s peer details:
host=xxxxx.s.zswitch.net
username=xxxxxxxx
secret=xxxxxxx
type=peer&friend
nat=force-rport
srvlookup=yes&yes
context=from-trunk
insecure=very
sendrpid=yes
trustrpid=yes

From what I understand it’s coming from Bandwidth: https://www.bandwidth.com
Is that still a HUGE security risk?
How do I get it to work with “Allow Anonymous Inbound SIP Calls” turned off?

First, you went through the effort to upgrade from an old system, but you stopped short of the current supported version. You should be running Distro firmware 10.13.66, or have a good reason why you can’t.

In and of itself, this need not be a security risk. You have configured your system to direct all inbound SIP requests to a specific context, so as long as you limit access to Asterisk SIP services to trusted hosts, there is no issue. Since you are running 12, you don’t have the benefit of the FreePBX Firewall, which means securing your system is harder than it could be if running 13.

I don’t have a good understanding of this parameter, but I believe ‘very’ is deprecated. Try setting:

insecure=port,invite

Then disable ‘allow anonymous’ and retest.

Thanks very much for the reply.
Actually, I did finish the update path. I’m now on: 10.13.66-17.
I think I forgot to mention that part as I noticed the trunk stopped working after version 6.
I now have FreePBX 13.0.190.11 running with the firewall on.
I’ll try changing the “insecure” parameter tonight after hours.
Thanks very much for the help.
I currently have Asterisk Version: 11.25.1 running.
What are the advantages/disadvantages of using the “asterisk-version-switch” command?
Should I switch to version 12 or 13?

There are no advantages or disadvantages, if you want to change major asterisk versions, run the script. It’s up to you what version to run:

  • 11 is in security fixes only, very mature and stable.
  • 12 is deprecated and not supported with the script.
  • 13 is the current supported version.

OK, I set “insecure=port,invite” & I could still call into the PBX, but when I turn ‘allow anonymous’ off, I still got “The number I’ve dialed is no longer in service”.
Just an FYI, I signed up for a free trial of SIPStation & it had “insecure=very” in the PEER details.

Another security issue I think I have is, my eth1 public IP address interface has to be set to “trusted”. If I change it to “External”, I don’t get anything at all when I call the PBX, just dead air.

Bump.
What happened? I was getting great support yesterday, then it all stopped.
I’m getting a tune of these in my CLI:

[2017-01-24 13:42:36] WARNING[8731][C-0000079c]: Ext. s:3 @ from-trunk: Friendly Scanner from 198.24.165.26
[2017-01-24 13:43:07] WARNING[31760]: chan_sip.c:4038 retrans_pkt: Retransmission timeout reached on transmission b04367a0700a872b75c8a8d8b318f9bb for seqno 1 (Critical Response) – See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions

If I turn off ‘Allow Anonymous Inbound SIP Calls’ I get “The number I’ve dialed is no longer in service”.
If I change my eth1 public facing interface to “External”, no calls are connected, nothing from the PBX…

Any help would be greatly appreciated.

If these two things are related, it probably means your trunk is misconfigured. Inbound calls from your provider are coming from an unrecognized host. The call appears to come from 198.24.165.26, does that IP correspond to any of the host settings for your trunk?

No that IP isn’t realted to our trunk.
I actully just banned it with iptables.
The trunk settings didn’t change when we upgrated from the old system to the latest.
Only when we swtiched from the old iptables to the new firewall system did these issues start.

I think it unlikely that the Firewall module is somehow causing your inbound calls to arrive as anonymous (but am prepared to be proven wrong), if you disable the Firewall does it solve anything? I am out of ideas, Asterisk thinks the calls are anonymous, and as far as I know, that is always trunk configuration.

OK, I guess these are 2 different issues.
When I disabled the firewall & turned off “Allow Anonymous Inbound SIP Calls” I still get "Number, not in service"
I guess I was just mentioning the firewall, because of all the “Friendly Scanner” messages I was getting.

I can’t help any further. At the asterisk CLI, if you run sip show peers you will see the IP addresses associated with your trunk peers. If an inbound SIP invite comes from a host other than that IP, then you will see what you are describing. My experience tells me this is trunk misconfig, but am heartily prepared to be wrong.

Friendly scanner has nothing to do with Firewall.

OK I think you might be right.
I setup a SIPStation acct/trunk.
I turned off “Allow Anonymous Inbound SIP Calls” & I put my public facing interface as “External”.
I called the PBX & everything worked fine.
Any way to compare the SIPStation vs. my existing trunk to figure out the diff.
Or is it an upstream issue?

SIPStation PEER:

disallow=all
allow=ulaw
context=from-pstn
type=peer
insecure=very
qualify=yes
sendrpid=yes
trustrpid=yes
dtmfmode=rfc2833
outofcall_message_context=sms-incoming
username=xxxxx
secret=xxxxx
host=trunk1.freepbx.com


Old PEER:
host=xxxxx.s.zswitch.net
username=xxxxx
secret=xxxxxxxxx
type=peer&friend
nat=force-rport
srvlookup=yes&yes
context=from-trunk
insecure=port,invite
sendrpid=yes
trustrpid=yes

I can see a few issues, the values for nat, type and srvlookup are not valid.

Your provider is not sending you the call from the same IP. Is your other PBX setup with all annoyounius calling.

I think they are aways sending the calls from the same IP.
If I turn off allow anonymous I get:

“Rejecting unknown SIP connection from 67.231.5.176”

This is Bandwidth’s IP, which is our provider.

Both these trunks are on the same PBX.

WOW, I think I got it fixed.
The old PEER had:

host=xxxxx.s.zswitch.net

I did a nslookup & it went to 166.78.105.67, a Rackspace IP.
but all the calls were coming from 67.231.5.176, Bandwidth.
So I changed to:

host=67.231.5.176

And turned off allow anonymous & everything works now… :wink:

1 Like