One-way Audio over Site-to-Site VPN at Remote Sites

I’m in the process of upgrading/consolidating 4 Asterisk PBXs running 1.8.28-cert2 at 4 separate sites into 1 FreePBX running 14.0.3.6 at a 5th Main Site. The 4 sites are connected to the Main Site over VPN connections.

FreePBX has been configured and SIP phones from each site are able to register to FreePBX over the VPN connections. My Main Site currently does not have access to the Public Switched Telephone Network so I have an IAX2 trunk between my Main Site and Site 1 which currently has the service (eventually, the Enterprise Session Border Controller will point directly to the FreePBX system). I have phones registered at the Main Site that can call one another and they are able to make calls to and receive calls from the PSTN via the IAX2 trunk to Site 1/ESBC. I also have phones registered back to FreePBX at the Main Site from each of the Remote Sites. However, I only have one-way audio (Remote Sites can hear Main Site but Main Site cannot hear Remote Sites) or no-way audio (Remote Sites cannot hear in either direction when they call one another). Remote Sites are able to make calls to and receive calls from the PSTN via the IAX2 trunk to Site 1/ESBC but have one-way audio only (Remote Sites can hear PSTN but PSTN cannot hear Remote Sites). I’m using the chan_pjsip driver because none of my Grandstream phones will register with the chan_sip driver.

The firewalls at each site are currently set with the default values to allow all traffic.

Digging around in my router configurations, I went back to the VPN setup for each peer. The Remote Sites each have the appropriate encryption, authentication, RemoteID/Pre-shared Key, Remote IP Address, and WAN Connectivity Priority settings to establish the peer connections to the Main Site and update routing information. I’m able to log into the phones at the Remote Sites from the Main Site and update the configurations of each phone but still don’t have two-way audio all around.

The router’s VPN has a NAT Mode option, so I decided to see what it would do. I changed the Main Site VPN configuration for each peer to use NAT Mode. Voila! I now have two-way audio between the Main Site and each of my Remote Sites because all of the traffic from the Remote Sites goes through NAT and uses the DHCP address provided by the Main Site. But wait, now I can’t log into any of the phones at the Remote Sites to configure them because all of the traffic is going through NAT and the Remote Site IP addresses are no longer accessible from the Main Site which in turn makes placing calls to or receiving calls from the PSTN impossible. So that solved one problem only to create others. Time to turn NAT Mode on the VPNs back off.

When I place a call from the Main Site to a Remote Site, I can see the Inbound and Outbound SIP traffic (ports 5060 and the RTP ports) in the router’s Active Sessions display traversing the VPN interface. However, when I place a call from a Remote Site to the Main Site or another Remote Site, I see the Outbound SIP traffic (port 5060) go out over the Remote Site’s WAN connection and not the VPN and there is no RTP port traffic displayed (hence the one-way audio).

I’m almost certain this is a FreePBX firewall or NAT configuration problem that I have but don’t know where to look to solve it. This is my first time using the FreePBX GUI so finding where some settings are located is a bit different from the console/text editor way I’ve been doing things for the past few years. I don’t believe it to be a router or VPN issue because I’ve been able to take a phone at my Main Site, register it to Asterisk 1.8.28-cert2 at a Remote Site over the VPN, and make calls with two-way audio to everywhere except the phones at the Remote Sites that are registered to FreePBX at my Main Site.

I can’t do too much at the Remote Sites because they are active networks that are used M-F and are each over 100 miles away but I’ve been able to create a Test Site in my lab at the Main Site with its own public IP and VPN connection to my Main Site to simulate all of the other Remote Sites. The results are the same one-way audio issues.

Thoughts???

Could really use some help with this if there is anyone out there with some ideas as to what the problem may be.

One way audio is usually NAT config. If your PBX has a Private LAN IP, then you want to set Settings, Asterisk SIP settings with NAT=yes, the external IP specified correctly, and then enter ALL the local subnets that are not natted.

The “standard” answer on all one-way audio questions is that there’s a NAT problem, but since you are using a VPN, there shouldn’t be any NAT going on.

Having said that, though, there is probably a misconfiguration somewhere that is causing the “return” address for your RTP traffic to get mis-routed.

Double check that the Integrated Firewall has all of the addresses associated with your VPN set up correctly and make sure that all of the phones are set up to properly route your traffic back to the phones through a network route that is actually reachable.

In addition to all of the SIP DEBUG steps that you need to look at, you might try “traceroute” to the phones from the PBX console. You might find a routing error in one of your networks that’s keeping the return traffic from getting back to the phone.

Yes, my PBX has a private LAN IP- 10.0.250.60.

Settings-> Asterisk SIP Settings-> General SIP Settings


I know my network diagram shows additional networks but right now I’m just focused on getting it to work with my test network. Once I’ve found the issue, I can apply the changes accordingly for the other networks.

Settings-> Advanced Settings-> Device Settings

Since these sites are connected over a VPN, NAT should not be an issue. Calls from the Remote Sites are routing to the Main Site public IP address over the WAN connection and not the private IP address of my PBX over the VPN between the sites as I want them to. None of my phones will ever access the PBX from the public Internet so all traffic should be coming from/going out over the VPN connections (except for the traffic that needs to go to my trunk provider, obviously).

It is my understanding the RTP only occurs once the call is established and based on my configuration should be on ports 10000-20000. When I initiate a call from my Remote Sites, traffic shows as port 5060 going out over my WAN connection to the public IP address of my Main Site router but it should be going to the private address of my PBX. I’ve set my phones up to download a screensaver from an http server on the same private network as my PBX over the VPN and the downloads occur without any issues- currently configured to update every 5 minutes.

My Main Site and Test Site public address are on the same public subnet but I don’t think that should be an issue.

Connectivity-> Firewall-> Networks

Traceroute shows path to Remote Site phone is over the VPN

The SIP port (5060 in your case) is the “signaling” port. One of the things that it signals is the port for RTP to use to communicate with your PBX.

The fact that this traffic to your remote phones is trying to go through the firewall out to the Internet is an excellent indication that you have a routing problem (perhaps an open-jawed route) within your network configuration.

I’m at a loss then. What is telling the phone at the Remote Site to send the SIP port traffic over the WAN interface to the public IP of the Main Site while all other traffic for the phones is traveling over the VPN (http, https, ftp, etc.)?

Call initiated by Main Site- No Receive audio at Main Site------- Receive Audio at Remote Site Works

Call initiated by Remote Site- No Receive audio at Main Site-------Receive Audio at Remote Site Works

Remote Site Phone Configuration

Nothing in the phone at the Remote Site says anything about the public IP address of the Main Site router.

The Remote Site router was factory reset for this test and the only configuration it has is the LAN and VPN settings.

The only common denominator between all of the sites is the VPN to the Main Site and FreePBX. Since I can reverse the setup and have phones at my Main Site register to an Asterisk PBX at a Remote Site and make calls without any issues, I’m inclined to believe it is not a router configuration, VPN, or phone configuration issue but is instead a FreePBX configuration problem. Something in my configuration is telling the phones to send port 5060 traffic to the public IP address of my Main Site network.

Ok, so after screwing around with this issue for over a week, I shut the server down to take a look at the RAM so I can order more for it and the other Dell R230 I have. When I powered it back up, I placed a test call and everything works as intended. A simple reboot in conjunction with probably just one of the many configuration changes I’ve made in FreePBX, my routers, and phones did the trick. Now to go back through everything and see what changes were necessary and which ones were not.

So, I went back through the configuration of FreePBX and started reverting settings back to what they were originally before all of my troubleshooting attempts and it turns out my issue indeed was with Settings->Asterisk SIP Settings->NAT Settings->Local Networks. I had my local network entered along with my Test network but the settings didn’t take place and allow two-way audio for remote phones until after I rebooted the server. I confirmed this by removing my Test network from the NAT Settings->Local Networks configuration, rebooting the server, re-entering the settings and placing another test call which resulted in one-way audio. It wasn’t until I rebooted the server once again that two-way audio worked. I further confirmed this by adding all of my other networks to the NAT Settings->Local Networks settings and one-way audio persisted until I rebooted my server once again.

This can’t be normal or intended. I find it hard to believe that each time a network is added there needs to be a reboot for the networks to be properly recognized by the software. Seems to me like a bug.
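The Local Networks dependency described in the posts above can be checked offline. The following is an added example, not code from any poster or from FreePBX: it parses a constructed pjsip transport section and lists which phones would be offered the external address instead of the PBX's LAN address. The subnet 10.0.10.0/24, the phone addresses and the public IP 203.0.113.10 are assumed sample values; only 10.0.250.60 comes from the thread.

```python
import ipaddress

# Constructed transport section in pjsip.conf syntax (sample addresses).
# local_net and external_media_address are chan_pjsip transport options.
SAMPLE_TRANSPORT = """
[0.0.0.0-udp]
type=transport
bind=0.0.0.0:5060
external_media_address=203.0.113.10   ; constructed public IP
local_net=10.0.250.0/24               ; Main Site LAN only
"""
PBX_LAN_IP = "10.0.250.60"  # PBX address given in the thread


def parse_transport(text):
    """Collect local_net entries and the external media address."""
    local_nets, external = [], None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ; comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "local_net":
            local_nets.append(ipaddress.ip_network(value, strict=False))
        elif key == "external_media_address":
            external = value
    return local_nets, external


def advertised_media_address(phone_ip, local_nets, external):
    """Simplified model: a phone outside every local_net is treated as
    being behind NAT and is offered the external address in the SDP."""
    addr = ipaddress.ip_address(phone_ip)
    if external and not any(addr in net for net in local_nets):
        return external
    return PBX_LAN_IP


def audit(phones, text):
    """Return the phones that would be sent the external address."""
    local_nets, external = parse_transport(text)
    return [ip for ip in phones
            if advertised_media_address(ip, local_nets, external) != PBX_LAN_IP]


# Constructed phones: one on the Main Site LAN, one at a VPN site.
PHONES = ["10.0.250.101", "10.0.10.21"]
print(audit(PHONES, SAMPLE_TRANSPORT))
print(audit(PHONES, SAMPLE_TRANSPORT + "local_net=10.0.10.0/24\n"))
```

Any VPN-side phone the audit returns is one whose subnet is missing from Local Networks.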

I ran into this same issue setting up a remote site with 7 extensions configured through an SSL VPN to the FreePBX server at the main office. It was driving me crazy. I think I mentioned it in a forum topic at the time. I discovered that it was necessary to reboot the PBX server quite by accident. There are other configuration changes that also don’t take effect until an actual reboot of the FreePBX server.

A full reboot is not necessary, but there are changes that require an Asterisk restart:

fwconsole restart
