PJSIP and Dynamic IP Addresses

paul_hadley · December 22, 2020, 11:37am

I am having a problem using PJSIP with Dynamic IP Addresses.

In a simple scenario, lets say I have PBX (A) Running PJSIP and PBX (B) running chan_sip (or any other system for that).

Both run behind a router that have dynamic IP addresses and use a Dynamic DNS service to provide the addressing between the two, that works fine and up dates in a minute of a router reboot.

I have a trunk between the two to provide the ability to call extensions on either side from either side.

On initially booting up the two PBX’s all works well. However at some point the router on PBX (B) reboots and gets a new IP, the Dynamic DNS service updates as it should.

Initially the status of PBX (B) changes to off-line and calls from PBX (A) to PBX (B) fail.

Tech Resource Status
PJSIP PBX (B) OFFLINE

Then however as the dynamic DNS service updates the status changes to ONLINE and calls go through again.

Tech Resource Status
PJSIP PBX (B) ONLINE

However the entry for “Match” never updates, so calls from PBX (B) to PBX (A) fail as they present from the new IP address and won’t match the one stored in PBX (A)

Endpoint: PBX (B) Not in use 0 of inf
Transport: 0.0.0.0-udp udp 3 96 0.0.0.0:5060
Identify: PBX(B)
Match: 86.13.148.XX/32

This then become a permanent failure that only a asterisk restart on PBX (A) will rectify.

Has anyone been able to deploy a successful PJSIP PBX solution that has some PBX’s behind dynamic addresses? and if so I appreciate some understanding of how you achieved it.

I have tried a number of solution so far and have failed, would certainly appreciate some advice.

As a point of interest, if I move the trunk on PBX (A) back to chan_sip then IP address changes are resolved within a couple of minutes and the system returns to full functionality. On chan_sip I have had six PBX’s running with inter PBX’s trunks for over 5 years, can’t actually think of a user complaint in that time, but with PJSIP the failure points and complaints are now continuous.

arielgrin · December 22, 2020, 12:58pm

You probably already thought about it and probably don’t want to go that way, otherwise you would have already done it, but if chan_sip works, why not use chan_sip on both ends just for the trunk?

paul_hadley · December 22, 2020, 1:25pm

I have put those trunks back onto chan_sip, but at some point that will disappear as its a legacy solution and PJSIP will be the only option, it would be good to have a long term supported solution.

I think its a poor upgrade from chan_sip to PJSIP if dynamic IP addresses can no longer be supported and the system is going backwards.

billsimon · December 22, 2020, 2:17pm

Instead of using match, you could use passwords.

cynjut · December 22, 2020, 7:13pm

I don’t think that’s going to solve this issue, though, since the IP address for the ‘remote’ server will fail the inbound address check and get dropped into the ‘anonymous’ call hole. It might, but my expectations are low.

One thing is certain - you can’t use IP auth (or even DynDNS hostname) on this connection without some additional juggling.

A different, and (for me) harder solution (for everyone else, this is super simple) would be to set up a server-to-server VPN between the two servers. That way, the ‘remote’ addresses become local and you avoid all of the network address ‘beating your head against the desk’ stuff.

billsimon · December 22, 2020, 7:41pm

I haven’t tested this, but I believe the configuration would be (based on Identifying an endpoint in PJSIP ⋆ Asterisk ),

putting “auth_username” in position 2 so that it is checked after IP address and before username (which would likely just be a caller ID) and before anonymous.

In the trunk settings, specifying auth credentials on both PBXes so that they can authenticate with each other:

That’s what I would try before setting up a VPN

avayax · December 22, 2020, 10:08pm

But isn’t the IP the problem?
After the IP address changes the call is rejected because address is not in the match field.

It would make more sense to prefer auth_username, not IP. Not globally, but under the Match Inbound Authentication setting for this trunk.

billsimon · December 22, 2020, 11:07pm

If the IP doesn’t match then it checks the auth username.

arielgrin · December 23, 2020, 12:58am

As far as I know, chan_sip is not going to disappear, just development will eventually stop. I might be wrong though.

paul_hadley · December 24, 2020, 11:05am

Thanks for that, looks like a good option. I will test that later.

paul_hadley · December 27, 2020, 3:57pm

That solution of changing over the authorisation method to Auth Username worked fine, set Username and Secret on PBX (B) matched that on PBX (A) in PJSIP settings and all is well.

Just a couple of points:-

Whats the difference between Username and Auth Username in the “Match Inbound Authentication” settings, my set up only worked by using Auth Username?
Is there any reason why Username is locked to the trunk name when “Authentication” is set to Inbound or Both?

billsimon · December 27, 2020, 4:22pm

Username is what is sent in the From header, usually a caller ID. Auth username refers to the security credential.

paul_hadley · December 28, 2020, 3:36am

Thanks for that information.

system · June 3, 2021, 11:00pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.