PJSIP anonymous trunks issue

When an incoming call comes in, my trunks come up as ANONYMOUS. This prevents me from receiving the calls unless I allow “Allow anonymous inbound SIP calls” and “Allow SIP Guests”. I read that allowing anonymous inbound SIP calls is a security risk, hence I would like to fix this issue as soon as possible. I’ve enabled this feature for now to allow my PBX to receive calls.

My trunks and extensions are using PJSIP using 5060 UDP. Asterisk 18.2.1.

I have ATAs to convert landline to IP, the ATAs are able to register and make outbound calls without an issue, however when an inbound call comes in, the trunk is identified as anonymous and I see this in the logs:

Executing [2012012011@from-sip-external:1] NoOp("PJSIP/anonymous-00000000", "Received incoming SIP connection from unknown peer to 2012012011")

I have a number in Twilio, I’ve set up the trunks accordingly and this is the only number which doesn’t show up as ANONYMOUS. Does anyone have an idea as to why this is happening?

I’ve done multiple fresh installs and nothing seems to work. My network consists of the following: UDM Pro (Ubiquiti router), USW (Ubiquiti switch), PBX (VMware).

I’ve run “fwconsole reload” and “fwconsole restart” in SSH, and “core restart now” in the GUI. Nothing seems to work.

Thank you in advance for the time and help.

I don’t think those are calls, that looks like a script kiddie trying to guess an extension on your PBX to gain access.

I am assuming that the PBX VMware guest is set for bridged networking (PBX has an IP address on the same subnet as the ATAs). If not, please explain.

As a possible quick fix, try setting Match (Permit) for the ATA trunk(s) to the IP address(es) of the ATAs.

If no luck, consider these trunk settings:

Trunk Name: (same as User Name in the ATA)
Secret: (same as Password in the ATA)
Authentication: Both
Registration: Receive
Match (Permit): (leave blank)
Match Inbound Authentication: Auth Username

If no luck, post ATA make/model, and paste the Asterisk log for a failing call at pastebin.com, with pjsip logger turned on. Post the link here.

You are correct it is set to bridged networking with its own IP from the same LAN and subnet. All of the equipment is in the same lan and subnet: PBX, ATAs, Phones.

- I’ve added the ATA’s IP to the specific trunk under “Match (Permit)”. I tried the following formats and none worked: 192.168.1.0/24 and 192.168.4.25 (specific IP). I reloaded and restarted the console.

- I tried the second recommendation too with no luck; it’s the same issue.

I have Obihai110 latest firmware 1.3.0. Here’s the link as requested:

Thank you for your help. I’ve been pulling my hair out for weeks.

The link has the complete logs:

Call is still anonymous even after Stewart1’s suggestions.

[2023-12-15 23:29:29] VERBOSE[2510] res_pjsip_logger.c: <--- Received SIP request (546 bytes) from UDP:192.168.4.72:61049 --->
REGISTER sip:192.168.4.150:5060 SIP/2.0
...
Via: SIP/2.0/UDP 192.168.4.72:5060;branch=z9hG4bK-74200939;rport

So the OBi claims (in its Via header) that it sent the REGISTER from port 5060, but the PBX says it got it from port 61049, which may explain why the trunk is not being recognized.

In the OBi, the port it should have been sent from is the value of X_UserAgentPort for the SPx in question.

Something, somewhere modified the port number. I suspect VMware, though you could find out for sure by running tcpdump on both host and guest.

Do you have anything SIP related (other than FreePBX) on the VMware host or other guests?

Do you have any other networking elements, other than dumb switches, between the OBi and the VMware host?
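The comparison made in the reply above, between the port the PBX received the request from and the port in the Via header, can be run over a whole pjsip logger capture. This is an added example, not code from the thread or from Asterisk; the regular expressions assume the log layout quoted in the thread, and the second request in the sample is constructed.

```python
import re

# Transport line from res_pjsip_logger, in the layout quoted in the thread.
RX_RECV = re.compile(r"<--- Received SIP request \(\d+ bytes\) from "
                     r"(\w+):([\d.]+):(\d+) --->")
# Request line and Via header; a pastebin line number may precede each.
RX_REQ = re.compile(r"^\s*(?:\d+\s+)?([A-Z]+) sip:\S+ SIP/2\.0")
RX_VIA = re.compile(r"^\s*(?:\d+\s+)?Via:\s*SIP/2\.0/\w+\s+"
                    r"([^\s:;]+)(?::(\d+))?(.*)$", re.IGNORECASE)

# Constructed sample: the first request reuses the lines quoted in the thread,
# the second is made up to show a request whose ports agree.
SAMPLE_LOG = """\
[2023-12-15 23:29:29] VERBOSE[2510] res_pjsip_logger.c: <--- Received SIP request (546 bytes) from UDP:192.168.4.72:61049 --->
REGISTER sip:192.168.4.150:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.4.72:5060;branch=z9hG4bK-74200939;rport
[2023-12-15 23:30:29] VERBOSE[2510] res_pjsip_logger.c: <--- Received SIP request (546 bytes) from UDP:192.168.4.72:5060 --->
REGISTER sip:192.168.4.150:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.4.72:5060;branch=z9hG4bK-00000001;rport
"""

def find_port_mismatches(log_text, default_port=5060):
    """Return one finding per received request whose topmost Via sent-by
    (host:port) differs from the address the packet arrived from."""
    findings, cur = [], None
    for line in log_text.splitlines():
        recv = RX_RECV.search(line)
        if recv:  # start of a new logged request
            cur = {"ip": recv[2], "port": int(recv[3]), "method": None, "via": False}
            continue
        if cur is None or cur["via"]:
            continue
        req = RX_REQ.match(line)
        if req and cur["method"] is None:
            cur["method"] = req[1]
            continue
        via = RX_VIA.match(line)
        if not via:
            continue
        cur["via"] = True  # only the topmost Via describes the sending hop
        host, port, params = via[1], int(via[2] or default_port), via[3]
        if (host, port) != (cur["ip"], cur["port"]):  # literal compare, no DNS
            findings.append({
                "method": cur["method"],
                "source": f"{cur['ip']}:{cur['port']}",
                "via": f"{host}:{port}",
                "rport": any(p.strip().split("=")[0].lower() == "rport"
                             for p in params.split(";")),
            })
    return findings
```

Each finding names a request that was rewritten somewhere between the device and the PBX; running the same check on captures from the host and the guest narrows down where.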

X_UserAgentPort is set to 5060 and in the OBi it shows as registered to the PBX server and 5060 port on the GUI.

I only have the PBX in VMware. This server was previously working using chan_sip 5060. I converted everything to pjsip 5060 and it’s when the anonymous calls started happening. I’ve tried a fresh install with pjsip 5060 but the issue is always the same.

The setup is UDM Pro router->Ubiquiti switch->PBX and OBi. The setup is simple. There aren’t any other network elements at all.

I performed a tcpdump on the PBX server. The initial pair from the OBi to the PBX shows as 5060. When a call is placed, for some reason the OBi uses other ports instead of 5060. Here are the logs of the tcpdump from the PBX side:

INITIAL REGISTRATION WHEN OBI RESTARTS 16:25:39.564035 IP 192.168.4.72.sip > pb - Pastebin.com

Sorry for the delayed reply by the way

Yes, the registration shows standard ports now, so something has changed in that regard.

However, the 172-byte packets are RTP, not SIP. It’s normal for them to be using different ports, though there is some strangeness there, too.

First, starting on line 15, the OBi started sending RTP, with no preceding SIP. Are you sure that the tcpdump was capturing continuously between 16:26:37 and 16:27:36? You show two registrations only 30 seconds apart; do you have RegistrationPeriod set to 30? But if so, I’d expect another REGISTER at about 16:27:08, but it’s not there.

Also, the RTP sent from the OBi shows source port 39886, but the ITSP Profile A RTP port range defaults to 16600 to 16798. Did you change those? If not, something rewrote the port number.

Then, when Asterisk started sending RTP back to the OBi, it was sent to port 10000. I have no idea where that came from, unless possibly from an OBi setting.

Please make a .pcap file with tcpdump:
tcpdump -w foo.pcap
Do the initial registration followed by a failing incoming call.
There will be no console output from tcpdump. Then type Ctrl-C to stop tcpdump and it should show how many packets were captured. This forum will not allow a .pcap attachment, but it permits .tgz. So either create a .tgz containing the .pcap, or you can just rename the .pcap to a .tgz. Then, in your post, click the upload button to attach the .tgz file.

Yes the TCPDUMP was capturing continuously. I have registration set to 60 seconds in the Obihai.

Before proceeding with further troubleshooting, I changed the PJSIP trunk:

Username: [username that matches ATA’s username]
Auth username: [EMPTY]
Authentication: [password that matches ATA’s password]
Authentication: Outbound
Registration: None
Language Code: English
SIP Server: [ATA’s static IP address]
SIP Server Port: 5060
Context: from-pstn
Transport: 0.0.0.0-udp

I tried searching online for how to configure the Authentication and Registration fields specifically but couldn’t find anything clear. From what I understand, setting Authentication to Outbound [authenticates to the provider, in this case the ATA], and setting Registration to None [ignores the fields Username and Authentication, and instead uses SIP Server and SIP Server Port to authenticate against the ATA].

After setting my PJSIP trunk as mentioned above, the calls to the PBX work; it no longer shows anonymous but instead the trunk name, and inbound calls are now successful. However, in the logs I see the following now:

WARNING[46446] res_pjsip_registrar.c: AOR '9732221313' has no configured max_contacts. Endpoint '9732221313' (192.168.5.72:5060) unable to register [where 192.168.5.72:5060 is the ATA]

My questions are:
Is this configuration of the PJSIP trunk correct? I use Twilio, and the way to set up their PJSIP trunks is identical to how I just did the ATA.
What is this new error message? Can it be ignored, and how can it be resolved?

Thank you again for your help. If these settings are unsecure or wrong, I will get the logs as you had requested them and post them.

There is nothing wrong with IP Auth. In the OBi, turn off registration: For the SPx Service in question, uncheck X_RegisterEnable. Submit, Reboot and the error message should be gone.

However, this may make it tricky to use the Phone port of the OBi on the same PBX. If you are only using the Line side, this won’t be a problem.

I don’t use the Phone port of the Obi, so this solution will work just fine for me.
I’ve finished setting up all of my ATAs to do IP Auth. Thank you for your help!
