PJSIP fails authentication

I did an install of FreePBX 17 on Debian 12.

I cannot get anything to register SIP.

I get an auth error but looking at the packet capture it is actually “Destination Unreachable”.

It states Code: 3 (Port unreachable) in the reply to the INVITE.

I’m sure it’s just a setting but I have set up two separate servers and they both react the same.

I can provide the packet captures if that would help.

I’m confused by the mixing of register and INVITE in this report. However, I suspect that the destination unreachable is the result of fail2ban kicking in because of multiple authentication errors.

The IP where the phones are at is TRUSTED so Fail2Ban is not blocking.

I have also turned off the firewall temporarily and the same thing happens.

One thing that I have noticed is the Message header contains the natted IP address at the phone’s location.

```
Internet Control Message Protocol
Type: Destination unreachable (3)
[Expert Info (Note/Response): Type indicates an error]
Code: 3 (Port unreachable)
Checksum: 0x80c9 [correct]
[Checksum Status: Good]
Unused: 00000000
Internet Protocol Version 4, Src: 76.XX.XX.XX, Dst: 45.XX.XX.XX
User Datagram Protocol, Src Port: 1066, Dst Port: 5060
Source Port: 1066
Destination Port: 5060
Length: 596
Checksum: 0x50ae [unverified]
[Checksum Status: Unverified]
[Stream index: 5]
UDP payload (520 bytes)
Session Initiation Protocol
Request-Line: REGISTER sip:{domain}.net:5060 SIP/2.0
Method: REGISTER
Request-URI: sip:{domain}.net:5060
Message Header
Via: SIP/2.0/UDP 192.168.10.35:5060;branch=z9hG4bK1346327960
From: "Cynthia" <sip:210@{domain}.net:5060>;tag=1346228870
To: "Cynthia" <sip:210@{domain}.net:5060>
Call-ID: [email protected]
[Generated Call-ID: [email protected]]
CSeq: 1 REGISTER
Contact: <sip:[email protected]:5060>
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T53W 96.86.0.75
Expires: 3600
[Expert Info (Warning/Malformed): Header has no colon after the name]
```

With Chan-SIP there was a setting for the phone being behind NAT, I’m not sure I have found that in PJSIP.
The server is not behind NAT.

That means that the phone isn’t properly designed for use behind NAT.

There are three settings for working around phones that are behind NAT, but do not compensate for that: force rport, symmetric RTP, and rewrite contact.

These are not obviously related to your port unreachable. That means that there is no process running on port 5060 on the addressed machine (or the firewall is pretending that is the case, to confuse blocked attackers).

The phones were working on a FreePBX 16 system for a year, at the same location.

Pretty much my idea but I need to know how to tell Debian or FreePBX to allow that.
I have checked and there is no default firewall running on the server.
This was installed using the standard script that they tell you to install on Debian 12, and I did.
We were able to get a phone to register on IAX2 but the carrier does not support that protocol.
I have installed 17 twice on two different servers and they both show the same issue.
I can do an external UDP Port Scan and it shows open.

I imagine they showed the same failure to include the right address. FreePBX, I think as the default setting, does try to work round this, although there are some cases in which it won’t work (e.g. it requires the phone to send the first media in the call).

I have an older test bed Asterisk Server, running FreePBX 15.
It has PJSIP on it and I cannot register a SIP phone on it either.
I changed to CHAN-SIP and everything is fine. I changed no settings, just the driver.
It appears not Debian, not FreePBX 17, not the phones, not the location of the phones, not the network or anything else like that causing the issue but it’s some setting in PJSIP that eludes me.
PJSIP has been out for many years and I don’t understand why I can’t find many people out there that are having similar issues. And the posts I do find give no answers but end and expire without a conclusion. Did they fix it and not want to share the solution?
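
The NAT symptom raised in this thread (a private address in Via while the packet arrives from a public source), as an added example that is not part of any post: a Python check that compares the addresses a REGISTER advertises with the packet's observed source and names which of the settings mentioned above compensates for each mismatch. The sample message, the 198.51.100.20 source address and the names `parse_headers` and `nat_findings` are constructed for illustration.

```python
import ipaddress
import re

# Constructed REGISTER modelled on the capture in the thread (not a real capture).
SAMPLE_REGISTER = (
    'REGISTER sip:pbx.example.net:5060 SIP/2.0\r\n'
    'Via: SIP/2.0/UDP 192.168.10.35:5060;branch=z9hG4bK1346327960\r\n'
    'From: "Cynthia" <sip:210@pbx.example.net:5060>;tag=1346228870\r\n'
    'To: "Cynthia" <sip:210@pbx.example.net:5060>\r\n'
    'CSeq: 1 REGISTER\r\n'
    'Contact: <sip:210@192.168.10.35:5060>\r\n'
    'Expires: 3600\r\n'
    '\r\n'
)

HOSTPORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")
# Which NAT workaround named in the thread compensates for which header.
SETTING_FOR = {"via": "force rport", "contact": "rewrite contact"}


def parse_headers(message):
    """Return {lowercased header name: [values]} for one SIP message."""
    headers = {}
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def nat_findings(message, src_ip, src_port):
    """List (header, advertised address, setting) where the header disagrees
    with the source address and port the server actually saw on the packet."""
    findings = []
    headers = parse_headers(message)
    for name, setting in SETTING_FOR.items():
        for value in headers.get(name, []):
            m = HOSTPORT.search(value)
            if not m:
                continue  # hostname or IPv6 literal: out of scope here
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # digits that are not a valid IPv4 address
            port = int(m.group(2) or 5060)  # 5060 is the SIP default port
            if (str(ip), port) != (src_ip, src_port):
                findings.append((name, f"{ip}:{port}", setting))
    return findings
```

Calling `nat_findings(SAMPLE_REGISTER, "198.51.100.20", 1066)` reports both the Via and the Contact header; symmetric RTP does not appear because it concerns media, which a REGISTER does not carry.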