Problems with PJSIP extension, maybe NAT?

I have recently installed FreePBX (version in an attempt to migrate away from using Asterisk 13 with config files only.

The server is in a DC on a dedicated DMZ and a valid IPv4 address. I initially enabled the responsive firewall and configured the Cisco firewall to allow all traffic to the FreePBX host.

Initially I seemed to get on well; I created a PJSIP extension and then installed a softphone client (Zoiper 5) on a Windows PC that was running a VPN client, hence no NAT between the softphone and the FreePBX server. The softphone logged in successfully and I could call voicemail and was getting two-way audio (I could record a greeting successfully, etc.).

I then tried configuring a Cisco 8851 IP handset (running SIP firmware) to use the same extension (after killing Zoiper); however in this case I the phone is hidden behind NAT.

I have been unable to get the Cisco handset to log in via PJSIP, I have copied and pasted the password from the web interface and even tried changing it. With debugging enabled I can see the initial registration attempts coming from the phone, but no joy. In the debug packets I see the real IP address allocated to the handset in the caller-id as follows:

Call-ID: [email protected]

I then tried adding a chan_sip extension; configured nat in advanced settings (yes, force_rport, comedia) and then re-configured the Cisco handset to use the 5160 port on the FreePBX server and the new extension details. After a reboot it logged in straight away, but the moment I put the Cisco phone back to the PJSIP extension it fails.

I’ve found a few articles suggesting that PJSIP supports NAT without any additional settings, but I wanted to check here whether that is true?

I appreciate I could just switch over to chan_sip, but everything I have read suggests that pjsip is the future and it feels like I should work to get this up and running - any help offered here would be greatly appreciated!


There have been reports of Cisco phones in SIP mode not playing well with PJ-SIP. If it was me, once I got it working, I’d let it work.

1 Like

Thanks for the feedback!

I think I may have cracked it - the firewall outside of the Cisco phone is a Cisco ASA and I had a SIP security inspection rule left in place from yonks ago. As a bit of a stab I tried disabling this and the phone logged in first time, so it looks like something about PJSIP is triggering some form of blockage.

I will look to see if a newer version of the Cisco FW firmware is available, maybe the compatibility issue has been fixed by them…


The SIP Call-ID header has nothing to do with caller ID and is just a unique reference label for a particular call. On many devices, it doesn’t contain an IP address and in any case it does not affect signaling. The main headers relevant for signaling are Via and Contact, which contain IP addresses used for subsequent packets.

That said, it’s suspicious that any header sent from a phone on a private IP address would contain its public address, which the phone wouldn’t normally even know. If this was captured via a debug command or syslog directly from the phone, it was likely obtained e.g. by a STUN lookup; try turning off anything related to NAT or STUN in the phone’s configuration.

If the packet was captured at the PBX (with pjsip set logger on or with tcpdump), then it’s likely that a SIP ALG is in the path and it altered the Call-ID header. What is the make and model of the router/firewall at the phone’s location? If it has any settings related to SIP, try turning them off. Also, if the router is connected to an ISP-supplied gateway, that may also be acting as a router with a potentially troublesome SIP ALG.

If the above doesn’t help, you could try having pjsip bind to a non-standard port, e.g. in Asterisk SIP Settings, set Port to Listen on to 5260 and adjust the phone’s config accordingly.

Or, at the Asterisk console type
pjsip set logger on
have the phone attempt registration and post what appears in the Asterisk log.

(When you redact the log, use different values for the phone’s local IP, the phone’s public IP, the PBX local IP (if the DMZ is NAT) and the PBX public IP, so it’s clear what each address means.)

@4bn When you go into Settings -> Asterisk SIP Settings -> Chan_PJSIP and you look at your transport, what are the Local Network and External Media IP settings set to? Do they have the proper settings?

Hi Stewart1,

Thanks for the feedback and yes, I did discover shortly after posting that I’d left a SIP security feature enabled on the Cisco router/FW in the phone’s location. After disabling it I was able to log in without issue - it seems some compatibility issue with PJSIP that doesn’t exist with CHAN_SIP. The PBX is on a DMZ with valid IP addressing.

Thanks for the extra pointers; it is looking OK now but I really appreciate your help!


Hi Tom,

Thanks too for your help, the settings were correct in the Asterisk SIP settings. As mentioned above, it looks like a SIP security on the Cisco router/FW feature was causing my problem, all sorted now!


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.