Remote extensions and network

Ds5v50 · August 12, 2016, 5:40pm

Bare with me I’m by no means a Guru but here it goes. I have a pbx I have been taking care of for some time, there are 2 remote extensions on this PBX that up until Monday were working with no issue. Now suddenly all remote extensions register then immediately become unreachable. Here is a tcpdump showing what happens when I re-register my “remote” extension.

08:37:54.520773 IP cpe----31.columbus.res.rr.com.sip > 192.168.20.2.sip: SIP, length: 734
E…@.0…b.D…REGISTER sip:192.168.20.2:5060 SIP/2.0
Via: SIP/2.0/UDP ...31:5060;branch=z9hG4bK1037135263
From: “Phone Service” ;tag=1513167062
To: "Phone Service"
Call-ID: [email protected]
CSeq: 3 REGISTER
Contact:
Authorization: Digest username=“300”, realm=“asterisk”, nonce=“4887147e”, uri=“sip:..*.113:5060”, response=“3a958eaa3438cd8e017e000de7395f8c”, algorithm=MD5
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T48G 35.80.0.130
Expires: 0
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0

08:37:54.521175 IP 192.168.20.2.sip > cpe----31.columbus.res.rr.com.sip: SIP, length: 543
E…;0…@…(…b.D…’} SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP ...31:5060;branch=z9hG4bK1037135263;received=..*.31;rport=5060
From: “Phone Service” ;tag=1513167062
To: “Phone Service” ;tag=as588f20e7
Call-ID: [email protected]
CSeq: 3 REGISTER
Server: Asterisk PBX 13.10.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce="7a3cdb6c"
Content-Length: 0

Now for the brain killer, the remote extensions can call out, access voicemail, basically anything outgoing. But inbound calls, Voicemail notifications do not work, phone does not ring. Now if I turn off qualify in the extension settings the phone will ring but if you answer the calling party continues to ring. Eventually you get an Re transmission time out in the asterisk log. I’ve tried everything including disabling the firewall on the box. My biggest battle is that the box is behind a mikrotik with all ports forwarded to the pbx and then another hosts gateway that has specific ports forwarded.

Forwarded ports at the second host gateway.

21 (tcp)
22 (tcp)
25 (tcp)
80 (tcp)
443 (tcp)
2727 (tcp - udp)
5060 (tcp - udp)
5061 (tcp - udp)
10000 - 20000 (tcp - udp)

The pbx in question is

FreePBX 13.0.167
PBX Firmware: 10.13.66-14

with all available updates installed as of this morning Friday 08/11 @ 9:04am

Any help or thoughts will be most appreciated.

cynjut · August 12, 2016, 6:42pm

This isn’t about your problem, but nonetheless:
Unless your Yealink is using FTP, turn off 21 and 22.
If you are not running an SMTP service that allows remote hosts to attach (sending mail from Internet connected workstations or are running your domain mail server) turn off 25.
If you do not want to allow Host Web Access to the outside, turn off 80 and 443.
If you are not using MGCP from the Internet, turn off the forward for 2727.
Since you are forwarding PJ-SIP and Chan-SIP (5060 and 5061), you should turn on the adaptive firewall so that you can manage these connections.
Ports 10000-20000 should be UDP only (you shouldn’t forward all of those TCP ports).

You are having a password/IP Deny/etc. issue. Check your /var/log/asterisk/full logs to get the actual error.

Ds5v50 · August 12, 2016, 7:39pm

That is just it there are no errors in the /var/log/asterisk/full, it shows the extension registering.

[2016-08-12 15:40:44] VERBOSE[30472] chan_sip.c: Unregistered SIP ‘300’
[2016-08-12 15:40:50] VERBOSE[30472] chan_sip.c: Registered SIP ‘300’ at 0.0.0.*:5060

The phone registers as it is suppose to,

Ds5v50 · August 13, 2016, 2:48pm

I have resolved the issue but not solved it. Under "settings/asterisk sip settings’ it has a option for the “External address” , After removing the actual ip that is the wan IP and replacing it with an old ip the network use to have, both remote extensions came back online and are 100% functioning.

Now if someone has an idea as to why this is happening I would love to hear it I want to make my setup proper and use the proper ip in this feild. so any thoughts will be apreciated.

Ds5v50 · August 13, 2016, 4:18pm

I spoke to soon, now I have no audio to or from the remote extension

cynjut · August 16, 2016, 1:24pm

There is a serious problem with your network if this is working.

Something, somewhere, is hosed for sure, but without A LOT more information about your network, I’m not really sure I’d hazard a guess as to the actual problem.

The “External Address” is used as the redirection destination for your SIP transmissions. Basically, when you send a packet out to the phone, you tell it “I know the network address is <this>, but I want you to send your traffic to <External Address>”. The router at “<External Address>” needs to be set up to handle the NAT traversal and to send the packets that are coming to through to your PBX.

Ds5v50 · August 16, 2016, 7:52pm

I was able to finally solve my issue, As I said there are 2 separate networks that I have no control over so It hindered my troubleshooting, what ended up solving my issue was adding the public wan ip to general sip settings, and the internal wan ip of 192.168.99.2 to the chan sip settings of that same page. As I say it is solved but I do not know what started the issue seen as how it has been working flawlessly since the first of January… Thank you to all that helped me with this issue.