
S705 FreePBX 14 loses registration


(Dimitrios Manolis) #1

Hi,

I have an S705 phone with the latest firmware and the latest update of FreePBX 14. I have configured the phone to use TLS for registration and SRTP for the media. Everything works for about 2 minutes, then the phone loses registration. In order for it to work again I need to reboot it. This does not happen when not using TLS.

I also have a bunch of Polycom VVXs under the same server and don’t have that issue. The server is at a remote location.


(Itzik) #2

Please describe your network setup, as well as if it’s a remote phone? NAT enabled? Etc.


(Tony Lewis) #3

What does latest firmware mean? Please state the firmware.


(Dimitrios Manolis) #4

Meraki MX450 firewall doing 1-to-1 NAT to the FreePBX 14, with the proper ports open as per the wiki. NAT is enabled on the remote phone. Firmware version 3.0.4.55 on the phone.


(Dimitrios Manolis) #5

I changed a couple of settings on the Extensions page:
(Advanced Section)
Changed Port to 5061
Changed Transport to: TLS Only

Now the phone stays registered for good, but when making a call the first call will fail, but the second call will go through.

I got Cisco Meraki on the phone and took a couple of packet captures. Looks like the phone is resetting the connection. I don’t know why it does that. But before it does that it receives an encrypted alert from the server.

Update on Network Topology

Remote Site ( Where phone is located )

Sangoma S705 --(172.16.40.2)-----> Meraki Switch ------> Meraki MX65W ----(Public IP) ----> Fios ONT

Server Side:

FreePBX Server 14 --------> Meraki Switch -------> Meraki MX450 ----(1:1 NAT for FreePBX-dedicated IP) ----- Fios ONT
MX450 handling the entire /24 subnet of the static IPs assigned to our organization.

PS… One more thing I noticed is when this happens and I press the DND key the Presence won’t light up red and the DND when the reset is done. But on the second call, if I press the DND key, both DND and Presence will light up red.


(Itzik) #6

Which cert are you using?


(Dimitrios Manolis) #7

LetsEncrypt, as I cannot use a Comodo certificate at all with the Sangoma phones. That’s another issue I am having: Sangoma phones won’t work with a Comodo certificate and Yealinks won’t work with LetsEncrypt. Polycom phones work with phone if they’re on firmware 4.0.12 and above.


(Dimitrios Manolis) #8

Looks like I narrowed down the problem to the routers. Now I still cannot get the Sangoma phone to work with any other certificate than Let’s Encrypt. But on to the routers.

Routers that phone works perfectly no glitches:
All Meraki Routers from Z1 - MX450

Routers that phone experiences issues with TLS enabled.

All Watchguards
All Ubiquiti Unifi and Edgemax Routers
and Sonicwalls.

Phones will only work great without TLS enabled on the routers above.


(Tom Ray) #9

How are you installing this cert? Just via the Cert Manager in FreePBX? Where are you installing this cert? It should just be on the PBX, that’s it.

You are using a cert with a public trusted CA. The cert needs to be installed on the PBX, then the channel drivers need to be told to use the cert under Asterisk SIP Settings. The only thing that should be done with the phone is pointing the Host/Proxy/Server (whatever they call it) to use the TLS port. So if you are using 5061 then the Host would be IP:5061 (or FQDN:5061) in the phones. The phones do not need the cert installed on them when it is a public trusted CA.

So what is the actual TLS setup on FreePBX and the phones? Detail how you set up all of those to use TLS. As well, show a full debug of one of these calls that fail the first time but go through the second time. And by debug I mean the following:

Step 1: asterisk -rvvvvvvvvvv
Step 2: Start the debug logging for your channel driver
Step 2a: If PJSIP: pjsip set logger on
Step 2b: If Chan_SIP: sip set debug on
Step 3: Make call that fails.
Step 4: Make second call that doesn’t fail
Step 5: Copy ALL THE OUTPUT from the start of call. That means all the way back to where it said “debugging enabled”.
Step 6: Post that here. Not in a post but in a file that we can open and view.