Sangoma P310

Ive got an odd one here…

I have the latest (as of oct '21) version of FreePBX running locally. I have number of softphones (Linphone) running on PCs, Mobiles, and its fine. I have set the configs to require encryption on all calls (both in the soft phone configs and the pbx). Calling with soft phones works flawlessly.

I started to add Sangoma phones P310 and sent one to someone out of state. Sent them the basic sip settings and they were able to connect no problem.

when I tried the same model phone internally with same config, it will not make a call. The only thing I get is a “fast busy”.

The asterisk logs show only:
ERROR[6453]: res_pjsip_session.c:937 handle_incoming_sdp: 1800: Couldn’t negotiate stream 0:audio-0:audio:sendrecv (nothing)

Which I know to be related to unable to handle/setup secure RTP, which lead me to focus on TLS.

The other soft phones connect via TLS both internally and externally, without issue. either on the local wifi or on the mobile network (LTS for example) they have zero problems connecting…

Free PBX - Internally hosted, ports forwarded and working internally and externally with a “lets encrypt” certs to FGDN… SSL verified with https connection to website both internally and externally. so when the internal clients connect the external DNS routes them to the external interface and SSL cert etc all is working. I thought maybe these phones didn’t want to handle coming in through the external addy, but only the internal one, so knowing that the cert needed a hostname to that internal IP, I setup an internal DNS bind9 and set the phones to use that to give the same hostname so it would pickup the cert and use ssl on the internal IP. This works fine with a web browser confirmed to connect the internal IP with the hostname and SSL checks out.

so any ideas?

  • softphones work internal and external, local wifi and internet
  • external P310 works fine.
  • compared the extension settings on the working and not working they are the same
  • checked the EPM settings though the other external phone worked without it…

ideas?
where to get DETAILED sip logs?
working with Wireshark, still trying to get them decoded, SSLKEYLOGGING seems not to work…

thanks

Chris

Got some logs here... seems I've got a mismatch in supported encryption

SIP/2.0 488 Not Acceptable Here

17852	[2021-10-21 11:50:22] VERBOSE[2782] res_pjsip_logger.c: <--- Received SIP request (1418 bytes) from TLS:192.168.1.254:25061 --->	
17853	INVITE sip:[email protected]:25061;transport=tls SIP/2.0	
17854	Via: SIP/2.0/TLS 192.168.1.254:25061;rport;branch=z9hG4bKPj23f5d931-1633-4dd4-a560-cbd8d8e2f767;alias	
17855	Max-Forwards: 70	
17856	From: "1800P" <sip:[email protected]>;tag=300d5b45-75d5-4415-9785-1c3dc4d40c47	
17857	To: <sip:[email protected].COM>	
17858	Contact: <sip:[email protected]:25061;transport=TLS;ob>	
17859	Call-ID: 3b9bfdd6-25df-4112-b3eb-b4bf34e8a9bd	
17860	CSeq: 7294 INVITE	
17861	Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS	
17862	Supported: replaces, 100rel, timer, norefersub	
17863	Session-Expires: 1800	
17864	Min-SE: 90	
17865	User-Agent: Sangoma P310 3_5_1	
17866	Authorization: Digest username="1800", realm="asterisk", nonce="1634835022/3a7b2f2beef837f256c12907eb3a231c", uri="sip:[email protected]:25061;transport=tls", response="3c01bc8410183d8c9679a3d834c4eb95", algorithm=md5, cnonce="987f647c-c29b-4dc1-afb7-212826226cd5", opaque="2152d8d96d66c9d5", qop=auth, nc=00000001	
17867	Content-Type: application/sdp	
17868	Content-Length: 392	
17869		
17870	v=0	
17871	o=- 330206311 330206311 IN IP4 192.168.1.146	
17872	s=digphn	
17873	b=AS:84	
17874	t=0 0	
17875	a=X-nat:0	
17876	m=audio 4008 RTP/AVP 0 8 9 111 96	
17877	c=IN IP4 192.168.1.146	
17878	b=TIAS:64000	
17879	a=rtcp:4009 IN IP4 192.168.1.146	
17880	a=sendrecv	
17881	a=rtpmap:0 PCMU/8000	
17882	a=rtpmap:8 PCMA/8000	
17883	a=rtpmap:9 G722/8000	
17884	a=rtpmap:111 G726-32/8000	
17885	a=rtpmap:96 telephone-event/8000	
17886	a=fmtp:96 0-16	
17887	a=ssrc:1869879436 cname:0939a29b027a4b74	
17888		
17889	[2021-10-21 11:50:22] VERBOSE[15816] res_pjsip_logger.c: <--- Transmitting SIP response (398 bytes) to TLS:192.168.1.254:25061 --->	
17890	SIP/2.0 100 Trying	
17891	Via: SIP/2.0/TLS 192.168.1.254:25061;rport=25061;received=192.168.1.254;branch=z9hG4bKPj23f5d931-1633-4dd4-a560-cbd8d8e2f767;alias	
17892	Call-ID: 3b9bfdd6-25df-4112-b3eb-b4bf34e8a9bd	
17893	From: "1800P" <sip:[email protected]>;tag=300d5b45-75d5-4415-9785-1c3dc4d40c47	
17894	To: <sip:[email protected]>	
17895	CSeq: 7294 INVITE	
17896	Server: FPBX-15.0.17.55(16.17.0)	
17897	Content-Length: 0	
17898		
17899		
17900	[2021-10-21 11:50:22] ERROR[15816] res_pjsip_session.c: 1800: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)	
17901	[2021-10-21 11:50:22] VERBOSE[15816] res_pjsip_logger.c: <--- Transmitting SIP response (452 bytes) to TLS:192.168.1.254:25061 --->	
17902	SIP/2.0 488 Not Acceptable Here	
17903	Via: SIP/2.0/TLS 192.168.1.254:25061;rport=25061;received=192.168.1.254;branch=z9hG4bKPj23f5d931-1633-4dd4-a560-cbd8d8e2f767;alias	
17904	Call-ID: 3b9bfdd6-25df-4112-b3eb-b4bf34e8a9bd	
17905	From: "1800P" <sip:[email protected]>;tag=300d5b45-75d5-4415-9785-1c3dc4d40c47	
17906	To: <sip:[email protected]>;tag=5d1f5d0c-e5fc-4709-92b8-2d22b4840820	
17907	CSeq: 7294 INVITE	
17908	Server: FPBX-15.0.17.55(16.17.0)	
17909	Content-Length: 0	
17910		
17911		
17912	[2021-10-21 11:50:22] VERBOSE[2782] res_pjsip_logger.c: <--- Received SIP request (433 bytes) from TLS:192.168.1.254:25061 --->	
17913	ACK sip:[email protected]:25061;transport=tls SIP/2.0	
17914	Via: SIP/2.0/TLS 192.168.1.254:25061;rport;branch=z9hG4bKPj23f5d931-1633-4dd4-a560-cbd8d8e2f767;alias	
17915	Max-Forwards: 70	
17916	From: "1800P" <sip:[email protected]>;tag=300d5b45-75d5-4415-9785-1c3dc4d40c47	
17917	To: <sip:[email protected]>;tag=5d1f5d0c-e5fc-4709-92b8-2d22b4840820	
17918	Call-ID: 3b9bfdd6-25df-4112-b3eb-b4bf34e8a9bd	
17919	CSeq: 7294 ACK	
17920	Content-Length: 0

The INVITE, while being sent over TLS, is not using SRTP. If the Asterisk side is configured for SRTP then it would fail like you’re seeing.

ive double checked the extension settings and sip settings and media encryption is required. I don’t see anywhere on the phone itself to force this. It only allows SIP addy, port and protocol… nothing about SRTP…

is there another place besides the web interface to check for this?

Chris

Maybe this will help?
https://wiki.freepbx.org/display/phon/tls+and+srtp

thanks for that, it is setup correctly according to this article. As my rather long (sorry for that) description states, its is working properly with soft phones… I did do some of the “D” series phones settings but it made no difference.

I’ve since configured the phones for Syslog so I can see them boot and noticed this in the messages…

> Oct 21 15:39:55 192.168.1.63 core[350]: middleman: processAccount: transport=tls  media_encryption=no
> Oct 21 15:39:55 192.168.1.63 core[350]: middleman: processAccount: alt_transport=tls  alt_media_encryption=no
> Oct 21 15:39:55 192.168.1.63 core[350]: middleman: Checking firmware for 3_5_1 P310
> Oct 21 15:39:55 192.168.1.63 core[350]: middleman: firmware_blacklist model=P310 minimum_version=3_2_7 specific_version=
> Oct 21 15:39:55 192.168.1.63 core[350]: middleman: firmware_blacklist model=P315 minimum_version=3_2_7 specific_version

You’ll notice that its showing “media_encryption=no” so Im looking for a setting to confirm this on the phone. Is it possible to set this via the web interface or is it only via the EPM?

anything you set directly on the phone will be overwritten by EPM if the phone reboots I believe.

update:

Ive gone down a rabbit hole trying to get these phones provisioned. The issue still remains…

Ive been working with EPM to get these provisioned and using SRTP, but that’s turned out to be troubles also… (see post EPM Sangoma P310 but only "Digium P310" exists in EPM, won't get config)

I have 3 of these phones, haven’t been able to get a single one working with encryption. We originally thought an external one was working with encryption, but an audit (packet capture) showed it was NOT encrypted which turned out to be an issue in the extension config.

SO… I have a Freepbx system which works 100% perfectly with soft phones (Linphone) on OS X, Windows, iOS and Android, but my initial purchase of 3 Sangoma P310 phones all fail.

How can I enable SRTP on this phone?

  • Web interface has NO settings for SRTP, only TLS
  • is there a way to format the SIP (line settings) in the Web interface to force it to use SRTP?

Where to go from here??

Filed an official support request with Sangoma because they are all brand new phones, ill touch back here if any solution comes back…

No, media encryption is not one of the settings that’s exposed via the phone’s web interface.
SDES SRTP is controlled only via the media_encryption attribute of the host_primary and/or host_alternate children of the account object.

so the only way to use these in what ill call…“Sip Account mode” (for lack of a better way) is unencrypted?

don’t you think that is a HUUUUGE miss?

There is a better way. Configure the phones using the better method of feeding them a configuration file that contains the settings that they should use. Using the Web UI to configure the phones is the least preferred method and gets the least development attention, because the primary audience for these telephones is administrators who configure lots of them.
These administrators are configuring the phones via some sort of provisioning system: EPM provides one, Switchvox provides one, admins outside of those environments usually roll their own.
It’s not how you’re trying to configure the phone. If you’re using the phone with FreePBX and/or PBXact, you should probably use EPM to configure the phone. EPM should provide an option for most things; and for those that don’t appear as button controls, you’ve got access to edit the configuration templates themselves.