I've got an odd one here…
I have the latest (as of Oct '21) version of FreePBX running locally. I have a number of softphones (Linphone) running on PCs and mobiles, and it's fine. I have set the configs to require encryption on all calls (both in the softphone configs and the PBX). Calling with softphones works flawlessly.
I started to add Sangoma P310 phones and sent one to someone out of state. Sent them the basic SIP settings and they were able to connect no problem.
When I tried the same model phone internally with the same config, it will not make a call. The only thing I get is a “fast busy”.
The asterisk logs show only:
ERROR: res_pjsip_session.c:937 handle_incoming_sdp: 1800: Couldn’t negotiate stream 0:audio-0:audio:sendrecv (nothing)
Which I know to be related to being unable to handle/set up secure RTP, which led me to focus on TLS.
The other softphones connect via TLS both internally and externally, without issue. Either on the local wifi or on the mobile network (LTS for example) they have zero problems connecting…
FreePBX - Internally hosted, ports forwarded and working internally and externally with “Let's Encrypt” certs to FQDN… SSL verified with https connection to website both internally and externally. So when the internal clients connect, the external DNS routes them to the external interface and SSL cert etc. all is working. I thought maybe these phones didn’t want to handle coming in through the external addy, but only the internal one, so knowing that the cert needed a hostname to that internal IP, I set up an internal DNS (bind9) and set the phones to use that to give the same hostname so it would pick up the cert and use SSL on the internal IP. This works fine with a web browser, confirmed to connect to the internal IP with the hostname, and SSL checks out.
So any ideas?
- softphones work internal and external, local wifi and internet
- external P310 works fine.
- compared the extension settings on the working and not working; they are the same
- checked the EPM settings though the other external phone worked without it…
Where to get DETAILED SIP logs?
Working with Wireshark, still trying to get them decoded, SSLKEYLOGGING seems not to work…
Got some logs here... seems I've got a mismatch in supported encryption
SIP/2.0 488 Not Acceptable Here
17852 [2021-10-21 11:50:22] VERBOSE res_pjsip_logger.c: <--- Received SIP request (1418 bytes) from TLS:192.168.1.254:25061 --->
17853 INVITE sip:[email protected]:25061;transport=tls SIP/2.0
17854 Via: SIP/2.0/TLS 192.168.1.254:25061;rport;branch=z9hG4bKPj23f5d931-1633-4dd4-a560-cbd8d8e2f767;alias
17855 Max-Forwards: 70
17856 From: "1800P" <sip:[email protected]>;tag=300d5b45-75d5-4415-9785-1c3dc4d40c47
17857 To: <sip:[email protected].COM>
17858 Contact: <sip:[email protected]:25061;transport=TLS;ob>
17859 Call-ID: 3b9bfdd6-25df-4112-b3eb-b4bf34e8a9bd
17860 CSeq: 7294 INVITE
17861 Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
17862 Supported: replaces, 100rel, timer, norefersub
17863 Session-Expires: 1800
17864 Min-SE: 90
17865 User-Agent: Sangoma P310 3_5_1
17866 Authorization: Digest username="1800", realm="asterisk", nonce="1634835022/3a7b2f2beef837f256c12907eb3a231c", uri="sip:[email protected]:25061;transport=tls", response="3c01bc8410183d8c9679a3d834c4eb95", algorithm=md5, cnonce="987f647c-c29b-4dc1-afb7-212826226cd5", opaque="2152d8d96d66c9d5", qop=auth, nc=00000001
17867 Content-Type: application/sdp
17868 Content-Length: 392
17871 o=- 330206311 330206311 IN IP4 192.168.1.146
17874 t=0 0
17876 m=audio 4008 RTP/AVP 0 8 9 111 96
17877 c=IN IP4 192.168.1.146
17879 a=rtcp:4009 IN IP4 192.168.1.146
17881 a=rtpmap:0 PCMU/8000
17882 a=rtpmap:8 PCMA/8000
17883 a=rtpmap:9 G722/8000
17884 a=rtpmap:111 G726-32/8000
17885 a=rtpmap:96 telephone-event/8000
17886 a=fmtp:96 0-16
17887 a=ssrc:1869879436 cname:0939a29b027a4b74
17889 [2021-10-21 11:50:22] VERBOSE res_pjsip_logger.c: <--- Transmitting SIP response (398 bytes) to TLS:192.168.1.254:25061 --->
17890 SIP/2.0 100 Trying
17891 Via: SIP/2.0/TLS 192.168.1.254:25061;rport=25061;received=192.168.1.254;branch=z9hG4bKPj23f5d931-1633-4dd4-a560-cbd8d8e2f767;alias
17892 Call-ID: 3b9bfdd6-25df-4112-b3eb-b4bf34e8a9bd
17893 From: "1800P" <sip:[email protected]>;tag=300d5b45-75d5-4415-9785-1c3dc4d40c47
17894 To: <sip:[email protected]>
17895 CSeq: 7294 INVITE
17896 Server: FPBX-126.96.36.199(16.17.0)
17897 Content-Length: 0
17900 [2021-10-21 11:50:22] ERROR res_pjsip_session.c: 1800: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)
17901 [2021-10-21 11:50:22] VERBOSE res_pjsip_logger.c: <--- Transmitting SIP response (452 bytes) to TLS:192.168.1.254:25061 --->
17902 SIP/2.0 488 Not Acceptable Here
17903 Via: SIP/2.0/TLS 192.168.1.254:25061;rport=25061;received=192.168.1.254;branch=z9hG4bKPj23f5d931-1633-4dd4-a560-cbd8d8e2f767;alias
17904 Call-ID: 3b9bfdd6-25df-4112-b3eb-b4bf34e8a9bd
17905 From: "1800P" <sip:[email protected]>;tag=300d5b45-75d5-4415-9785-1c3dc4d40c47
17906 To: <sip:[email protected]>;tag=5d1f5d0c-e5fc-4709-92b8-2d22b4840820
17907 CSeq: 7294 INVITE
17908 Server: FPBX-188.8.131.52(16.17.0)
17909 Content-Length: 0
17912 [2021-10-21 11:50:22] VERBOSE res_pjsip_logger.c: <--- Received SIP request (433 bytes) from TLS:192.168.1.254:25061 --->
17913 ACK sip:[email protected]:25061;transport=tls SIP/2.0
17914 Via: SIP/2.0/TLS 192.168.1.254:25061;rport;branch=z9hG4bKPj23f5d931-1633-4dd4-a560-cbd8d8e2f767;alias
17915 Max-Forwards: 70
17916 From: "1800P" <sip:[email protected]>;tag=300d5b45-75d5-4415-9785-1c3dc4d40c47
17917 To: <sip:[email protected]>;tag=5d1f5d0c-e5fc-4709-92b8-2d22b4840820
17918 Call-ID: 3b9bfdd6-25df-4112-b3eb-b4bf34e8a9bd
17919 CSeq: 7294 ACK
17920 Content-Length: 0
The INVITE, while being sent over TLS, is not using SRTP. If the Asterisk side is configured for SRTP then it would fail like you’re seeing.
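The check described in the reply above, as an added example that is not part of the original thread: it reads the `m=` line of an SDP offer, tolerating the editor line numbers in the pasted log, and reports whether the media profile is plain RTP (`RTP/AVP`) or an SRTP profile with keying material. The function names and verdict strings are hypothetical, and the second sample offer is constructed for comparison.

```python
import re

PLAIN = {"RTP/AVP", "RTP/AVPF"}
SECURE = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
# Editor line numbers as in the pasted log, e.g. "17876 m=audio ..."
PREFIX = re.compile(r"^\s*\d+\s+(?=[a-z]=)")

def classify_offer(sdp_text):
    """Return [(media, proto, verdict)] for every m= section in an SDP body."""
    sections, session_fp = [], False
    for raw in sdp_text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) >= 3:
                sections.append({"media": fields[0], "proto": fields[2].upper(),
                                 "crypto": False, "fp": session_fp})
        elif line.startswith("a=fingerprint:"):
            if sections:
                sections[-1]["fp"] = True
            else:
                session_fp = True  # session-level, applies to all media
        elif line.startswith("a=crypto:") and sections:
            sections[-1]["crypto"] = True
    return [(s["media"], s["proto"], _verdict(s)) for s in sections]

def _verdict(s):
    if s["proto"] in PLAIN:
        # a=crypto under a plain profile: keys offered, SRTP not mandated
        return "plain-rtp-optional-crypto" if s["crypto"] else "plain-rtp"
    if s["proto"] in SECURE:
        if s["crypto"]:
            return "sdes-srtp"
        return "dtls-srtp" if s["fp"] else "secure-profile-no-keying"
    return "unknown"

# Media lines copied from the INVITE in the thread (line numbers kept).
PAGE_OFFER = """\
17876 m=audio 4008 RTP/AVP 0 8 9 111 96
17877 c=IN IP4 192.168.1.146
17881 a=rtpmap:0 PCMU/8000
17887 a=ssrc:1869879436 cname:0939a29b027a4b74
"""
# Constructed SDES offer for comparison; the inline key is a placeholder.
SRTP_OFFER = """\
m=audio 4008 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_NOT_REAL
"""

if __name__ == "__main__":
    for name, sdp in (("thread INVITE", PAGE_OFFER), ("constructed", SRTP_OFFER)):
        print(name, classify_offer(sdp))
```

An endpoint that requires media encryption rejects the first offer, which matches the 488 in the log; the same check run over a capture confirms whether a call that connected actually negotiated SRTP.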
I've double-checked the extension settings and SIP settings, and media encryption is required. I don’t see anywhere on the phone itself to force this. It only allows SIP addy, port and protocol… nothing about SRTP…
Is there another place besides the web interface to check for this?
Thanks for that, it is set up correctly according to this article. As my rather long (sorry for that) description states, it is working properly with softphones… I did do some of the “D” series phones settings but it made no difference.
I’ve since configured the phones for Syslog so I can see them boot and noticed this in the messages…
> Oct 21 15:39:55 192.168.1.63 core: middleman: processAccount: transport=tls media_encryption=no
> Oct 21 15:39:55 192.168.1.63 core: middleman: processAccount: alt_transport=tls alt_media_encryption=no
> Oct 21 15:39:55 192.168.1.63 core: middleman: Checking firmware for 3_5_1 P310
> Oct 21 15:39:55 192.168.1.63 core: middleman: firmware_blacklist model=P310 minimum_version=3_2_7 specific_version=
> Oct 21 15:39:55 192.168.1.63 core: middleman: firmware_blacklist model=P315 minimum_version=3_2_7 specific_version
You’ll notice that it's showing “media_encryption=no”, so I'm looking for a setting to confirm this on the phone. Is it possible to set this via the web interface or is it only via the EPM?
Anything you set directly on the phone will be overwritten by EPM if the phone reboots, I believe.
I've gone down a rabbit hole trying to get these phones provisioned. The issue still remains…
I've been working with EPM to get these provisioned and using SRTP, but that’s turned out to be trouble also… (see post EPM Sangoma P310 but only "Digium P310" exists in EPM, won't get config)
I have 3 of these phones, haven’t been able to get a single one working with encryption. We originally thought an external one was working with encryption, but an audit (packet capture) showed it was NOT encrypted which turned out to be an issue in the extension config.
SO… I have a FreePBX system which works 100% perfectly with softphones (Linphone) on OS X, Windows, iOS and Android, but my initial purchase of 3 Sangoma P310 phones all fail.
How can I enable SRTP on this phone?
- Web interface has NO settings for SRTP, only TLS
- is there a way to format the SIP (line settings) in the Web interface to force it to use SRTP?
Where to go from here??
Filed an official support request with Sangoma because they are all brand new phones. I'll touch back here if any solution comes back…
No, media encryption is not one of the settings that’s exposed via the phone’s web interface.
SDES SRTP is controlled only via the media_encryption attribute of the host_primary and/or host_alternate children of the account object.
So the only way to use these in what I'll call… “SIP Account mode” (for lack of a better way) is unencrypted?
Don’t you think that is a HUUUUGE miss?
There is a better way. Configure the phones using the better method of feeding them a configuration file that contains the settings that they should use. Using the Web UI to configure the phones is the least preferred method and gets the least development attention, because the primary audience for these telephones is administrators who configure lots of them.
These administrators are configuring the phones via some sort of provisioning system: EPM provides one, Switchvox provides one, admins outside of those environments usually roll their own.
It’s not how you’re trying to configure the phone. If you’re using the phone with FreePBX and/or PBXact, you should probably use EPM to configure the phone. EPM should provide an option for most things; and for those that don’t appear as button controls, you’ve got access to edit the configuration templates themselves.