Sangoma Phone with TLS Encryption works but shows as unreachable

gwntc · July 25, 2019, 4:28am

I finally got TLS configured and working to allow encrypted communication between a remote telephone and our PBX however it is still showing UNREACHABLE in the Endpoint Manager.

I did change the TLS port to a non-standard port of 5062 however it shows 5060 in EM.

Anyone know how to resolve this? I’d like to have it show up as being registered to facilitate troubleshooting.

gwntc · July 25, 2019, 4:41am

The other thing that I’ve notice

I can make outbound calls
I cannot receive calls. It won’t ring.

I am seeing a lot of these messages as well

tcptls.c:1102 ast_tcptls_client_start: Unable to connect SIP socket to 10.10.113.165:5060: Connection refused

PitzKey · July 25, 2019, 9:47am

The picture here is not Endpoint Manager, this is the peers section, and the port there is the local port, not the port it’s trying to register on.

Ok. Can you explain the process what you did to get your phones TLS done?
Also, is 5062 forwarded to your PBX?

lgaetz · July 25, 2019, 12:00pm

TLS/SRTP with Sangoma phones is all managed thru EPM:
https://wiki.freepbx.org/display/PHON/TLS+and+SRTP

gwntc · July 25, 2019, 12:39pm

Certificates were already setup - we have Zulu working presently

Followed the process to enable TLS for Chan SIP here TLS and SRTP - Phones - Documentation

Change SIP Settings to enable TLS, change port to 5062
Set to no for Don’t check server
Change Endpoint manager > global settings > external IP address to match FQDN name associated with our certificate.

Opened TCP port 5062 in Firewall going to the FreePBX server

Set the extension Transport to TLS Only, Enable Encryption: Yes (SRTP only)
Rebuild the provisioning profile
Factory reset the phone - have it provision via HTTPS provisioning by way of DHCP option 66

You are correct, the picture was of the SIP Peers. See the picture below of the Endpoint Manager

Thanks for the help

gwntc · July 25, 2019, 12:42pm

Here are the extension settings for the phone

gwntc · July 25, 2019, 12:49pm

Chan SIP Settings > TLS Settings
Note: blurred out the certificate name but it is FQDN

Chan SIP Settings > Advanced General Settings

PitzKey · July 25, 2019, 9:49pm

Where did you change that?

gwntc · July 25, 2019, 11:34pm

PitzKey · July 26, 2019, 9:11am

Did you restart Asterisk after making that change?

gwntc · July 26, 2019, 11:37am

I did fwconsle restart

gwntc · July 26, 2019, 7:14pm

I restarted the entire PBX this morning as well

BlazeStudios · July 26, 2019, 10:19pm

Show an actual call to the device.

asterisk -r
sip set debug on

call the device and copy and paste the output to pastebin and give us the link.

gwntc · July 31, 2019, 2:53am

I will do that as soon as I can

Thanks!

system · August 7, 2019, 2:53am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.