
Sangoma Phone with TLS Encryption works but shows as unreachable


#1

I finally got TLS configured and working to allow encrypted communication between a remote telephone and our PBX; however, it is still showing UNREACHABLE in the Endpoint Manager.

I did change the TLS port to a non-standard port of 5062; however, it shows 5060 in EM.

Anyone know how to resolve this? I’d like to have it show up as being registered to facilitate troubleshooting.


#2

The other thing that I’ve noticed

  • I can make outbound calls
  • I cannot receive calls. It won’t ring.

I am seeing a lot of these messages as well

tcptls.c:1102 ast_tcptls_client_start: Unable to connect SIP socket to 10.10.113.165:5060: Connection refused


(Itzik) #3

The picture here is not Endpoint Manager, this is the peers section, and the port there is the local port, not the port it’s trying to register on.

Ok. Can you explain the process what you did to get your phones TLS done?
Also, is 5062 forwarded to your PBX?


(Lorne Gaetz) #4

TLS/SRTP with Sangoma phones is all managed thru EPM:
https://wiki.freepbx.org/display/PHON/TLS+and+SRTP


#5

Certificates were already set up - we have Zulu working presently

Followed the process to enable TLS for Chan SIP here https://wiki.freepbx.org/display/PHON/TLS+and+SRTP

Change SIP Settings to enable TLS, change port to 5062
Set to no for Don’t check server
Change Endpoint manager > global settings > external IP address to match FQDN name associated with our certificate.

Opened TCP port 5062 in Firewall going to the FreePBX server

Set the extension Transport to TLS Only, Enable Encryption: Yes (SRTP only)
Rebuild the provisioning profile
Factory reset the phone - have it provision via HTTPS provisioning by way of DHCP option 66

You are correct, the picture was of the SIP Peers. See the picture below of the Endpoint Manager

Thanks for the help


#6

Here are the extension settings for the phone


#7

Chan SIP Settings > TLS Settings
Note: blurred out the certificate name but it is FQDN

Chan SIP Settings > Advanced General Settings


(Itzik) #8

Where did you change that?


#9


(Itzik) #10

Did you restart Asterisk after making that change?


#11

I did fwconsole restart


#12

I restarted the entire PBX this morning as well


(Tom Ray) #13

Show an actual call to the device.

asterisk -r
sip set debug on

call the device and copy and paste the output to pastebin and give us the link.


#14

I will do that as soon as I can

Thanks!

