[SOLVED] Cannot register when connecting via a VLAN

I currently have a working system - FreePBX 12 and many Polycom IP phones.

Right now, everything is on the default VLAN 1 (192.168.1.x).

For testing purposes, I moved 1 phone to a different VLAN 12 (192.168.12.x). At this point, communication between VLAN 1 and 12 is wide open. There are no restrictions and everybody can communicate with everybody else.

When I boot the test phone on VLAN 12, it grabs the right IP address, it can connect to the provisioning server, grabs the correct settings, it gets the phone background, and it grabs the current time. The only thing it will not do is register the line.

I can ping the phone from VLAN 1 and even connect to the phone's web interface. I hooked up a laptop on VLAN 12 and I can ping the FreePBX server and log in to the admin interface.

I have 192.168.1.x and 192.168.12.x listed as local networks under Settings -> Asterisk SIP Settings -> General SIP Settings -> NAT Settings -> Local Networks

If I switch the phone back to VLAN 1, the line registers fine.

What am I missing?

Might have been banned by intrusion detection.
If it is, whitelist and restart the service.

If not, what do you see in the logs when it attempts to register?

Intrusion detection is currently turned off.

The log on the phone shows:
sip |4|03|Registration failed User: 100, Error Code:480 Temporarily not available

I looked at freepbx.log but didn’t see anything that looked useful. And nothing mentioning registration failure, or the specific extension or IP.

Is there another log I should be looking at?


Assuming the PBX firewall is disabled as well

I couldn’t find anything in the “full” log. Although, I am not sure exactly what I am looking for.

Does FreePBX 12 have a firewall? I couldn’t find it. Wasn’t it introduced in a later version?

cd /var/log/asterisk

ll | grep full

Does that return anything?

No it does not.

Sorry, I wasn’t clear. I can access the full log, I just couldn’t find anything in there that looked useful.

I can see in the log an entry when I change from VLAN 1 to VLAN 12. “Peer ‘100’ is now UNREACHABLE! Last qualify: 14”

But after that, nothing about ext 100 or registration errors, etc.

Then your phone isn’t reaching the PBX for some reason.

Can you put the laptop on the VLAN 12 network again and run nmap against the PBX IP and see if the PBX responds on 5060?

You can also try to set up a softphone on your laptop (X-Lite and Zoiper are free) and try a manual registration.

Port 5060 (UDP) is open, but nmap lists it as “open|filtered”. The other TCP ports are just listed as “open”

Can you register a softphone?

Monitor the full log while you do so.

I can register a softphone on VLAN 1, but not VLAN 12. I get Request Timeout code 408. But nothing shows in the full log during the registration attempt.

I feel like this “open|filtered” result in nmap has something to do with it.

I can SSH into the server from VLAN 12, I can telnet into the server on port 81.

I tried using PortQry to connect to UDP port 5060 and the result was also “Listening or Filtered”

Double check if exists in the Asterisk SIP Settings.

Next I would try two things:
In the extension set nat = Yes.
Try an Asterisk restart.

Double-checked and are both listed under Local Networks in the SIP Settings page.

Changed the extension to nat = yes

Restarted asterisk using amportal restart. During the restart, “Stopping fail2ban” failed and “Starting fail2ban” failed. But, asterisk started anyways.

Still can’t register from VLAN 12.

Correct me if I’m wrong, if the PBX would reject the registration you’d get a different error, not a 408.

So I assume there’s a routing misconfiguration on your network.

The next step would be to use Wireshark on your laptop or tcpdump on the PBX. (Or if you have sngrep installed, use that.)

It’s solved.

The FreePBX server had iptables running and only listed the network.

I added the network with the following command and now everything connects fine.

iptables -I INPUT 2 -s -j ACCEPT

As a note, when nmap says “open|filtered” this does NOT mean open. All it means is that it didn’t specifically get denied. It sent a request and nothing came back. So it’s assuming that it’s open. In this case, iptables was filtering the requests from anything other than the network listed.

The last rule in iptables was to DROP all non-matching port 5060 packets. If this rule was set to REJECT instead, nmap might have listed the port as “closed” instead of “open|filtered”. I would test this theory but I have already spent too much time on this anyways.

Hopefully this post helps somebody else out in the future.

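The two points the thread turned on, the nmap/softphone check suggested earlier and the “open|filtered” explanation in the solution, can be tested more directly than with a port scanner: send a SIP OPTIONS request to UDP 5060 and see what comes back. A real SIP reply means the port is genuinely open; an ICMP port-unreachable (what you get from a REJECT rule or nothing listening) means closed; silence (a DROP rule, or a listener that ignored you) is exactly what nmap reports as “open|filtered”. The script below is an added example written for this page, not code from the thread or from FreePBX; the PBX address 192.168.1.10 used in the usage line and the probe@ contact identity are assumptions.

```python
import random
import socket
import sys


def build_options(target_host, target_port=5060, local_host="0.0.0.0", local_port=5060):
    """Build a minimal SIP OPTIONS request (RFC 3261 keep-alive/capability probe).

    Asterisk answers OPTIONS on its SIP listener even for unregistered peers,
    so a reply proves the UDP path is open end to end. The probe@ identity and
    the random Via branch / Call-ID / tag values are constructed for this example.
    """
    branch = "z9hG4bK%08x" % random.getrandbits(32)   # z9hG4bK is the mandatory magic cookie
    call_id = "%08x" % random.getrandbits(32)
    tag = "%08x" % random.getrandbits(32)
    msg = (
        f"OPTIONS sip:{target_host}:{target_port} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_host}:{local_port};branch={branch};rport\r\n"
        f"Max-Forwards: 70\r\n"
        f"From: <sip:probe@{local_host}>;tag={tag}\r\n"
        f"To: <sip:{target_host}>\r\n"
        f"Call-ID: {call_id}@{local_host}\r\n"
        f"CSeq: 1 OPTIONS\r\n"
        f"Contact: <sip:probe@{local_host}:{local_port}>\r\n"
        f"Accept: application/sdp\r\n"
        f"Content-Length: 0\r\n\r\n"
    )
    return msg.encode()


def parse_status(data):
    """Return (code, reason) from a SIP response status line, or None if it is not one."""
    first_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = first_line.split(" ", 2)
    if len(parts) < 3 or parts[0] != "SIP/2.0":
        return None
    try:
        return int(parts[1]), parts[2]
    except ValueError:
        return None


def classify(event, data=b""):
    """Map what the UDP probe observed onto the same port states nmap -sU reports."""
    if event == "response":
        # Any datagram back from the port means something is listening and reachable.
        return "open", parse_status(data)
    if event == "refused":
        # ICMP port-unreachable: nothing bound to the port, or an iptables REJECT rule.
        return "closed", None
    if event == "timeout":
        # Silence: an iptables DROP rule or a listener that ignored us. Indistinguishable,
        # which is why nmap hedges with "open|filtered" for UDP.
        return "open|filtered", None
    raise ValueError(f"unknown probe event: {event}")


def probe(host, port=5060, timeout=2.0):
    """Send one OPTIONS to host:port over UDP and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        # connect() on a UDP socket makes Linux surface ICMP port-unreachable
        # as ECONNREFUSED on the following recv(); an unconnected socket would not.
        sock.connect((host, port))
        sock.send(build_options(host, port))
        data = sock.recv(4096)
        return classify("response", data)
    except ConnectionRefusedError:
        return classify("refused")
    except socket.timeout:
        return classify("timeout")
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python3 sip_probe.py 192.168.1.10   (PBX address is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"
    state, status = probe(target)
    print(f"{target}:5060/udp -> {state}" + (f" (SIP {status[0]} {status[1]})" if status else ""))
```

Run it from the VLAN 12 laptop: a result of "open (SIP 200 OK)" means registration failures are the PBX's decision and will show up in the full log; "open|filtered" with no log entry at all is the firewall-DROP picture from this thread, and "closed" points at a REJECT rule or a PBX not bound to that port.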
