- SOLVED - Remote ext, and SIP trunks unreachable


Never seen this before, the only thing different in this setup than a dozen other ones I’ve done, is the version of FreePBX

I have another identical setup running FreePBX - no problems
Same hardware, same firewall, same SIP provider

I’ve had the SIP provider look at it too. The symptoms:

Remote extension connecting over VPN, can dial out fine, but inbound calls ring straight to VM, because the phone is shown as “unavailable”.

SIP trunk, inbound calls work fine, but outbound calls fail (congestions) due to trunk unavailable. The SIP provider see the registration as up.

when you run "sip show peers"
username, port, status “unreachable”

CLI output
WARNINGe[0m[5729]: e[1;37mapp_dial.ce[0m:e[1;37m2341e[0m e[1;37mdial_exec_fulle[0m: Unable to create channel of type ‘SIP’ (cause 20 - Subscriber absent)
Executing [[email protected]:23] e[1;36mNoOpe[0m(“e[1;35mSIP/199-00000649e[0m”, “e[1;35mDial failed for some reason with DIALSTATUS = CHANUNAVAIL and HANGUPCAUSE = 20e[0m”)
(sorry for the garbage, output got garbled some)

I bet that fail2ban blocked it. Have you tried stopping iptables and fail2ban?

/etc/init.d/fail2ban stop
/etc/init.d/iptables stop

confirmed both stopped

/etc/init.d/fail2ban status
/etc/init.d/iptables status

(have not restarted asterisk - did reload SIP, and disabled the trunk, and reenabled)
Still the same thing. The SIP SHOW PEERS shows “unreachable” forceport does show “N”

Misc. CLI
[2013-06-10 10:50:13] NOTICE[1798]: chan_sip.c:26502 sip_poke_noanswer: Peer ‘SIP-Trunk’ is now UNREACHABLE! Last qualify: 0
[2013-06-10 10:50:13] NOTICE[1798]: chan_sip.c:26502 sip_poke_noanswer: Peer ‘SIP-Trunk’ is now UNREACHABLE! Last qualify: 0

What happens if you do a tcpdump src x.x.x.x -s 512 where x.x.x.x is the source ip address of the device you are getting unreachable on.

Also when it makes a call what IP/port shows up in sip show channels?

You may have a split horizon or NAT issue.

1 Like

tcpdump from the IP address of the SIP trunk provider = inbound call show
IP address of SIP provider.sip>PBX hostname.SIP

tcpdump from the IP address of the remote phone = inbound call show
01:20:38.846745 IP {IP of Phone}.cap > {hostname of pbx}.sip: SIP, length: 397
01:20:39.092677 IP {IP of Phone}.hbci > {hostname of pbx}.11844: UDP, length 172
I added { }, and omitted a bunch redundant data

That show me, the SIP setup, then the RTP audio, then the SIP tear down
basically nothing - the phone contacts the PBX, the PBX replies “no outbound route”, call terminates

The sip show channels - didn’t seem to show relevant data
Sip show peer {sip trunk user ID} - shows the host name as correct, and IP address:5060 {correct IP to the host name}
01:21:58.765289 IP {IP of Phone}.cap > {hostname of pbx}.sip: SIP, length: 655

You said the phone is showing unavailable. That indicates that SIP registration not making it to Asterisk.

What is the results of the sip debug in Asterisk on SIP register message?

Also what if you program the IP of the phone statically in host field? Does it work then?

The SIP qualify is failing for both extension connected via VPN, or SIP trunks. (I’ve tried a few different SIP providers) So its the Option packet that is failing, and being retransmitted, over and over again. Sip Poke noanswer peer unreachable (Local phones, on the same subnet work/register fine)

That would indicate a NAT/Firewall issue.

The SIP trunks and the VPN extension are registered, just no status because the SIP qualify fails.

I’ve screwed with:

  • NAT, Route, No Nat
  • UDP timeouts on firewall (TCP too)
  • Firewall rules
  • changed the qualify time, and turned it off

The firewall does have a different firmware, and it’s a different version of FreePBX. The firewall is very simple, I can’t see that is the problem, but whatever, I’ll replace the firewall at this point.

I did have some issues with the TDM at first build (r4fxo), I had to change the echo cancellation

Wonder what would happen if I turn SIP Qualify off the SIP trunk, it would then be unmonitored, but would an outbound call then work?

Is the SIP ALG off on the firewall? What kind of firewall?

Netgear FVS 338. I’ve been using these firewalls with SIP trunks for 6years. Small entry level firewall. There are no VOIP settings - no SIP ALG.

check the session timeout settings in the firewall - even this old firewall should have them. the issue is most likely that the firewall is closing the udp session. set the udp timer to a high value. look under the firewall/security settings - you should find the tcp and udp timer values there

OK the firmware for this firewall is 3.0.5-24

which appears to possibly be some oddball firmware, that may possibly enable SIP ALG, but not have any setting showing it. Previous versions did not do this, and later versions have the setting visable

I am going to upgrade the firmware, or replace the firewall with one that has a more usable firmware (whichever is easier)

I took another Netgear FVS 338, and put firmware 3.0.2-21 on it (a lower version, that I know works fine), then I saved the config from the 338 in service, restored the config. to the new 338 with 3.0.2-21 firmware, replaced the firewall (plug and play) all SIP trunks came immediately up.

So … it appears from experience and from what I’ve read firmware 3.0.5-24 implements SIP ALG but does not have any option to turn it off.

(I opted to use a lower firmware that doesnt implement SIP ALG, instead of a newer one with the option to turn it off)