Trouble with AMI over private IP address

I am using asterisk-java to connect to my FreePBX server (, when I connect over the public IP address, everything works perfectly, but when I am connecting over the internal IP address, I am getting this error.

15	[2021-03-25 15:34:48] NOTICE[30671] manager.c: failed to pass IP ACL as 'myconnection'	
16	[2021-03-25 15:34:48] NOTICE[30671] manager.c: failed to authenticate as 'myconnection'

I have the AMI user set up with the following config, set up via the Settings -> Asterisk Manager Users

secret =  
read = system,call,log,verbose,command,agent,user,config,dtmf,reporting,cdr,dialplan,originate
write = system,call,log,verbose,command,agent,user,config,dtmf,reporting,cdr,dialplan,originate
writetimeout = 100

Is there an ACL somewhere else that I need to configure so that I can use the AMI? Any help would be appreciated.


EDIT: The secret is not blank in the actual config. But I have it blank here because I know not to post information like that online.

You need a secret. Allowing the whole internet with or without a password is not recommended

I do have a secret, I just removed it for an example.

The server is limited on what IP can access it from the public internet so I am not super worried about that, and I will lock down the AMI user as soon as I am able to connect over its internal IP address.

What is bindaddr set to in /etc/asterisk/manager.conf? If not set to you will only be able to access from the specified interface.


Here is a copy of my manager.conf

enabled = yes
port = 5038
bindaddr =
displayconnects=no ;only effects 1.6+

secret = REMOVED
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
writetimeout = 5000

#include manager_additional.conf
#include manager_custom.conf

It does look like bindaddr is set to what should it be set to to allow connections from other servers? How do I set it? means it binds to all your network interfaces, so it’s good but you can set it to listen on your lan address if you want to so limit access. Given then Your [myconnection] in manager_additional.conf and would be thus set to permit = no need to deny anything. BTW, writetimeout is in milliseconds.

I am a little confused about where I need to be looking to get this to work.

I am not able to have a null value for deny, FreePBX gives me an error when I do not have an ip address and subnet in that field.

My current value for Deny is

You are denying no-one, what should work is

bindaddr =
permit =

Assuming you PBX is at, to deny everything but your local PBX itself and all hosts in your LAN

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.