Trying to connect a spa942 as a remote phone

PBX Version:

14.0.16.11

PBX Distro:

12.7.8-2203-2.sng7

Asterisk Version:

13.38.3

All the phones worked without a hitch, but now I have some people working remotely, so I placed the FreePBX server on the dmz and enabled the firewall. I modified the sip settings in the phone with the public IP address on the router where the server is and set the phone for NAT. SIP connects just fine, and the phones ring in and out, but there is no audio either way.

I did some troubleshooting and for some reason, rtp keeps trying to connect to the spa942 on it’s private IP address in the satellite office. SIP routes fine, but RTP doesn’t. Any suggestions?

The SIPSTATION firewall test fails. I can see the phone on the correct IP address in the endpoint manager. Thsi phone used to be on the inside with the others, it’s now on a completely different network. The inside network is 192.168.1.x and the phone is on 192.168.254.x

The phones are set for chan_SIP, but chan_sip settings, it says it’s working on port 5160 even though the phones are at 5060 (in the office). But I put this phone on 5160 which is the way the system provistioned it.

quite strange. Be aware that you may open extentions and your pbx to the world.
If using chan_sip (5160), the phones register for such a long time, until the other one registers. Therefore the registered phones change e.g every 300 secs.
You should use pjsip for the respective extension and increase the number of possible phones/connects from 1 to - lets say - 3. I usually set 5 during the corona home-office situation. Latest registrations are usually not cleared immediately. It takes some minutes until max contacts is free again. Set allowed IP-ranges on the extension-settings to reduce the risk of hacking a little bit. However better solution maybe:
Allow home-users a VPN-connect to the router, which is in front of your pbx and define IP-ranges the home-user can get, once connected via VPN. And leave your PBX behind the routers firewall and not in demilitarized section. So, external users come in like internal users.
The VPN-connect should be configured between home-users router and your office router. So you do not need not to make specific settings on the physical phone. Just plug it in, and the routers will handle the connection. PJSIP on 5060 is better since more than one phone can register at the same time.

VPN isn’t an option. I don’t have control over their routers/modems and some of them don’t have the VPN capability. I’m on Frontier and the modem they gave me doesn’t have VPN. I don’t know how good the firewall in freePBX works, but I’ve been using a couple of publicly hosted machines without an issue.

I’ve never had any luck with PJSIP, but I’ll give that a try.

Same issue with PJSIP. No audio. This has to be a routing issue but I can’t find any setting where RTP doesn’t follow the same route that SIP follows. I turned on rtp debug. I can see it routing all the RTP traffic to the private IP address of the phone, but there’s no path without a VPN. It should be going to the public IP address of the remote phone so NAT translation can take place, but it isn’t.

It confuses me why one port goes one way and the other port goes another.

If the phone isn’t properly set up for NAT, or can’t be, Asterisk will not be able to send media to it until it has received media from it, and even then, for that to work, symmetric_rtp must be enabled. Asterisk will, initially, obey the standards, and send media to the address in the c= line in the SDP. Only with the conditions above will it violate the standards and use the address from which it is receiving media.

Note if Asterisk is behind NAT and its media address and local networks are not properly set, you will end up with a stalemate, even if the other side has the equivalent of symmetric RTP enabled. One side has to send a usable address in its c= line for media to work when both are behind different NATs (ignoring the possibility of using ICE).

I’m using a STUN server on both the server and the phone. NAT is enabled on both ends and symmetric
RTP is enabled on the phone. RTP traffic continues to be routed to the private IP address of the phone. I’m using the public google stun server.

Please provide the c= lines sent by both sides.

Actually it is best if you provide the complete INVITE, 200 OK and ACK message, as you may be getting away with private addresses for more than just the media. You can replace the addresses with public-phone-ip, private-phone-ip, public-asterisk-ip, and private-asterisk-ip.

1 Like

As @david55 said. Until you can upgrade to at least Asterisk 16, I don’t recommend switching to pjsip, unless we discover a specific problem where it might help.

Please confirm that in Asterisk SIP Settings (General tab), External Address and Local Networks are correctly set. Media Transport Settings should all be blank. On the chan_sip tab, you should have NAT set to yes, IP Configuration set to Static IP, Override External IP left blank. If you change any of these, after Submit and Apply Config you must restart Asterisk.

In the router on the server side, forward UDP ports 10000-20000 to the LAN address of the PBX.

If no luck, at the Asterisk command prompt, type
sip set debug on
make a failing test call, paste the Asterisk log for the call at pastebin.freepbx.org and post the link here. If you are too new to post links, just post the last eight hex characters of the URL.

I hope this works. Trying to use pastebin

2022/05/11 12:45:14.942760 47.xxx.xxx.xxx:5060 -> 192.168.1.15:5060
INVITE sip:*[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.254.134:5060;branch=z9hG4bK-ef9fb1ea
From: "102" <sip:[email protected]>;tag=2a75709720605462o0
To: "Voice Mail" <sip:*[email protected]>
Call-ID: [email protected]
CSeq: 101 INVITE
Max-Forwards: 70
Contact: "102" <sip:[email protected]:5060>
Expires: 240
User-Agent: Linksys/SPA942-6.1.5(a)
Content-Length: 403
Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER
Supported: replaces
Content-Type: application/sdp

v=0
o=- 1782158 1782158 IN IP4 192.168.254.134
s=-
c=IN IP4 192.168.254.134

2022/05/11 12:45:14.985050 47.xxx.xxx.xxx:5060 -> 192.168.1.15:5060
ACK sip:*[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.254.134:5060;branch=z9hG4bK-ef9fb1ea
From: "102" <sip:[email protected]>;tag=2a75709720605462o0
To: "Voice Mail" <sip:*[email protected]>;tag=z9hG4bK-ef9fb1ea
Call-ID: [email protected]
CSeq: 101 ACK
Max-Forwards: 70
Contact: "102" <sip:[email protected]:5060>
User-Agent: Linksys/SPA942-6.1.5(a)
Content-Length: 0



2022/05/11 12:45:15.056384 192.168.1.15:5060 -> 47.xxx.xxx.xxx:5060
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.254.134:5060;rport=5060;received=47.xxx.xxx.xxx;branch=z9hG4bK-fc0baa96
Call-ID: [email protected]
From: "102" <sip:[email protected]>;tag=2a75709720605462o0
To: "Voice Mail" <sip:*[email protected]>;tag=c76546b6-a9ca-4e93-89b8-56b3a4ba6555
CSeq: 102 INVITE
Server: FPBX-14.0.16.11(13.38.3)
Contact: <sip:47.229.25.30:5060>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
P-Asserted-Identity: "My Voicemail" <sip:[email protected]>
Content-Type: application/sdp
Content-Length:   282

v=0
o=- 1782158 1782160 IN IP4 47.229.25.30
s=Asterisk
c=IN IP4 47.229.25.30
t=0 0
m=audio 15500 RTP/AVP 0 8 2 101

It worked. I went to check the phone output and noticed that the google stun server was failing, so I used a different stun server and it worked.

Actually, I’m only halfway there. I was able to dial into voicemail which I couldn’t do before, but trying to call an outside line, I still couldn’t hear audio either way. Still troubleshooting.

I set everything up as you suggested. I haven’t looked at the RTP debug info since the phones started working between extensions and to voicemail. Here’s my log SIP log

The remote extension is 102. I dumped everything to a file during the test so there’s other activity in the log.

Ok. So, either no one knows what’s going on with my routing issue or I said something to make everything think I fixed it… Not sure which but I can see this is a dead thread.

As I continue to update this job. I have updated my FreePBX server to 16
PBX Version:16.0.19
PBX Distro:12.7.8-2204-1.sng7
Asterisk Version:13.38.3

With no change in operation. I converted my one extension to PJSIP. I even deleted the extension and re added it which required the newly generated password to be saved in the phone and the phone connects. I can call voicemail and I can call other extensions in the office, but I can’t get any audio when I’m making calls to public numbers. No in bound audio and no outbound audio, but the phone I’m dialing does ring.

The only think I thought was odd, but I don’t know what’s going on anyway, is when the phone I’m calling answers (I’m letting it go to voicemail so I can see if there is any outbound audio), the FreePBX server takes over the line and creates a bridge?? from the phone number on the FreePBX server to the number I called. I assume that’s normal, but this is what I get using sngrep,

Remote-Party-ID: “Outbound Call” sip:[email protected];party=calling;privacy=off;screen=no

v=0
o=Sonus_UAC 979799 731745 IN IP4 67.231.13.111
s=SIP Media Capabilities
c=IN IP4 67.231.13.24
t=0 0
m=audio 32178 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20

Those IP addresses aren’t associated to my phone or to FreePBX at all. I don’t know where they came from. They aren’t my private IP address and they aren’t my public addresses on the server or my phone.

Any ideas?

I figured it out. My router in DMZ mode was not properly NAT’ing traffic. When I turned off DMZ and used port forwarding the phones worked to make calls to outside numbers and inside numbers.

What happened when you tried that four days ago?

My intent was to make the server available to phones on the public internet. I’ve been using this system for about 6 years, but all the phones were on the local network with the server. I didn’t want to expose 5060 to the outside world because of hackers, but now I needed to.

So, that port forwarding worked for the phones on the inside but, following recommendations in FreePBX’s firewall instructions, I put the server in the DMZ thinking all the forwarding would be taken care of. That isn’t what happened. All of this would be avoided if I had just added 5060 to port forwarding.

I’m not sure how this will affect other things I setup. for example, I’m pretty sure my let’s encrypt updates will fail because port 80 is not exposed and of course, I can no longer administer the server from outside because the 443 isn’t exposed and provisioning won’t work now either (even though the phone never provisioned from the server from the outside. Since I have the phone with me, I was able to provision it manually which isn’t always an easy task.

I hope that answers your question.

On second reading, I see that you recommended that. I didn’t do that because my server was on a DMZ, what purpose would port forwarding serve? Does port forwarding work even if the server is on the DMZ? I never thought of that.

99.9% of all ‘hacks’ are directed at UDP/5060, There are 100 reasons NOT to use that for registrations and invites and pretty well 0 FOR using it.

To use HTTP-01 as a protocol for LE is required but only for a few seconds of exposure every 60 days and that to a relatively easily protected URL Switching to DNS-01 if feasible requires no exposure ever to port 80,

  • Given a proper certification port 443 is relatively protected but a few firewall rules can further protect.

  • Given that certification, switching to TLS/5061 is recommended for your external endpoints, failing that using TCP/(random unused port in the high thousands) will further limit access

Are you suggesting that I use a different port number? If that’s all that was needed, I’ve moved it.

I’m not sure what DNS-01 is

I’m not sure spa942 will handle that, but I’ll look into it.

Thanks for the information.