Trying to connect a spa942 as a remote phone

If the phone isn’t properly set up for NAT, or can’t be, Asterisk will not be able to send media to it until it has received media from it, and even then, for that to work, symmetric_rtp must be enabled. Asterisk will, initially, obey the standards, and send media to the address in the c= line in the SDP. Only with the conditions above will it violate the standards and use the address from which it is receiving media.

Note if Asterisk is behind NAT and its media address and local networks are not properly set, you will end up with a stalemate, even if the other side has the equivalent of symmetric RTP enabled. One side has to send a usable address in its c= line for media to work when both are behind different NATs (ignoring the possibility of using ICE).

I’m using a STUN server on both the server and the phone. NAT is enabled on both ends and symmetric RTP is enabled on the phone. RTP traffic continues to be routed to the private IP address of the phone. I’m using the public Google STUN server.

Please provide the c= lines sent by both sides.

Actually it is best if you provide the complete INVITE, 200 OK and ACK message, as you may be getting away with private addresses for more than just the media. You can replace the addresses with public-phone-ip, private-phone-ip, public-asterisk-ip, and private-asterisk-ip.


As @david55 said. Until you can upgrade to at least Asterisk 16, I don’t recommend switching to pjsip, unless we discover a specific problem where it might help.

Please confirm that in Asterisk SIP Settings (General tab), External Address and Local Networks are correctly set. Media Transport Settings should all be blank. On the chan_sip tab, you should have NAT set to yes, IP Configuration set to Static IP, Override External IP left blank. If you change any of these, after Submit and Apply Config you must restart Asterisk.

In the router on the server side, forward UDP ports 10000-20000 to the LAN address of the PBX.

If no luck, at the Asterisk command prompt, type
sip set debug on
make a failing test call, paste the Asterisk log for the call at pastebin.freepbx.org and post the link here. If you are too new to post links, just post the last eight hex characters of the URL.

I hope this works. Trying to use pastebin

2022/05/11 12:45:14.942760 47.xxx.xxx.xxx:5060 -> 192.168.1.15:5060
INVITE sip:*[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.254.134:5060;branch=z9hG4bK-ef9fb1ea
From: "102" <sip:[email protected]>;tag=2a75709720605462o0
To: "Voice Mail" <sip:*[email protected]>
Call-ID: [email protected]
CSeq: 101 INVITE
Max-Forwards: 70
Contact: "102" <sip:[email protected]:5060>
Expires: 240
User-Agent: Linksys/SPA942-6.1.5(a)
Content-Length: 403
Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER
Supported: replaces
Content-Type: application/sdp

v=0
o=- 1782158 1782158 IN IP4 192.168.254.134
s=-
c=IN IP4 192.168.254.134

2022/05/11 12:45:14.985050 47.xxx.xxx.xxx:5060 -> 192.168.1.15:5060
ACK sip:*[email protected] SIP/2.0
Via: SIP/2.0/UDP 192.168.254.134:5060;branch=z9hG4bK-ef9fb1ea
From: "102" <sip:[email protected]>;tag=2a75709720605462o0
To: "Voice Mail" <sip:*[email protected]>;tag=z9hG4bK-ef9fb1ea
Call-ID: [email protected]
CSeq: 101 ACK
Max-Forwards: 70
Contact: "102" <sip:[email protected]:5060>
User-Agent: Linksys/SPA942-6.1.5(a)
Content-Length: 0



2022/05/11 12:45:15.056384 192.168.1.15:5060 -> 47.xxx.xxx.xxx:5060
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.254.134:5060;rport=5060;received=47.xxx.xxx.xxx;branch=z9hG4bK-fc0baa96
Call-ID: [email protected]
From: "102" <sip:[email protected]>;tag=2a75709720605462o0
To: "Voice Mail" <sip:*[email protected]>;tag=c76546b6-a9ca-4e93-89b8-56b3a4ba6555
CSeq: 102 INVITE
Server: FPBX-14.0.16.11(13.38.3)
Contact: <sip:47.229.25.30:5060>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
P-Asserted-Identity: "My Voicemail" <sip:[email protected]>
Content-Type: application/sdp
Content-Length:   282

v=0
o=- 1782158 1782160 IN IP4 47.229.25.30
s=Asterisk
c=IN IP4 47.229.25.30
t=0 0
m=audio 15500 RTP/AVP 0 8 2 101
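
A check for what the trace above shows, as an added example that is not part of the original thread: it flags SIP and SDP fields that advertise an RFC 1918 address even though the packet arrived from a public source. The function names and the sample messages are assumptions constructed for illustration (documentation-range addresses stand in for the redacted public ones).

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress.is_private would also flag the
# documentation ranges used below as stand-in public addresses.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First IPv4 address advertised in each field of interest.
FIELDS = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)", re.M | re.I),
    "Contact": re.compile(r"^Contact:.*?sip:(?:[^@>\s]*@)?([\d.]+)", re.M | re.I),
    "SDP o=": re.compile(r"^o=.*\bIN IP4 ([\d.]+)", re.M),
    "SDP c=": re.compile(r"^c=IN IP4 ([\d.]+)", re.M),
}

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit(message, packet_source):
    """Return {field: address} for fields carrying an RFC 1918 address when
    the packet itself came from a non-RFC 1918 source, meaning the sender is
    behind NAT and did not rewrite that field."""
    if is_rfc1918(packet_source):
        return {}  # same private network: those addresses are reachable
    findings = {}
    for name, pattern in FIELDS.items():
        m = pattern.search(message)
        if m and is_rfc1918(m.group(1)):
            findings[name] = m.group(1)
    return findings

# Constructed samples modelled on the trace: phone behind NAT, PBX rewriting.
PHONE_INVITE = """INVITE sip:vm@203.0.113.10 SIP/2.0
Via: SIP/2.0/UDP 192.168.254.134:5060;branch=z9hG4bK-constructed
Contact: "102" <sip:102@192.168.254.134:5060>
Content-Type: application/sdp

v=0
o=- 1782158 1782158 IN IP4 192.168.254.134
c=IN IP4 192.168.254.134
"""
PBX_200_OK = """SIP/2.0 200 OK
Contact: <sip:203.0.113.10:5060>

v=0
o=- 1782158 1782160 IN IP4 203.0.113.10
c=IN IP4 203.0.113.10
"""

if __name__ == "__main__":
    print(audit(PHONE_INVITE, "198.51.100.7"))  # every field is flagged
    print(audit(PBX_200_OK, "203.0.113.10"))    # nothing is flagged
```

A private Via is normally compensated for by the `rport` and `received` parameters, so the `SDP c=` finding is the one that decides where media is sent.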

It worked. I went to check the phone output and noticed that the google stun server was failing, so I used a different stun server and it worked.

Actually, I’m only halfway there. I was able to dial into voicemail which I couldn’t do before, but trying to call an outside line, I still couldn’t hear audio either way. Still troubleshooting.

I set everything up as you suggested. I haven’t looked at the RTP debug info since the phones started working between extensions and to voicemail. Here’s my SIP log

The remote extension is 102. I dumped everything to a file during the test so there’s other activity in the log.

Ok. So, either no one knows what’s going on with my routing issue or I said something to make everyone think I fixed it… Not sure which but I can see this is a dead thread.

As I continue to update this job, I have updated my FreePBX server to 16
PBX Version:16.0.19
PBX Distro:12.7.8-2204-1.sng7
Asterisk Version:13.38.3

With no change in operation. I converted my one extension to PJSIP. I even deleted the extension and re-added it, which required the newly generated password to be saved in the phone, and the phone connects. I can call voicemail and I can call other extensions in the office, but I can’t get any audio when I’m making calls to public numbers. No inbound audio and no outbound audio, but the phone I’m dialing does ring.

The only thing I thought was odd, but I don’t know what’s going on anyway, is when the phone I’m calling answers (I’m letting it go to voicemail so I can see if there is any outbound audio), the FreePBX server takes over the line and creates a bridge?? from the phone number on the FreePBX server to the number I called. I assume that’s normal, but this is what I get using sngrep,

Remote-Party-ID: “Outbound Call” sip:[email protected];party=calling;privacy=off;screen=no

v=0
o=Sonus_UAC 979799 731745 IN IP4 67.231.13.111
s=SIP Media Capabilities
c=IN IP4 67.231.13.24
t=0 0
m=audio 32178 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20

Those IP addresses aren’t associated to my phone or to FreePBX at all. I don’t know where they came from. They aren’t my private IP address and they aren’t my public addresses on the server or my phone.

Any ideas?

I figured it out. My router in DMZ mode was not properly NAT’ing traffic. When I turned off DMZ and used port forwarding the phones worked to make calls to outside numbers and inside numbers.

What happened when you tried that four days ago?

My intent was to make the server available to phones on the public internet. I’ve been using this system for about 6 years, but all the phones were on the local network with the server. I didn’t want to expose 5060 to the outside world because of hackers, but now I needed to.

So, that port forwarding worked for the phones on the inside but, following recommendations in FreePBX’s firewall instructions, I put the server in the DMZ thinking all the forwarding would be taken care of. That isn’t what happened. All of this would be avoided if I had just added 5060 to port forwarding.

I’m not sure how this will affect other things I set up. For example, I’m pretty sure my Let’s Encrypt updates will fail because port 80 is not exposed and of course, I can no longer administer the server from outside because the 443 isn’t exposed and provisioning won’t work now either (even though the phone never provisioned from the server from the outside). Since I have the phone with me, I was able to provision it manually, which isn’t always an easy task.

I hope that answers your question.

On second reading, I see that you recommended that. I didn’t do that because my server was on a DMZ, what purpose would port forwarding serve? Does port forwarding work even if the server is on the DMZ? I never thought of that.

99.9% of all ‘hacks’ are directed at UDP/5060. There are 100 reasons NOT to use that for registrations and invites and pretty well 0 FOR using it.

To use HTTP-01 as a protocol for LE is required but only for a few seconds of exposure every 60 days and that to a relatively easily protected URL. Switching to DNS-01 if feasible requires no exposure ever to port 80.

  • Given a proper certification port 443 is relatively protected but a few firewall rules can further protect.

  • Given that certification, switching to TLS/5061 is recommended for your external endpoints; failing that, using TCP/(random unused port in the high thousands) will further limit access.

Are you suggesting that I use a different port number? If that’s all that was needed, I’ve moved it.

I’m not sure what DNS-01 is

I’m not sure spa942 will handle that, but I’ll look into it.

Thanks for the information.

I found your post on Let’s encrypt here: Let's Encrypt, DNS challenge, and scripting? - #2 by lgaetz

I’m looking to implement it.

Thanks

TLS didn’t fly. Getting wrong version number, but that’s a different issue. I’m back to UDP. I’ll work out the TLS issue or open another ticket.

Thanks for the info though.
