Trying to upgrade from 16 to 17, phones will not connect

tonyg · March 21, 2025, 8:54pm

hi, i have a distro install of 16 in production. I have built a new server with debian 12 and installed freepbx 17 on it, this all seemed to go smooth. i took a back of the old system and restored to the new system, again that seemed to go ok.
however, on the new system, none of the phones connect. my 2 SIP trunks seem to connect fine, but not the phones.

as a test, i disabled the firewalls but this did not help
where can i look to see why the phones are not connecting. tcpdump shows them attempting but i am using siptls so i cannot read the packets easily. is there a utility that can show me the conversation between the phone and server?

thanks in advance

penguinpbx · March 21, 2025, 10:56pm

You might be able to load the private certificate from your server into wireshark and then decrypt the pcap. See: TLS - Wireshark Wiki

SamShomi · March 22, 2025, 1:57am

sngrep is what you are looking for. Just type that in at the linux cli logged in as root.

tonyg · March 22, 2025, 3:12pm

yes, that was it. when i used the util, i saw nothing. so i went back to wireshark and i see that there is a tls error and it fails to negotiate the tls connection. it is throwing an error 70, which seems to be this:

protocol_version The protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. This message is always fatal.

anyone know where the protocols for siptls are set in freepbx?

tonyg · March 22, 2025, 5:54pm

FYI, i know about sip settings/pjsip settings/ssl method, but that just sets the default tls/ssl version. i have a feeling this is a cipher suite issue. and i am wondering if restoring the backup restored some old cipher suite settings that the new debian server will not tolerate?

Eris · March 22, 2025, 6:43pm

I don’t think this command will work straight up with TLS, it’ll only show tcp or UDP traffic afaik.

Eris · March 22, 2025, 6:43pm

you can use “asterisk -rx ‘pjsip set logger on’” and then watch asterisk -rvvvv to see the sip trace (asterisk -rx ‘pjsip set logger off’) afterwards.

That should show you normal sip messaging. If there’s nothing, you can do a tcpdump, but your certificate is probably not set up on that TLS interface, or, your device doesn’t trust the CA. Could also be the TLS version you are using your phone does not support depending on age of phone.

tonyg · March 22, 2025, 7:49pm

Eris,
Fyi I’m coming from a working config on a version 16 free PBX distro install. So all of this can works on the old server and when I power the old server back on all the phones connect immediately. I’ve double-checked and the cert came over in the backup on 17 so it’s using the same cert. I don’t think that’s the issue. I keep coming back to the TCP dump error protocol 70 which seems to indicate that there’s a the client is requesting a protocol that the server can’t use

system · April 22, 2025, 7:49pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.