Upgrade to Asterisk 13 went swimmingly, now phones go offline

We switched from Asterisk 11 to 13 last Saturday using the procedure outlined on the FreePBX wiki.

 3811  2017-01-28 09:14:38: asterisk -x "core show version"
 3812  2017-01-28 09:14:54: asterisk-version-switch

Everything went smoothly. Remarkably smoothly.

Until Monday morning. Shortly after 08:00 local all of the phones attached to our PBX were rendered inoperative. No dial tone, nothing. Viewing the Asterisk log files I saw this:

[2017-01-30 08:23:30] ERROR[2092] tcptls.c: Unable to connect SIP socket to 192.168.6.111:3646: Connection refused
[2017-01-30 08:23:30] ERROR[2093] tcptls.c: Unable to connect SIP socket to 192.168.6.112:3287: Connection refused
[2017-01-30 08:23:30] ERROR[2095] tcptls.c: Unable to connect SIP socket to 192.168.6.114:4148: Connection refused

There was no evident cause for this but I noted that the FreePBX dashboard had reported that all of the phones were in use and then dropped to 0. On a hunch I stopped IPTABLES on the FreePBX machine and the phones began to work again. I restarted IPTABLES and the phones continued to work. Problem solved.

Until today. Shortly after 14:00 today all our phones again lost the ability to call each other or to call out. The FreePBX dashboard again reported an instantaneous spike in the number of active calls equal to the number of connected extensions followed by an immediate drop to zero. The number of online users remained unchanged.

However the SIP socket errors of Monday past were not repeated.

This time stopping and starting IPTABLES had no effect and I had to restart Asterisk to clear the problem. Until we moved to Asterisk 13 we never experienced this behaviour. Has anyone else encountered this sort of thing or has any idea as to what is happening?

Sounds like your Integrated Firewall has gotten in the way.

This is a new feature of FreePBX 13. You need to identify the “safe” and “wild west” networks.

Go into the firewall module and set up the options so that your local network is trusted (not the interface, just the network). The default condition for the firewall is “enabled” so if you changed anything in the config and reset the machine, it will revert the firewall “on” and override your manual commands.

After that, go into the Admin module and set up the trusted and untrusted networks in there as well (to make fail2ban work better).

We did that ages ago. Here is what is in our config:

System Admin
Intrusion Detection

127.0.0.0/24
192.168.6.0/24
216.185.71.0/24

IP's that are currently banned.
No Banned IP's

Nonetheless, we got these again. However, we had to restart the server to clear the issue this time.

tcptls.c: Unable to connect SIP socket to 192.168.6.119:4864: Connection refused

P.S.

Where is the ‘Firewall’ Module found?

What version of FreePBX are you running?

cat /etc/schmooze/pbx-version
10.13.66-17
Asterisk 13.13.1
FreePBX 13.0.190.11
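
Added example, not part of any post in this thread: a small triage script for the `tcptls.c` errors quoted above. It checks each peer address against the Intrusion Detection whitelist posted in the thread and groups the errors by second, so a simultaneous failure across many phones stands out from a single blocked host. The function names, the burst threshold and the `203.0.113.9` log line are assumptions constructed for illustration; the other log lines and the networks are copied from the posts.

```python
import ipaddress
import re
from collections import defaultdict

# Whitelist networks as posted in the thread (System Admin, Intrusion Detection).
WHITELIST = ["127.0.0.0/24", "192.168.6.0/24", "216.185.71.0/24"]

# Log lines quoted in the thread, plus one constructed line (203.0.113.9) for contrast.
SAMPLE_LOG = """\
[2017-01-30 08:23:30] ERROR[2092] tcptls.c: Unable to connect SIP socket to 192.168.6.111:3646: Connection refused
[2017-01-30 08:23:30] ERROR[2093] tcptls.c: Unable to connect SIP socket to 192.168.6.112:3287: Connection refused
[2017-01-30 08:23:30] ERROR[2095] tcptls.c: Unable to connect SIP socket to 192.168.6.114:4148: Connection refused
[2017-01-30 08:25:01] ERROR[2101] tcptls.c: Unable to connect SIP socket to 203.0.113.9:5060: Connection refused
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] ERROR\[\d+\] tcptls\.c: Unable to connect SIP socket to "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+): (?P<reason>.+)$"
)

def parse_errors(log_text):
    """Yield (timestamp, ip, port, reason) for each tcptls connect error."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # matched the pattern but is not a valid IPv4 address
        yield m["ts"], ip, int(m["port"]), m["reason"]

def triage(log_text, whitelist=WHITELIST, burst_threshold=3):
    """Group errors by second and list peers that fall outside the whitelist."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    per_second = defaultdict(set)
    outside = set()
    for ts, ip, _port, _reason in parse_errors(log_text):
        per_second[ts].add(str(ip))
        if not any(ip in n for n in nets):
            outside.add(str(ip))
    # A burst is one second in which at least burst_threshold distinct peers failed.
    bursts = {ts: sorted(ips) for ts, ips in per_second.items()
              if len(ips) >= burst_threshold}
    return {"bursts": bursts, "outside_whitelist": sorted(outside)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```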