What's going on with TLS on FreePBX/Asterisk and Debian 12?

I had this same issue with a test installation I have.

SSL 1.2 or 1.3 would fail with the same error using a Let’s Encrypt certificate, but when I set MinProtocol = TLSv1.1 in /etc/ssl/openssl.cnf, I was able to get a connection.

However, versions 1.0 & 1.1 are considered insecure now.

packetlabs.net/posts/tls-1-1-no-longer-secure/

Show your TLS config.

Just normal stuff

And FYI, the Let’s Encrypt cert is selected, just not showing here

Can you test something? Make these changes in openssl.cnf

MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2

See if that makes a difference. This is putting the MinProtocol back to what it was originally set to but it raises the level of security in the CipherString, which will remove some older ciphers.


Hey, it registered with SSL v1.2

Thanks for the tip!

But still having an issue with SRTP.

[2025-01-03 10:02:18] ERROR[693154]: res_pjsip_session.c:946 handle_incoming_sdp: 2098: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)

The following is from a Fanvil phone

It’s not a TLS issue, I registered the phone to port 5060 UDP and still having the same issue

If you set SRTP as Compulsory on your phone then you must also set it that way on the Extension:


I take that back. It is an SRTP issue; I did not disable SRTP on the phone.

Yes, thanks @billsimon. I was looking for SRTP in the extension settings, not Media Encryption.

Now a new odd issue has started. I have been trying to connect to TLS port 5061, but the phone keeps timing out. pjsip debugger is showing nothing, but tcpdump is showing the endpoint trying to connect.

Since I am doing some testing with this, I do not have the Firewall running, and show the following:

 pjsip show transports

Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress....................>
==========================================================================================

Transport:  0.0.0.0-tls               tls      3     96  0.0.0.0:5061
Transport:  0.0.0.0-udp               udp      3     96  0.0.0.0:5060
 netstat -tunlp | grep asterisk
tcp        0      0 0.0.0.0:5061            0.0.0.0:*               LISTEN      1734/asterisk
tcp        0      0 127.0.0.1:8088          0.0.0.0:*               LISTEN      1734/asterisk
tcp        0      0 0.0.0.0:1720            0.0.0.0:*               LISTEN      1734/asterisk
tcp        0      0 127.0.0.1:5038          0.0.0.0:*               LISTEN      1734/asterisk
tcp6       0      0 :::8089                 :::*                    LISTEN      1734/asterisk
udp        0      0 0.0.0.0:47476           0.0.0.0:*                           1734/asterisk
udp        0      0 0.0.0.0:4520            0.0.0.0:*                           1734/asterisk
udp        0      0 0.0.0.0:4569            0.0.0.0:*                           1734/asterisk
udp        0      0 0.0.0.0:5000            0.0.0.0:*                           1734/asterisk
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           1734/asterisk
udp6       0      0 :::55047                :::*                                1734/asterisk

I have tried reload, restart, and reboot

This is so weird.

Well pjsip logger will only show things making it into Asterisk while tcpdump will show things hitting the interface. Are you sure fail2ban isn’t running and has caught the IP?

Post the tcpdump output.

I am logged in from the same IP address as the endpoint, and have no issue connecting on UDP port 5060.

tcpdump -i eth0 tcp port 5061 -vv

3:25:24.665770 IP (tos 0x60, ttl 64, id 16404, offset 0, flags [DF], proto TCP (6), length 103)
    racknerd-815d665.sip-tls > dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425: Flags [P.], cksum 0x69a6 (incorrect -> 0xd521), seq 18092:18143, ack 1459, win 501, options [nop,nop,TS val 486873997 ecr 939945], length 51
13:25:24.666180 IP (tos 0x60, ttl 64, id 16405, offset 0, flags [DF], proto TCP (6), length 83)
    racknerd-815d665.sip-tls > dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425: Flags [P.], cksum 0x6992 (incorrect -> 0x3191), seq 18143:18174, ack 1459, win 501, options [nop,nop,TS val 486873997 ecr 939945], length 31
13:25:24.666207 IP (tos 0x60, ttl 64, id 16406, offset 0, flags [DF], proto TCP (6), length 52)
    racknerd-815d665.sip-tls > dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425: Flags [F.], cksum 0x6973 (incorrect -> 0x33f5), seq 18174, ack 1459, win 501, options [nop,nop,TS val 486873997 ecr 939945], length 0
13:25:24.735365 IP (tos 0x28, ttl 55, id 13841, offset 0, flags [DF], proto TCP (6), length 52)
    dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425 > racknerd-815d665.sip-tls: Flags [.], cksum 0x2c4a (correct), seq 1459, ack 18143, win 2488, options [nop,nop,TS val 939953 ecr 486873997], length 0
13:25:24.735366 IP (tos 0x28, ttl 55, id 13842, offset 0, flags [DF], proto TCP (6), length 52)
    dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425 > racknerd-815d665.sip-tls: Flags [.], cksum 0x2c2c (correct), seq 1459, ack 18174, win 2487, options [nop,nop,TS val 939953 ecr 486873997], length 0
13:25:24.741026 IP (tos 0x28, ttl 55, id 13843, offset 0, flags [DF], proto TCP (6), length 645)
    dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425 > racknerd-815d665.sip-tls: Flags [P.], cksum 0x8854 (correct), seq 1459:2052, ack 18175, win 2487, options [nop,nop,TS val 939953 ecr 486873997], length 593
13:25:24.741076 IP (tos 0x28, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    racknerd-815d665.sip-tls > dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425: Flags [R], cksum 0xd27d (correct), seq 3094389327, win 0, length 0
13:25:24.750030 IP (tos 0x28, ttl 55, id 13844, offset 0, flags [DF], proto TCP (6), length 52)
    dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425 > racknerd-815d665.sip-tls: Flags [R.], cksum 0x29d4 (correct), seq 2052, ack 18175, win 2488, options [nop,nop,TS val 939954 ecr 486873997], length 0
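Reading that capture by hand is error-prone, so here is an added example (not code from Asterisk, FreePBX or any of the posts) that summarises a `tcpdump -vv` TCP trace per direction: bytes sent by each side, which side sent the first FIN, and who sent a reset. The embedded trace is the one posted above; tcpdump prints port 5061 as the service name sip-tls, and calling that side "server" and the other side "client" is this example's own labelling.

```python
"""Summarise a `tcpdump -vv` TCP trace per direction: bytes each side sent,
which side sent the first FIN, and who sent a reset.

Added example for this thread, not code from Asterisk, FreePBX or the
original posts. SAMPLE_TRACE is the capture posted in the thread (tcpdump
shows port 5061 as the service name sip-tls); calling the sip-tls side
"server" and the other side "client" is this example's own labelling."""
import re
from dataclasses import dataclass
from typing import Optional

# First line of each packet: timestamp, then "IP (tos ..., ttl ..., ...)".
HEADER_RE = re.compile(r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+) IP \(")
# Second line: "src > dst: Flags [..], ..., length N".
PACKET_RE = re.compile(
    r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r".*?\blength (?P<length>\d+)\s*$"
)
SEQ_RE = re.compile(r"\bseq (?P<seq>\d+)")

SAMPLE_TRACE = """\
3:25:24.665770 IP (tos 0x60, ttl 64, id 16404, offset 0, flags [DF], proto TCP (6), length 103)
    racknerd-815d665.sip-tls > dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425: Flags [P.], cksum 0x69a6 (incorrect -> 0xd521), seq 18092:18143, ack 1459, win 501, options [nop,nop,TS val 486873997 ecr 939945], length 51
13:25:24.666180 IP (tos 0x60, ttl 64, id 16405, offset 0, flags [DF], proto TCP (6), length 83)
    racknerd-815d665.sip-tls > dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425: Flags [P.], cksum 0x6992 (incorrect -> 0x3191), seq 18143:18174, ack 1459, win 501, options [nop,nop,TS val 486873997 ecr 939945], length 31
13:25:24.666207 IP (tos 0x60, ttl 64, id 16406, offset 0, flags [DF], proto TCP (6), length 52)
    racknerd-815d665.sip-tls > dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425: Flags [F.], cksum 0x6973 (incorrect -> 0x33f5), seq 18174, ack 1459, win 501, options [nop,nop,TS val 486873997 ecr 939945], length 0
13:25:24.735365 IP (tos 0x28, ttl 55, id 13841, offset 0, flags [DF], proto TCP (6), length 52)
    dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425 > racknerd-815d665.sip-tls: Flags [.], cksum 0x2c4a (correct), seq 1459, ack 18143, win 2488, options [nop,nop,TS val 939953 ecr 486873997], length 0
13:25:24.735366 IP (tos 0x28, ttl 55, id 13842, offset 0, flags [DF], proto TCP (6), length 52)
    dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425 > racknerd-815d665.sip-tls: Flags [.], cksum 0x2c2c (correct), seq 1459, ack 18174, win 2487, options [nop,nop,TS val 939953 ecr 486873997], length 0
13:25:24.741026 IP (tos 0x28, ttl 55, id 13843, offset 0, flags [DF], proto TCP (6), length 645)
    dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425 > racknerd-815d665.sip-tls: Flags [P.], cksum 0x8854 (correct), seq 1459:2052, ack 18175, win 2487, options [nop,nop,TS val 939953 ecr 486873997], length 593
13:25:24.741076 IP (tos 0x28, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    racknerd-815d665.sip-tls > dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425: Flags [R], cksum 0xd27d (correct), seq 3094389327, win 0, length 0
13:25:24.750030 IP (tos 0x28, ttl 55, id 13844, offset 0, flags [DF], proto TCP (6), length 52)
    dsl-187-156-232-216-dyn.prod-infinitum.com.mx.1425 > racknerd-815d665.sip-tls: Flags [R.], cksum 0x29d4 (correct), seq 2052, ack 18175, win 2488, options [nop,nop,TS val 939954 ecr 486873997], length 0
"""


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    flags: str
    length: int          # TCP payload bytes, as tcpdump's trailing "length N"
    seq: Optional[int]


def parse_tcpdump(text):
    """Pair each timestamp line with the packet line that follows it."""
    packets, ts = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            ts = header.group("ts")
            continue
        pkt = PACKET_RE.match(line)
        if pkt and ts is not None:
            seq = SEQ_RE.search(line)
            packets.append(Packet(ts, pkt["src"], pkt["dst"], pkt["flags"],
                                  int(pkt["length"]),
                                  int(seq["seq"]) if seq else None))
            ts = None
    return packets


def summarize(packets, server_ports=("sip-tls", "5061")):
    """Per-direction totals plus who closed first and who reset."""
    def role(endpoint):
        # tcpdump writes host.port; the port may be a service name.
        return "server" if endpoint.rpartition(".")[2] in server_ports else "client"

    summary = {"server_bytes": 0, "client_bytes": 0, "first_fin": None,
               "rst_by": [], "client_bytes_after_server_fin": 0}
    server_fin_seen = False
    for pkt in packets:
        who = role(pkt.src)
        summary[f"{who}_bytes"] += pkt.length
        if "F" in pkt.flags and summary["first_fin"] is None:
            summary["first_fin"] = who
        if "F" in pkt.flags and who == "server":
            server_fin_seen = True
        elif server_fin_seen and who == "client":
            # Payload the client kept sending into a half-closed connection.
            summary["client_bytes_after_server_fin"] += pkt.length
        if "R" in pkt.flags:
            summary["rst_by"].append(who)
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_tcpdump(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

On the posted trace this reports that the sip-tls side sent 82 bytes and then a FIN, the phone side acknowledged and still pushed 593 bytes, and the server answered with a RST. The summary only states the order of events on the wire; what the 82 bytes were cannot be known without decrypting the TLS session.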

Can you get a real pcap? You can use sngrep:

sngrep -O capture.pcap port 5061

That will open the sngrep display and capture the register attempts on port 5061 and write it out to the capture.pcap file.

Nothing is showing up in sngrep, which is why I did not include it, but here you go:
sngrep -O capture.pcap port 5061

capture.tar.tgz (2 KB)

Oh, duh…TLS. You can try opening that pcap in wireshark but you’re going to need the private key of the cert to put in Wireshark to decode it.

You can do the same thing with tcpdump, write it out to a file but you’ll need the key to decrypt it and actually view it.

And you’re 100% sure iptables isn’t running or fail2ban caught something?

fail2ban is running, but my IP address is not showing up, as mine starts with 187…:


 iptables-save
# Generated by iptables-save v1.8.9 (nf_tables) on Fri Jan  3 14:28:34 2025
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-PBX-GUI - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-api - [0:0]
:fail2ban-openvpn - [0:0]
:fail2ban-recidive - [0:0]
:fail2ban-sshd - [0:0]
-A INPUT -j fail2ban-recidive
-A INPUT -p udp -m multiport --dports 1194 -j fail2ban-openvpn
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-api
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -j fail2ban-apache-auth
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-PBX-GUI
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-sshd
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-FTP
-A INPUT -p tcp -j fail2ban-apache-auth
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-PBX-GUI -s 192.175.127.90/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-PBX-GUI -s 190.111.111.64/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-PBX-GUI -j RETURN
-A fail2ban-SIP -s 80.94.93.211/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 217.160.139.134/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-api -j RETURN
-A fail2ban-openvpn -j RETURN
-A fail2ban-recidive -s 94.23.166.27/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-recidive -s 199.204.97.14/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-recidive -s 195.154.44.98/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-recidive -s 190.111.111.66/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-recidive -s 188.165.141.12/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-recidive -s 178.32.140.36/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-recidive -j RETURN
-A fail2ban-sshd -j RETURN
COMMIT
# Completed on Fri Jan  3 14:28:34 2025

It does seem like a firewall issue, but I am not seeing it.

But I am not seeing any responses from the server when I do tcpdump from the CLI, thus the timeout on the endpoint
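Walking those fail2ban chains by eye is exactly where a ban gets missed, so here is an added example (not code from FreePBX, fail2ban or any of the posts) that parses `iptables-save` output and evaluates the INPUT chain for one source address, protocol and destination port the way the kernel would, following jumps into user-defined chains and their RETURNs. The embedded ruleset is trimmed from the output posted above (duplicate jumps and most recidive entries dropped); the one reject in fail2ban-SSH for 203.0.113.7 is constructed here to show a port-gated jump, and 187.156.232.216 is the address implied by the reverse DNS name in the tcpdump post. The parser deliberately understands only the option subset fail2ban emits and raises on anything else rather than silently ignoring a match it cannot evaluate.

```python
"""Evaluate a saved iptables ruleset for one packet: "has fail2ban caught
this IP on this port?" answered mechanically instead of by reading chains.

Added example for this thread, not code from FreePBX, fail2ban or the
original posts. SAMPLE_RULES is trimmed from the iptables-save output
posted in the thread; the 203.0.113.7 entry in fail2ban-SSH is constructed
for this example. Only the option subset fail2ban emits is understood
(-s, -p, -m multiport --dports/--dport, -j, --reject-with); anything else
raises, so an unknown match can never produce a false "not blocked"."""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:fail2ban-PBX-GUI - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -j fail2ban-recidive
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-PBX-GUI
-A INPUT -j fail2ban-SIP
-A fail2ban-PBX-GUI -s 192.175.127.90/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-PBX-GUI -j RETURN
-A fail2ban-SIP -s 80.94.93.211/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -s 217.160.139.134/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN
-A fail2ban-recidive -s 94.23.166.27/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-recidive -j RETURN
COMMIT
"""


def _ports(spec):
    """Expand a multiport spec such as "80,443" or "6000:6100" to a set."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_iptables_save(text):
    """Return ({chain: policy or None}, {chain: [rule, ...]})."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):              # chain declaration; "-" = user chain
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
            continue
        tok = shlex.split(line)
        if tok[:1] != ["-A"]:
            raise ValueError(f"unsupported line: {line}")
        rule = {"src": None, "proto": None, "dports": None, "target": None}
        i = 2
        while i < len(tok):
            opt = tok[i]
            arg = tok[i + 1] if i + 1 < len(tok) else None
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-p":
                rule["proto"] = arg
            elif opt in ("--dport", "--dports"):
                rule["dports"] = _ports(arg)
            elif opt == "-j":
                rule["target"] = arg
            elif opt not in ("-m", "--reject-with"):   # module name / reject type: no effect
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        chains.setdefault(tok[1], []).append(rule)
    return policies, chains


def matches(rule, src, proto, dport):
    return ((rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and (rule["proto"] is None or rule["proto"] == proto)
            and (rule["dports"] is None or dport in rule["dports"]))


def verdict(policies, chains, src, proto, dport, chain="INPUT"):
    """Walk CHAIN as the kernel would; return (verdict, deciding chain), or
    None when a user-defined chain falls off its end (implicit RETURN)."""
    for rule in chains.get(chain, []):
        if not matches(rule, src, proto, dport):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, chain
        if target == "RETURN":
            break
        hit = verdict(policies, chains, src, proto, dport, chain=target)
        if hit is not None:
            return hit
    policy = policies.get(chain)
    return (policy, chain) if policy else None


if __name__ == "__main__":
    pol, ch = parse_iptables_save(SAMPLE_RULES)
    for ip in ("187.156.232.216", "80.94.93.211", "203.0.113.7"):
        print(ip, "tcp/5061 ->", verdict(pol, ch, ip, "tcp", 5061))
```

Feed it the real output with `iptables-save | python3 thisfile.py` after swapping SAMPLE_RULES for `sys.stdin.read()`. The deciding chain in the result tells you which jail to look at (`fail2ban-client status <jail>`) or which unconditional jump let a ban apply to every port, which is the case for fail2ban-SIP and fail2ban-PBX-GUI in the posted ruleset.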

Are you able to get any logs / diagnostic info from the phone, to see if it has an opinion of what’s wrong?

This is from a new attempt to register:


I/allPagesDefault_PostHandler: | reboot flag=0, buttontype=0 postValid=1 result=0
I/sip | line[1] enableRegister=[1]
I/sip | line=[1] number=[2098] Unregisterring!
W/sip | trans dialog is NULL.
I/sip | sipEventRegsterStatusChanged: line=1; registerCode=[0]
W/vcore.am.traffic | amPendingClear: Line Info Not Find! line=[2].
I/vcore.am.dialogInfo | amBlfDialogInfoClear: line=[2] number=[null]
I/vcore.pfm.feature | pfmFeatureConfigChangedProcess: type=[2]
I/vcore.pui.powerLed | puiPowerLedSetLed: value=[slow]
I/vcore.pfm.feature | pfmFeatureConfigChangedProcess: type=[0]
I/vcore.dsskey.main | dss Receive msg type= app state changed ;
W/vcore.pfm.agent | pfmAgentRegisterStateUpdate: Number not match!
W/sip | line[1] failback socket already closed.
I/UI_LOG | {winDestory widgets End End}
I/vcore.dsskey.main | dss Receive msg type= line register state changed;
I/vcore.dsskey.led | ***set led: index=6; type = [mwi], state = [no mwi]
I/vcore.dsskey.uicallback | dsskeyKeyStateChanged: inform UI key[6] type=[3] state changed
E/vcore.dm.led | dmLedCtl: the Led 22 is not supported.
I/vcore.dsskey.led | ***set led: index=10; type = [mwi], state = [no mwi]
I/vcore.dsskey.uicallback | dsskeyKeyStateChanged: inform UI key[10] type=[3] state changed
E/vcore.dm.led | dmLedCtl: the Led 26 is not supported.
I/sip | line=[21] number=[2098] Unregisterring!
W/sip | line[21] failback socket already closed.
I/UI_LOG | winIdleCreate: widget link list has been established, return...
W/vcore.pfm.smsDb | smsSearch: num==0
I/vcore.cfm.eventProcess | cfmProcessPhoneAudioDevModeSet: set phone audio dev = none, oldDev=none
I/vcore.cfm.request | setCallControllerState: set call control state=1, oldState=0
W/sip | line[1] socket already closed.
I/sip | line[1].
W/sip | transport=[3] port=[0] fd=38, closed.
W/sip | line[21] socket already closed.
I/sip | line[21] socket already closed.
I/sip | line[1] enableRegister=[1]
W/sip | port[5060] create success, ver=[1] fd=38!
I/sip | line=[1] listen socket=[38]
I/vcore.dsskey.main | dss Receive msg type= config changed ;
W/vcore.cfg.save | --Code Plan List-- : should be add to sn2name map table.
E/vcore.cfg.save | There is no valid item in this module[].
E/vcore.cfg.save | There is no valid item in this module[].
W/vcore.cfg.save | --Dsskey Config1--: should be add to sn2name map table.
W/vcore.cfg.save | --Dsskey Config2--: should be add to sn2name map table.
W/vcore.cfg.save | --Dsskey Config3--: should be add to sn2name map table.
W/vcore.cfg.save | --Dsskey Config4--: should be add to sn2name map table.
W/vcore.cfg.save | --Dsskey Config5--: should be add to sn2name map table.
W/vcore.cfg.save | --SoftDss Config-- : should be add to sn2name map table.
W/vcore.cfg.save | --SSL Mode-- : should be add to sn2name map table.
E/vcore.cfg.save | There is no valid item in this module[].
E/vcore.cfg.save | There is no valid item in this module[].
E/vcore.cfg.save | There is no valid item in this module[].
E/vcore.cfg.save | There is no valid item in this module[].
I/sip | line=[1] number=[2098] Registerring!
I/sip | send REGISTER message!
I/sip | sipEventRegsterStatusChanged: line=1; registerCode=[100]
W/vcore.am.traffic | amPendingClear: Line Info Not Find! line=[2].
I/vcore.am.dialogInfo | amBlfDialogInfoClear: line=[2] number=[null]
I/vcore.pfm.feature | pfmFeatureConfigChangedProcess: type=[2]
I/vcore.pui.powerLed | puiPowerLedSetLed: value=[slow]
I/vcore.pfm.feature | pfmFeatureConfigChangedProcess: type=[0]
I/vcore.dsskey.main | dss Receive msg type= app state changed ;
W/vcore.pfm.agent | pfmAgentRegisterStateUpdate: Number not match!
I/sip | expires=[3600] fd=[0]!
I/vcore.dsskey.main | dss Receive msg type= line register state changed;
I/vcore.dsskey.led | ***set led: index=6; type = [mwi], state = [no mwi]
I/vcore.dsskey.uicallback | dsskeyKeyStateChanged: inform UI key[6] type=[3] state changed
E/vcore.dm.led | dmLedCtl: the Led 22 is not supported.
I/vcore.dsskey.led | ***set led: index=10; type = [mwi], state = [no mwi]
I/vcore.dsskey.uicallback | dsskeyKeyStateChanged: inform UI key[10] type=[3] state changed
E/vcore.dm.led | dmLedCtl: the Led 26 is not supported.
W/resolv.lib | recordListFree, type [1] is not free.
I/sip | line=[1] proxyIndex=[0] ipIdex=[0] ttl=[1389] [0xc31d90]
I/platform.sdev.fs | sdevFsIoctl: open [/userdata/etc/default/cert/client/custom] directory error.
W/certManager | certMGetFileFullPath: sdevName[/etc/default/cert/client/custom] file[*.pem] not exist.
E/sip | recvLen=[-1] errNo=[0]
W/resolv.lib | recordListFree, type [1] is not free.
W/resolv.lib | recordListFree, type [1] is not free.
W/resolv.lib | recordListFree, type [1] is not free.
W/resolv.lib | recordListFree, type [1] is not free.
I/sip | Receive failure err:-110, call=[beb3b0] failback=[0] failuretime=[0]
I/sip | fail message is [REGISTER].
I/sip | sipEventRegsterStatusChanged: line=1; registerCode=[-60]
W/vcore.am.traffic | amPendingClear: Line Info Not Find! line=[2].
I/vcore.am.dialogInfo | amBlfDialogInfoClear: line=[2] number=[null]
I/vcore.pfm.feature | pfmFeatureConfigChangedProcess: type=[2]
I/vcore.pui.powerLed | puiPowerLedSetLed: value=[slow]
I/vcore.pfm.feature | pfmFeatureConfigChangedProcess: type=[0]
I/vcore.dsskey.main | dss Receive msg type= app state changed ;
W/vcore.pfm.agent | pfmAgentRegisterStateUpdate: Number not match!
W/sip | line = [1]
W/sip | socket already closed.
W/sip | line = [1]
W/sip | socket already closed.
I/vcore.dsskey.main | dss Receive msg type= line register state changed;
I/vcore.dsskey.led | ***set led: index=6; type = [mwi], state = [no mwi]
I/vcore.dsskey.uicallback | dsskeyKeyStateChanged: inform UI key[6] type=[3] state changed
E/vcore.dm.led | dmLedCtl: the Led 22 is not supported.
I/vcore.dsskey.led | ***set led: index=10; type = [mwi], state = [no mwi]
I/vcore.dsskey.uicallback | dsskeyKeyStateChanged: inform UI key[10] type=[3] state changed
E/vcore.dm.led | dmLedCtl: the Led 26 is not supported.
I/vcore.cfm.request | setCallControllerState: set call control state=0, oldState=1
I/sip | send REGISTER message!
I/sip | transaction id=[215]!
I/platform.sdev.fs | sdevFsIoctl: open [/userdata/etc/default/cert/client/custom] directory error.
W/certManager | certMGetFileFullPath: sdevName[/etc/default/cert/client/custom] file[*.pem] not exist.
E/sip | recvLen=[-1] errNo=[0]
W/resolv.lib | recordListFree, type [1] is not free.
W/resolv.lib | recordListFree, type [1] is not free.
W/resolv.lib | recordListFree, type [1] is not free.
W/resolv.lib | recordListFree, type [1] is not free.
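The phone log above mixes LED, DSS-key and config noise with the few lines that matter for the REGISTER. Here is an added example (not Fanvil, FreePBX or Asterisk code) that walks the log, splits it into REGISTER attempts, and reports per attempt the registerCode transitions, the socket error, and any certificate-file warning. The embedded log is a subset of the lines posted above. Mapping `err:-110` to a symbolic name assumes the firmware prints negated Linux errno values (110 is ETIMEDOUT on Linux); that is this example's assumption about the firmware, not something the log itself states, and the `*.pem not exist` warning is reported as-is without interpreting whether it is fatal.

```python
"""Split a Fanvil SIP debug log into REGISTER attempts and report, per
attempt, the status codes seen, the socket error and certificate warnings.

Added example for this thread, not Fanvil, FreePBX or Asterisk code.
SAMPLE_LOG is a subset of the phone log posted in the thread. Translating
err:-110 to a name assumes the firmware prints negated Linux errno values
(110 = ETIMEDOUT on Linux); that is an assumption about the firmware."""
import errno
import re

STATUS_RE = re.compile(r"sipEventRegsterStatusChanged: line=(\d+); registerCode=\[(-?\d+)\]")
FAIL_RE = re.compile(r"Receive failure err:(-?\d+)")
CERT_RE = re.compile(r"certMGetFileFullPath: .*?file\[([^\]]+)\] not exist")

SAMPLE_LOG = """\
I/sip | line=[1] number=[2098] Registerring!
I/sip | send REGISTER message!
I/sip | sipEventRegsterStatusChanged: line=1; registerCode=[100]
I/sip | expires=[3600] fd=[0]!
W/certManager | certMGetFileFullPath: sdevName[/etc/default/cert/client/custom] file[*.pem] not exist.
E/sip | recvLen=[-1] errNo=[0]
I/sip | Receive failure err:-110, call=[beb3b0] failback=[0] failuretime=[0]
I/sip | fail message is [REGISTER].
I/sip | sipEventRegsterStatusChanged: line=1; registerCode=[-60]
W/sip | socket already closed.
I/sip | send REGISTER message!
I/sip | transaction id=[215]!
W/certManager | certMGetFileFullPath: sdevName[/etc/default/cert/client/custom] file[*.pem] not exist.
E/sip | recvLen=[-1] errNo=[0]
"""


def errno_name(value):
    """Map a (possibly negated) errno to its symbolic name, e.g. -110 -> ETIMEDOUT."""
    return errno.errorcode.get(abs(int(value)), f"errno {value}")


def register_attempts(log_text):
    """One dict per 'send REGISTER message!' with what happened until the next one."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if "send REGISTER message!" in line:
            cur = {"codes": [], "error": None, "missing_certs": []}
            attempts.append(cur)
            continue
        if cur is None:          # lines before the first REGISTER are ignored
            continue
        if m := STATUS_RE.search(line):
            cur["codes"].append(int(m.group(2)))
        elif m := FAIL_RE.search(line):
            cur["error"] = errno_name(m.group(1))
        elif m := CERT_RE.search(line):
            cur["missing_certs"].append(m.group(1))
    return attempts


def timed_out_attempts(attempts):
    """Attempts whose socket error was a timeout, i.e. no reply from the PBX at all."""
    return [a for a in attempts if a["error"] == "ETIMEDOUT"]


if __name__ == "__main__":
    found = register_attempts(SAMPLE_LOG)
    for n, attempt in enumerate(found, 1):
        print(f"attempt {n}: {attempt}")
    print("timed out:", len(timed_out_attempts(found)), "of", len(found))
```

On the posted subset the first attempt goes 100 (trying) to -60 after an ETIMEDOUT on the socket, which is consistent with the tcpdump observation earlier in the thread that no response reaches the phone; the second attempt is cut off in the log and so has no status or error recorded. Run against a full log pulled from the phone's web UI to see whether every attempt times out or whether some reach a SIP response.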