Will Cisco 7961 phones work over a VPN with FreePBX

That doesn’t have the sip: tags either…


This exert is taken directly from the Full log in asterisk which I downloaded over SSH and then opened in notepad and pasted into pastebin.
Is there something I’m missing?

Now the tags are showing up! But these are just OPTIONS packets. :joy:


Are these any more useful?

Yes. The phone is not sending the username and password. It just keeps on sending the register without credentials.

The phone is not handling the REGISTER properly at all, that was clear in the first debug that was claimed to be eaten up by HTML

This should be REGISTER – 401 Challenge Reply – REGISTER (most important, it’s a NEW request) – 200 OK (for valid register) or 403 Forbidden, etc.

Now based on that outline above, the first REGISTER request you send to the PBX has: CSeq: 101 REGISTER and the 401 Challenge shows CSeq: 101 REGISTER in it’s reply. That is all good, that is correct. However, you will notice the second REGISTER that follows the 401 Challenge also has CSeq: 101 REGISTER <-- That is WRONG. That should be CSeq: 102 REGISTER.

A 401 Auth Challenge automatically forces the endpoint to reply with a new REGISTER message, this time with the auth/www digest inside of it (which holds the credentials)

The bottom line is the Cisco 79XX are garbage SIP phones. They are EOL, unsupported and have so many feature loses not being on the CUCM that in order to get some of them back, you have to patch the crap out of Asterisk and each new Asterisk updates breaks the previous patch.

So to recap, these phones are screwing up the simple REGISTER flow. This is not a FreePBX/Asterisk issue this is completely the 79XX.

It was eaten up by the HTML; it’s just that the problem was more obvious than I thought. :slight_smile:

Ok, thanks for the help.
Considering that the phone works locally, can I assume that the phone does not receive the challenge from the Asterisk server?
And considering that the softphone works ok over the same VPN, I believe that the replies are getting through, it’s just that the phone is ignoring them, probably because they come from an unexpected source (a router IP)

The phone does have an option within the config file for NATenable, where an IP can be specified (I have tried using the routers IP in here amongst others shouldn’t this cure the problem outlined above?.

If you were able to get some logs from the phone you might have a better understanding of why it’s choosing not to authenticate.

Hi, I have tried to get logs from the phone, I logged into it’s web portal and then looked at the logs there, unfortunately There just seemed to be timeouts on it’s register outward requests.

That along with the server logs suggests that the phone is not receiving the 401 Unauthorized back from Asterisk. So it just keeps sending the original register request. Now you have something to go on. Check your vpn routing.

Thanks, I will double check everything.
Because the softphone works ok, as well as Windows networking, cameras and other things I guess the routing is going to be correct.
Meaning the phone drops anything from outside it’s subnet.
If anyone has experience of these phones operating over a different subnet to the Asterisk server on SIP, then please let me know.

These phones were notoriously bad at handling crap over NAT. Again, these were phones built for the Cisco CallManager platform which was an on-premises solution, like generally all of Cisco’s stuff. They didn’t have high expectations of being behind NAT nor being attached to a non-CallManager platform.

I’m not sure how long you’ve spent working on this before and after you made this post but I can tell you that you could have ordered new (or used) SIP phones, had them shipped and installed in the last 8 days and none of this would be an issue anymore.

People tend to stick on the “They where cheap” or “It’s what we had and it costs to much to buy new phones”. The reality is, when you step back and look at the cost of time and resources you put into making these POS phones work and the fact that time was taken away from other projects or other revenue-generating tasks the costs of getting new phones is never really that much of a difference and in most cases actually cheaper over all.

Because the other cost/time take you have to throw into this equation is the fact you have to SUPPORT these phones now. Phones that are End of Life, End of Support from Cisco. Every time a feature that should work doesn’t, you have to deal with it. Every time these phones have an issue or you have to install new phones you have to deal with it. If you patch Asterisk so you can have as much functionality out of these phones as possible, then you have to find the last Asterisk version that was patched for this. That alone puts you into a position of running out-dated and possible bugs (well until 13.17.1 there was an RTP bug) that you’re stuck dealing with.

At the end of the day, is it all worth that? Polycom SoundPoints sell used cheap, the Cisco SPA series (actual SIP phones) are cheap new even cheaper used. Hell even Yealink’s are a better option. I’ve watched numerous people tear their hair out over these phones and them dump them finally and get real phones. All while complaining about how much it’s cost/been a pain to deal with the 79XX.

These phones use random high ports for signalling in SIP mode, if I remember rightly, great in a flat network, not so good when not.Is your VPN on same subnet or completely different firewalled subnet? Former should be fine, latter, not so much.

We run about 150 7941’s across 4 VPN’s using FreePBX and they run great, but this is site to site VPN’s with a fully accessible simple subnetted network. ie 192.168.x.0 at HQ and 192.168.y.0 at another site and so on. Admittedly our home user are on soft-phones, but they work great over site-to-site.

We are now buying 7970’s, big colour screened ones, cheap and work great for us.

OK, many thanks that is really interesting.
Our VPN is hardware using Sophos UTM and Sophos RED site to site and simple and and so on
So I should be able to replicate your setup and get them working.
I was aware of the high port reply, as far as I know these phones send out using a random high port, but need a reply on 5060, which I think is what is happening according to my SIP debug above.
I’d be most grateful if you could supply any more info about your setup.

What do your remote registers look like? Does Asterisk reply to the received port (Router)?
Within Asterisk/FreePBX are your extensions Chan_SIP?
Do your extensions have NAT set to no, never or something else?
In your phone config files do you have NATenabled set to true or false? if true to what IP?

I know gathering this info would be a bummer but I really am struggling with this one. Thanks again.


Ok in terms of NAT settings, I am set to No in Chan_sip settings with my external IP set to static, in the general SIP settings I have my external set again and all my subnets listed.

Phones are all chan_sip, as PjSIP doesnt really work with these, without big head scratching!

On an extension, NAT is set to no.

What actual phones do you have? what SIP firmware are you running?

I have my config pretty much down perfect now as a template, can you share one of yours, and I can try and debug it for you?



I appreciate your time, here is the SEP mac.cfg

Phones are Cisco 7961 running SIP 8.5.4
Working system locally, working softphones only over the VPN

We are 8.5.4 too, 9 goes TCP and this firmware is a sweetspot for us as it forwards the right number to the phone on transfer rather than showing the person who transferred it, which is pretty useless for recording numbers etc!

This is from one of mine:


I have nothing in the NAT settings in the sip profile section, I also have proxies set, don’t know if thats it?

I have this basic config working in 4 locations with the server being at one of the sites, over watchguard firewalls.

Only thing I can suggest is that your firewall is blocking something important?

Try copying your config details into my template, and testing it on a phone. Mine seems a lot simpler than yours!

Also watch the asterisk cli to see if you get any messages

Hope it helps


Thanks, I will look into this over the weekend.
Do you alter this config for phones which are outside the local subnet or are all config files the same (other than usernames, passwords and extension numbers)?
I’m interested in your use of the backup proxy, I suspect this might be integral, why a backup proxy and not just use proxy settings?
Why does this phone register to two Chan_sip extensions 571 and 1571?

Same config for all phones, no matter what site they are on.

I do not know if that proxy setting along with the nat settings having no setting is the secret sauce. I have been tweaking it for 5 years now, and the reasons for certain things have been lost in the mists of sleeping and beer! Do your extensions match what I have with nat being set at no, and the main nat setting in sip settings set to no as well?

everyone has their main line, say 5xx for one site, 6xx for another, 2xx and so on, then they have a paging extension set on the second button, that is set to auto-answer to the speaker for paging purposes, it is 15xx as the dialplan doesn’t allow 4 digit extensions, so people can’t just page a colleague for funsies! We use it for lockdown procedures, basically, someone dials a pin number say 161, this is a custom extension which runs a script on the server, this finds all registered 1xxx extensions(so it doesn’t waste time trying to send to phones that aren’t connected), and then plays a prerecorded message to all those extensions. One pin code tells people to lock down, lock doors and hide, another one is a partial that means they should be wary and take prompts from the fire wardens. 3 pins per centre, full, partial and lockdown over. One of my better ideas, was helped by the good people on here on how to achieve it. Basically free Paging Pro on steroids!