Wrong IP address in SDP

I operate a FreePBX with version 16 in the cloud directly connected to the public IP. The phones are connected via the Internet and are located behind a firewall. They are all registered with the customer’s public IP address, each with the same IP address but with a different port number.

Now the SDP sometimes contains the internal IP address instead of the public IP address when the phone says 200 OK. As a result, the audio stream does not arrive.

The extension is configured with RTP Symmetric yes, Rewrite Contact yes and Force rport yes. Transport is UDP.

Does anyone know the problem? How can this be prevented? As mentioned, it is not always, only sometimes.

Could you please post a packet capture of a sample call so we can look further?

I have traces, one for each whole day, but first I have to clarify whether I can pass them on.

This is strange. The usual setup is to do NAT traversal on the Asterisk side. The phone doesn’t know its public IP and should always send its private address in Via, Contact and SDP.

Phones usually have an option to use STUN or get their public IP from the Via received tag; with Asterisk, this is generally undesirable.

The remote router/firewall may have a SIP ALG that substitutes its public IP in various fields; these are notoriously buggy and should generally be disabled.

Force rport tells Asterisk to ignore the private address in the Via header of (for example) a REGISTER request, and send the reply to whatever IP and port the request was received from.

Rewrite Contact tells Asterisk to ignore the private address in the Contact header and send INVITEs for incoming calls to the IP/port from which the REGISTER request came.

Asterisk sends the INVITE with its public IP and an appropriate port (default between 10000 and 20000) in the SDP. When it receives the 200 OK from the phone (containing a private address in the SDP), it will indeed send a few RTP packets to an unroutable address; this is useless but harmless. But as soon as it starts receiving RTP from the phone, it will start sending RTP to whatever IP and port the incoming RTP is coming from. That’s what Symmetric RTP means.

Even if the remote router/firewall rewrote the source port on the RTP from the phone, the RTP that Asterisk sends should reach the phone, because the router/firewall sees these packets as replies to the phone’s RTP.

After disabling any ALG in the path, if you still have trouble, can the caller hear the callee? If not, troubleshoot that first – this has nothing to do with SDP sent by the callee. If yes, find out why the returned packets aren’t reaching or being played by the phone.

If you can’t fix this by yourself, please paste the Asterisk log for a failing call, with pjsip logger turned on, at pastebin.com and post the link here. If you redact any data, make it clear what each item represents (Asterisk public IP, phone public IP, called number, calling number, trunk username, etc.)

1 Like
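As an added example (not code from any poster in this thread, and not Asterisk's own logic), the following sketch classifies the audio address in a captured 200 OK against the address the packet actually arrived from, so a day-long trace can be sorted into calls where the phone sent its private address and calls where something substituted the public one. The sample message, the documentation-range addresses, and the function names `sdp_audio_target`, `classify` and `rtp_destination` are all constructed for illustration; `rtp_destination` is a simplified model of the Symmetric RTP behaviour described in the reply above.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 200 OK from a phone behind NAT (documentation addresses).
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK-constructed;rport\r\n"
    "Contact: <sip:101@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=- 1 1 IN IP4 192.168.1.50\r\ns=-\r\n"
    "c=IN IP4 192.168.1.50\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 8 0\r\n"
)

def sdp_audio_target(message):
    """Return (ip, port) that the SDP asks the peer to send audio to."""
    _, _, body = message.partition("\r\n\r\n")
    session_ip = audio_ip = port = None
    section = "session"
    for line in body.splitlines():
        if line.startswith("m="):
            section = line[2:].split()[0]
            if section == "audio":
                port = int(line.split()[1])
        elif line.startswith("c=IN IP4 "):
            if section == "session":
                session_ip = line.split()[2]
            elif section == "audio":
                audio_ip = line.split()[2]  # media-level c= overrides session-level
    return audio_ip or session_ip, port

def classify(message, src_ip):
    """Compare the SDP audio address with the address the packet arrived from."""
    ip, port = sdp_audio_target(message)
    if ip is None:
        return "no-sdp", None, port
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        return "private", ip, port        # phone sent its LAN address
    if ip == src_ip:
        return "public-source", ip, port  # phone or a device in the path substituted the NAT address
    return "public-other", ip, port

def rtp_destination(sdp_target, learned_source=None):
    """Simplified model of Symmetric RTP: SDP target until RTP arrives, then its source."""
    return learned_source or sdp_target

if __name__ == "__main__":
    print(classify(SAMPLE_200_OK, "203.0.113.7"))
```

Feeding each 200 OK from a trace through `classify` together with the packet's source IP shows whether the SDP address changes between working and failing calls.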

I have observed this behavior, which is described in the section on Symmetric RTP, and I am completely confused. Thanks for the explanation.

SIP-ALG is disabled on the firewall.

What I have seen in the firewall log is that there are some connection errors with UDP packets. So no blocks from the firewall, but IP connection errors (ip-conn). It is a FortiGate. The port is random, in any case it is open on both sides.

I have now changed the transport protocol for the extensions from UDP to TCP. This seems to help; as far as I know, the problem has not occurred again, although the IP connection errors still occur.

Could I also set RTP over TCP? I have tried it, but as soon as I set the voice to run over TCP on a Snom phone, I can no longer even dial *43.
