X-Lite unable to Connect across Subnet to PBXinaFlash

ENV: PBXinaF v1.7.5.5, FreePBX v2.8.1.3, Asterisk v1.8.3.2

        PBXinaFlash on eth0 w/ ( ==> NET1
        Endpoint/Phones on ( ==> NET2

PROBLEM SUMMARY: Unable to Connect to PBX when Endpoint/phone is on a separate subnet.
PROBLEM: If the endpoint/phone is on the same subnet as the PBX itself, I can successfully connect; However, if the endpoint is on a separate subnet, the connection attempt fails (X-Lite error log included below)

     - Endpoint/PCs on NET2 can successfully ping, traceroute, access FreePBX
     - For troubleshooting purpose, the IPTABLES/firewall was disabled
     - Under FreePBX Web => Extenstions  =>
           * deny field set to the default:
           * allow field set to the default
       I had also tried several permutations for the value of the above two 
       fields (eg: deny=, allow=
                   deny= allow=
                   deny= allow=
     - The User account/credentials are verified/correct by looking at the 
       password/secret for the given extension.   

ERROR LOG (X-LITE V4): => "SIP registration failed; reason: 'SipError'; SIP error-code: 403; error-phrase: 'Forbidden (Bad auth)'"|psi::AccountImpl::OnRegistrationStatusChanged
Any help/guidance would be greatly appreciated.


If you do a ‘sip show settings’ from the Asterisk CLI you can be assured the settings are working.

I think they are stored in /etc/asterisk/sip_general_additional.conf

‘sip show settings’ output confirms that the two internal subnets are considered “localnets” by asterisk:

Network Settings:

SIP address remapping: Enabled using externhost
Externhost: pbx.xyz.com
externaddr: <ISP.ASSIGNED.PUBLIC.IP>:0
Externrefresh: 120

The problem seems to be something different than NAT.

Going back to the X-Lite Log Entry:

=> "SIP registration failed; reason: 'SipError'; SIP error-code: 403; error-phrase: 'Forbidden (Bad auth)'"|psi::AccountImpl::OnRegistrationStatusChanged

I wonder which SIP module/component is returning “‘Forbidden (Bad auth)’” (which seems to be a bogus error since the sip credentials are correct).

That auth error is almost always a symptom of a bad NAT transform. Is the externhost correct?

Are you sure there is no ALG between the two networks? What is the gateway between the two networks? Is it a router or a firewall?

- The externhost is verified & correct. That is, the FQDN specified in the
  Externhost field resolves to the correct IP. 
- There is no ALG between the two subnets.
- A Layer-3 switch exists between the two subnets for inter VLAN routing.
- No Firewall exists (at present) between the two subnets (other than the one
  installed on the PinaF itself during installation).  For testing purposes, 
  I had even disabled iptables on the PBX server.  But no go.

How can I enable detailed debugging logs to see what’s happening (something more than the SIP 403)?

Note, if I put a laptop w/ X-Lite on the same subnet as the PBX – I can successfully login & make/receive calls. In this scenario, I do not get any auth/403 errors. It’s only when I move the sipclient/laptop to another subnet I get auth errors.

Well the next step I would take is to remove all the permit and deny statements out, you don’t need them.

You already have SIP debugging on. You can turn on full Asterisk debug with ‘core set debug 255’

Thank you for your continued help on this.

I’m assuming that you’re referring to the FreePBX->Extensions/<Ext#>/Permit|Deny settings. If so, I had already tried the following combination:

- EMPTY permit/deny values
- Permit, Deny=EMPTY
- Permit (sip-client subnet), Deny=EMPTY

However, changing permit/deny settings seems to have no effect on the sip-client login issue (auth/403).

I’ll work on turning on the full debug and report back.

Thank you.

This is caused by NAT between the subnets. If you have an externip defined make sure you create another localnet statement for the adjacent private network.


I am not sure how/where to define localnet so NAT is not applied by Asterisk. Could you please explain?

As per suggestion, I added the localnets information from FreePBX GUI (Submitted & Applied Changes). However, still no go. That is, I am not able to connect to the PBX across subnet.

One interesting observation was that even though I made changes through the FreePBX->Tools->Asterisk SIP Settings, it doesn’t look like the underlying file: /etc/asterisk/sip.conf got changed with the localnet entries. I’m guessing that localnet entries are saved some place else as the FreePBX GUI does show the added localnets; it’s just the sip.conf file that doesn’t have the localnet entries.


Thanks for responding, SkykingOH.

There is no NAT between the two (NET1 & NET2) subnets.

Here’s what the network looks like:

ISP <-----> [AP/RTR]
   NET1 (PinaF)        NET2 (Endpoints)

*Note: Only the [AP/RTR] in the above illustration does the NAT’ting for the
internal/private subnets.

I already answered your question, you need to define a localnet so NAT is not applied by Asterisk for that network.