18.5.1 to 18.10.1 Upgrade and PJSIP Remote Trunking Endpoint Identification Match Change / Failure

I recently attempted to upgrade from Asterisk 18.5.1 (and earlier to 14.6.2) to 18.10.1 to address the recently-identified CVEs in PJSIP/PJProject.

In testing that upgrade, I found that my Twilio Elastic SIP trunking that had worked fine for external, inbound call termination under 18.5.1 was no longer working under 18.10.1. Internal, outcall call origination continued to work in either case.

Digging in a bit more deeply, I found that external, inbound call termination was generating the following log messages under 18.10.1:

res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:+1XXXXXXXXX@host.pstn.twilio.com;isup-oli=00;pstn-params=908481808882>' failed for '54.244.51.2:44651' (callid: c78fc8da571462291988a456bc65b9f7@0.0.0.0) - No matching endpoint found

Debugging further, I noted that the output from pjsip show endpoint twilio-na-us changes between 18.5.1 and 18.10.1. Under 18.5.1, I find:

  Transport:  tls-nat-ipv4-transport     tls      3     96  192.168.5.2:5061
   Identify:  twilio-na-us-identify/twilio-na-us
        Match: 54.172.60.0/32
        Match: 54.172.60.1/32
        Match: 54.172.60.3/32
        Match: 54.172.60.2/32
        Match: 54.244.51.2/32
        Match: 54.244.51.1/32
        Match: 54.244.51.0/32

whereas under 18.10.1, I find:

  Transport:  tls-nat-ipv4-transport     tls      3     96  192.168.5.2:5061
   Identify:  twilio-na-us-identify/twilio-na-us
        Match: 54.172.60.0:5061/32
        Match: 54.172.60.1:5061/32
        Match: 54.172.60.3:5061/32
        Match: 54.172.60.2:5061/32
        Match: 54.244.51.2:5061/32
        Match: 54.244.51.1:5061/32
        Match: 54.244.51.0:5061/32

In short, it looks like 18.10.1 includes the port from the wizard remote_hosts= entry whereas 18.5.1 does not.

My pjsip_wizard.conf remote template for Twilio is:

;;
;; Remote Templates
;;

[twilio-template](!)
type=wizard
transport=tls-nat-ipv4-transport
accepts_registrations=no
sends_registrations=no
accepts_auth=no
sends_auth=yes
aor/qualify_frequency=60
endpoint/allow=!all,ulaw
endpoint/context=from-twilio
endpoint/direct_media=no
endpoint/dtmf_mode=rfc4733
endpoint/force_rport=yes
endpoint/language=en
endpoint/media_encryption=sdes
endpoint/rewrite_contact=yes
endpoint/rtp_symmetric=yes
outbound_auth/username=<redacted>
outbound_auth/password=<redacted>

;
; Remote Template Instantiations
;

; Twilio Elastic SIP Trunking

[twilio-na-us](twilio-template)
remote_hosts=host.pstn.us2.twilio.com:5061,host.pstn.us1.twilio.com:5061

Is the recommended approach under 18.10.1 to just drop the port from the remote_hosts= wizard entry or use one of the *_pattern= entries to wildcard or provide a range of ports? Twilio states that firewall rules should allow for the following SIP and RTP inbound termination interactions:

description "Twilio North America Virginia SIP"
destination {
	port 5060,5061
}
protocol tcp_udp
source {
	address 54.172.60.0/30
	port 10000-20000
}

description "Twilio North America Virginia 1 RTP"
protocol udp
source {
	address 54.172.60.0/23
	port 10000-20000
}

description "Twilio North America Oregon SIP"
destination {
	port 5060,5061
}
protocol tcp_udp
source {
	address 54.244.51.0/30
}

description "Twilio North America Oregon RTP"
protocol udp
source {
	address 54.244.51.0/24
	port 10000-20000
}
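
The mismatch described in the post above, as an added example (not part of the original post and not Asterisk's own code): it parses Match entries in the form printed by pjsip show endpoint and tests them against the source of the rejected INVITE. It assumes that an entry carrying a port matches only requests arriving from that source port; the function names are hypothetical.

```python
import ipaddress

# Entries copied from the two "pjsip show endpoint" outputs in the post (abbreviated).
MATCH_18_5_1 = ["54.172.60.0/32", "54.244.51.2/32"]
MATCH_18_10_1 = ["54.172.60.0:5061/32", "54.244.51.2:5061/32"]


def parse_match(entry):
    """Split 'addr[:port][/prefix]' (IPv4 only) into (network, port or None)."""
    host, _, prefix = entry.partition("/")
    addr, _, port = host.partition(":")
    network = ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)
    return network, (int(port) if port else None)


def identify(matches, src_ip, src_port):
    """Return the first entry matching the packet source, else None.

    Assumption: an entry that carries a port matches only that source port.
    """
    ip = ipaddress.ip_address(src_ip)
    for entry in matches:
        network, port = parse_match(entry)
        if ip in network and (port is None or port == src_port):
            return entry
    return None


def port_blocked(matches, src_ip, src_port):
    """Entries whose address covers the source but whose port rules it out."""
    ip = ipaddress.ip_address(src_ip)
    blocked = []
    for entry in matches:
        network, port = parse_match(entry)
        if ip in network and port is not None and port != src_port:
            blocked.append(entry)
    return blocked


if __name__ == "__main__":
    src = ("54.244.51.2", 44651)  # source address and port from the log line
    print("18.5.1 :", identify(MATCH_18_5_1, *src))
    print("18.10.1:", identify(MATCH_18_10_1, *src))
    print("blocked by port:", port_blocked(MATCH_18_10_1, *src))
```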

Most, or all, of these are in PJSUA, which is not used by Asterisk.
