Apparent NAT Issues

Hi all,
I am having an issue that appears to act like NAT, but most of the traditional NAT fixes are not addressing the issue. I am using Asterisk 13 18.3 with PJSIP.

The setup
Phone1 (ext 702) ->>
Phone_Server (ip: 10.10.1.47) --> Public_IP1 = Public_IP2 <-- Phone2 (ext 186)

The problem: When I make a call from phone 1 to the phone server, everything is fine (as it should be; they are on the same LAN). But when I try to make a call from phone 2 or the phone server, I get no audio. I suspect the issue is related to the registration, as when things don't go through firewall1 they look better and work.

Non working config
| uri | user_agent | qualify_timeout | authenticate_qualify | via_addr | via_port | endpoint |
|---|---|---|---|---|---|---|
| sip:702@10.10.1.25:5060 | Aastra 6867i/4.2.0.2023 | 3 | no | 10.10.1.25 | 5060 | 702 |
| sip:186@Public_IP2:32658^3Brinstance=ffccbaf40665d202 | X-Lite release 5.1.0 stamp 89322 | 3 | no | 192.168.43.82 | 61946 | 186 |

Working config
| uri | user_agent | qualify_timeout | authenticate_qualify | via_addr | via_port | endpoint |
|---|---|---|---|---|---|---|
| sip:702@10.10.1.25:5060 | Aastra 6867i/4.2.0.2023 | 3 | no | 10.10.1.25 | 5060 | 702 |
| sip:186@Public_IP2:32658^3Brinstance=ffccbaf40665d202 | X-Lite release 5.1.0 stamp 89322 | 3 | no | Public_ip2 | 61946 | 186 |

My Transport appears as:
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0
local_net=10.10.1.0/22
local_net=127.0.0.1/32
allow_reload=yes
external_media_address=Public_IP1
external_signaling_address=Public_IP1

My Endpoints: (both are the same)

Endpoint: 186 Not in use 0 of inf
InAuth: 186/186
Aor: 186 10
Contact: 186/sip:186@public_ip2:32658;rinstance 1aa255fd26 Unknown nan
Transport: transport-udp udp 0 0 0.0.0.0:5060

ParameterName : ParameterValue

100rel : yes
accountcode :
acl :
aggregate_mwi : true
allow : (ulaw)
allow_overlap : true
allow_subscribe : true
allow_transfer : true
aors : 186
asymmetric_rtp_codec : false
auth : 186
bind_rtp_to_media_address : false
call_group :
callerid :
callerid_privacy : allowed_not_screened
callerid_tag :
connected_line_method : invite
contact_acl :
context : from-Phone
cos_audio : 0
cos_video : 0
device_state_busy_at : 0
direct_media : false
direct_media_glare_mitigation : none
direct_media_method : invite
disable_direct_media_on_nat : false
dtls_ca_file :
dtls_ca_path :
dtls_cert_file :
dtls_cipher :
dtls_fingerprint : SHA-256
dtls_private_key :
dtls_rekey : 0
dtls_setup : active
dtls_verify : No
dtmf_mode : rfc4733
fax_detect : false
fax_detect_timeout : 0
force_avp : false
force_rport : true
from_domain :
from_user :
g726_non_standard : false
ice_support : false
identify_by : username
inband_progress : false
incoming_mwi_mailbox :
language :
mailboxes :
media_address :
media_encryption : no
media_encryption_optimistic : false
media_use_received_transport : false
message_context :
moh_suggest : default
mwi_from_user :
mwi_subscribe_replaces_unsolicited : false
named_call_group :
named_pickup_group :
notify_early_inuse_ringing : false
one_touch_recording : false
outbound_auth :
outbound_proxy :
pickup_group :
record_off_feature : automixmon
record_on_feature : automixmon
refer_blind_progress : true
rewrite_contact : true
rpid_immediate : false
rtcp_mux : false
rtp_engine : asterisk
rtp_ipv6 : false
rtp_keepalive : 0
rtp_symmetric : true
rtp_timeout : 0
rtp_timeout_hold : 0
sdp_owner : -
sdp_session : Asterisk
send_diversion : true
send_pai : false
send_rpid : false
set_var :
srtp_tag_32 : false
sub_min_expiry : 0
subscribe_context :
t38_udptl : false
t38_udptl_ec : none
t38_udptl_ipv6 : false
t38_udptl_maxdatagram : 0
t38_udptl_nat : false
timers : yes
timers_min_se : 90
timers_sess_expires : 1800
tone_zone :
tos_audio : 0
tos_video : 0
transport : transport-udp
trust_id_inbound : false
trust_id_outbound : false
use_avpf : false
use_ptime : false
user_eq_phone : false
voicemail_extension :

Here is my registration on the non-working connection

<--- Received SIP request (542 bytes) from UDP:Public_IP2:3467 --->
REGISTER sip:Public_IP1 SIP/2.0
Via: SIP/2.0/UDP 192.168.43.82:50770;branch=z9hG4bK-524287-1---9f5ddc59455c5674;rport
Max-Forwards: 70
Contact: sip:186@192.168.43.82:50770;rinstance=825588bfbf119967
To: "Test_lap1"sip:186@Public_IP1
From: "Test_lap1"sip:186@Public_IP1;tag=0816683b
Call-ID: 89322OTI0OGQ3MjVmYjdiZmJiNmY1MTg0ZGFlNTczNzhlOTE
CSeq: 1 REGISTER
Expires: 3600
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, CANCEL, BYE, REFER, INFO, OPTIONS, MESSAGE
User-Agent: X-Lite release 5.1.0 stamp 89322
Content-Length: 0

<--- Transmitting SIP response (553 bytes) to UDP:Public_IP2:3467 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.43.82:50770;rport=3467;received=Public_IP2;branch=z9hG4bK-524287-1---9f5ddc59455c5674
Call-ID: 89322OTI0OGQ3MjVmYjdiZmJiNmY1MTg0ZGFlNTczNzhlOTE
From: "Test_lap1" sip:186@Public_IP1;tag=0816683b
To: "Test_lap1" sip:186@Public_IP1;tag=z9hG4bK-524287-1---9f5ddc59455c5674
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="asterisk",nonce="1513710457/f607d1ed2c2d9f4972c4fb3c51789aa1",opaque="3421a4040440bac6",algorithm=md5,qop="auth"
Server: Asterisk PBX 13.18.3
Content-Length: 0

Here is my registration on the Working one

<--- Received SIP request (817 bytes) from UDP:Public_IP2:61694 --->
REGISTER sip:Public_IP1 SIP/2.0
Via: SIP/2.0/UDP 192.168.43.82:58806;branch=z9hG4bK-524287-1---15a95a509a801b58;rport
Max-Forwards: 70
Contact: sip:186@Public_IP2:61694;rinstance=bc00805d342416a7;expires=0
To: "Test_lap"sip:186@Public_IP1
From: "Test_lap"sip:186@Public_IP1;tag=9ae0f434
Call-ID: 89322OGRkNjI4YTFlMDljYzBlYjAwZTQyOTY5MjNjNDFmN2E
CSeq: 5 REGISTER
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, CANCEL, BYE, REFER, INFO, OPTIONS, MESSAGE
User-Agent: X-Lite release 5.1.0 stamp 89322
Authorization: Digest username="186",realm="asterisk",nonce="1513710159/9c11e2611bf72d48765daf897b4368cb",uri="sip:Public_IP1",response="702d6e75b4d961bc30f2c99c94ffd3ea",cnonce="7e81db88f1ee64a004f7cc4d03465fbc",nc=00000004,qop=auth,algorithm=md5,opaque="7ae2b2f6275085a3"
Content-Length: 0

<--- Transmitting SIP response (565 bytes) to UDP:Public_IP2:61694 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.43.82:58806;rport=61694;received=Public_IP2;branch=z9hG4bK-524287-1---15a95a509a801b58
Call-ID: 89322OGRkNjI4YTFlMDljYzBlYjAwZTQyOTY5MjNjNDFmN2E
From: "Test_lap" sip:186@Public_IP1;tag=9ae0f434
To: "Test_lap" sip:186@Public_IP1;tag=z9hG4bK-524287-1---15a95a509a801b58
CSeq: 5 REGISTER
WWW-Authenticate: Digest realm="asterisk",nonce="1513710243/8284c715aa37d14d13584111873dd552",opaque="53c5d9300aaeb178",stale=true,algorithm=md5,qop="auth"
Server: Asterisk PBX 13.17.2
Content-Length: 0

I would prefer to have things behind the firewall, so any assistance would be appreciated.

I have managed to lock this issue down. All 3 of the following fixes will address the issue:

1.) Disable SIP ALG helper on the firewall of your local device.

2.) On the external phone you can use force rport. (Be advised: even if this option shows on your phone it may have no effect; not all phones are created equal.)

3.) On the external phone use a STUN server.

Obviously fix one is the recommended option; however, on some firewalls, even when it says it's off, it's not really off. This was my case. It took tech support and a reboot of my firewall to correct this.
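
Added example, not part of the original posts: a small Python check that reads a REGISTER captured by the Asterisk PJSIP logger and compares the address the phone advertises in Contact and Via with the address the packet actually arrived from, which is the difference between the two registrations above. The traces are constructed from those registrations, with 203.0.113.10 and 203.0.113.20 standing in for the redacted Public_IP1 and Public_IP2; the function names are hypothetical.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BANNER = re.compile(r"<--- Received SIP request \(\d+ bytes\) from \w+:([^:\s]+):(\d+) --->")
VIA = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^:;\s]+)(?::(\d+))?([^\r\n]*)", re.M | re.I)
CONTACT = re.compile(r"^Contact:[^\r\n]*?sips?:(?:[^@\s>]+@)?([^:;>\s]+)(?::(\d+))?", re.M | re.I)

def is_rfc1918(host):
    """True only for literal RFC 1918 addresses; hostnames and redacted placeholders are False."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def nat_report(trace):
    """Compare the addresses a REGISTER advertises with the address it arrived from."""
    src, via, contact = BANNER.search(trace), VIA.search(trace), CONTACT.search(trace)
    if not (src and via and contact):
        raise ValueError("trace must contain the logger banner, a Via and a Contact header")
    source = (src.group(1), src.group(2))
    advertised = (contact.group(1), contact.group(2))
    if advertised == source:
        verdict = "contact-matches-source"       # phone or a middlebox already put the public mapping in
    elif is_rfc1918(advertised[0]):
        verdict = "contact-private"              # unreachable as written; server must rewrite it
    else:
        verdict = "contact-differs-from-source"  # public, but not the mapping the packet came from
    return {
        "source": source, "contact": advertised, "via_private": is_rfc1918(via.group(1)),
        "rport_requested": bool(re.search(r";rport(?:;|$)", via.group(3))),
        "verdict": verdict,
    }

# Constructed traces modelled on the two REGISTERs in the post (placeholder IPs substituted).
NON_WORKING = "\n".join([
    "<--- Received SIP request (542 bytes) from UDP:203.0.113.20:3467 --->",
    "REGISTER sip:203.0.113.10 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.43.82:50770;branch=z9hG4bK-524287-1---9f5ddc59455c5674;rport",
    "Contact: sip:186@192.168.43.82:50770;rinstance=825588bfbf119967",
])
WORKING = "\n".join([
    "<--- Received SIP request (817 bytes) from UDP:203.0.113.20:61694 --->",
    "REGISTER sip:203.0.113.10 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.43.82:58806;branch=z9hG4bK-524287-1---15a95a509a801b58;rport",
    "Contact: sip:186@203.0.113.20:61694;rinstance=bc00805d342416a7;expires=0",
])

if __name__ == "__main__":
    for name, trace in (("non-working", NON_WORKING), ("working", WORKING)):
        print(name, nat_report(trace))
```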