Asterisk 13.3.2 - PJSIP strange behavior under TLS

Hello everyone!

I would really appreciate your help…

I’m experiencing a problem when I set up TLS on my Asterisk.
The scenario goes like this:

- The Asterisk is behind NAT.
- Phone A is in the same network as the Asterisk server.
- Phone B is directly connected to the internet and has a public IP address.

I can call from A to B and from B to A. I have two-way audio. Everything works fine.
If phone B hangs up, phone A gets automatically disconnected from the call (that’s ok, isn’t it? :smile: )
The problem happens if phone A is the one that hangs up. In that case, phone B remains connected.

If I change the setup to TCP, everything works fine. It doesn’t matter which phone hangs up first, both get disconnected.

For simplicity and troubleshooting, I disabled the firewall on the server and set up the router to forward every port to the Asterisk server. This is a testing environment.

The following is the basic configuration of the server’s pjsip.conf:

[simpletrans]
type=transport
protocol=tls
bind=192.168.103.13:23450
local_net=192.168.103.0/24
external_media_address=181.X.X.X (intentionally removed)
external_signaling_address=181.X.X.X (intentionally removed)
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1

[8023]
type=endpoint
context=internal
disallow=all
allow=ulaw
auth=auth8023
aors=8023
rtp_symmetric=yes
direct_media=no

[auth8023]
type=auth
auth_type=userpass
password=8023
username=8023

[8023]
type=aor
max_contacts=1
remove_existing=yes
qualify_frequency=60

[8022]
type=endpoint
context=internal
disallow=all
allow=ulaw,gsm
auth=auth8022
aors=8022
direct_media=no
rtp_symmetric=yes

[auth8022]
type=auth
auth_type=userpass
password=8022
username=8022

[8022]
type=aor
max_contacts=1
remove_existing=yes
qualify_frequency=60

Any ideas?

Also, I have another question… maybe I should post it in a new topic… but… Is there any equivalent of the “externhost” parameter? I need something like that in pjsip.conf.

Thanks!

Kia ora,

You likely need to set “rewrite_contact=yes” on your endpoint. This will cause the existing TLS connection to get reused instead of trying to establish a new one. Many SIP endpoints don’t accept the incoming connection.

Thank you very much Joshua! I’ll try that setting and post the results.

Regards.

Gaston.

Well, I tried the rewrite_contact line, but it didn’t have any effect. :frowning:

I am thinking there could be a problem with the communication path from my internal network.
The Asterisk’s TLS certificate was created using the public FQDN so my phones (primarily iPhones) can point to the PBX without caring about its public IP.

The phones in my local network use the same certificate as the phones that are outside, and the server address they use is the same FQDN that the external phones use, because if I don’t use the same address, the certificate doesn’t match. Maybe this is the problem, because packets from inside are going to the external interface of my router and coming back again to Asterisk… I think the router is not handling this kind of hairpinning well. This is not a problem for establishing a TLS connection, but if I also want to encrypt the voice packets, the FQDN must match the one of the server.

I am thinking about adding a kind of split-brain DNS so the internal endpoints can use the external FQDN while going directly to the internal IP of the Asterisk server…

Thank you!

Without an actual log I can’t really say one way or the other what could be the problem after using “rewrite_contact=yes”. I can say that I’ve used TLS in PJSIP and tested it against other implementations at SIPit.

Which log do you recommend I check?

Thanks again!

The output of “pjsip set logger on” and “core set debug 9”, with debug going to a file or the console, would be useful. Knowing where things are coming from and going to is the important part for understanding what is going on in the TLS scenario.
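As an added illustration of that advice (this script is not part of the thread and not Asterisk code), here is a small Python helper that reads “pjsip set logger on” output and reports, for every BYE Asterisk transmitted, whether a response came back from the same peer address and dialog. A BYE with no answer, together with the peer address it was sent to, is exactly the “where did it go” information needed to tell a refused new TLS connection from a BYE that simply never left. The sample log is constructed in the logger’s format with documentation addresses; it assumes console-style lines without the date/VERBOSE prefix a log file adds.

```python
def parse_logger(text):
    """Split "pjsip set logger on" output (Asterisk 13 res_pjsip_logger format) into dicts:
    direction, peer (transport:host:port), start line and lowercased SIP headers."""
    msgs, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("<--- ") and line.endswith(" --->"):
            # e.g. "<--- Transmitting SIP request (410 bytes) to TLS:192.168.103.50:5061 --->"
            words = line.split()
            cur = {"direction": words[1], "peer": words[-2], "start": None, "headers": {}}
            msgs.append(cur)
        elif cur is None or not line:
            cur = None                 # a blank line ends the headers; the SDP body is skipped
        elif cur["start"] is None:
            cur["start"] = line        # request line or status line follows the header directly
        elif ":" in line:
            name, _, value = line.partition(":")
            cur["headers"][name.strip().lower()] = value.strip()
    return msgs

def bye_outcomes(msgs):
    """(peer, Call-ID, status) per BYE Asterisk sent; status None means that peer never answered it."""
    out = []
    for i, msg in enumerate(msgs):
        if msg["direction"] != "Transmitting" or not (msg["start"] or "").startswith("BYE "):
            continue
        call_id, status = msg["headers"].get("call-id"), None
        for later in msgs[i + 1:]:     # a response must come from the same peer and dialog
            if (later["direction"] == "Received" and later["peer"] == msg["peer"]
                    and later["headers"].get("call-id") == call_id and (later["start"] or "").startswith("SIP/2.0 ")
                    and later["headers"].get("cseq", "").endswith(" BYE")):
                status = later["start"].split(" ", 1)[1]      # e.g. "200 OK"
                break
        out.append((msg["peer"], call_id, status))
    return out

# Constructed sample (documentation addresses): BYE to the LAN phone is answered, BYE to the public phone is not.
SAMPLE = """\
<--- Transmitting SIP request (410 bytes) to TLS:192.168.103.50:5061 --->
BYE sip:8023@192.168.103.50:5061;transport=TLS SIP/2.0
Call-ID: call-a-1
CSeq: 3 BYE
<--- Received SIP response (300 bytes) from TLS:192.168.103.50:5061 --->
SIP/2.0 200 OK
Call-ID: call-a-1
CSeq: 3 BYE
<--- Transmitting SIP request (412 bytes) to TLS:203.0.113.5:5061 --->
BYE sip:8022@203.0.113.5:5061;transport=TLS SIP/2.0
Call-ID: call-b-1
CSeq: 2 BYE
"""
```

Running `bye_outcomes(parse_logger(open("logger.txt").read()))` on a captured session lists each BYE with its destination transport/address and the status it received, so an unanswered BYE to a public Contact address stands out immediately.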