Asterisk 13.5 - PJSIP problems with TLS

Hi everyone!

I’m trying to get Asterisk 13.5 to work with PJSIP and TLS with my snom370 VoIP phones, but it doesn’t work like I want it to and I can’t find my mistake(s).

Additional info: I have two servers running, both using the same OS version, the same Asterisk version, the same phone models and firmware; the only difference is the protocol – SIP or PJSIP. The SIP server works totally fine.

I really hope you can help me.

This is my current setup:

[transport-tls]
bind=0.0.0.0:5061
ca_list_file=/etc/asterisk/keys/ca.crt
ca_list_path=/etc/asterisk/keys
cert_file=/etc/asterisk/keys/asterisk.crt
method=tlsv1 ; I tried both tlsv1 and sslv23
priv_key_file=/etc/asterisk/keys/asterisk.key
protocol=tls
type=transport

  Aor:  <Aor..............................................>  <MaxContact>
Contact:  <Aor/ContactUri.................................>  <Status....>  <RTT(ms)..>

=========================================================================================

  Aor:  935852                                               1
Contact:  935852/sip:935852@172.16.5.15:1222;transport=TLS;  Unknown               nan

ParameterName : ParameterValue

authenticate_qualify : false
contact : sip:935852@172.16.5.15:1222;transport=TLS;line=e8mthjh8
default_expiration : 3600
mailboxes :
max_contacts : 1
maximum_expiration : 540
minimum_expiration : 60
outbound_proxy :
qualify_frequency : 0
qualify_timeout : 3.000000
remove_existing : true
support_path : false

I/OAuth: <AuthId/UserName…>

 Auth:  935852/935852

ParameterName : ParameterValue

auth_type : userpass
md5_cred :
nonce_lifetime : 32
password : …
realm :
username : 935852

Endpoint: <Endpoint/CID…> <State…> <Channels.>
I/OAuth: <AuthId/UserName…>
Aor: <Aor…>
Contact: <Aor/ContactUri…> <Status…> <RTT(ms)…>
Transport: <TransportId…> <BindAddress…>
Identify: <Identify/Endpoint…>
Match: <ip/cidr…>
Channel: <ChannelId…> <State…> <Time(sec)>
Exten: <DialedExten…> CLCID: <ConnectedLineCID…>

Endpoint: 935852/52 Not in use 0 of inf
InAuth: 935852/935852
Aor: 935852 1
Contact: 935852/sip:935852@172.16.5.15:1221;transport=TL Unknown nan
Transport: transport-tls tls 0 0 0.0.0.0:5061

ParameterName : ParameterValue

100rel : yes
accountcode :
aggregate_mwi : true
allow : (alaw)
allow_subscribe : true
allow_transfer : true
aors : 935852
auth : 935852
call_group :
callerid : “PJSIP-RECHTS” <52>
callerid_privacy : allowed_not_screened
callerid_tag :
connected_line_method : invite
context : area901
cos_audio : 0
cos_video : 0
device_state_busy_at : 0
direct_media : false
direct_media_glare_mitigation : none
direct_media_method : invite
disable_direct_media_on_nat : false
dtls_ca_file :
dtls_ca_path :
dtls_cert_file :
dtls_cipher :
dtls_fingerprint : SHA-256
dtls_private_key :
dtls_rekey : 0
dtls_setup : active
dtls_verify : No
dtmf_mode : rfc4733
fax_detect : false
force_avp : false
force_rport : false
from_domain :
from_user :
g726_non_standard : false
ice_support : false
identify_by : username
inband_progress : false
language : de
mailboxes :
media_address :
media_encryption : no
media_encryption_optimistic : false
media_use_received_transport : false
message_context :
moh_suggest : default
mwi_from_user :
named_call_group :
named_pickup_group :
one_touch_recording : false
outbound_auth :
outbound_proxy :
pickup_group :
record_off_feature : automixmon
record_on_feature : automixmon
rewrite_contact : true
rpid_immediate : false
rtp_engine : asterisk
rtp_ipv6 : false
rtp_keepalive : 0
rtp_symmetric : false
rtp_timeout : 0
rtp_timeout_hold : 0
sdp_owner : -
sdp_session : Asterisk
send_diversion : true
send_pai : false
send_rpid : false
set_var :
srtp_tag_32 : false
sub_min_expiry : 0
t38_udptl : false
t38_udptl_ec : none
t38_udptl_ipv6 : false
t38_udptl_maxdatagram : 0
t38_udptl_nat : false
timers : yes
timers_min_se : 90
timers_sess_expires : 1800
tone_zone :
tos_audio : 0
tos_video : 0
transport : transport-tls
trust_id_inbound : false
trust_id_outbound : false
use_avpf : false
use_ptime : false
user_eq_phone : false

I use the certificate and CA which can be made by the ast_tls_cert script -> these do work with TLS with SIP.

In the snom web interface I activated the TLS feature, accepted the certificate the server sends and added “…:5061;transport=tls” to the outbound proxy, like I did in SIP.

Now, every time I make a call, these messages occur:

[Oct 16 08:47:25] ERROR[1779]: pjsip:0 <?>: tlsc0x7faffc03 TLS connect() error: Connection refused [code=120111]
[Oct 16 08:47:25] WARNING[1779]: pjsip:0 <?>: tsx0x7faffc036 Failed to send Request msg NOTIFY/cseq=14187 (tdta0x7faffc046750)! err=120111 (Connection refused)

These messages also occur when I re-register the phones.

When I trace the network traffic, the calls are encrypted via TLS, but I can’t decrypt them with the certificate. So I think the whole encryption via my certificate doesn’t work at all and the encryption is only done by the phone itself -> this is not what I want.

I really would appreciate your help!

Best Regards

Please provide the complete console output and the PJSIP logger output (pjsip set logger on) of a registration to confirm the ports and connections in use.

Hi,
here the console output:

<— Received SIP request (776 bytes) from TLS:172.16.1.61:1091 —>
REGISTER sip:de-edv-vm-ast01 SIP/2.0
Via: SIP/2.0/TLS 172.16.1.61:1091;branch=z9hG4bK-5ouqgp8opsrg;rport
From: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=bohgtgndit
To: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01
Call-ID: 313434343938363739333339353535-bv7tch8nmjur
CSeq: 297 REGISTER
Max-Forwards: 70
User-Agent: snom370/8.7.5.17
Contact: sip:935851@172.16.1.61:1091;transport=tls;line=tni8lpjp;reg-id=1;q=1.0;+sip.instance=“urn:uuid:e09574e0-39a7-41bf-868a-0004132EEE50”;audio;mobility=“fixed”;duplex=“full”;description=“snom370”;actor=“principal”;events=“dialog”;methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
Allow-Events: dialog
X-Real-IP: {x-snom-adr}
Supported: path, gruu
Expires: 3600
Content-Length: 0

<— Transmitting SIP response (537 bytes) to TLS:172.16.1.61:1091 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 172.16.1.61:1091;rport=1091;received=172.16.1.61;branch=z9hG4bK-5ouqgp8opsrg
Call-ID: 313434343938363739333339353535-bv7tch8nmjur
From: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=bohgtgndit
To: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=z9hG4bK-5ouqgp8opsrg
CSeq: 297 REGISTER
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1445236526/ac7dddd6af16745d554f4a173395633e”,opaque=“466b31be6f87ef6d”,algorithm=md5,qop="auth"
Server: Asterisk PBX 13.5.0
Content-Length: 0

<— Received SIP request (1035 bytes) from TLS:172.16.1.61:1091 —>
REGISTER sip:de-edv-vm-ast01 SIP/2.0
Via: SIP/2.0/TLS 172.16.1.61:1091;branch=z9hG4bK-52116iz2nt8f;rport
From: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=bohgtgndit
To: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01
Call-ID: 313434343938363739333339353535-bv7tch8nmjur
CSeq: 298 REGISTER
Max-Forwards: 70
User-Agent: snom370/8.7.5.17
Contact: sip:935851@172.16.1.61:1091;transport=tls;line=tni8lpjp;reg-id=1;q=1.0;+sip.instance=“urn:uuid:e09574e0-39a7-41bf-868a-0004132EEE50”;audio;mobility=“fixed”;duplex=“full”;description=“snom370”;actor=“principal”;events=“dialog”;methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
Allow-Events: dialog
X-Real-IP: {x-snom-adr}
Supported: path, gruu
Authorization: Digest username=“935851”,realm=“asterisk”,nonce=“1445236526/ac7dddd6af16745d554f4a173395633e”,uri=“sip:de-edv-vm-ast01”,qop=auth,nc=00000001,cnonce=“311d066e”,response=“5237eb422325da0210aa14ca84e4b40f”,opaque=“466b31be6f87ef6d”,algorithm=MD5
Expires: 3600
Content-Length: 0

Contact 935851/sip:935851@172.16.1.61:1091;transport=TLS;line=tni8lpjp has been created
-- Added contact 'sip:935851@172.16.1.61:1091;transport=TLS;line=tni8lpjp' to AOR '935851' with expiration of 3600 seconds
Contact 935851/sip:935851@172.16.1.61:1090;transport=TLS;line=tni8lpjp has been deleted
<— Transmitting SIP response (513 bytes) to TLS:172.16.1.61:1091 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 172.16.1.61:1091;rport=1091;received=172.16.1.61;branch=z9hG4bK-52116iz2nt8f
Call-ID: 313434343938363739333339353535-bv7tch8nmjur
From: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=bohgtgndit
To: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=z9hG4bK-52116iz2nt8f
CSeq: 298 REGISTER
Date: Mon, 19 Oct 2015 06:35:26 GMT
Contact: sip:935851@172.16.1.61:1091;transport=TLS;line=tni8lpjp;expires=3599
Expires: 3600
Server: Asterisk PBX 13.5.0
Content-Length: 0

<— Received SIP request (500 bytes) from TLS:172.16.1.61:1091 —>
SUBSCRIBE sip:52@de-edv-vm-ast01;user=phone SIP/2.0
Via: SIP/2.0/TLS 172.16.1.61:1091;branch=z9hG4bK-p16xefc3m1yg;rport
From: sip:935851@de-edv-vm-ast01;tag=e9jbn90ufq
To: sip:52@de-edv-vm-ast01;user=phone
Call-ID: 313434353233363531343137373432-npvayvc8865b
CSeq: 3 SUBSCRIBE
Max-Forwards: 70
User-Agent: snom370/8.7.5.17
Contact: sip:935851@172.16.1.61:1091;transport=tls;line=tni8lpjp;reg-id=1
Event: dialog
Accept: application/dialog-info+xml
Expires: 3600
Content-Length: 0

<— Transmitting SIP response (509 bytes) to TLS:172.16.1.61:1091 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 172.16.1.61:1091;rport=1091;received=172.16.1.61;branch=z9hG4bK-p16xefc3m1yg
Call-ID: 313434353233363531343137373432-npvayvc8865b
From: sip:935851@de-edv-vm-ast01;tag=e9jbn90ufq
To: sip:52@de-edv-vm-ast01;user=phone;tag=z9hG4bK-p16xefc3m1yg
CSeq: 3 SUBSCRIBE
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1445236528/c9d83e8a06aa0b399f6b146ecea647fb”,opaque=“7c4cd1ae378f79db”,algorithm=md5,qop="auth"
Server: Asterisk PBX 13.5.0
Content-Length: 0

<— Received SIP request (773 bytes) from TLS:172.16.1.61:1091 —>
SUBSCRIBE sip:52@de-edv-vm-ast01;user=phone SIP/2.0
Via: SIP/2.0/TLS 172.16.1.61:1091;branch=z9hG4bK-dtrljwhalc5x;rport
From: sip:935851@de-edv-vm-ast01;tag=e9jbn90ufq
To: sip:52@de-edv-vm-ast01;user=phone
Call-ID: 313434353233363531343137373432-npvayvc8865b
CSeq: 4 SUBSCRIBE
Max-Forwards: 70
User-Agent: snom370/8.7.5.17
Contact: sip:935851@172.16.1.61:1091;transport=tls;line=tni8lpjp;reg-id=1
Event: dialog
Accept: application/dialog-info+xml
Authorization: Digest username=“935851”,realm=“asterisk”,nonce=“1445236528/c9d83e8a06aa0b399f6b146ecea647fb”,uri=“sip:52@de-edv-vm-ast01;user=phone”,qop=auth,nc=00000001,cnonce=“6143095b”,response=“c97a6140d8c8f4465473a19c6c0f30f2”,opaque=“7c4cd1ae378f79db”,algorithm=MD5
Expires: 3600
Content-Length: 0

<— Transmitting SIP response (590 bytes) to TLS:172.16.1.61:1091 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 172.16.1.61:1091;rport=1091;received=172.16.1.61;branch=z9hG4bK-dtrljwhalc5x
Call-ID: 313434353233363531343137373432-npvayvc8865b
From: sip:935851@de-edv-vm-ast01;tag=e9jbn90ufq
To: sip:52@de-edv-vm-ast01;user=phone;tag=84b693bd-6b96-4454-baa3-4ceba3436954
CSeq: 4 SUBSCRIBE
Expires: 3600
Contact: sip:172.16.15.20:5061;transport=TLS
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Server: Asterisk PBX 13.5.0
Content-Length: 0

<— Transmitting SIP request (924 bytes) to TLS:172.16.1.61:1091 —>
NOTIFY sip:935851@172.16.1.61:1091;transport=TLS;line=tni8lpjp SIP/2.0
Via: SIP/2.0/TLS 172.16.15.20:57860;rport;branch=z9hG4bKPjafbd1eb6-66a0-425f-974c-26cbd47a49b1;alias
From: sip:52@de-edv-vm-ast01;user=phone;tag=84b693bd-6b96-4454-baa3-4ceba3436954
To: sip:935851@de-edv-vm-ast01;tag=e9jbn90ufq
Contact: sip:172.16.15.20:57860;transport=TLS
Call-ID: 313434353233363531343137373432-npvayvc8865b
CSeq: 29693 NOTIFY
Event: dialog
Subscription-State: active;expires=3599
Allow-Events: message-summary, presence, dialog, refer
Max-Forwards: 70
User-Agent: Asterisk PBX 13.5.0
Content-Type: application/dialog-info+xml
Content-Length: 263

<?xml version="1.0" encoding="UTF-8"?> terminated

[Oct 19 08:35:28] ERROR[18676]: pjsip:0 <?>: tlsc0x21842e8 TLS connect() error: Connection refused [code=120111]
[Oct 19 08:35:28] WARNING[18676]: pjsip:0 <?>: tsx0x2188718 Failed to send Request msg NOTIFY/cseq=29693 (tdta0x2194870)! err=120111 (Connection refused)

Best Regards

Try removing the “rewrite_contact=yes” option from the endpoint configuration. It may be that the Snom doesn’t want to reuse the connection.

After removing “rewrite contact” I wasn’t able to make a call anymore.
Even after setting it back to “yes”, no calls possible.

I had to completely disable TLS and restart the whole server to be able to call again.

The logger output while trying to call:

<— Received SIP request (1198 bytes) from TLS:172.16.1.61:1118 —>
INVITE sip:52@de-edv-vm-ast01;user=phone SIP/2.0
Via: SIP/2.0/TLS 172.16.1.61:1118;branch=z9hG4bK-j32te3zxyqhd;rport
From: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=q1qm2kund3
To: sip:52@de-edv-vm-ast01;user=phone
Call-ID: 31343435323539393633313830-70vghat0deus
CSeq: 1 INVITE
Max-Forwards: 70
User-Agent: snom370/8.7.5.17
Contact: sip:935851@172.16.1.61:1118;transport=tls;line=fff1yg5i;reg-id=1
X-Serialnumber: 0004132EEE50
P-Key-Flags: resolution=“31x13”, keys="4"
Accept: application/sdp
Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO, UPDATE
Allow-Events: talk, hold, refer, call-info
Supported: timer, 100rel, replaces, from-change
Session-Expires: 3600
Min-SE: 90
Content-Type: application/sdp
Content-Length: 401

v=0
o=root 1848713250 1848713250 IN IP4 172.16.1.61
s=call
c=IN IP4 172.16.1.61
t=0 0
m=audio 51852 RTP/AVP 9 0 8 3 99 112 18 101
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=rtpmap:99 G726-32/8000
a=rtpmap:112 AAL2-G726-32/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=sendrecv

<— Transmitting SIP response (519 bytes) to TLS:172.16.1.61:1118 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 172.16.1.61:1118;rport=1118;received=172.16.1.61;branch=z9hG4bK-j32te3zxyqhd
Call-ID: 31343435323539393633313830-70vghat0deus
From: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=q1qm2kund3
To: sip:52@de-edv-vm-ast01;user=phone;tag=z9hG4bK-j32te3zxyqhd
CSeq: 1 INVITE
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1445259964/9d29f7e9282fc9caa585d19f23735cf9”,opaque=“171bbff329db6335”,algorithm=md5,qop="auth"
Server: Asterisk PBX 13.5.0
Content-Length: 0

<— Received SIP request (459 bytes) from TLS:172.16.1.61:1118 —>
ACK sip:52@de-edv-vm-ast01;user=phone SIP/2.0
Via: SIP/2.0/TLS 172.16.1.61:1118;branch=z9hG4bK-j32te3zxyqhd;rport
From: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=q1qm2kund3
To: sip:52@de-edv-vm-ast01;user=phone;tag=z9hG4bK-j32te3zxyqhd
Call-ID: 31343435323539393633313830-70vghat0deus
CSeq: 1 ACK
Max-Forwards: 70
User-Agent: snom370/8.7.5.17
Contact: sip:935851@172.16.1.61:1118;transport=tls;line=fff1yg5i;reg-id=1
Content-Length: 0

<— Received SIP request (1471 bytes) from TLS:172.16.1.61:1118 —>
INVITE sip:52@de-edv-vm-ast01;user=phone SIP/2.0
Via: SIP/2.0/TLS 172.16.1.61:1118;branch=z9hG4bK-ynkz1idd1qcv;rport
From: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=q1qm2kund3
To: sip:52@de-edv-vm-ast01;user=phone
Call-ID: 31343435323539393633313830-70vghat0deus
CSeq: 2 INVITE
Max-Forwards: 70
User-Agent: snom370/8.7.5.17
Contact: sip:935851@172.16.1.61:1118;transport=tls;line=fff1yg5i;reg-id=1
X-Serialnumber: 0004132EEE50
P-Key-Flags: resolution=“31x13”, keys="4"
Accept: application/sdp
Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO, UPDATE
Allow-Events: talk, hold, refer, call-info
Supported: timer, 100rel, replaces, from-change
Session-Expires: 3600
Min-SE: 90
Authorization: Digest username=“935851”,realm=“asterisk”,nonce=“1445259964/9d29f7e9282fc9caa585d19f23735cf9”,uri=“sip:52@de-edv-vm-ast01;user=phone”,qop=auth,nc=00000001,cnonce=“584c0d2e”,response=“3cd7a433f447fa7474a9b165401cf0a6”,opaque=“171bbff329db6335”,algorithm=MD5
Content-Type: application/sdp
Content-Length: 401

v=0
o=root 1848713250 1848713250 IN IP4 172.16.1.61
s=call
c=IN IP4 172.16.1.61
t=0 0
m=audio 51852 RTP/AVP 9 0 8 3 99 112 18 101
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=rtpmap:99 G726-32/8000
a=rtpmap:112 AAL2-G726-32/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=sendrecv

<— Transmitting SIP response (341 bytes) to TLS:172.16.1.61:1118 —>
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 172.16.1.61:1118;rport=1118;received=172.16.1.61;branch=z9hG4bK-ynkz1idd1qcv
Call-ID: 31343435323539393633313830-70vghat0deus
From: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=q1qm2kund3
To: sip:52@de-edv-vm-ast01;user=phone
CSeq: 2 INVITE
Server: Asterisk PBX 13.5.0
Content-Length: 0

-- Executing [52@area901:1] Dial("PJSIP/935851-00000002", "PJSIP/935852")
-- Called PJSIP/935852

<— Transmitting SIP request (992 bytes) to TLS:172.16.5.15:1247 —>
INVITE sip:935852@172.16.5.15:1247;transport=tls;line=cozcxpzo SIP/2.0
Via: SIP/2.0/TLS 172.16.15.20:57948;rport;branch=z9hG4bKPje44ca379-10bb-4dc7-b3cb-84c57808a15a;alias
From: “PJSIP-LINKS” sip:51@172.16.15.20;tag=19f46806-966a-409f-84e4-62811a7a1a82
To: sip:935852@172.16.5.15;line=cozcxpzo
Contact: sip:1693aec8-85bd-49d5-ad06-2470b0fbb8cc@172.16.15.20:57948;transport=TLS
Call-ID: 251908f2-4221-4f33-9ba6-9158260f4863
CSeq: 8711 INVITE
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 13.5.0
Content-Type: application/sdp
Content-Length: 237

v=0
o=- 1703500070 1703500070 IN IP4 172.16.15.20
s=Asterisk
c=IN IP4 172.16.15.20
t=0 0
m=audio 16376 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

[Oct 19 15:06:04] ERROR[1520]: pjsip:0 <?>: tlsc0x7f287001 TLS connect() error: Connection refused [code=120111]
[Oct 19 15:06:04] WARNING[1520]: pjsip:0 <?>: tsx0x7f2870023 Failed to send Request msg INVITE/cseq=8711 (tdta0x7f286c0f1ee0)! err=120111 (Connection refused)
== Everyone is busy/congested at this time (1:0/1/0)
-- Auto fallthrough, channel 'PJSIP/935851-00000002' status is 'CONGESTION'
<— Transmitting SIP response (419 bytes) to TLS:172.16.1.61:1118 —>
SIP/2.0 503 Service Unavailable
Via: SIP/2.0/TLS 172.16.1.61:1118;rport=1118;received=172.16.1.61;branch=z9hG4bK-ynkz1idd1qcv
Call-ID: 31343435323539393633313830-70vghat0deus
From: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=q1qm2kund3
To: sip:52@de-edv-vm-ast01;user=phone;tag=3e0cc711-d33b-4060-93dc-11269cfd8567
CSeq: 2 INVITE
Server: Asterisk PBX 13.5.0
Reason: Q.850;cause=34
Content-Length: 0

<— Transmitting SIP request (922 bytes) to TLS:172.16.5.15:1238 —>
NOTIFY sip:935852@172.16.5.15:1238;transport=tls;line=o7h3c5b2 SIP/2.0
Via: SIP/2.0/TLS 172.16.15.20:57513;rport;branch=z9hG4bKPj763c30fb-34a1-44fd-a3e3-1a42672db419;alias
From: sip:51@de-edv-vm-ast01;user=phone;tag=59102f14-1f73-40ba-b22b-5f1ad6affc67
To: sip:935852@de-edv-vm-ast01;tag=gkcvqkwo9g
Contact: sip:172.16.15.20:57513;transport=TLS
Call-ID: 313434353235383337303630393932-tj6oyvwk2xhc
CSeq: 7170 NOTIFY
Event: dialog
Subscription-State: active;expires=2006
Allow-Events: message-summary, presence, dialog, refer
Max-Forwards: 70
User-Agent: Asterisk PBX 13.5.0
Content-Type: application/dialog-info+xml
Content-Length: 262

<?xml version="1.0" encoding="UTF-8"?> confirmed

<— Transmitting SIP request (921 bytes) to TLS:172.16.5.15:1240 —>
NOTIFY sip:935852@172.16.5.15:1240;transport=tls;line=mcswb9k4 SIP/2.0
Via: SIP/2.0/TLS 172.16.15.20:58339;rport;branch=z9hG4bKPj81e30a16-4db4-480b-bbd0-3142584ad113;alias
From: sip:51@de-edv-vm-ast01;user=phone;tag=2567d807-0873-4c3d-82c3-cd1d3fc01b58
To: sip:935852@de-edv-vm-ast01;tag=j899z3im4r
Contact: sip:172.16.15.20:58339;transport=TLS
Call-ID: 3134343532353837333236303036-eqx5p4cwldce
CSeq: 25985 NOTIFY
Event: dialog
Subscription-State: active;expires=2366
Allow-Events: message-summary, presence, dialog, refer
Max-Forwards: 70
User-Agent: Asterisk PBX 13.5.0
Content-Type: application/dialog-info+xml
Content-Length: 262

<?xml version="1.0" encoding="UTF-8"?> confirmed

<— Transmitting SIP request (923 bytes) to TLS:172.16.5.15:1234 —>
NOTIFY sip:935852@172.16.5.15:1234;transport=tls;line=6z2hr1ff SIP/2.0
Via: SIP/2.0/TLS 172.16.15.20:40509;rport;branch=z9hG4bKPj295d7f23-5a93-4172-aa61-ea1e9fe2b5c3;alias
From: sip:51@de-edv-vm-ast01;user=phone;tag=7d3746b8-ecdd-46b2-b3b0-9dccb290b207
To: sip:935852@de-edv-vm-ast01;tag=kf61z0vuis
Contact: sip:172.16.15.20:40509;transport=TLS
Call-ID: 313434353235383236373230353835-bshi0rczf3es
CSeq: 25700 NOTIFY
Event: dialog
Subscription-State: active;expires=1898
Allow-Events: message-summary, presence, dialog, refer
Max-Forwards: 70
User-Agent: Asterisk PBX 13.5.0
Content-Type: application/dialog-info+xml
Content-Length: 262

<?xml version="1.0" encoding="UTF-8"?> confirmed

[Oct 19 15:06:04] ERROR[1520]: pjsip:0 <?>: tlsc0x7f286c0d TLS connect() error: Connection refused [code=120111]
[Oct 19 15:06:04] WARNING[1520]: pjsip:0 <?>: tsx0x7f286c0f2 Failed to send Request msg NOTIFY/cseq=7170 (tdta0x7f286c0f1ee0)! err=120111 (Connection refused)
[Oct 19 15:06:04] ERROR[1520]: pjsip:0 <?>: tlsc0x7f286c03 TLS connect() error: Connection refused [code=120111]
[Oct 19 15:06:04] WARNING[1520]: pjsip:0 <?>: tsx0x7f2870023 Failed to send Request msg NOTIFY/cseq=25985 (tdta0x7f287001fd30)! err=120111 (Connection refused)
[Oct 19 15:06:04] ERROR[1520]: pjsip:0 <?>: tlsc0x7f286c01 TLS connect() error: Connection refused [code=120111]
[Oct 19 15:06:04] WARNING[1520]: pjsip:0 <?>: tsx0x7f2874002 Failed to send Request msg NOTIFY/cseq=25700 (tdta0x7f2874003160)! err=120111 (Connection refused)
<— Transmitting SIP request (923 bytes) to TLS:172.16.5.15:1238 —>
NOTIFY sip:935852@172.16.5.15:1238;transport=tls;line=o7h3c5b2 SIP/2.0
Via: SIP/2.0/TLS 172.16.15.20:34771;rport;branch=z9hG4bKPjb4e7a883-4594-4dc2-8b59-7877a6e6d6c1;alias
From: sip:51@de-edv-vm-ast01;user=phone;tag=59102f14-1f73-40ba-b22b-5f1ad6affc67
To: sip:935852@de-edv-vm-ast01;tag=gkcvqkwo9g
Contact: sip:172.16.15.20:34771;transport=TLS
Call-ID: 313434353235383337303630393932-tj6oyvwk2xhc
CSeq: 7171 NOTIFY
Event: dialog
Subscription-State: active;expires=2006
Allow-Events: message-summary, presence, dialog, refer
Max-Forwards: 70
User-Agent: Asterisk PBX 13.5.0
Content-Type: application/dialog-info+xml
Content-Length: 263

<?xml version="1.0" encoding="UTF-8"?> terminated

<— Transmitting SIP request (922 bytes) to TLS:172.16.5.15:1240 —>
NOTIFY sip:935852@172.16.5.15:1240;transport=tls;line=mcswb9k4 SIP/2.0
Via: SIP/2.0/TLS 172.16.15.20:50699;rport;branch=z9hG4bKPj398efa2f-1041-499d-a18b-34e2268a548d;alias
From: sip:51@de-edv-vm-ast01;user=phone;tag=2567d807-0873-4c3d-82c3-cd1d3fc01b58
To: sip:935852@de-edv-vm-ast01;tag=j899z3im4r
Contact: sip:172.16.15.20:50699;transport=TLS
Call-ID: 3134343532353837333236303036-eqx5p4cwldce
CSeq: 25986 NOTIFY
Event: dialog
Subscription-State: active;expires=2366
Allow-Events: message-summary, presence, dialog, refer
Max-Forwards: 70
User-Agent: Asterisk PBX 13.5.0
Content-Type: application/dialog-info+xml
Content-Length: 263

<?xml version="1.0" encoding="UTF-8"?> terminated

<— Transmitting SIP request (924 bytes) to TLS:172.16.5.15:1234 —>
NOTIFY sip:935852@172.16.5.15:1234;transport=tls;line=6z2hr1ff SIP/2.0
Via: SIP/2.0/TLS 172.16.15.20:59280;rport;branch=z9hG4bKPj4643e593-8d0b-4b62-935e-398a19f58423;alias
From: sip:51@de-edv-vm-ast01;user=phone;tag=7d3746b8-ecdd-46b2-b3b0-9dccb290b207
To: sip:935852@de-edv-vm-ast01;tag=kf61z0vuis
Contact: sip:172.16.15.20:59280;transport=TLS
Call-ID: 313434353235383236373230353835-bshi0rczf3es
CSeq: 25701 NOTIFY
Event: dialog
Subscription-State: active;expires=1898
Allow-Events: message-summary, presence, dialog, refer
Max-Forwards: 70
User-Agent: Asterisk PBX 13.5.0
Content-Type: application/dialog-info+xml
Content-Length: 263

<?xml version="1.0" encoding="UTF-8"?> terminated

[Oct 19 15:06:04] ERROR[1520]: pjsip:0 <?>: tlsc0x7f287001 TLS connect() error: Connection refused [code=120111]
[Oct 19 15:06:04] WARNING[1520]: pjsip:0 <?>: tsx0x7f2874002 Failed to send Request msg NOTIFY/cseq=7171 (tdta0x7f2874003160)! err=120111 (Connection refused)
[Oct 19 15:06:04] ERROR[1520]: pjsip:0 <?>: tlsc0x7f287400 TLS connect() error: Connection refused [code=120111]
[Oct 19 15:06:04] WARNING[1520]: pjsip:0 <?>: tsx0x7f2870023 Failed to send Request msg NOTIFY/cseq=25986 (tdta0x7f287001fd30)! err=120111 (Connection refused)
[Oct 19 15:06:04] ERROR[1520]: pjsip:0 <?>: tlsc0x7f286c0d TLS connect() error: Connection refused [code=120111]
[Oct 19 15:06:04] WARNING[1520]: pjsip:0 <?>: tsx0x7f286c0f2 Failed to send Request msg NOTIFY/cseq=25701 (tdta0x7f286c0f1ee0)! err=120111 (Connection refused)
<— Received SIP request (475 bytes) from TLS:172.16.1.61:1118 —>
ACK sip:52@de-edv-vm-ast01;user=phone SIP/2.0
Via: SIP/2.0/TLS 172.16.1.61:1118;branch=z9hG4bK-ynkz1idd1qcv;rport
From: “51 PJSIP-LINKS” sip:935851@de-edv-vm-ast01;tag=q1qm2kund3
To: sip:52@de-edv-vm-ast01;user=phone;tag=3e0cc711-d33b-4060-93dc-11269cfd8567
Call-ID: 31343435323539393633313830-70vghat0deus
CSeq: 2 ACK
Max-Forwards: 70
User-Agent: snom370/8.7.5.17
Contact: sip:935851@172.16.1.61:1118;transport=tls;line=fff1yg5i;reg-id=1
Content-Length: 0

Aha! I rechecked your configuration. Remove the “transport=” line from the endpoint configuration and put “rewrite_contact=yes” back in.

Okay, now TLS works.
But there are two other problems now.

  1. I can’t decrypt the TLS traffic via Wireshark despite the fact that I added the asterisk.pem to the SSL profile --> this worked with SIP/TLS

  2. The phones lose their registration every 10 minutes, with no info in the console (even with pjsip set logger on) at all

Remediation:
Problem 1 is solved now.

I checked the Wireshark debug file and noticed that with PJSIP it is not enough to restart the server and re-register the phones to fulfill the handshake again.
After manually deleting the contacts and then re-registering the phones again, the handshake was done and I am now able to decrypt the calls.

So there is only problem 2 left.

Remediation 2:
Problem 2 is solved now as well. I found out that PJSIP does send keepalives for the TCP session, but ignores them and cancels the connection after 10 minutes of idle-time.
So I just added a qualify every 60 seconds to the aors and the problem is done.

But unfortunately:

The main problem of this thread is back again and I found the reason. It is connected to subscriptions. Adding a subscription to the phones causes the error messages.

Does anybody have an idea how to bypass these errors?

Best regards
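
The failure pattern in the logs above, as an added example that is not part of the original thread: a Python script that pairs each `Failed to send Request` warning with the request Asterisk tried to send and reports whether the target was a peer that had already connected in over TLS. It assumes that a Via port other than the transport's bind port (5061 here) means Asterisk opened a new outbound TLS connection instead of reusing the phone's inbound one; the sample log is condensed from the output quoted above, and the function name `analyze` is hypothetical.

```python
import re

# Constructed sample, condensed from the "pjsip set logger on" output in this thread.
SAMPLE_LOG = """\
<--- Received SIP request (773 bytes) from TLS:172.16.1.61:1091 --->
SUBSCRIBE sip:52@de-edv-vm-ast01;user=phone SIP/2.0
Via: SIP/2.0/TLS 172.16.1.61:1091;branch=z9hG4bK-dtrljwhalc5x;rport
CSeq: 4 SUBSCRIBE

<--- Transmitting SIP response (590 bytes) to TLS:172.16.1.61:1091 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 172.16.1.61:1091;rport=1091;received=172.16.1.61;branch=z9hG4bK-dtrljwhalc5x
CSeq: 4 SUBSCRIBE

<--- Transmitting SIP request (924 bytes) to TLS:172.16.1.61:1091 --->
NOTIFY sip:935851@172.16.1.61:1091;transport=TLS;line=tni8lpjp SIP/2.0
Via: SIP/2.0/TLS 172.16.15.20:57860;rport;branch=z9hG4bKPjafbd1eb6-66a0-425f-974c-26cbd47a49b1;alias
CSeq: 29693 NOTIFY

[Oct 19 08:35:28] ERROR[18676]: pjsip:0 <?>: tlsc0x21842e8 TLS connect() error: Connection refused [code=120111]
[Oct 19 08:35:28] WARNING[18676]: pjsip:0 <?>: tsx0x2188718 Failed to send Request msg NOTIFY/cseq=29693 (tdta0x2194870)! err=120111 (Connection refused)
"""

# Logger banner, e.g. "<--- Transmitting SIP request (924 bytes) to TLS:ip:port --->"
BANNER = re.compile(r"^<\S+ (Received|Transmitting) SIP (request|response) "
                    r"\(\d+ bytes\) (?:from|to) \w+:([\d.]+):(\d+)")
VIA = re.compile(r"^Via: SIP/2\.0/\w+ [\d.]+:(\d+)")
CSEQ = re.compile(r"^CSeq: (\d+) (\w+)")
FAILED = re.compile(r"Failed to send Request msg (\w+)/cseq=(\d+) .*err=\d+ \((.+?)\)")


def analyze(log, bind_port=5061):
    """Return one finding per failed outbound request in a PJSIP logger dump."""
    inbound_peers = set()   # (ip, port) pairs that sent us a request over TLS
    sent = {}               # (method, cseq) -> details of the request we transmitted
    current = None          # outbound request whose headers are being read
    findings = []
    for line in log.splitlines():
        banner = BANNER.match(line)
        if banner:
            direction, kind, ip, port = banner.groups()
            peer = (ip, int(port))
            if (direction, kind) == ("Received", "request"):
                inbound_peers.add(peer)
            is_out_request = (direction, kind) == ("Transmitting", "request")
            current = {"target": peer, "via_port": None} if is_out_request else None
            continue
        failed = FAILED.search(line)
        if failed:
            method, cseq, error = failed.group(1), int(failed.group(2)), failed.group(3)
            req = sent.get((method, cseq))
            if req:
                findings.append({
                    "method": method, "cseq": cseq, "error": error,
                    "target": req["target"], "via_port": req["via_port"],
                    # Assumption: a Via port other than the bind port means a
                    # fresh outbound connection was attempted.
                    "new_connection": req["via_port"] != bind_port,
                    "target_was_inbound_peer": req["target"] in inbound_peers,
                })
            continue
        if current is None:
            continue
        via = VIA.match(line)
        if via and current["via_port"] is None:
            current["via_port"] = int(via.group(1))   # topmost Via is Asterisk's own
        cseq = CSEQ.match(line)
        if cseq:
            sent[(cseq.group(2), int(cseq.group(1)))] = current
            current = None
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

A finding with both `new_connection` and `target_was_inbound_peer` set to true is the case seen in this thread: the request is addressed to the port the phone connected from, but goes out on a new connection that the phone refuses.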