Asterisk 16 PJSIP and SRTP problems

I have moved from Asterisk 13 to Asterisk 16 in the past couple months. I am having problems with RTP traffic related to SRTP.
I have a Yealink phone registered behind NAT to my public IP server. The Yealink works if “RTP Encryption(SRTP)” is set to Optional or Compulsory.

Below are the ps_endpoints database values:
| id | transport | aors | auth | context | disallow | allow | direct_media | connected_line_method | direct_media_method | direct_media_glare_mitigation | disable_direct_media_on_nat | dtmf_mode | external_media_address | force_rport | ice_support | identify_by | mailboxes | moh_suggest | outbound_auth | outbound_proxy | rewrite_contact | rtp_ipv6 | rtp_symmetric | send_diversion | send_pai | send_rpid | timers_min_se | timers | timers_sess_expires | callerid | callerid_privacy | callerid_tag | 100rel | aggregate_mwi | trust_id_inbound | trust_id_outbound | use_ptime | use_avpf | media_encryption | inband_progress | call_group | pickup_group | named_call_group | named_pickup_group | device_state_busy_at | fax_detect | t38_udptl | t38_udptl_ec | t38_udptl_maxdatagram | t38_udptl_nat | t38_udptl_ipv6 | tone_zone | language | one_touch_recording | record_on_feature | record_off_feature | rtp_engine | allow_transfer | allow_subscribe | sdp_owner | sdp_session | tos_audio | tos_video | sub_min_expiry | from_domain | from_user | mwi_from_user | dtls_verify | dtls_rekey | dtls_cert_file | dtls_private_key | dtls_cipher | dtls_ca_file | dtls_ca_path | dtls_setup | srtp_tag_32 | media_address | redirect_method | set_var | cos_audio | cos_video | message_context | force_avp | media_use_received_transport | accountcode | user_eq_phone | moh_passthrough | media_encryption_optimistic | rpid_immediate | g726_non_standard | rtp_keepalive | rtp_timeout | rtp_timeout_hold | bind_rtp_to_media_address | voicemail_extension | mwi_subscribe_replaces_unsolicited | deny | permit | acl | contact_deny | contact_permit | contact_acl | subscribe_context | fax_detect_timeout | contact_user | preferred_codec_only | asymmetric_rtp_codec | rtcp_mux | allow_overlap | refer_blind_progress | notify_early_inuse_ringing | max_audio_streams | max_video_streams | webrtc | dtls_fingerprint | incoming_mwi_mailbox | bundle | dtls_auto_generate_cert | follow_early_media_fork | accept_multiple_sdp_answers | 
suppress_q850_reason_headers | trust_connected_line | send_connected_line | ignore_183_without_sdp |
±----±--------------±-----±-----±-----------±---------±------±-------------±----------------------±--------------------±------------------------------±----------------------------±----------±-----------------------±------------±------------±------------±----------±------------±--------------±---------------±----------------±---------±--------------±---------------±---------±----------±--------------±-------±--------------------±---------±-----------------±-------------±-------±--------------±-----------------±------------------±----------±---------±-----------------±----------------±-----------±-------------±-----------------±-------------------±---------------------±-----------±----------±-------------±----------------------±--------------±---------------±----------±---------±--------------------±------------------±-------------------±-----------±---------------±----------------±----------±------------±----------±----------±---------------±------------±----------±--------------±------------±-----------±---------------±-----------------±------------±-------------±-------------±-----------±------------±--------------±----------------±--------±----------±----------±----------------±----------±-----------------------------±------------±--------------±----------------±----------------------------±---------------±------------------±--------------±------------±-----------------±--------------------------±--------------------±-----------------------------------±-----±-------±-----±-------------±---------------±------------±------------------±-------------------±-------------±---------------------±---------------------±---------±--------------±---------------------±---------------------------±------------------±------------------±-------±-----------------±---------------------±-------±------------------------±------------------------±----------------------------±-----------------------------±---------------------±--------------------±-----------------------+
| 214 | transport-udp | 214 | 214 | extensions | all | g729 | no | NULL | invite | NULL | yes | rfc4733 | NULL | yes | no | ip,username | 214 | DNS | NULL | NULL | yes | NULL | yes | NULL | NULL | NULL | NULL | NULL | NULL | Jaco | NULL | NULL | NULL | NULL | NULL | NULL | NULL | no | no | NULL | NULL | NULL | 1 | 1 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 0xb8 | 0xb8 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | no | NULL | NULL | NULL | NULL | no | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | yes | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL |

Media_encryption is set to “no” but it doesn’t affect the endpoint inside Asterisk:

ParameterName : ParameterValue

100rel : yes
accept_multiple_sdp_answers : false
accountcode :
acl :
aggregate_mwi : true
allow : (g729)
allow_overlap : true
allow_subscribe : true
allow_transfer : true
aors : 214
asymmetric_rtp_codec : false
auth : 214
bind_rtp_to_media_address : false
bundle : true
call_group :
callerid : Jaco
callerid_privacy : allowed_not_screened
callerid_tag :
connected_line_method : invite
contact_acl :
context : extensions
cos_audio : 0
cos_video : 0
device_state_busy_at : 0
direct_media : false
direct_media_glare_mitigation : none
direct_media_method : invite
disable_direct_media_on_nat : true
dtls_auto_generate_cert : Yes
dtls_ca_file :
dtls_ca_path :
dtls_cert_file :
dtls_cipher :
dtls_fingerprint : SHA-256
dtls_private_key :
dtls_rekey : 0
dtls_setup : actpass
dtls_verify : Yes
dtmf_mode : rfc4733
fax_detect : false
fax_detect_timeout : 0
follow_early_media_fork : true
force_avp : false
force_rport : true
from_domain :
from_user :
g726_non_standard : false
ice_support : true
identify_by : ip,username
ignore_183_without_sdp : false
inband_progress : false
incoming_mwi_mailbox :
language :
mailboxes : 214
max_audio_streams : 1
max_video_streams : 1
media_address :
media_encryption : dtls
media_encryption_optimistic : false
media_use_received_transport : true
message_context :
moh_passthrough : false
moh_suggest : DNS
mwi_from_user :
mwi_subscribe_replaces_unsolicited : no
named_call_group : 1
named_pickup_group : 1
notify_early_inuse_ringing : false
one_touch_recording : false
outbound_auth :
outbound_proxy :
pickup_group :
preferred_codec_only : false
record_off_feature : automixmon
record_on_feature : automixmon
refer_blind_progress : true
rewrite_contact : true
rpid_immediate : false
rtcp_mux : true
rtp_engine : asterisk
rtp_ipv6 : false
rtp_keepalive : 0
rtp_symmetric : true
rtp_timeout : 0
rtp_timeout_hold : 0
sdp_owner : -
sdp_session : Asterisk
send_connected_line : yes
send_diversion : true
send_pai : false
send_rpid : false
set_var :
srtp_tag_32 : false
sub_min_expiry : 0
subscribe_context :
suppress_q850_reason_headers : false
t38_udptl : false
t38_udptl_ec : none
t38_udptl_ipv6 : false
t38_udptl_maxdatagram : 0
t38_udptl_nat : false
timers : yes
timers_min_se : 90
timers_sess_expires : 1800
tone_zone :
tos_audio : 184
tos_video : 184
transport : transport-udp
trust_connected_line : yes
trust_id_inbound : false
trust_id_outbound : false
use_avpf : true
use_ptime : false
user_eq_phone : false
voicemail_extension :
webrtc : yes

We have a lot of clients using softphones, for example Linphone or MicroSIP, and none of them work when receiving calls; when making calls the audio works perfectly fine:

RTP debug shows the following:
Outgoing call:
Sent RTP packet to 197.245.218.31:12216 (type 18, seq 025989, ts 329330560, len 000020)
Got RTP packet from 197.245.218.31:12216 (type 18, seq 030746, ts 010080, len 000020)
Sent RTP packet to 197.245.218.31:7078 (type 18, seq 009816, ts 010080, len 000020)
Got RTP packet from 197.245.218.31:7078 (type 18, seq 000045, ts 329330725, len 000020)
Sent RTP packet to 197.245.218.31:12216 (type 18, seq 025990, ts 329330720, len 000020)
Got RTP packet from 197.245.218.31:12216 (type 18, seq 030747, ts 010240, len 000020)
Sent RTP packet to 197.245.218.31:7078 (type 18, seq 009817, ts 010240, len 000020)
Got RTP packet from 197.245.218.31:7078 (type 18, seq 000046, ts 329330885, len 000020)
Sent RTP packet to 197.245.218.31:12216 (type 18, seq 025991, ts 329330880, len 000020)

Incoming call:
Sent RTP packet to 192.168.88.12:7078 (type 18, seq 010641, ts 013920, len 000020)
Got RTP packet from 197.245.218.31:12224 (type 18, seq 020030, ts 014080, len 000020)
Sent RTP packet to 192.168.88.12:7078 (type 18, seq 010642, ts 014080, len 000020)
Got RTP packet from 197.245.218.31:12224 (type 18, seq 020031, ts 014240, len 000020)
Sent RTP packet to 192.168.88.12:7078 (type 18, seq 010643, ts 014240, len 000020)

So even with direct_media = false the audio still wants to transmit directly to the IP behind NAT.

If anyone can assist, I am using a custom Asterisk dialplan with Realtime PJSIP.

You have “webrtc” set to “yes”. WebRTC mandates DTLS, which is why it is on.
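
An added example (not part of the original thread and not Asterisk's own code): a short Python check that compares the values explicitly set in a realtime ps_endpoints row with the effective values from the endpoint dump and lists the ones that were overridden, as happened here with webrtc and media_encryption. The sample row and dump are excerpts of the values posted above; the function names are hypothetical.

```python
# Added example: find ps_endpoints columns whose explicit value is overridden
# in the effective endpoint configuration. Function names are hypothetical.
BOOL = {"yes": "true", "true": "true", "no": "false", "false": "false"}

def norm(value):
    """Normalise yes/no/true/false spellings so 'no' and 'false' compare equal."""
    value = value.strip().lower()
    return BOOL.get(value, value)

def parse_dump(text):
    """Parse 'name : value' lines of an endpoint dump into a dict."""
    parsed = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            parsed[name.strip()] = value.strip()
    return parsed

def overrides(db_row, effective):
    """Map column -> (db value, effective value) where an explicit DB value lost.
    NULL columns (None) are skipped: they only ever take a default."""
    return {
        col: (db_val, effective[col])
        for col, db_val in db_row.items()
        if db_val is not None and col in effective
        and norm(db_val) != norm(effective[col])
    }

def webrtc_forced_dtls(db_row, effective):
    """True when webrtc=yes coincides with media_encryption ending up as dtls
    against the DB value, the situation diagnosed in the reply above."""
    diff = overrides(db_row, effective)
    return (norm(db_row.get("webrtc") or "no") == "true"
            and diff.get("media_encryption", ("", ""))[1].lower() == "dtls")

# Excerpt of the row and dump posted above (NULL shown as None).
DB_ROW = {"direct_media": "no", "ice_support": "no", "use_avpf": "no",
          "media_encryption": "no", "force_avp": "no", "rtp_symmetric": "yes",
          "rtcp_mux": None, "webrtc": "yes"}
DUMP = """direct_media : false
force_avp : false
ice_support : true
media_encryption : dtls
rtcp_mux : true
rtp_symmetric : true
use_avpf : true
webrtc : yes"""

if __name__ == "__main__":
    for col, (db, eff) in sorted(overrides(DB_ROW, parse_dump(DUMP)).items()):
        print(f"{col}: database={db!r} effective={eff!r}")
    print("webrtc forced DTLS:", webrtc_forced_dtls(DB_ROW, parse_dump(DUMP)))
```
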

Thank you, that sorted out all my problems. I need to test my snom phones again and see if it also gets resolved.
