Asterisk 16 PJSIP and SRTP problems

Asterisk Asterisk SIP
#1

I have moved from Asterisk 13 to Asterisk 16 in the past couple months. I am having problems with RTP traffic related to SRTP.
I have Yealink phone registered behind NAT to my public IP server. The Yealink works if “RTP Encryption(SRTP)” is set to Optional or Compulsory.

Below is the ps_endpoints database values:
| id | transport | aors | auth | context | disallow | allow | direct_media | connected_line_method | direct_media_method | direct_media_glare_mitigation | disable_direct_media_on_nat | dtmf_mode | external_media_address | force_rport | ice_support | identify_by | mailboxes | moh_suggest | outbound_auth | outbound_proxy | rewrite_contact | rtp_ipv6 | rtp_symmetric | send_diversion | send_pai | send_rpid | timers_min_se | timers | timers_sess_expires | callerid | callerid_privacy | callerid_tag | 100rel | aggregate_mwi | trust_id_inbound | trust_id_outbound | use_ptime | use_avpf | media_encryption | inband_progress | call_group | pickup_group | named_call_group | named_pickup_group | device_state_busy_at | fax_detect | t38_udptl | t38_udptl_ec | t38_udptl_maxdatagram | t38_udptl_nat | t38_udptl_ipv6 | tone_zone | language | one_touch_recording | record_on_feature | record_off_feature | rtp_engine | allow_transfer | allow_subscribe | sdp_owner | sdp_session | tos_audio | tos_video | sub_min_expiry | from_domain | from_user | mwi_from_user | dtls_verify | dtls_rekey | dtls_cert_file | dtls_private_key | dtls_cipher | dtls_ca_file | dtls_ca_path | dtls_setup | srtp_tag_32 | media_address | redirect_method | set_var | cos_audio | cos_video | message_context | force_avp | media_use_received_transport | accountcode | user_eq_phone | moh_passthrough | media_encryption_optimistic | rpid_immediate | g726_non_standard | rtp_keepalive | rtp_timeout | rtp_timeout_hold | bind_rtp_to_media_address | voicemail_extension | mwi_subscribe_replaces_unsolicited | deny | permit | acl | contact_deny | contact_permit | contact_acl | subscribe_context | fax_detect_timeout | contact_user | preferred_codec_only | asymmetric_rtp_codec | rtcp_mux | allow_overlap | refer_blind_progress | notify_early_inuse_ringing | max_audio_streams | max_video_streams | webrtc | dtls_fingerprint | incoming_mwi_mailbox | bundle | dtls_auto_generate_cert | follow_early_media_fork | accept_multiple_sdp_answers | suppress_q850_reason_headers | trust_connected_line | send_connected_line | ignore_183_without_sdp |
±----±--------------±-----±-----±-----------±---------±------±-------------±----------------------±--------------------±------------------------------±----------------------------±----------±-----------------------±------------±------------±------------±----------±------------±--------------±---------------±----------------±---------±--------------±---------------±---------±----------±--------------±-------±--------------------±---------±-----------------±-------------±-------±--------------±-----------------±------------------±----------±---------±-----------------±----------------±-----------±-------------±-----------------±-------------------±---------------------±-----------±----------±-------------±----------------------±--------------±---------------±----------±---------±--------------------±------------------±-------------------±-----------±---------------±----------------±----------±------------±----------±----------±---------------±------------±----------±--------------±------------±-----------±---------------±-----------------±------------±-------------±-------------±-----------±------------±--------------±----------------±--------±----------±----------±----------------±----------±-----------------------------±------------±--------------±----------------±----------------------------±---------------±------------------±--------------±------------±-----------------±--------------------------±--------------------±-----------------------------------±-----±-------±-----±-------------±---------------±------------±------------------±-------------------±-------------±---------------------±---------------------±---------±--------------±---------------------±---------------------------±------------------±------------------±-------±-----------------±---------------------±-------±------------------------±------------------------±----------------------------±-----------------------------±---------------------±--------------------±-----------------------+
| 214 | transport-udp | 214 | 214 | extensions | all | g729 | no | NULL | invite | NULL | yes | rfc4733 | NULL | yes | no | ip,username | 214 | DNS | NULL | NULL | yes | NULL | yes | NULL | NULL | NULL | NULL | NULL | NULL | Jaco | NULL | NULL | NULL | NULL | NULL | NULL | NULL | no | no | NULL | NULL | NULL | 1 | 1 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 0xb8 | 0xb8 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | no | NULL | NULL | NULL | NULL | no | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | yes | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL |

Media_encryption is set to “no” but it doesn’t effect the endpoint inside asterisk:

ParameterName : ParameterValue

100rel : yes
accept_multiple_sdp_answers : false
accountcode :
acl :
aggregate_mwi : true
allow : (g729)
allow_overlap : true
allow_subscribe : true
allow_transfer : true
aors : 214
asymmetric_rtp_codec : false
auth : 214
bind_rtp_to_media_address : false
bundle : true
call_group :
callerid : Jaco
callerid_privacy : allowed_not_screened
callerid_tag :
connected_line_method : invite
contact_acl :
context : extensions
cos_audio : 0
cos_video : 0
device_state_busy_at : 0
direct_media : false
direct_media_glare_mitigation : none
direct_media_method : invite
disable_direct_media_on_nat : true
dtls_auto_generate_cert : Yes
dtls_ca_file :
dtls_ca_path :
dtls_cert_file :
dtls_cipher :
dtls_fingerprint : SHA-256
dtls_private_key :
dtls_rekey : 0
dtls_setup : actpass
dtls_verify : Yes
dtmf_mode : rfc4733
fax_detect : false
fax_detect_timeout : 0
follow_early_media_fork : true
force_avp : false
force_rport : true
from_domain :
from_user :
g726_non_standard : false
ice_support : true
identify_by : ip,username
ignore_183_without_sdp : false
inband_progress : false
incoming_mwi_mailbox :
language :
mailboxes : 214
max_audio_streams : 1
max_video_streams : 1
media_address :
media_encryption : dtls
media_encryption_optimistic : false
media_use_received_transport : true
message_context :
moh_passthrough : false
moh_suggest : DNS
mwi_from_user :
mwi_subscribe_replaces_unsolicited : no
named_call_group : 1
named_pickup_group : 1
notify_early_inuse_ringing : false
one_touch_recording : false
outbound_auth :
outbound_proxy :
pickup_group :
preferred_codec_only : false
record_off_feature : automixmon
record_on_feature : automixmon
refer_blind_progress : true
rewrite_contact : true
rpid_immediate : false
rtcp_mux : true
rtp_engine : asterisk
rtp_ipv6 : false
rtp_keepalive : 0
rtp_symmetric : true
rtp_timeout : 0
rtp_timeout_hold : 0
sdp_owner : -
sdp_session : Asterisk
send_connected_line : yes
send_diversion : true
send_pai : false
send_rpid : false
set_var :
srtp_tag_32 : false
sub_min_expiry : 0
subscribe_context :
suppress_q850_reason_headers : false
t38_udptl : false
t38_udptl_ec : none
t38_udptl_ipv6 : false
t38_udptl_maxdatagram : 0
t38_udptl_nat : false
timers : yes
timers_min_se : 90
timers_sess_expires : 1800
tone_zone :
tos_audio : 184
tos_video : 184
transport : transport-udp
trust_connected_line : yes
trust_id_inbound : false
trust_id_outbound : false
use_avpf : true
use_ptime : false
user_eq_phone : false
voicemail_extension :
webrtc : yes

We have allot of clients using soft phone, for example Linphone or Microsip and none of them work when receiving calls, making calls the audio works perfectly fine:

RTP debug shows the following:
Outgoing call:
Sent RTP packet to 197.245.218.31:12216 (type 18, seq 025989, ts 329330560, len 000020)
Got RTP packet from 197.245.218.31:12216 (type 18, seq 030746, ts 010080, len 000020)
Sent RTP packet to 197.245.218.31:7078 (type 18, seq 009816, ts 010080, len 000020)
Got RTP packet from 197.245.218.31:7078 (type 18, seq 000045, ts 329330725, len 000020)
Sent RTP packet to 197.245.218.31:12216 (type 18, seq 025990, ts 329330720, len 000020)
Got RTP packet from 197.245.218.31:12216 (type 18, seq 030747, ts 010240, len 000020)
Sent RTP packet to 197.245.218.31:7078 (type 18, seq 009817, ts 010240, len 000020)
Got RTP packet from 197.245.218.31:7078 (type 18, seq 000046, ts 329330885, len 000020)
Sent RTP packet to 197.245.218.31:12216 (type 18, seq 025991, ts 329330880, len 000020)

Incoming call:
Sent RTP packet to 192.168.88.12:7078 (type 18, seq 010641, ts 013920, len 000020)
Got RTP packet from 197.245.218.31:12224 (type 18, seq 020030, ts 014080, len 000020)
Sent RTP packet to 192.168.88.12:7078 (type 18, seq 010642, ts 014080, len 000020)
Got RTP packet from 197.245.218.31:12224 (type 18, seq 020031, ts 014240, len 000020)
Sent RTP packet to 192.168.88.12:7078 (type 18, seq 010643, ts 014240, len 000020)

So even with direct_media = false the audio still wants to transmit directly to the IP behind NAT.

If any one can assist, I am using custom Asterisk dial plan with Realtime PJSIP.

#2

You have “webrtc” set to “yes”. WebRTC mandates DTLS, which is why it is on.

#3

Thank you, that sorted out all my problems. I need to test my snom phones again and see it also gets resolved.

#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.