Asterisk behind Cloudflare proxy - no RTP for wss extension

Asterisk version: 18.20.1

Hello,

I’m developing my own system (web interface) where the browser connects to the server via websocket on port 443 (nginx - /ws endpoint) to an extension in the Asterisk (extension transport is wss).
nginx is making a reverse proxy to port 8867, where I have the mini HTTP server of the Asterisk listening with the /ws endpoint.

The server has a proxied sub domain record on Cloudflare.

The issue that I’m having is that only sometimes I have audio when making a call with this setup.

Log from a call with no audio:

0x7f57e40383c0 -- Strict RTP learning after remote address set to: 31.31.31.31:56623
-- Channel PJSIP/OUT-Kamailio-00000003 joined 'simple_bridge' basic-bridge <76ab4f80-87e7-4f3b-a930-98d0cc771b05>
-- Channel PJSIP/899-00000002 joined 'simple_bridge' basic-bridge <76ab4f80-87e7-4f3b-a930-98d0cc771b05>
0x7f57e40383c0 -- Strict RTP learning after ICE completion
0x7f57e40383c0 -- Strict RTP learning after remote address set to: 222.222.222.222:56623
[2026-03-30 15:00:13] WARNING[431778][C-00000002]: res_rtp_asterisk.c:3230 __rtp_recvfrom: 1774882810.2: DTLS packet from 222.222.222.222:56623 dropped. Source not in ICE active candidate list.
[2026-03-30 15:00:14] WARNING[431778][C-00000002]: res_rtp_asterisk.c:3230 __rtp_recvfrom: 1774882810.2: DTLS packet from 222.222.222.222:56623 dropped. Source not in ICE active candidate list.
[2026-03-30 15:00:15] WARNING[431778][C-00000002]: res_rtp_asterisk.c:3230 __rtp_recvfrom: 1774882810.2: DTLS packet from 222.222.222.222:56623 dropped. Source not in ICE active candidate list.
[2026-03-30 15:00:16] WARNING[431778][C-00000002]: res_rtp_asterisk.c:3230 __rtp_recvfrom: 1774882810.2: DTLS packet from 222.222.222.222:56623 dropped. Source not in ICE active candidate list.
0x7f57e40872f0 -- Strict RTP learning complete - Locking on source address 111.111.111.111:21538

Any ideas?

Thank you

I mean, it is what it says:

[2026-03-30 15:00:15] WARNING[431778][C-00000002]: res_rtp_asterisk.c:3230 __rtp_recvfrom: 1774882810.2: DTLS packet from 222.222.222.222:56623 dropped. Source not in ICE active candidate list.

Media doesn’t flow over Websocket, and you haven’t explained how media is supposed to work in the setup.

Thanks for the quick reply!

Media should flow between the client (browser) and the Asterisk server, and from the Asterisk server to the trunk.

I would suggest looking at a packet capture to examine the ICE negotiation, and the ICE candidates in the SDP plus where DTLS is flowing from. See where there is a mismatch, and possibly why.
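
An added example, not part of the original thread: one way to carry out the comparison suggested above, by checking the sources of dropped DTLS packets against the candidates offered in the SDP. It assumes the `a=candidate` lines have been copied out of the captured SDP and the warnings out of the Asterisk log; the sample data, the candidate addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample data (placeholder addresses): the a=candidate lines of a
# browser's SDP and Asterisk warnings in the format quoted in the thread.
SDP = """\
a=candidate:1 1 udp 2122260223 192.168.1.20 56623 typ host
a=candidate:2 1 udp 1686052607 31.31.31.31 56623 typ srflx raddr 192.168.1.20 rport 56623
a=candidate:3 1 tcp 1518280447 192.168.1.20 9 typ host tcptype active
"""
LOG = """\
[2026-03-30 15:00:13] WARNING[431778][C-00000002]: res_rtp_asterisk.c:3230 __rtp_recvfrom: 1774882810.2: DTLS packet from 222.222.222.222:56623 dropped. Source not in ICE active candidate list.
[2026-03-30 15:00:14] WARNING[431778][C-00000002]: res_rtp_asterisk.c:3230 __rtp_recvfrom: 1774882810.2: DTLS packet from 222.222.222.222:56623 dropped. Source not in ICE active candidate list.
"""

# a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
CAND_RE = re.compile(r"^a=candidate:\S+ (\d+) (\S+) \d+ (\S+) (\d+) typ (\S+)", re.M)
DROP_RE = re.compile(r"DTLS packet from (\S+):(\d+) dropped\. Source not in ICE active candidate list")


def parse_candidates(sdp):
    """Return {(address, port): type} for the UDP candidates offered in the SDP."""
    cands = {}
    for _comp, transport, addr, port, ctype in CAND_RE.findall(sdp):
        if transport.lower() == "udp":  # DTLS-SRTP media arrives over UDP here
            cands[(addr, int(port))] = ctype
    return cands


def dropped_sources(log):
    """Count dropped DTLS packets per (address, port) source."""
    return Counter((a.strip("[]"), int(p)) for a, p in DROP_RE.findall(log))


def compare(sdp, log):
    """For each dropped source, list advertised candidates that share its port."""
    cands = parse_candidates(sdp)
    rows = []
    for (addr, port), count in dropped_sources(log).items():
        same_port = sorted(a for (a, p) in cands if p == port and a != addr)
        rows.append({"source": f"{addr}:{port}", "dropped": count,
                     "advertised": (addr, port) in cands,
                     "same_port_candidates": same_port})
    return rows


if __name__ == "__main__":
    for row in compare(SDP, LOG):
        print(row)
```

A source that is not advertised but shares its port with an advertised candidate means the packets arrive from a different address than the one the client offered, which is the mismatch to trace in the capture.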

Will do, thank you!

What Cloudflare Proxy are you using? A simple CF proxy or a tunnel?

If the former, Cloudflare doesn’t allow you to proxy non-HTTP/S ports.

Can you please describe your entire setup? It seems like you also have a Kamailio server somewhere.