Asterisk behind Firewall at home , try to call from my mobile

Asterisk Asterisk SIP
1

Hi,

I have an asterisk at home on 192.168.0.12,
From my home network i am able to call from my laptop to my android mobile with zoiper

Now i want to do the same, call from my laptop to my mobile when i am on internet outside my home .?

please help me to configure asterisk ?
Do i have to use stun server ?

Best regards

2

You need to port foward the following ports

5060 UDP (Signaling)
10-20 K UDP (Media stream )

Make sure on your Asterisk server you have the correct configuration when dealing with NAT for example

On chan sip
nat=rtp_force,comedia
localnet=192.168.0.0/255.255.0.0 ; your network address
externaddr = your public IP
directmedia=no

On remote devices if they are not capable to to determine the public IP you will need to define an stun server

1 Like
3

Thanks you for your help
now i am able to call from my local network to my mobile (connected to internet)
(i use a stun server in my configuration)

but 2 things:

1/ it takes 30sec to dial , i mean when i call my mobile , i have to wait 30 sec before my mobile is ringing ? do you know why .? how can i speed up?

2/ now that my 5060 TCP port is open on my home firewall, i can see many people trying to connect to my asterisk server ==>
[Nov 22 21:29:59] WARNING[18753]: chan_sip.c:4130 retrans_pkt: Timeout on 232621738-1266029159-1617450487 on non-critical invite transaction.
[Nov 22 21:30:10] WARNING[18753]: chan_sip.c:4130 retrans_pkt: Timeout on 1887129905-1786151876-1668574652 on non-critical invite transaction.
[Nov 22 21:30:16] WARNING[18753]: chan_sip.c:4130 retrans_pkt: Timeout on 1001109221-1029072030-1551431203 on non-critical invite transaction.
[Nov 22 21:30:17] WARNING[18753]: chan_sip.c:4130 retrans_pkt: Timeout on 901037280-95022746-288107919 on non-critical invite transaction.
[Nov 22 21:30:19] WARNING[18753]: chan_sip.c:4130 retrans_pkt: Timeout on 1558416838-359065282-645499110 on non-critical invite transaction.
[Nov 22 21:30:24] NOTICE[18753]: chan_sip.c:28499 handle_request_register: Registration from ‘“505” sip:505@88.127.168.122’ failed for ‘37.49.231.16:5632’ - Wrong password

Do you know how to avoid this call ?

thanks

4

Need to see the console , this could be DNS issue adding this kind of dealy

This message is related to firewall and NAT issue, mybe not reciving the ACK

https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions

IPTABLES to restrict access based on IP range if you cant do it by IP range use fail2ban to block those request after x amount of failed attemps

5

A non-critical re-invite would be a Re-INVITE. That suggests a broken soft phone, that doesn’t respond at all to re-INVITEs (should at least reject them).

1 Like
6

I’d agree that this is a DNS problem. It is typical of a DNS server that is not responding, and can be the result of not having a way of resolving a local address, combined with a lack of a valid DNS server to at least reject it quickly.

7

maybe it should be a good idea to collect log to show you ?
do you know how i can collect log ?

thanks

8

hi again

i modify my dns setting in /etc/resolv.conf
i put google dns i think like this
root@raspberrypi:/var/log/asterisk# cat /etc/resolv.conf
nameserver 8.8.8.8

i restarted asterisk but after dial and call it takes always 20 to 30 sec before my softphone is ring

I would like to send you the log, i the /var/log/asterisk/messages nothing more thant that :slight_smile:

[Nov 23 10:01:13] NOTICE[29045] chan_sip.c: Registration from ‘“6600” sip:6600@88.127.168.122’ failed for ‘217.61.98.231:5147’ - Wrong password
[Nov 23 10:01:17] WARNING[29045] chan_sip.c: Timeout on 395917108-99567382-640869298 on non-critical invite transaction.
[Nov 23 10:01:21] WARNING[29045] chan_sip.c: Timeout on 1652629929-562387633-43748418 on non-critical invite transaction.
[Nov 23 10:01:29] WARNING[29045] chan_sip.c: Timeout on 286342226-1881130930-812063161 on non-critical invite transaction.
[Nov 23 10:01:29] WARNING[29045] chan_sip.c: Timeout on 1619930026-100549159-1365559532 on non-critical invite transaction.
[Nov 23 10:01:38] WARNING[29045] chan_sip.c: Timeout on 619486612-1029766645-1720088236 on non-critical invite transaction.
[Nov 23 10:01:44] WARNING[29045] chan_sip.c: Timeout on 1342348565-2005516965-77143717 on non-critical invite transaction.
[Nov 23 10:01:48] WARNING[29045] chan_sip.c: Timeout on 1546305970-1102856121-270566878 on non-critical invite transaction.
[Nov 23 10:01:51] WARNING[29045] chan_sip.c: Timeout on 1582745837-1965663962-1912713670 on non-critical invite transaction.
[Nov 23 10:01:54] NOTICE[29045] chan_sip.c: Registration from ‘“200” sip:200@88.127.168.122’ failed for ‘217.61.98.231:5072’ - Wrong password
[Nov 23 10:01:54] WARNING[29045] chan_sip.c: Timeout on 1449558293-1321482307-2069473858 on non-critical invite transaction.
[Nov 23 10:01:55] WARNING[29045] chan_sip.c: Timeout on 1788819727-1164495186-2092470904 on non-critical invite transaction.
[Nov 23 10:01:57] WARNING[29045] chan_sip.c: Timeout on 1326497110-1187754295-1682525180 on non-critical invite transaction.

thanks for your help

9

[Nov 23 10:01:54] NOTICE[29045] chan_sip.c: Registration from ‘“200” sip:200@88.127.168.122’ failed for ‘217.61.98.231:5072’ - Wrong password

Firewall your system against port 5060 from anything other than your ITSP and your local network.

10

[Nov 23 10:01:54] NOTICE[29045] chan_sip.c: Registration from ‘“200” sip:200@88.127.168.122’ failed for ‘217.61.98.231:5072’ - Wrong password

Use sip set debug on to find out which INVITE transaction is broken. Check that the correct addresses are appearing in headers.

Try disabling the feature (e.g directmedia, sendrpid, or session timers, that is causing the INVITE, in case it is smply a case of a broken peer that drops re-invites on the floor.

Note, for DNS, you should generally use two or three name servers from the list provided by your ITSP, oet your router do this and use the router, or use your own machine to run named, and the full DNS protocol, starting from the root name server hints file. In the last case, local devices can be in local zone files for named. Otherwise, make sure that all local addresses appear in /etc/hosts.

11

Hi again
i put 3 dns in /etc/resolv.conf

root@raspberrypi:~# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 4.4.4.4
nameserver 1.1.1.1

i used : sip set debug on
then make a call from 6004 (laptop on my home network) to 6001 (mobile on internet)
it took again 30sec to ring
i use sip set debug on i have those messages:

[Nov 23 15:55:07] NOTICE[30454]: chan_sip.c:17169 check_auth: Correct auth, but based on stale nonce received from ‘<sip:60
04@88.127.168.122;transport=UDP>;tag=7e313714’

<— SIP read from UDP:37.164.168.132:48540 —>
REGISTER sip:88.127.168.122:5060;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 37.164.168.132:48540;branch=z9hG4bK-524287-1—70a4cadfbc383db8;rport
Max-Forwards: 70
Contact: sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203
To: sip:6001@88.127.168.122:5060;transport=UDP
From: sip:6001@88.127.168.122:5060;transport=UDP;tag=be1f6e50
Call-ID: rNPZv_zESBXqJj2UhUqmyA…
CSeq: 62 REGISTER
Expires: 60
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
User-Agent: Zoiper rv2.8.109
Authorization: Digest username=“6001”,realm=“88.127.168.122”,nonce=“0d48995e”,uri=“sip:88.127.168.122:5060;transport=UDP”,response=“9936f4d909af28ea4c477655635feb
e2”,algorithm=MD5
Allow-Events: presence, kpml, talk
Content-Length: 0

Sending to 37.164.168.132:48540 (no NAT)
Sending to 37.164.168.132:48540 (no NAT)

<— Transmitting (no NAT) to 37.164.168.132:48540 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 37.164.168.132:48540;branch=z9hG4bK-524287-1—70a4cadfbc383db8;received=37.164.168.132;rport=48540
From: sip:6001@88.127.168.122:5060;transport=UDP;tag=be1f6e50
To: sip:6001@88.127.168.122:5060;transport=UDP;tag=as484ce38e
Call-ID: rNPZv_zESBXqJj2UhUqmyA…
CSeq: 62 REGISTER
Server: Asterisk PBX 13.14.1~dfsg-2+deb9u4
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“88.127.168.122”, nonce=“6bab0fd3”
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘rNPZv_zESBXqJj2UhUqmyA…’ in 32000 ms (Method: REGISTER)

<— SIP read from UDP:37.164.168.132:48540 —>
REGISTER sip:88.127.168.122:5060;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 37.164.168.132:48540;branch=z9hG4bK-524287-1—70a4cadfbc383db8;rport
Max-Forwards: 70
Contact: sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203
To: sip:6001@88.127.168.122:5060;transport=UDP
From: sip:6001@88.127.168.122:5060;transport=UDP;tag=be1f6e50
Call-ID: rNPZv_zESBXqJj2UhUqmyA…
CSeq: 62 REGISTER
Expires: 60
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
User-Agent: Zoiper rv2.8.109
Authorization: Digest username=“6001”,realm=“88.127.168.122”,nonce=“0d48995e”,uri=“sip:88.127.168.122:5060;transport=UDP”,response=“9936f4d909af28ea4c477655635feb
e2”,algorithm=MD5
Allow-Events: presence, kpml, talk
Content-Length: 0

<------------->
— (14 headers 0 lines) —
Sending to 37.164.168.132:48540 (no NAT)
[Nov 23 15:55:07] NOTICE[30454]: chan_sip.c:17169 check_auth: Correct auth, but based on stale nonce received from ‘<sip:60
01@88.127.168.122:5060;transport=UDP>;tag=be1f6e50’

Call-ID: rNPZv_zESBXqJj2UhUqmyA…
CSeq: 62 REGISTER
Server: Asterisk PBX 13.14.1~dfsg-2+deb9u4
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“88.127.168.122”, nonce=“6bab0fd3”, stale=true
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘rNPZv_zESBXqJj2UhUqmyA…’ in 32000 ms (Method: REGISTER)

<— SIP read from UDP:37.164.168.132:48540 —>
REGISTER sip:88.127.168.122:5060;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 37.164.168.132:48540;branch=z9hG4bK-524287-1—e39bc77215ab0751;rport
Max-Forwards: 70
Contact: sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203
To: sip:6001@88.127.168.122:5060;transport=UDP
From: sip:6001@88.127.168.122:5060;transport=UDP;tag=be1f6e50
Call-ID: rNPZv_zESBXqJj2UhUqmyA…
CSeq: 63 REGISTER
Expires: 60
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
User-Agent: Zoiper rv2.8.109
Authorization: Digest username=“6001”,realm=“88.127.168.122”,nonce=“6bab0fd3”,uri=“sip:88.127.168.122:5060;transport=UDP”,response=“63e222a3352d71291a4afdf1e2b4b4
2a”,algorithm=MD5
Allow-Events: presence, kpml, talk
Content-Length: 0

<------------->
— (14 headers 0 lines) —
Sending to 37.164.168.132:48540 (no NAT)

<— Transmitting (no NAT) to 37.164.168.132:48540 —>
SIP/2.0 200 OK
Via: SIP/2.0/UDP 37.164.168.132:48540;branch=z9hG4bK-524287-1—e39bc77215ab0751;received=37.164.168.132;rport=48540
From: sip:6001@88.127.168.122:5060;transport=UDP;tag=be1f6e50
To: sip:6001@88.127.168.122:5060;transport=UDP;tag=as484ce38e
Call-ID: rNPZv_zESBXqJj2UhUqmyA…
CSeq: 63 REGISTER
Server: Asterisk PBX 13.14.1~dfsg-2+deb9u4
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer

<------------>
Scheduling destruction of SIP dialog ‘4ffffefe1cecd78c265ce0e840f1dac1@192.168.0.12:5060’ in 32000 ms (Method: NOTIFY)
Reliably Transmitting (no NAT) to 37.164.168.132:48540:
NOTIFY sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.12:5060;branch=z9hG4bK2b506fa2
Max-Forwards: 70
From: “asterisk” sip:asterisk@192.168.0.12;tag=as2ceaf7de
To: sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203
Contact: sip:asterisk@192.168.0.12:5060
Call-ID: 4ffffefe1cecd78c265ce0e840f1dac1@192.168.0.12:5060
CSeq: 102 NOTIFY
User-Agent: Asterisk PBX 13.14.1~dfsg-2+deb9u4
Event: message-summary
Content-Type: application/simple-message-summary
Content-Length: 94

Messages-Waiting: yes
Message-Account: sip:asterisk@192.168.0.12
Voice-Message: 13/0 (0/0)

Scheduling destruction of SIP dialog ‘rNPZv_zESBXqJj2UhUqmyA…’ in 32000 ms (Method: REGISTER)
Retransmitting #1 (no NAT) to 37.164.168.132:48540:
NOTIFY sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.12:5060;branch=z9hG4bK2b506fa2
Max-Forwards: 70
From: “asterisk” sip:asterisk@192.168.0.12;tag=as2ceaf7de
To: sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203
Contact: sip:asterisk@192.168.0.12:5060
Call-ID: 4ffffefe1cecd78c265ce0e840f1dac1@192.168.0.12:5060
CSeq: 102 NOTIFY
User-Agent: Asterisk PBX 13.14.1~dfsg-2+deb9u4
Event: message-summary
Content-Type: application/simple-message-summary
Content-Length: 94

Messages-Waiting: yes
Message-Account: sip:asterisk@192.168.0.12

<------------->
Audio is at 13972
Adding codec ulaw to SDP
Adding codec alaw to SDP
Adding codec gsm to SDP
Adding non-codec 0x1 (telephone-event) to SDP
Reliably Transmitting (no NAT) to 37.164.168.132:48540:
INVITE sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.12:5060;branch=z9hG4bK550417da
Max-Forwards: 70
From: “BOBY” sip:6004@192.168.0.12;tag=as54fa7a7f
To: sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203
Contact: sip:6004@192.168.0.12:5060
Call-ID: 5c05e6af48ad715f3d65c2e5579e841f@192.168.0.12:5060
CSeq: 102 INVITE
User-Agent: Asterisk PBX 13.14.1~dfsg-2+deb9u4
Date: Fri, 23 Nov 2018 14:55:25 GMT
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 301

v=0
o=root 1306591449 1306591449 IN IP4 192.168.0.12
s=Asterisk PBX 13.14.1~dfsg-2+deb9u4
c=IN IP4 192.168.0.12
t=0 0
m=audio 13972 RTP/AVP 0 8 3 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv

Retransmitting #1 (no NAT) to 37.164.168.132:48540:
INVITE sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.12:5060;branch=z9hG4bK550417da
Max-Forwards: 70
From: “BOBY” sip:6004@192.168.0.12;tag=as54fa7a7f
To: sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203
Contact: sip:6004@192.168.0.12:5060
Call-ID: 5c05e6af48ad715f3d65c2e5579e841f@192.168.0.12:5060
CSeq: 102 INVITE
User-Agent: Asterisk PBX 13.14.1~dfsg-2+deb9u4
Date: Fri, 23 Nov 2018 14:55:25 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 301

v=0
o=root 1306591449 1306591449 IN IP4 192.168.0.12
s=Asterisk PBX 13.14.1~dfsg-2+deb9u4
c=IN IP4 192.168.0.12
t=0 0
m=audio 13972 RTP/AVP 0 8 3 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000

a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv

Retransmitting #2 (no NAT) to 37.164.168.132:48540:
INVITE sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.12:5060;branch=z9hG4bK550417da
Max-Forwards: 70
From: “BOBY” sip:6004@192.168.0.12;tag=as54fa7a7f
To: sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203
Contact: sip:6004@192.168.0.12:5060
Call-ID: 5c05e6af48ad715f3d65c2e5579e841f@192.168.0.12:5060
CSeq: 102 INVITE
User-Agent: Asterisk PBX 13.14.1~dfsg-2+deb9u4
Date: Fri, 23 Nov 2018 14:55:25 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 301

v=0
o=root 1306591449 1306591449 IN IP4 192.168.0.12
s=Asterisk PBX 13.14.1~dfsg-2+deb9u4
c=IN IP4 192.168.0.12
t=0 0
m=audio 13972 RTP/AVP 0 8 3 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=maxptime:150
a=sendrecv

Retransmitting #3 (no NAT) to 37.164.168.132:48540:
INVITE sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.12:5060;branch=z9hG4bK550417da
Max-Forwards: 70
From: “BOBY” sip:6004@192.168.0.12;tag=as54fa7a7f
To: sip:6001@37.164.168.132:48540;transport=UDP;rinstance=dca0b6bea0084203

please help

12

You haven’t got correct NAT settings, but I don’t see why that is stopping the response to the INVITE, or why it is considered a non-critical INVITE.

You are sending contact headers and media addresses pointing to your private network, but to something that is presumably on the public internet. That entity should be able to, at least 100 OK and then reject the session, even though the peer would not be able to send BYE or re-INVITE.

Are you sure your NAT information is in the general section?

13

Thanks all for your help

no it is working properly, i did many things so difficult to summarize here
but if needed i can provide my config file.
let me know

now i try to have video working if you have advise tell me

regards

14

Open a new thread for this request