How do you see them making it through iptables? Are you dumping traffic off the backside of the INPUT chain somehow? FreePBX installs usually include fail2ban. I’d double-check to make sure there wasn’t a DROP put in place for the IP of the phone.
What version of DPMA do you have installed?
w.r.t. large packets, if the phone’s going across a router or ALG that eats large packets, phone firmware 220.127.116.11 added support to split the Handshake packets so that they don’t get gobbled for going over UDP limits. You’ve got 18.104.22.168. If the phone can’t handshake w/ DPMA, it can’t be told to load new firmware that way. You could use the phone’s web UI to load an updated firmware on it. The latest firmware file can be retrieved from http://dphone.dl.digium.com/firmware/asterisk/2_2_2_2/2_2_2_2_D65_firmware.eff
Your sip.conf settings:
accept_outofcall_message=yes outofcall_message_context=dpma_message_context auth_message_requests=no
Those are in the [general] section, yes?
How did you point the phone at the server? Perhaps it’s been sent to the wrong place, or it’s been wrongly sent (Fetch Configuration File from URL or manual SIP Account instead of Digium Configuration Server).