Asterisk + Twilio/SIP+TLS : Getting "488 Not Acceptable Here"

We’ve been calling out from Twilio to our asterisk (v13.13-cert4, pjsip v2.5.5) via SIP (non-TLS) with great luck. I’m now working on trying to get secure trunking turned on, and am pulling my hair out trying to get Twilio and Asterisk to play nice.

Have any of you had luck with this?

Here is my current asterisk/pjsip configuration.

When I attempt a call with pjsip debugging turned on, I do see SIP traffic on the asterisk console, but it ends up throwing this error:

<--- Transmitting SIP response (864 bytes) to TLS:54.172.60.1:44591 --->
SIP/2.0 488 Not Acceptable Here

I’ve followed Twilio’s documentation on this topic, but it is clearly incomplete or outright incorrect. Their support are not proving helpful either, as they insist that their documentation is correct.

I’ll take any pointers you’ll throw my direction. Thanks!

You’ve offered a set of codecs that doesn’t intersect with the peer’s set.

That was my initial thought as well. However, after changing my pjsip endpoint to “allow=all”, I see no change in behavior.

…additionally, the codec configuration works perfectly if I revert back to a non-tls SIP configuration, leaving all non-TLS related config the same.

I’d suggest providing the complete trace so that the INVITE can be seen, as well as the endpoint configuration.

Will do, just need to do a bit of sanitization.

Here is the SIP debug trace:

I’ve wondered if it would be worth switching to chan_sip temporarily to see if this is some odd interaction between Twilio’s SIP+TLS implementation and PJSIP.

You did not provide the endpoint configuration to see if that is the cause of the problem.

I did - in linked text in my original message:

The offer from Twilio does not have SDES media encryption. The media is offered unencrypted.

2 Likes

Ugh, well that goes against what their documentation says. Thanks for spotting that.

Indeed, if I remove the “media_encryption*” entries from my endpoint configuration, calls can go through.

What should I be looking for in the SDP from twilio that indicates whether or not they’re offering media encryption?

The following:

m=audio 15512 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv

If it was SDES then it would be RTP/SAVP instead of RTP/AVP, and there would be an a=crypto line which contains the SDES key information to use for the encryption.

1 Like

OK, great.

Thank you! Now I have some ammunition to throw over the fence to Twilio support.

OK, I’m closer here. Twilio is now configured correctly to use SIP/TLS and SRTP. Here is the SDP they’re sending:

v=0
o=root 741061186 741061186 IN IP4 34.203.250.150
s=Twilio Media Server
c=IN IP4 34.203.250.150
t=0 0
m=audio 18744 RTP/SAVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<key redacted>

Asterisk is responding with

SIP/2.0 488 Not Acceptable Here

My endpoint is:

[twilio]
type=endpoint
transport=transport-tls
;transport=transport-udp-nat
context=from-twilio
;allow=all
disallow=all
allow=ulaw
aors=twilio
media_encryption=sdes
media_encryption_optimistic=no
dtmf_mode=inband

If I disable secure trunking on the Twilio end, and disable SIP/TLS/SRTP on my end, calls go through OK.

Well, for those that stumble upon this in the future, I was not able to resolve the problem with PJSIP. I switched “back” to chan_sip and secure calling from Twilio started working immediately.

Sorry for not responding, this fell off my list. The core code we use is the same between chan_sip and chan_pjsip, and your configuration is correct so it is concerning it did not work there. We also have pretty thorough test coverage so it may be something specific with Twilio. Can you file an issue[1] and attach your config and the SIP log so we can investigate and ensure we have a test case?

[1] https://issues.asterisk.org/jira

Hi,

May i request you to share you chan_sip conf?

i am running latest Asterisk on Linux Mint and wish to register some clients on TLS and SRP.

Many Thanks