Cannot dial Asterisk with SIP

I am attempting to dial an Asterisk installation on CentOS 5.4, using Asterisk v1.6.2.12 from the Digium RPM repository. I’ve verified using tcpdump that inbound SIP UDP packets are received at the eth0 interface of this machine, but no response is sent from Asterisk. Connecting to Asterisk with the option “-vvvvvvvvr” shows no output when the SIP packet arrives. Contrast this with the output from an out-of-the-box Asterisk installation on my Ubuntu server, where I see the following debug line:

[Oct 12 16:18:01] NOTICE[19663] chan_sip.c: Call from '' to extension 'test' rejected because extension not found.

Here is the configuration from my non-working Asterisk installation (commented out portions not included):

sip.conf

[general]
context=default                 ; Default context for incoming calls
allowoverlap=no                 ; Disable overlap dialing support. (Default is yes)
udpbindaddr=0.0.0.0             ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
tcpenable=no                    ; Enable server for incoming TCP connections (default is no)
tcpbindaddr=0.0.0.0             ; IP address for TCP server to bind to (0.0.0.0 binds to all interfaces)
srvlookup=yes

[basic-options](!)                ; a template
        dtmfmode=rfc2833
        context=from-office
        type=friend

[natted-phone](!,basic-options)   ; another template inheriting basic-options
        nat=yes
        directmedia=no
        host=dynamic

[public-phone](!,basic-options)   ; another template inheriting basic-options
        nat=no
        directmedia=yes

[my-codecs](!)                    ; a template for my preferred codecs
        disallow=all
        allow=ilbc
        allow=g729
        allow=gsm
        allow=g723
        allow=ulaw

[ulaw-phone](!)                   ; and another one for ulaw-only
        disallow=all
        allow=ulaw

extensions.conf:

[general]
static=yes
writeprotect=no
autofallthrough=yes
clearglobalvars=no
priorityjumping=no

[globals]
CONSOLE=Console/dsp
IAXINFO=guest
TRUNK=Zap/g2
TRUNKMSD=1

[default]
; E1C extensions
; load all server-generated extension snippets
#include /opt/resources/phone/asterisk/extensions/*.conf

; test
exten => test,1,Answer
exten => test,2,Set(trips = 1)
exten => test,3,Wait,1
exten => test,4,Playback(hello-world)
exten => test,5,GotoIf($[${trips} = 5]?6:7)
exten => test,6,Goto(9999,1)
exten => test,7,Set(trips=$[${trips} + 1])
exten => test,8,Wait,2
exten => test,9,Playback(beep)
exten => test,10,Goto(test,5)
exten => 9999,1,Playback(demo-thanks)
exten => 9999,2,Hangup()

I am using the pjsua command line SIP client to make the SIP call, which works fine against my other (Ubuntu) Asterisk installation. Also, when attempting to start pjsua on my CentOS machine (with the non-working Asterisk) it fails to bind to port 5060 - telling me that Asterisk did indeed start up and bind to that port. Any ideas?

Sounds like you may be having similar issues to what I had. Try this…
cyberciti.biz/tips/linux-ipt … rules.html

Cheers!
Dave

[quote=“dmiller”]Sounds like you may be having similar issues to what I had. Try this…
cyberciti.biz/tips/linux-ipt … rules.html

Cheers!
Dave[/quote]

Dave, that was exactly it! Thank you, I hadn’t considered looking at my iptables. I would however like to understand why this didn’t work in the first place. Here is my output from iptables prior to flushing, do you know which of these rules was preventing asterisk from receiving the UDP requests?

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Sorry I don’t actually know which is the one that makes the difference. I am a total Linux & * newbie.

If you find out more please post so we can all learn from it.

Glad I was able to help,
Dave

You actually need to add rules so the packets are accepted.

These two lines, inserted before the last one that rejects all:
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 19000:20000 -j ACCEPT

will allow SIP on port 5060 and RTP traffic on ports 19000 to 20000.

If your server is exposed to the world, you NEED to understand firewall & voip security… as an FYI my servers get scanned 2 to 6 times a day.

Thanks for the reply Cerian and the heads up, Linux Firewalls is the next book on my list.

Can you give me a little bit of a hint here…those two lines that you posted, do they go into the fw.stop script that they talk about here --> cyberciti.biz/tips/linux-ipt … rules.html

Cheers!
Dave

Briefly… packets go through different chains in iptables - incoming packets go through INPUT;
in your case, they are forwarded to another chain, RH-Firewall-1-INPUT.
Packets are matched against the rules, in order - if they match, they are accepted and sent to the application listening on the given port. If not, they reach the last line and are rejected.

The lines should be added to the /etc/sysconfig/iptables file, before the reject statement, and need a service iptables restart to take effect. Alternatively, they can be added via iptables… command, but will not persist through a reboot.

Again, this is a HOT topic, if someone breaks into your system, you can end up losing a lot of $$$

So yes, go for the book or browse online about firewall !

Again thanks for the assistance…

In your statement it says ports 19000 to 20000…should that actually be 10000 to 20000?
That is what it says in my Asterisk - The future of Telephony book.

Cheers!
Dave

Check in file: /etc/asterisk/rtp.conf, you’ll get the port range - it does not need to be 10,000 large !
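
As an added example (not code from any poster in this thread), the shell sketch below carries out the edit described above: it reads the RTP range from an rtp.conf-style file and places the SIP and RTP ACCEPT rules ahead of the chain's REJECT line in a ruleset in the /etc/sysconfig/iptables format. The function names and sample files are constructed for illustration, and the `-i lo` match in the sample ruleset is an assumption.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed for illustration.

# Print "START:END" from rtpstart/rtpend in an rtp.conf-style file.
rtp_range() {
    awk -F= '
        /^[ \t]*;/ { next }    # skip comment lines
        { k = $1; v = $2; gsub(/[ \t]/, "", k); sub(/;.*/, "", v); gsub(/[ \t\r]/, "", v) }
        k == "rtpstart" { s = v }
        k == "rtpend"   { e = v }
        END { if (s == "" || e == "" || s + 0 > e + 0) exit 1; print s ":" e }
    ' "$1"
}

# Print the ruleset in file $1 with the SIP and RTP ACCEPT rules placed just
# before the first REJECT of chain $2. $3 is the RTP range. Rules already
# present are not added twice; exits non-zero if the chain has no REJECT.
add_voip_rules() {
    awk -v chain="$2" -v rtp="$3" '
        BEGIN {
            pre = "-A " chain " -p udp -m state --state NEW -m udp --dport "
            want[1] = pre "5060 -j ACCEPT"
            want[2] = pre rtp " -j ACCEPT"
        }
        { line[NR] = $0; for (i = 1; i <= 2; i++) if ($0 == want[i]) have[i] = 1 }
        END {
            for (n = 1; n <= NR; n++) {
                if (!done && index(line[n], "-A " chain " ") == 1 && line[n] ~ /-j REJECT/) {
                    for (i = 1; i <= 2; i++) if (!have[i]) print want[i]
                    done = 1
                }
                print line[n]
            }
            if (!done) exit 1
        }
    ' "$1"
}

# Constructed samples. "-i lo" is an assumption: plain `iptables -L` hides interfaces.
write_samples() {
    printf '%s\n' '[general]' 'rtpstart=19000  ; constructed' 'rtpend=20000' > "$1/rtp.conf"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':RH-Firewall-1-INPUT - [0:0]' \
        '-A INPUT -j RH-Firewall-1-INPUT' '-A RH-Firewall-1-INPUT -i lo -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT' > "$1/iptables"
}

d=$(mktemp -d) && write_samples "$d" &&
    add_voip_rules "$d/iptables" RH-Firewall-1-INPUT "$(rtp_range "$d/rtp.conf")"; rm -rf "$d"
```

On a real host, write the output to a temporary file and check the exit status before replacing /etc/sysconfig/iptables, then restart the iptables service as described in the thread.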