Can't hang up a connected call

Problem description

When I hang up a connected call from an endpoint, Asterisk does not receive the instruction. Answering/rejecting a call is OK.

My Setup

  • Asterisk behind NAT
  • domain name points to gateway, ports forwarded to Asterisk
  • TLS for transport, media encrypted

Observations

Using the Zoiper app on an Android phone as an endpoint

  • Zoiper connects from the internet, end phone call from Zoiper: Asterisk CLI received nothing
  • Zoiper connects from the local net, end phone call from Zoiper: Asterisk CLI only received
    WARNING[1402]: pjproject: <?>: SSL 6 [SSL_ERROR_ZERO_RETURN] (Read) ret: 0 len: 65535
    and on Zoiper this pops up:

    Server security certificate error!
    For more information click Technical Details button.
    Proceed Anyway
    Back to Safety
    Technical Details
    Error: Certificate names mismatch
    Subject: CN = xxx.com
    Issuer: C = US, O = Let's Encrypt, CN = E8
    Validity
    Not Before: Jan 30 11:21:53 2026 GMT
    Not After: Apr 30 11:21:52 2026 GMT
    Expected Name: 192.168.1.249

pjsip.conf:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0
cert_file=/etc/letsencrypt/live/xxx.com/fullchain.pem
priv_key_file=/etc/letsencrypt/live/xxx.com/privkey.pem
method=tlsv1_2
verify_server=yes
external_media_address=xxx.com
external_signaling_address=xxx.com
local_net=192.168.1.0/24

[1001]
type=endpoint
transport=transport-tls
media_encryption=sdes
context=from-internal
disallow=all
allow=ulaw,alaw,g722,gsm
auth=auth1001
aors=1001
rewrite_contact=yes
rtp_symmetric=yes
force_rport=yes
direct_media=no

[auth1001]
type=auth
auth_type=userpass
username=1001
password=1111

[1001]
type=aor
max_contacts=10

The phone is trying to connect back to the address in the original Contact header, but that address doesn’t match the TLS certificate that the server is offering. As such there is no connection on which to send the BYE.

The Contact header is wrong, or the certificate is wrong. As you have redacted the CN and not told us the actual name of the server, I can’t tell if the certificate is wrong.

The Contact header could be wrong if you haven’t specified the correct public address, or you have specified local networks which include the remote public address.

Note that the Contact header needs to contain the domain name for which the certificate was made. I’m not sure that you can achieve that for the internal call, so you may have to disable domain checking in the internal phones.
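
Added example, not part of the thread and not Asterisk or Zoiper code: a small Python check of whether the host in a Contact URI would pass the name verification a TLS client performs, which is the mismatch shown in the Zoiper dialog ("Expected Name: 192.168.1.249" against a certificate for xxx.com). The Contact URIs and function names are constructed for illustration, and the certificate is assumed to carry only the DNS name xxx.com.

```python
import ipaddress
import re

def contact_host(contact_uri):
    """Extract the host from a sip:/sips: Contact URI (IPv4 or hostname)."""
    m = re.match(r"^sips?:(?:[^@;]+@)?([^:;>\s]+)", contact_uri.strip("<>"))
    if not m:
        raise ValueError("not a SIP URI: %r" % contact_uri)
    return m.group(1).lower()

def _dns_match(pattern, host):
    """RFC 6125 style match: '*' is allowed only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_accepts(host, dns_names, ip_sans=()):
    """True if a verifying TLS client would accept the certificate for host."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_match(n, host) for n in dns_names)
    # An IP literal is compared only with iPAddress SANs, never with DNS names.
    return any(ipaddress.ip_address(s) == ip for s in ip_sans)

def check_contact(contact_uri, dns_names, ip_sans=()):
    """Return (host, accepted) for the address the phone will connect back to."""
    host = contact_host(contact_uri)
    return host, cert_accepts(host, dns_names, ip_sans)

if __name__ == "__main__":
    # Constructed inputs: xxx.com is the redacted name from the post; the
    # Contact URIs are illustrative and were not taken from a packet capture.
    cert_dns = ["xxx.com"]
    for uri in ("sip:asterisk@192.168.1.249:5061;transport=tls",
                "sip:asterisk@xxx.com:5061;transport=tls"):
        host, ok = check_contact(uri, cert_dns)
        print(f"{uri} -> {host}: {'match' if ok else 'certificate names mismatch'}")
```

The first URI fails because an IP literal never matches a DNS name in the certificate, so the phone has no verified connection on which to send the BYE.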

Thanks for your reply.
I can reject/answer/initiate calls on the phone. Does that mean the phone-to-Asterisk connection is OK?
I use this certificate on an nginx web server with the same domain; the certificate itself is OK too.