Chan_sip, src port for SIP replies?

Are there any settings in sip_chan that could affect which port number Asterisk sends replies from (like 180, 200, 404, etc.) to SIP requests? Or at least, how can I force Asterisk to use the same port for replies as for incoming SIP requests?

I’ve got the following situation. Asterisk 13 has a public IP address. In iptables, only ports 5060/UDP and 10000-20000/UDP are permitted for incoming traffic, along with related/established connections. An incoming call from some SIP peer:

peer:5060 INVITE → asterisk:5060

asterisk:37601 200-OK → peer:5060
peer:5060 ACK → asterisk:37601

(a few minutes on the line, the caller wants to hang up)
peer:5060 BYE → asterisk:37601

and this BYE never reaches Asterisk itself, as the conntrack entry for UDP persists only for 30 seconds, and by the time the BYE request finally arrives, the firewall is already “closed” for it.

Why can Asterisk act like this, and how can I solve this issue?

Thanks.

There is no option to do other than that! If you are having problems with this, look at your router.

Asterisk 13 is no longer supported, but this won’t have changed. It is too fundamentally built into Asterisk that it will only reply from the port to which the transport is bound (or chan_sip is bound, but you should no longer be using that).

A typical problem might be that the router thinks another session owns 5060, so it creates a dynamic translation rule for a random port. I’m not sure how Asterisk is finding the random port number to put in the Contact header, assuming the client is using the Contact header correctly. It might be that the same translation was applied to STUN, or it might be that you have an application level gateway in the router, in which case the general advice is to disable it.
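
The packet flow from the question, replayed through a minimal model of a stateful UDP firewall (an added example, not part of the original thread and not real netfilter code). The open ports and the 30-second timeout are the ones stated in the question; the peer address and the timestamps are constructed.

```python
from collections import namedtuple

OPEN_PORTS = [(5060, 5060), (10000, 20000)]  # inbound UDP ports permitted, per the question
UDP_TIMEOUT = 30                             # conntrack UDP lifetime in seconds, per the question

# direction: "in" = peer -> Asterisk host, "out" = Asterisk host -> peer
# local_port: the UDP port on the Asterisk host side of the packet
Packet = namedtuple("Packet", "t direction local_port peer label")

def filter_packets(packets, timeout=UDP_TIMEOUT):
    """Return [(label, verdict)] for each packet, evaluated in time order."""
    last_seen = {}  # (local_port, peer) -> time the flow last passed traffic
    verdicts = []
    for p in sorted(packets, key=lambda p: p.t):
        key = (p.local_port, p.peer)
        tracked = key in last_seen and p.t - last_seen[key] <= timeout
        if p.direction == "out":
            verdict = "ACCEPT"                # outbound is unrestricted in this model
        elif tracked:
            verdict = "ACCEPT (established)"  # matches a live conntrack entry
        elif any(lo <= p.local_port <= hi for lo, hi in OPEN_PORTS):
            verdict = "ACCEPT (open port)"    # matches an explicit allow rule
        else:
            verdict = "DROP"
        if verdict != "DROP":
            last_seen[key] = p.t              # passing traffic refreshes the entry
        verdicts.append((p.label, verdict))
    return verdicts

PEER = "198.51.100.7:5060"  # constructed documentation address

# Constructed timeline matching the question: replies leave from port 37601,
# so the peer sends the ACK and the later BYE to that port.
CALL = [
    Packet(0.0, "in", 5060, PEER, "INVITE"),
    Packet(0.1, "out", 37601, PEER, "200 OK"),
    Packet(0.2, "in", 37601, PEER, "ACK"),
    Packet(180.0, "in", 37601, PEER, "BYE"),
]

if __name__ == "__main__":
    for label, verdict in filter_packets(CALL):
        print(f"{label:8} {verdict}")
```

The ACK is accepted only because it arrives while the entry created by the outgoing 200 OK is still live; the BYE arrives after that entry has expired and port 37601 matches no allow rule.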