Does anyone have a working mediasec config and pcap for Deutsche Telekom?

We’re trying to figure out whether we have a code issue or a configuration issue. We’ve got the following in both the endpoint and registration…

security_mechanisms=msrp-tls\;mediasec,sdes-srtp\;mediasec,dtls-srtp\;mediasec
security_negotiation = mediasec

We see the appropriate Security-Client, “Require: mediasec”, and “Proxy-Require: mediasec” headers on outgoing REGISTER requests however on outgoing INVITES, we don’t see those headers (or Security-Verify) at all although we do see the required “a=3ge2ae:requested” in the SDP. Since Asterisk doesn’t implement the UAS side of mediasec we’re not sure if it should be sending them on the initial INVITE or waiting for some response from the UAS. The code implies that it has to wait for a 401 response that has Security-Server headers but 401 responses are handled automatically and aren’t even passed to the res_pjsip_rfc3329 module. Also, the Deutsche Telekom doc[1] shows sending on the initial invite so that seems to conflict with the code.

So, does anyone have a working config and, more importantly, a pcap of a working scenario?

[1] https://www.telekom.de/hilfe/downloads/1tr119.pdf