Fixed external media address for webrtc clients

Fixed external media address for webrtc clients

we have asterisk server behind NAT using PJSIP. Some clients are connected with transport protocol wss (webrtc) and some are on UDP. Yesterday all webrtc clients stop working, without any software upgrade/change. The problem was that asterisk starts to send SDP without external address and webrtc clients were not able to connect. UDP clients work OK, because they are using external_media_address, local_net…

1.) It looks like that wss protocol is not using transport options local_net, external_media_address? Is it possible to used fixed external media address also when wss protocol is used?

2.) The problem in the first place was because (configured in rtp.conf) stop working, it hasn’t return any external address? But when I change to all starts to work. I found that (protocols - Why a STUN Server Needs Two Different Public IP addresses - Stack Overflow) on rare cases one stun server is not enough. So, is it possible (if there is no way to set fixed address) to configure two stun servers in rtp.conf. I tried this in rtp.conf:

but only the first stun server is used.

Best regards

It is not possible to configure multiple STUN servers. As well if Asterisk is on a fixed IP address you should use the ice_host_candidates functionality of rtp.conf to put the external IP address in as a host candidate, and not use STUN at all.

thanks for your response. I have tried your suggestion but it didn’t work for me.

This is my changed rtp.conf:


[ice_host_candidates] => 193.x.x.x,include_local_address

There is not a lot of documentation regarding ice_host_candidates, but as I understand correctly this configuration should map my local ip to external 193.x.x.x and also include other local ip-s. (I need this, because I have some clients also on 10.1.x.x network.)

But this SDP I get on client.

v=0 (6 more lines)
o=- 3136501614 4 IN IP4
c=IN IP4
t=0 0
a=msid-semantic:WMS *
a=group:BUNDLE 0 1
m=audio 13020 UDP/TLS/RTP/SAVPF 8 (14 more lines)
a=fingerprint:SHA-256 4E:C5:09:6F:68:0D:DE:3B:D1:F6:5E:BA:C0:A3:82:57:39:CB:A2:C0:CA:0E:2F:5B:52:47:81:83:7A:7A:00:C2
a=rtpmap:8 PCMA/8000
a=ssrc:76558848 cname:538232ea-377a-4580-bbbf-b628179978fe
a=msid:d878b6d8-74b4-40e7-8221-4ebd9a62e25b 0a3ca578-c92b-445a-94fd-3f1d9234eebc
a=rtcp-fb:* transport-cc

As you can see, in SPD there is no address 193.x.x.x present (no a=candidate lines), as there are if I enable icesupport.

Thanks for any suggestion

ICE support is required for WebRTC. You can’t disable it. The option changes the ICE host candidate lines, or adds additional ones.

great, enabling icesupport solved the issue.

have a nice day

just a note for previous discussion…

With ice_host_candidates mapping there is no way to set fixed external addresses, what is IMO most common scenario. For example, I was not able to set that only external 193.x.x.x and single local will be included as candidates in SDP.

Maybe something like this:
any => 193.x.x.x
any =>

So that in any situation ONLY those two addresses will be included and also any change in server network configuration (like adding vpn connection, docker network) will not reveal new candidate in SDP or remove fixed one.

best regards

I don’t quite understand what you mean, but you can prevent candidates from appearing in the SDP by using the “ice_deny” and “ice_permit” functionality.

I missed ice_permit options! I would like to achive that only and are used as candidates in SDP. (no other internal networks)

I tried this:

ice_permit =
ice_permit =
[ice_host_candidates] =>,include_local_address

I would expect only 2 candidates in client SDP ( and, but I got three, there is additional internal VPN network.

You have to have an ice_deny first, to start with blocking everything. It works the same as ACLs in other places.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.