Hold Pickup: Unsupported crypto suite, disconnect, one-way

Running a cloud-hosted Asterisk server (have tried multiple versions to find a fix, but operating 20.9.3 currently).
Deployed with USECALLMANAGER patch for 8851 endpoints.

SIPS + SRTP deployment, and everything is working well. Two-way calling, etc.
Endpoints are chan sip, and sip trunk to provider is PJSIP.

Now the issue:
When I call outbound, and then place the call on hold, I can resume the call without issue.
However, when I receive the call inbound (from a local extension or external call), if I place it on hold, when I resume, the phone call ends immediately.

I’ve traced the error back on the phone, and here is a comparison of the SIP debug when working (outbound call) vs non-working (inbound call)

Working (outbound call)

(567-883) JAVA-sipio-sent---> INVITE sip:***@SER.VER.PUB.IP:5061;transport=tls SIP/2.0^M
	Via: SIP/2.0/TLS 10.45.10.62:52654;branch=z9hG4bK7bd2da44^M
	From: "***" <sip:***@SER.VER.PUB.IP>;tag=706bb92427fe003f2f7a63f4-20c4ff7a^M
	To: <sip:***@SER.VER.PUB.IP>;tag=as77b83cd8^M
	Call-ID: 706bb924-27fe0008-320e604b-4ddaeee2@10.45.10.62^M
	Max-Forwards: 70^M
	Session-ID: 65140f5100105000a000706bb92427fe;remote=00000000000000000000000000000000^M
	Date: Mon, 07 Oct 2024 20:17:50 GMT^M
	CSeq: 104 INVITE^M
	User-Agent: Cisco-CP8851/12.8.1^M
	Contact: <sip:***@10.45.10.62:52654;transport=tls>;+u.sip!devicename.ccm.cisco.com="SEP706BB92427FE"^M
	Accept: application/sdp^M
	Allow: ACK,BYE,CANCEL,INVITE,NOTIFY,OPTIONS,REFER,REGISTER,UPDATE,SUBSCRIBE,INFO^M
	Remote-Party-ID: "***" <sip:***@SER.VER.PUB.IP>;party=calling;id-type=subscriber;privacy=off;screen=yes^M
	Call-Info: <urn:x-cisco-remotecc:resume>^M
	Supported: replaces,join,sdp-anat,norefersub,resource-priority,extended-refer,X-cisco-callinfo,X-cisco-serviceuri,X-cisco-escapecodes,X-cisco-service-control,X-c
	Allow-Events: kpml,dialog^M
	Recv-Info: conference^M
	Recv-Info: x-cisco-conference^M
	Authorization: Digest username="7091",realm="asterisk",uri="sip:***@SER.VER.PUB.IP:5061;transport=tls",response="...",nonce="...",algorithm=MD5^M
	Content-Length: 1471^M
	Content-Type: application/sdp^M
	Content-Disposition: session;handling=optional^M
	^M
	v=0^M
	o=Cisco-SIPUA 11011 2 IN IP4 10.45.10.62^M
	s=SIP Call^M
	b=AS:4064^M
	t=0 0^M
	m=audio 21434 RTP/SAVP 0 114 9 124 113 115 8 116 18 101^M
	c=IN IP4 10.45.10.62^M
	b=TIAS:64000^M
	a=crypto:1 AEAD_AES_256_GCM inline:...^M
	a=crypto:2 AEAD_AES_128_GCM inline:...^M
	a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:...^M
	a=crypto:4 AES_CM_128_HMAC_SHA1_32 inline:...^M
	a=crypto:5 AEAD_AES_256_GCM inline:... UNENCRYPTED_SRTCP^M
	a=crypto:6 AEAD_AES_128_GCM inline:... UNENCRYPTED_SRTCP^M
	a=crypto:7 AES_CM_128_HMAC_SHA1_80 inline:... UNENCRYPTED_SRTCP^M
	a=crypto:8 AES_CM_128_HMAC_SHA1_32 inline:... UNENCRYPTED_SRTCP^M
	a=rtpmap:0 PCMU/80
	a=rtpmap:114 opus/48000/2^M
	a=fmtp:114 maxplaybackrate=16000;sprop-maxcapturerate=16000;maxaveragebitrate=64000;stereo=0;sprop-stereo=0;usedtx=0^M
	a=rtpmap:9 G722/8000^M
	a=rtpmap:124 ISAC/16000^M
	a=rtpmap:113 AMR-WB/16000^M
	a=fmtp:113 octet-align=0;mode-change-capability=2^M
	a=rtpmap:115 AMR-WB/16000^M
	a=fmtp:115 octet-align=1;mode-change-capability=2^M
	a=rtpmap:8 PCMA/8000^M
	a=rtpmap:116 iLBC/8000^M
	a=fmtp:116 mode=20^M
	a=rtpmap:18 G729/8000^M
	a=fmtp:18 annexb=yes^M
	a=rtpmap:101 telephone-event/8000^M
	a=fmtp:101 0-15^M
	a=sendrecv^M

(567-883) JAVA-sipio-recv<--- SIP/2.0 100 Trying^M
	Via: SIP/2.0/TLS 10.45.10.62:52654;branch=z9hG4bK7bd2da44;received=PHO.NE.PUB.IP;rport=61496^M
	From: "***" <sip:***@SER.VER.PUB.IP>;tag=706bb92427fe003f2f7a63f4-20c4ff7a^M
	To: <sip:***@SER.VER.PUB.IP>;tag=as77b83cd8^M
	Call-ID: 706bb924-27fe0008-320e604b-4ddaeee2@10.45.10.62^M
	CSeq: 104 INVITE^M
	Server: Asterisk PBX 20.9.1^M
	Allow: INVITE, ACK, CANCEL, OPTIONS,BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE^M
	Supported: replaces,timer,X-cisco-sis-10.0.0^M
	Contact: <sip:***@SER.VER.PUB.IP:5061;transport=tls>^M
	Call-Info: <urn:x-cisco-remotecc:callinfo>; orientation=to; security=Encrypted^M
	Content-Length: 0^M

(567-883) JAVA-sipio-recv<--- SIP/2.0 200 OK^M
	Via: SIP/2.0/TLS 10.45.10.62:52654;branch=z9hG4bK7bd2da44;received=PHO.NE.PUB.IP;rport=61496^M
	From: "***" <sip:***@SER.VER.PUB.IP>;tag=706bb92427fe003f2f7a63f4-20c4ff7a^M
	To: <sip:***@SER.VER.PUB.IP>;tag=as77b83cd8^M
	Call-ID: 706bb924-27fe0008-320e604b-4ddaeee2@10.45.10.62^M
	CSeq: 104 INVITE^M
	Server: Asterisk PBX 20.9.1^M
	Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE^M
	Supported: replaces,timer,X-cisco-sis-10.0.0^M
	Contact: <sip:***@SER.VER.PUB.IP:5061;transport=tls>^M
	Content-Type: application/sdp^M
	Content-Length: 343^M
	^M
	v=0^M
	o=root 1788566023 1788566025 IN IP4 SER.VER.PUB.IP^M
	s=Asterisk PBX 20.9.1^M
	c=IN IP4 SER.VER.PUB.IP^M
	t=0 0^M
	m=audio 11528 RTP/SAVP 9 101^M
	a=crypto:1 AEAD_AES_256_GCM inline:...^M
	a=rtpmap:9 G722/8000^M
	a=rtpmap:101 telephone-event/8000^M
	a=fmtp:101 0-16^M
	a=maxptime:140^M
	a=sendrecv^M
    
(567-883) JAVA-sipio-sent---> ACK sip:***@SER.VER.PUB.IP:5061;transport=tls SIP/2.0^M
	Via: SIP/2.0/TLS 10.45.10.62:52654;branch=z9hG4bK34ffc64b^M
	From: "***" <sip:***@SER.VER.PUB.IP>;tag=706bb92427fe003f2f7a63f4-20c4ff7a^M
	To: <sip:***@SER.VER.PUB.IP>;tag=as77b83cd8^M
	Call-ID: 706bb924-27fe0008-320e604b-4ddaeee2@10.45.10.62^M
	Max-Forwards: 70^M
	Session-ID: 65140f5100105000a000706bb92427fe;remote=00000000000000000000000000000000^M
	Date: Mon, 07 Oct 2024 20:17:50 GMT^M
	CSeq: 104 ACK^M
	User-Agent: Cisco-CP8851/12.8.1^M
	Remote-Party-ID: "***" <sip:***@SER.VER.PUB.IP>;party=calling;id-type=subscriber;privacy=off;screen=yes^M
	Content-Length: 0^M
	Recv-Info: conference^M
	Recv-Info: x-cisco-conference^M
	Authorization: Digest username="7091",realm="asterisk",uri="sip:***@SER.VER.PUB.IP:5061;transport=tls",response="...",nonce="...",algorithm=MD5^M
	^M

Non-working (inbound call)

(567-883) JAVA-sipio-sent---> INVITE sip:***@SER.VER.PUB.IP:5061;transport=tls SIP/2.0^M
	Via: SIP/2.0/TLS 10.45.10.62:52654;branch=z9hG4bK77f59dcc^M
	From: <sip:***@10.45.10.62:52654;transport=tls>;tag=706bb92427fe003e12924eb7-769cfb34^M
	To: "***" <sip:***@SER.VER.PUB.IP>;tag=as1a77104e^M
	Call-ID: 2839d1857691c804017329400b656ba6@SER.VER.PUB.IP:5061^M
	Max-Forwards: 70^M
	Session-ID: 4beab8c400105000a000706bb92427fe;remote=00000000000000000000000000000000^M
	Date: Mon, 07 Oct 2024 20:14:33 GMT^M
	CSeq: 102 INVITE^M
	User-Agent: Cisco-CP8851/12.8.1^M
	Contact: <sip:***@10.45.10.62:52654;transport=tls>;+u.sip!devicename.ccm.cisco.com="SEP706BB92427FE"^M
	Accept: application/sdp^M
	Allow: ACK,BYE,CANCEL,INVITE,NOTIFY,OPTIONS,REFER,REGISTER,UPDATE,SUBSCRIBE,INFO^M
	Remote-Party-ID: "***" <sip:***@SER.VER.PUB.IP>;party=called;id-type=subscriber;privacy=off;screen=yes^M
	Call-Info: <urn:x-cisco-remotecc:resume>^M
	Supported: replaces,join,sdp-anat,norefersub,resource-priority,extended-refer,X-cisco-callinfo,X-cisco-serviceuri,X-cisco-escapecodes,X-cisc
	Allow-Events: kpml,dialog^M
	Recv-Info: conference^M
	Recv-Info: x-cisco-conference^M
	Authorization: Digest username="7091",realm="asterisk",uri="sip:***@SER.VER.PUB.IP:5061;transport=tls",response="...",nonce="...",algorithm=MD5^M
	Content-Length: 1471^M
	Content-Type: application/sdp^M
	Content-Disposition: session;handling=optional^M
	^M
	v=0^M
	o=Cisco-SIPUA 26440 2 IN IP4 10.45.10.62^M
	s=SIP Call^M
	b=AS:4064^M
	t=0 0^M
	m=audio 25924 RTP/SAVP 0 114 9 124 113 115 8 116 18 101^M
	c=IN IP4 10.45.10.62^M
	b=TIAS:64000^M
	a=crypto:1 AEAD_AES_256_GCM inline:...^M
	a=crypto:2 AEAD_AES_128_GCM inline:...^M
	a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:...^M
	a=crypto:4 AES_CM_128_HMAC_SHA1_32 inline:...^M
	a=crypto:5 AEAD_AES_256_GCM inline:... UNENCRYPTED_SRTCP^M
	a=crypto:6 AEAD_AES_128_GCM inline:... UNENCRYPTED_SRTCP^M
	a=crypto:7 AES_CM_128_HMAC_SHA1_80 inline:... UNENCRYPTED_SRTCP^M
	a=crypto:8 AES_CM_128_HMAC_SHA1_32 inline:... UNENCRYPTED_SRTC
	a=rtpmap:0 PCMU/8000^M
	a=rtpmap:114 opus/48000/2^M
	a=fmtp:114 maxplaybackrate=16000;sprop-maxcapturerate=16000;maxaveragebitrate=64000;stereo=0;sprop-stereo=0;usedtx=0^M
	a=rtpmap:9 G722/8000^M
	a=rtpmap:124 ISAC/16000^M
	a=rtpmap:113 AMR-WB/16000^M
	a=fmtp:113 octet-align=0;mode-change-capability=2^M
	a=rtpmap:115 AMR-WB/16000^M
	a=fmtp:115 octet-align=1;mode-change-capability=2^M
	a=rtpmap:8 PCMA/8000^M
	a=rtpmap:116 iLBC/8000^M
	a=fmtp:116 mode=20^M
	a=rtpmap:18 G729/8000^M
	a=fmtp:18 annexb=yes^M
	a=rtpmap:101 telephone-event/8000^M
	a=fmtp:101 0-15^M
	a=sendrecv^M

(567-883) JAVA-sipio-recv<--- SIP/2.0 100 Trying^M
	Via: SIP/2.0/TLS 10.45.10.62:52654;branch=z9hG4bK77f59dcc;received=PHO.NE.PUB.IP;rport=61496^M
	From: <sip:***@10.45.10.62:52654;transport=tls>;tag=706bb92427fe003e12924eb7-769cfb34^M
	To: "***" <sip:***@SER.VER.PUB.IP>;tag=as1a77104e^M
	Call-ID: 2839d1857691c804017329400b656ba6@SER.VER.PUB.IP:5061^M
	CSeq: 102 INVITE^M
	Server: Asterisk PBX 20.9.1^M
	Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE^M
	Supported: replaces,timer,X-cisco-sis-10.0.0^M
	Contact: <sip:***@SER.VER.PUB.IP:5061;transport=tls>^M
	Call-Info: <urn:x-cisco-remotecc:callinfo>; orientation=from; security=Encrypted^M
	Content-Length: 0^M

(567-883) JAVA-sipio-recv<--- SIP/2.0 200 OK^M
	Via: SIP/2.0/TLS 10.45.10.62:52654;branch=z9hG4bK77f59dcc;received=PHO.NE.PUB.IP;rport=61496^M
	From: <sip:***@10.45.10.62:52654;transport=tls>;tag=706bb92427fe003e12924eb7-769cfb34^M
	To: "***" <sip:***@SER.VER.PUB.IP>;tag=as1a77104e^M
	Call-ID: 2839d1857691c804017329400b656ba6@SER.VER.PUB.IP:5061^M
	CSeq: 102 INVITE^M
	Server: Asterisk PBX 20.9.1^M
	Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE^M
	Supported: replaces,timer,X-cisco-sis-10.0.0^M
	Contact: <sip:***@SER.VER.PUB.IP:5061;transport=tls>^M
	Content-Type: application/sdp^M
	Content-Length: 625^M
	^M
	v=0^M
	o=root 2003326329 2003326331 IN IP4 SER.VER.PUB.IP^M
	s=Asterisk PBX 20.9.1^M
	c=IN IP4 SER.VER.PUB.IP^M
	t=0 0^M
	m=audio 17756 RTP/SAVP 9 101^M
	a=crypto:1 AEAD_AES_256_GCM inline:...^M
	a=crypto:2 AEAD_AES_128_GCM inline:...^M
	a=crypto:3 AES_256_CM_HMAC_SHA1_80 inline:...^M
	a=crypto:4 AEAD_AES_256_GCM inline:...^M
	a=rtpmap:9 G722/8000^M
	a=rtpmap:101 telephone-event/8000^M
	a=fmtp:101 0-16^M
	a=maxptime:140^M
	a=sendrecv^M
    
(567-883) JAVA-sipio-sent---> ACK sip:***@SER.VER.PUB.IP:5061;transport=tls SIP/2.0^M
	Via: SIP/2.0/TLS 10.45.10.62:52654;branch=z9hG4bK04cb055b^M
	From: <sip:***@10.45.10.62:52654;transport=tls>;tag=706bb92427fe003e12924eb7-769cfb34^M
	To: "***" <sip:***@SER.VER.PUB.IP>;tag=as1a77104e^M
	Call-ID: 2839d1857691c804017329400b656ba6@SER.VER.PUB.IP:5061^M
	Max-Forwards: 70^M
	Session-ID: 4beab8c400105000a000706bb92427fe;remote=00000000000000000000000000000000^M
	Date: Mon, 07 Oct 2024 20:14:33 GMT^M
	CSeq: 102 ACK^M
	User-Agent: Cisco-CP8851/12.8.1^M
	Remote-Party-ID: "***" <sip:***@SER.VER.PUB.IP>;party=called;id-type=subscriber;privacy=off;screen=yes^M
	Content-Length: 0^M
	Recv-Info: conference^M
	Recv-Info: x-cisco-conference^M
	Authorization: Digest username="7091",realm="asterisk",uri="sip:***@SER.VER.PUB.IP:5061;transport=tls",response="...",nonce="...",algorithm=MD5^M
	^M

(567-885) JAVA- No Matching crypto suite for SRTP Context(AES_256_CM_HMAC_SHA1_80)-'X-crypto:v1' expected
(567-885) JAVA- Unsupported crypto suite


(567-883) JAVA-sipio-sent---> BYE sip:***@SER.VER.PUB.IP:5061;transport=tls SIP/2.0^M
	Via: SIP/2.0/TLS 10.45.10.62:52654;branch=z9hG4bK5b7e98bb^M
	From: <sip:***@10.45.10.62:52654;transport=tls>;tag=706bb92427fe003e12924eb7-769cfb34^M
	To: "***" <sip:***@SER.VER.PUB.IP>;tag=as1a77104e^M
	Call-ID: 2839d1857691c804017329400b656ba6@SER.VER.PUB.IP:5061^M
	Max-Forwards: 70^M
	Session-ID: 4beab8c400105000a000706bb92427fe;remote=00000000000000000000000000000000^M
	Date: Mon, 07 Oct 2024 20:14:33 GMT^M
	CSeq: 103 BYE^M
	User-Agent: Cisco-CP8851/12.8.1^M
	Content-Length: 0^M
	Authorization: Digest username="7091",realm="asterisk",uri="sip:***@SER.VER.PUB.IP:5061;transport=tls",response="...",nonce="...",algorithm=MD5^M
	^M

If you put a non-Cisco phone on the system does it also fail the same way? If not can you compare the trace?

On my FreePBX 17 system running Asterisk 21 with the callmanager patch, a call from a CP-6921 to a CP-6941 can be put on hold and then resumed on the recipient phone without issue.

This is with both extensions on the same network and the FreePBX 17 system on a different subnet - but one that IS NOT behind a translator.

So I SUSPECT the problem isn’t the PBX - it is the fact your PBX is “in the cloud” meaning it’s behind a NAT.

Hi Ted, thanks for the help here.
You’re correct that by using MicroSIP on the same network as the phones, I have the same issue. The call does not disconnect, but gets into a broken state.

Can you help clarify what you mean by “FreePBX 17 on a different subnet - but not behind a translator”. Does the server have a public IP address assigned, so there is no private network on the server without the need for NAT?

That’s an interesting point I will explore

The server does not have a public IP address it’s entirely on a private network and all extensions are on that network. That network is split into multiple subnets 172.16.1.0 172.16.100.0 etc. In fact it’s not even reachable from the public internet unless I VPN into the private network. To make and get calls on the PSTN it uses a SIP-to-POTS gateway.

Shoutout to Gareth who developed the USECALLMANAGER patch, he discovered the issue was due to the bad handling of the crypto suites in chan_sip.

He put out a new patch which fixes the ordering of crypto suites offered by asterisk.

This fixed my issue and may be solves others who have experienced no audio after resuming calls on hold that seemed to plague freepbx users.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.