NAT, Multiple VLANs, One way audio in video calls, call hangs up after some time

Hi,
I have an Asterisk server which is behind NAT, and the subnet of the Asterisk server is 192.168.1.0/24.

I have a managed switch that provides different VLANs with subnets like 192.168.11.0/24 and similar, with L3 switching. All the VLANs can access the Asterisk server, and all UDP and TCP packets are allowed to and from the Asterisk server to and from all VLANs.

The transport section for pjsip is as follows

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1
local_net=192.168.1.0/16
local_net=127.0.0.1/16
external_media_address=5.36.152.149
external_signaling_address=5.36.152.149
external_signaling_port=5061
tos = cs3

Endpoints are as follows


[70102]
type = aor
max_contacts = 1
remove_existing = yes
qualify_frequency = 60
maximum_expiration = 3600
minimum_expiration = 60
default_expiration = 120

[70102]
type = auth
username = 70102
password = 70102
nonce_lifetime = 200


[70102]
type = endpoint
context=fullrights
rtp_symmetric = yes
rewrite_contact=yes
dtmf_mode = rfc4733
message_context=some_context_that_does_nothing
disallow = all
allow = ulaw
allow = alaw
allow = gsm
allow = g726
allow = h264
allow = mpeg4
allow = vp8
allow = h263p
rtp_timeout = 30
timers = yes
direct_media = no
callerid=70102 <Door_5>
send_pai = yes
use_avpf = no
tos_audio = ef
tos_video = af41
auth = 70102
outbound_auth = 70102
aors = 70102


[90102]
type = aor
max_contacts = 5
qualify_frequency = 60
maximum_expiration = 3600
minimum_expiration = 60
default_expiration = 120
remove_existing = yes

[90102]
type = auth
username = 90102
password = 88868c

[90102]
type = endpoint
rewrite_contact=yes
context=mobile
dtmf_mode = rfc4733
disallow = all
allow = ulaw
allow = alaw
allow = gsm
allow = g726
allow = h264
allow = mpeg4
allow = vp8
allow = h263p
rtp_timeout = 30
timers = yes
direct_media = no
callerid=90102 <Mobile Exten 90102>
send_pai = yes
auth = 90102
outbound_auth = 90102
aors = 90102
dtmf_mode=rfc4733
media_encryption=sdes
transport = transport-tls
rtp_symmetric=yes
force_rport=yes

Here is the full log with debug and verbose set to 5
full.log.txt (115.4 KB)

How can this be solved?

Although asterisk may do: ((source-address XOR address) AND mask) == 0 you should always assume the simpler: (source-address & mask) == address.
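
The two matching rules from the reply above, run against the local_net values in the posted transport section. This is an added example, not part of the original thread and not Asterisk's own code; the function names are made up here, and 192.168.11.20 is a constructed sample address in one of the VLAN subnets.

```python
import ipaddress

def parse_entry(entry):
    """Split 'a.b.c.d/len' into (address, mask) as integers, keeping any host bits."""
    addr_text, prefix_text = entry.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {entry!r}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr_text)), mask

def match_xor(source, entry):
    """((source XOR address) AND mask) == 0: host bits in the entry are ignored."""
    addr, mask = parse_entry(entry)
    return ((int(ipaddress.IPv4Address(source)) ^ addr) & mask) == 0

def match_simple(source, entry):
    """(source AND mask) == address: fails for every source if the entry has host bits."""
    addr, mask = parse_entry(entry)
    return (int(ipaddress.IPv4Address(source)) & mask) == addr

def normalise(entry):
    """Return the entry with host bits cleared, which matches the same under both rules."""
    addr, mask = parse_entry(entry)
    return f"{ipaddress.IPv4Address(addr & mask)}/{bin(mask).count('1')}"

def audit(entries, sources):
    """List (entry, source, xor_result, simple_result) for every combination."""
    return [(e, s, match_xor(s, e), match_simple(s, e)) for e in entries for s in sources]

if __name__ == "__main__":
    # local_net values as posted in the transport section
    posted = ["192.168.1.0/16", "127.0.0.1/16"]
    # Addresses from the posted log, plus one constructed VLAN host (192.168.11.20)
    sources = ["192.168.72.208", "188.66.144.76", "192.168.11.20"]
    for entry, source, by_xor, by_simple in audit(posted, sources):
        flag = "" if by_xor == by_simple else "  <-- rules disagree"
        print(f"{entry:16} {source:16} xor={by_xor!s:5} simple={by_simple!s:5}{flag}")
    for entry in posted:
        print(f"{entry} -> {normalise(entry)}")
```
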

Pardon, but can you please let me know how that should be done?

Should it be

local_net=192.168.0.0/16
local_net=127.0.0.0/16

What I see is that both remote and source are locked on to the same IP

 -- Executing [90702@fullrights:1] Dial("PJSIP/70702-00000000", "PJSIP/90702/sip:90702@188.66.144.76:8624;transport=TLS") in new stack
    -- Called PJSIP/90702/sip:90702@188.66.144.76:8624;transport=TLS
    -- PJSIP/90702-00000001 is ringing
       > 0x2184db0 -- Strict RTP learning after remote address set to: 188.66.144.76:9509
       > 0x25bc640 -- Strict RTP learning after remote address set to: 188.66.144.76:9512
    -- PJSIP/90702-00000001 answered PJSIP/70702-00000000
       > 0x20c7900 -- Strict RTP learning after remote address set to: 192.168.72.208:6000
       > 0x20eb180 -- Strict RTP learning after remote address set to: 192.168.72.208:6200
    -- Channel PJSIP/90702-00000001 joined 'simple_bridge' basic-bridge <a014344b-2cb4-48d7-ad21-02cc55d1c193>
    -- Channel PJSIP/70702-00000000 joined 'simple_bridge' basic-bridge <a014344b-2cb4-48d7-ad21-02cc55d1c193>
       > 0x20eb180 -- Strict RTP switching to RTP target address 192.168.72.208:6200 as source
       > 0x20c7900 -- Strict RTP learning after remote address set to: 192.168.72.208:6080
       > 0x20eb180 -- Strict RTP learning after remote address set to: 192.168.72.208:6280
       > 0x20c7900 -- Strict RTP switching to RTP target address 192.168.72.208:6080 as source
       > 0x20eb180 -- Strict RTP switching to RTP target address 192.168.72.208:6280 as source
       > 0x20eb180 -- Strict RTP learning complete - Locking on source address 192.168.72.208:6280
       > 0x20c7900 -- Strict RTP learning complete - Locking on source address 192.168.72.208:6080
    -- Channel PJSIP/70702-00000000 left 'simple_bridge' basic-bridge <a014344b-2cb4-48d7-ad21-02cc55d1c193>

Hi, can you send the full sip and sdp messages log of this call?