No audio from extension outside of firewall

Asterisk is on a server behind a firewall. Calls made from extensions that are also behind the firewall have audio. Extensions outside the firewall will ring the number called but when answered there is no audio.

Initial thoughts were a firewall problem, but opening all ports with:
iptables -I INPUT -j ACCEPT
didn’t help.

UFW ports 5060, 10000-60000 are open for tcp and udp.

Can it be some setting in sip.conf?

Here are some of the values I tried.

Any ideas what’s wrong?

Thanks for the help.

You mean peers, not extensions.

Does the caller report the call is answered?

In which directions is there no audio?

If you get debugging with “sip set debug on”, are the correct IP addresses in the c lines, and the correct ports in the m lines, in the SDP from both sides.

nat=yes probably still works, but has been superseded by the combination of the two component settings: nat=force_rport,comedia, and is only relevant if the peer is sending the wrong addresses or ports.

You are missing type=peer.

Unless your system cannot make PSTN calls, having no authentication on internal devices is a really bad idea.

You should note that chan_sip is deprecated, unsupported, and scheduled for removal.

Thank you, thank you. I’ve been spending days trying to get this working. I’m at the point where I’m just making random changes.

There’s no audio in either direction when the call is answered (inbound and outbound).

Changed to nat=forcerport,comedia.

All the endpoints are defined as peers.

Don’t I have authentication with the “endpoint” with the “secret” in endpoint settings?

media_address =

No pjsip for me right now. That looks like another major task for another time.

I have the debug output but don’t know what to look for. There was one unauthorized that I don’t know if it’s significant.

[Mar 7 23:08:32] VERBOSE[31926] chan_sip.c: — (15 headers 15 lines) —
[Mar 7 23:08:32] VERBOSE[31926] chan_sip.c: Sending to (NAT)
[Mar 7 23:08:32] VERBOSE[31926][C-0000032d] chan_sip.c: Sending to (NAT)
[Mar 7 23:08:32] VERBOSE[31926][C-0000032d] chan_sip.c: Using INVITE request as basis request - 179d9786@
[Mar 7 23:08:32] VERBOSE[31926][C-0000032d] chan_sip.c: Found peer ‘8001’ for ‘8001’ from
[Mar 7 23:08:32] VERBOSE[31926][C-0000032d] chan_sip.c:
<— Reliably Transmitting (NAT) to —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP;branch=z9hG4bK-42665f0e;received=;rport=5060
Call-ID: 179d9786@
CSeq: 8001 INVITE
Server: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm=“asterisk”, nonce=“13e21a9a”
Content-Length: 0

There is an underscore.

There was no secret in the configuration you provided here,

This should only be present if it has a value.

It is not significant as the peer does send authentication as a result.

However, your log is far too incomplete to be useful for debugging one way audio.

There is no audio in either direction.

Some of the problems you spotted are just my bad typing. But everything you pointed out has been corrected.

The log of the failed call is about 70,000 characters. Messages here have a limit of about 33,000 characters. I don’t see any way to add an attachment.

While it still isn’t working, I feel like I’m getting closer to a solution.


Does this result add any info?

Call from Endpoint inside of firewall to Endpoint outside has no audio either direction.

Endpoint #1 (ATA OBI110) ==> router ===> server (with firewall) ===> internet ===> Endpoint #2 (ATA OBI110)

Still waiting for the SDP from the traces.

also which ports are configured in rtp.conf

I think this should be the failed call to 4134425424.

data.txt (63.7 KB)

The only entries in rtp.conf are:


And I’ve opened ports 10000-60000 with UFW.

Server: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1

You are using an unsupported version of Asterisk. Please reproduce with 16.24.1 or 18.10.1. 13.1.0 is over seven years old, and even security fixes ended for Asterisk 13 last year.

The log show that Asterisk is ignoring the external IP address. Please use CLI commands to verify whether it has actually read it, although it may be because it isn’t a valid synonym for externaddr, although it does look like current versions recognize it, even though it isn’t documented. Did you put it in the general section?

(The peer doesn’t seem to need nat=, as it seems to be correctly presenting its public addresses, although force_rport may get it a little way in coping with the problem at the Asterisk end.)

How time passes. Didn’t realize how old my version of Asterisk is.

But I can’t upgrade Asterisk! Do I need to reinstall from scratch?

$ apt-get install asterisk

Reading package lists… Done
Building dependency tree
Reading state information… Done
asterisk is already the newest version (1:13.1.0~dfsg-1.1ubuntu4.1).
0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.

Just upgraded ubuntu and again got the same message for Asterisk.

You need to get your support from Ubuntu, as they are the one that is offering the out of date package.

Ubuntu did update. The “same message” was referring to Asterisk upgrade.

You can’t upgrade the Ubuntu Asterisk package, therefore you need to contact Ubuntu, as they are responsible for ensuring that that package works.

Working! Changing settings in sip.conf was the answer. Unfortunately, I was using “trial and error” and have no idea what got it working. I lost track of what I changed.

Now, apt-get won’t upgrade my version of Asterisk. Keeps saying I have the latest version. To get the latest, go to Asterisk and download the file.

Thank you everyone for your patience and knowledge that kept got me closer to the solution.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.