No Incoming Call Audio

Hello Everyone!
I’m having a problem with my asterisk system after we changed router/firewalls. (Yes. I know… the answer is “It’s a nat issue, fix your nat/firewall.” Please Listen)

We’ve just switched from a Netgear router with a built-in SIP ALG to a custom-built Ubuntu router/firewall to deal with some new scans that we’re required to pass. We are running an IncrediblePBX/XIVO/Asterisk 13.11.2 server currently terminating two DIDs from DIDforsale. Everything ran fine through the Netgear router with port forwarding enabled, but we couldn’t secure it very well, and it kept needing to be rebooted.

When we switched to the custom router/firewall, we could call out with 2-way audio perfectly fine. We couldn’t call in and get our IVR to answer. After some troubleshooting, I noticed that the calls actually were connecting in the logs. I set the default incoming call extension to a single phone, and the call goes through with 2-way audio (although the calling party does not hear any ringing on their end, just silence until the called party picks up). If the called party does not pick up, the logs show voicemail activating, but the calling party doesn’t hear anything.

Obviously, the problem is in the NAT/firewall. I get that. I’ve tried everything I can think of when it comes to port forwarding. What could cause audio to flow in both directions, but pre-recorded audio (yes, I’ve tried the asterisk default sounds as well) to not flow? Is there anything I can set in the interface/config files that would help?

Please help!

–Troy

Hi Troy,
It is very good that you understand the area of your issue (NAT/firewall), but it would be very hard for community members to go any deeper before understanding your network topology and configurations, especially those related to routing, NAT, IP filtering, ALG.
IVR just sends audio one-way using the same protocol (RTP) and UDP port ranges, and from an IP/UDP/RTP perspective it is not different from “usual”, human-generated audio.

What might be helpful for further analysis is two packet traces from a central network node (e.g. router):

  • a “good” trace with two-way audio heard.
  • a “bad” trace with IVR not heard.

One quick thing you can try is to make sure that the nf_conntrack_sip kernel module is NOT loaded. If it is, unload it and make sure it doesn’t load again by blacklisting it in /etc/modprobe.d.

Yes, good suggestion.

If it does not help, please provide routing / NAT / firewall / ALG configurations here, obfuscating public IP addresses and credentials. This might make the root cause clearer.

Gateway is Ubuntu 16.x LTS running in a windows Hyper-V environment with two dedicated NICs, 1 processor, and 1Gb memory.

*nf_conntrack_sip and nf_nat_sip have been removed and blacklisted.

Public port is eth0, private port is eth1.

Gateway is Host 1 on private network and {static ip} on public network.

PBX is 51 on private network

Mail Server is 53 on private network

Chain INPUT (policy DROP 5 packets, 1220 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 5060:5069,10000:20000
0 0 ACCEPT all -- * * {DID host} 0.0.0.0/0
0 0 ACCEPT all -- * * {DID host} 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
298 19419 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
11 2601 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
68 6250 ACCEPT tcp -- * * 0.0.0.0/0 X.X.X.53 multiport dports 25,587,465,143,993
58 26315 ACCEPT all -- eth1 eth1 0.0.0.0/0 0.0.0.0/0
994 108K ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
1570 1870K ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 161 packets, 24459 bytes)
pkts bytes target prot opt in out source destination

Chain PREROUTING (policy ACCEPT 62 packets, 8608 bytes)
pkts bytes target prot opt in out source destination
1 52 DNAT tcp -- eth1 * X.X.X.0/24 0.0.0.0/0 tcp dpt:80 to:X.X.X.1:3128
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 5060:5069 to:X.X.X.51
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,587,465,143,993 to:X.X.X.53
3 180 DNAT tcp -- eth1 * X.X.X.0/24 {static ip} multiport dports 25,587,465,143,993 to:X.X.X.53

Chain INPUT (policy ACCEPT 2 packets, 246 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2 packets, 133 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 2 packets, 133 bytes)
pkts bytes target prot opt in out source destination
51 6183 SNAT all -- * eth0 X.X.X.0/24 0.0.0.0/0 to:{STATIC IP}
3 180 SNAT tcp -- * * 0.0.0.0/0 X.X.X.53 multiport dports 25,587,465,143,993 to:{STATIC IP}

Just in case it helps… my IVR…
;# // BEGIN ivr-main
[ivr-main] ; IVR Template
exten => s,1,Answer
exten => s,2,Wait(1)
exten => s,3(skip),Set(IVR_MSG=/var/lib/xivo/sounds/playback/Church_IVR_Main)
exten => s,4(start),Set(TIMEOUT(digit)=3)
exten => s,5,ExecIf($["${IVR_MSG}" != ""]?Background(${IVR_MSG}))
exten => s,6,WaitExten(10,)

exten => 0,1,Dial(Local/801@default)

exten => 1,1,Playback(/var/lib/xivo/sounds/playback/Service_times_directions)
exten => 1,n,Goto(s,3)

exten => 2,1,Playback(/var/lib/xivo/sounds/playback/prayer-team)
exten => 2,n,Voicemail(710@default)
exten => 2,n,Goto(s,3)

exten => 3,1,Dial(local/702@default)

exten => 4,1,Dial(local/703@default)

exten => 5,1,Dial(Local/705@default)

exten => 6,1,Dial(Local/701@default)

exten => 7,1,Goto(i,1)

exten => 8,1,Goto(i,1)

exten => 9,1,Dial(Local/720@default)

exten => *,1,Dial(Local/3472@default)

exten => i,1,Playback(pm-invalid-option)
exten => i,n,Goto(s,4)

exten => t,1,Playback(vm-goodbye)
exten => t,n,Goto(h,1)

exten => return,1,Goto(s,3)

exten => h,1,Hangup

exten => hang,1,Playback(vm-goodbye)
exten => hang,n,Hangup

;#// Ring main office phone for troubleshooting
;# // exten => s,1,Answer
;# // exten => s,2,Wait(1)
;# // exten => s,3,Dial(Local/702@default)
;# // END ivr-main
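
An added example, not part of the original thread: a small first-match trace of where a UDP packet arriving on eth0 ends up under the filter and nat rules posted above. The rule tuples are transcribed from that listing, `PBX` stands for X.X.X.51, and the handling of tracked flows is a stated assumption in the code.

```python
# Added example. UDP-relevant rules transcribed from the listing above;
# "PBX" stands for X.X.X.51. First matching rule wins; both filter chains
# have policy DROP. The two {DID host} INPUT rules are left out: they only
# apply to traffic for the gateway itself and do not change these results.
NAT_PREROUTING = [("eth0", "udp", (5060, 5069), "PBX")]
FILTER_INPUT = [  # (in_iface, proto, port ranges, ctstates); None = any
    ("eth0", "udp", [(5060, 5069), (10000, 20000)], None),
    ("lo", None, None, None),
    ("eth1", None, None, None),
    ("eth0", None, None, {"RELATED", "ESTABLISHED"}),
]
FILTER_FORWARD = [  # (in_iface, out_iface, ctstates); tcp mail rule omitted
    ("eth1", "eth1", None),
    ("eth1", "eth0", None),
    ("eth0", "eth1", {"RELATED", "ESTABLISHED"}),
]


def in_ranges(port, ranges):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def trace(in_iface, proto, dport, ctstate):
    """Return (chain, verdict, delivered_to) for one packet reaching the gateway."""
    dest = "gateway"
    if ctstate == "NEW":
        # Only the first packet of a flow consults the nat table.
        for iface, p, ports, target in NAT_PREROUTING:
            if (iface, p) == (in_iface, proto) and in_ranges(dport, [ports]):
                dest = target
                break
    else:
        # Assumption: the tracked flow was opened by the PBX, so conntrack
        # reverses the SNAT mapping and the packet is routed to the PBX.
        dest = "PBX"
    if dest == "gateway":
        for iface, p, ports, states in FILTER_INPUT:
            if (iface == in_iface and p in (None, proto)
                    and in_ranges(dport, ports)
                    and (states is None or ctstate in states)):
                return ("INPUT", "ACCEPT", "gateway")
        return ("INPUT", "DROP", None)
    for iface, out, states in FILTER_FORWARD:  # PBX sits behind eth1
        if (iface, out) == (in_iface, "eth1") and (states is None or ctstate in states):
            return ("FORWARD", "ACCEPT", dest)
    return ("FORWARD", "DROP", None)


if __name__ == "__main__":
    for pkt in [("eth0", "udp", 5060, "NEW"), ("eth0", "udp", 12000, "NEW"),
                ("eth0", "udp", 12000, "ESTABLISHED")]:
        print(pkt, "->", trace(*pkt))
```

Under the posted rules, a NEW packet to 5060 is DNATed to the PBX but then meets the FORWARD policy, while a NEW packet in the 10000:20000 range is accepted for the gateway itself because no DNAT rule covers that range.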