No INVITE when using media_encryption

Hi,

We’re using Asterisk 13.21-cert6 and we’re trying to set up communication via SIP-TLS and SRTP.

Registrations via SIP-TLS are working just fine, but as soon as I activate SRTP I can no longer make any calls.
I’m trying to dial with ${PJSIP_DIAL_CONTACTS}, but as soon as I set “media_encryption” in my pjsip endpoint, Asterisk does not send any INVITE packages to the client.
The client is a Snom D385 (among others), which supports SRTP communication and which we have tested successfully in other scenarios.
The phone can be directly reached via network (no NAT, no routing).

As soon as I set “media_encryption=sdes” on the pjsip endpoint, Asterisk stops sending invites to the phone.

It also does not seem to be an endpoint-related issue, since I have 3 registered contacts and Asterisk stops sending packets to all of them.

Here is my endpoint configuration:

[2926230]
type = aor
max_contacts = 6
qualify_frequency = 15
remove_existing = yes
default_expiration = 120
;
[2926230]
type = auth
username = 2926230
password = SECRETPASSWORD
;
[2926230]
type = endpoint
context = fulda
dtmf_mode = rfc4733
disallow = all
allow = alaw
allow = ulaw
direct_media = no
callerid = Jane Doe <230>
send_pai = yes
named_call_group = IT
named_pickup_group = IT,fulda
tos_audio = ef
tos_video = af41
cos_audio = 5
cos_video = 4
language = de
mailboxes = 36491@fulda
incoming_mwi_mailbox = 36491@fulda
auth = 2926230
outbound_auth = 2926230
aors = 2926230
allow_subscribe = no
t38_udptl = no
t38_udptl_ec = redundancy
rtp_symmetric = yes
media_encryption = sdes
media_encryption_optimistic = yes
rewrite_contact = yes

And my transport-tls section (not explicitly specified):

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0
tos=cs3
cos=3
ca_list_path=/etc/ssl/certs
cert_file=/etc/ssl/certs/voip-nt.crt
priv_key_file=/etc/ssl/private/voip-nt.key
method=tlsv1_2
verify_client=no
verify_server=yes
allow_reload=yes

I don’t get any error messages on the console, despite setting log/debug level to anywhere from 100 to 9999.

What could be the cause of this strange behaviour?

What exactly happens? What’s the console output?

Hi,

Just nothing. I get back a busy response (which doesn’t come from any SIP traffic).

Console output using sdes:

    -- Executing [2926230@fulda-in:99] Dial("PJSIP/2926998-0000009a", "PJSIP/2926230/sip:2926230@10.108.24.47:40965;transport=TLS&PJSIP/2926230/sip:FEU411-3-187-1@10.108.24.15:5070;rinstance=1FEFEB55&PJSIP/2926230/sip:2926230@10.108.24.21:5060,,tT") in new stack
    -- Called PJSIP/2926230/sip:2926230@10.108.24.47:40965;transport=TLS
  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio TOS bits 184 in TCLASS field.
  == Using SIP RTP Audio CoS mark 5
  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio TOS bits 184 in TCLASS field.
  == Using SIP RTP Audio CoS mark 5
    -- Called PJSIP/2926230/sip:FEU411-3-187-1@10.108.24.15:5070;rinstance=1FEFEB55
    -- Called PJSIP/2926230/sip:2926230@10.108.24.21:5060
    -- PJSIP/2926230-0000009c connected line has changed. Saving it until answer for PJSIP/2926998-0000009a
    -- PJSIP/2926230-0000009b connected line has changed. Saving it until answer for PJSIP/2926998-0000009a
  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio TOS bits 184 in TCLASS field.
  == Using SIP RTP Audio CoS mark 5
    -- PJSIP/2926230-0000009d connected line has changed. Saving it until answer for PJSIP/2926998-0000009a
  == Everyone is busy/congested at this time (3:0/0/3)

I’ve tried changing the encryption to dtls but all I get there is basically the same:

    -- Executing [2926230@fulda-in:99] Dial("PJSIP/2926998-0000009e", "PJSIP/2926230/sip:2926230@10.108.24.47:40965;transport=TLS&PJSIP/2926230/sip:FEU411-3-187-1@10.108.24.15:5070;rinstance=1FEFEB55&PJSIP/2926230/sip:2926230@10.108.24.21:5060,,tT") in new stack
    -- Called PJSIP/2926230/sip:2926230@10.108.24.47:40965;transport=TLS
    -- Called PJSIP/2926230/sip:FEU411-3-187-1@10.108.24.15:5070;rinstance=1FEFEB55
  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio TOS bits 184 in TCLASS field.
  == Using SIP RTP Audio CoS mark 5
  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio TOS bits 184 in TCLASS field.
  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio TOS bits 184 in TCLASS field.
  == Using SIP RTP Audio CoS mark 5
  == Using SIP RTP Audio CoS mark 5
  == DTLS ECDH initialized (secp256r1), faster PFS enabled
  == DTLS ECDH initialized (secp256r1), faster PFS enabled
    -- Called PJSIP/2926230/sip:2926230@10.108.24.21:5060
    -- PJSIP/2926230-000000a1 connected line has changed. Saving it until answer for PJSIP/2926998-0000009e
    -- PJSIP/2926230-0000009f connected line has changed. Saving it until answer for PJSIP/2926998-0000009e
  == DTLS ECDH initialized (secp256r1), faster PFS enabled
    -- PJSIP/2926230-000000a0 connected line has changed. Saving it until answer for PJSIP/2926998-0000009e
  == Everyone is busy/congested at this time (3:0/0/3)
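
An added example, not part of the original posts: SDES carries the SRTP master key in the SDP a=crypto line, so the key is only confidential when the SIP signaling to that contact runs over TLS, and of the three contacts in the Dial() lines above only one carries transport=TLS. The Python sketch below flags the others and decodes the counters in the final summary line as app_dial prints them (total:busy/congestion/nochan); the function names are hypothetical and the sample strings are copied from the console output.

```python
import re

# Constructed sample input, copied from the Dial() line and summary above.
DIAL_TARGETS = (
    "PJSIP/2926230/sip:2926230@10.108.24.47:40965;transport=TLS"
    "&PJSIP/2926230/sip:FEU411-3-187-1@10.108.24.15:5070;rinstance=1FEFEB55"
    "&PJSIP/2926230/sip:2926230@10.108.24.21:5060"
)
SUMMARY = "  == Everyone is busy/congested at this time (3:0/0/3)"

def signaling_transport(uri):
    """Return the signaling transport a contact URI asks for, lower-cased."""
    if uri.lower().startswith("sips:"):
        return "tls"
    for param in uri.split(";")[1:]:
        name, _, value = param.partition("=")
        if name.lower() == "transport":
            return value.lower()
    return "unspecified"  # no transport parameter: not pinned to TLS

def cleartext_sdes_contacts(dial_targets, media_encryption):
    """List contact URIs that would get SDES keys over non-TLS signaling."""
    if media_encryption != "sdes":
        return []  # DTLS-SRTP negotiates its keys on the media path instead
    flagged = []
    for target in dial_targets.split("&"):
        tech, _endpoint, uri = target.split("/", 2)
        if tech == "PJSIP" and signaling_transport(uri) != "tls":
            flagged.append(uri)
    return flagged

def parse_dial_summary(line):
    """Decode app_dial's '(total:busy/congestion/nochan)' counters."""
    m = re.search(r"\((\d+):(\d+)/(\d+)/(\d+)\)", line)
    if not m:
        return None
    keys = ("total", "busy", "congestion", "nochan")
    return dict(zip(keys, map(int, m.groups())))

if __name__ == "__main__":
    for uri in cleartext_sdes_contacts(DIAL_TARGETS, "sdes"):
        print("SDES key would travel over non-TLS signaling:", uri)
    print(parse_dial_summary(SUMMARY))
```

On the sample, two of the three contacts are flagged, and the summary decodes to three targets, none busy or congested, all three counted as unavailable.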

That’s not nothing, dialplan executed and it tried to dial three targets. The output of “pjsip set logger on” shows nothing going out?

Hi,
As I was about to record an example, the signaling and transmission are working again.
I can’t really explain to myself why it is working again, but it is.

On previous tests I was listening with tcpdump for outgoing SIP packages and didn’t see any traffic going out. I know this isn’t helpful for asterisk internal stuff.

I will keep watching the issue and report back with examples of “pjsip set debugger on” as soon as possible.
