No sound between extensions

Having installed a working asterisk server on my LAN behind a NAT router I decided to move the the same asterisk server setup to AWS Litghtsail thinking it would be simple.

So far I have not been able to get sound between any extensions.

Details:

OS: Ubuntu 24.04.3 LTS x86_64

Asterisk Version: Asterisk 20.6.0~dfsg+~cs6.13.40431414-2build5

[transport-udp-nat]
type = transport
protocol = udp
bind = 0.0.0.0
; NAT settings
local_net = [AWS Private internal IP]
local_net = 127.0.0.1/32
local_net = 192.168.0.0/16
external_media_address = [AWS Public IP]
external_signaling_address = [AWS Public IP]

endpoint-internal-d70
type = endpoint
disallow = all
allow = ulaw
direct_media = no
transport = transport-udp-nat
media_address = [my LAN external IP]
rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes
trust_id_outbound = yes
device_state_busy_at = 1
dtmf_mode = rfc4733

auth-userpass
type = auth
auth_type = userpass

aor-single-reg
type = aor
max_contacts = 2

Incoming calls reach the IVR and the message option can be heard. The selected option rings the appropriate extension. When answering the extension there is no sound either way.

The extensions ring each other, but when answered there is no sound either way.

The AWS server has iptables opening the follow ports:

TRUSTED_ADDR=[AWS Public IP],[AWS Private internal IP],[my LAN external IP]

iptables -A INPUT -p tcp -m tcp -s $TRUSTED_ADDR --dport 4569:5069 -j ACCEPT

iptables -A INPUT -p udp -m udp -s $TRUSTED_ADDR --dport 4569:5069 -j ACCEPT

iptables -A INPUT -p tcp -m tcp -s $TRUSTED_ADDR --dport 5080 -j ACCEPT

iptables -A INPUT -p udp -m udp -s $TRUSTED_ADDR --dport 5080 -j ACCEPT

iptables -A INPUT -p tcp -m tcp -s $TRUSTED_ADDR --dport 9999:20001 -j ACCEPT

iptables -A INPUT -p udp -m udp -s $TRUSTED_ADDR --dport 9999:20001 -j ACCEPT

The same ports are open on the AWS Lightsail control panel

The LAN router is Openwrt based and I have tried opening all ports to the AWS server public ip but there is still no sound between the extensions.

The console gives the following output when calling between extension:

[2025-10-11 21:30:34] SECURITY[3777]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-10-11T21:30:34.644+0000”,Severity=“Informational”,Service=“PJSIP”,EventVersion=“1”,AccountID=“5413”,SessionID=“1_4176616945@192.168.16.122”,LocalAddress=“IPV4/UDP/[AWSPrivateIP]/5060”,RemoteAddress=“IPV4/UDP/[myLANPublicIP]/5060”,UsingPassword=“1”– Executing [5411@Long-Distance:1] NoOp(“PJSIP/5413-00000002”, “”) in new stack– Executing [5411@Long-Distance:2] Set(“PJSIP/5413-00000002”, “CDR_PROP(disable)=1”) in new stack– Executing [5411@Long-Distance:3] Goto(“PJSIP/5413-00000002”, “Internal-Main,5411,1”) in new stack– Goto (Internal-Main,5411,1)– Executing [5411@Internal-Main:1] Verbose(“PJSIP/5413-00000002”, “1, “User 5413 dialed 5411.””) in new stack“User 5413 dialed 5411.”– Executing [5411@Internal-Main:2] Set(“PJSIP/5413-00000002”, “SAC_DIALED_EXTEN=5411”) in new stack– Executing [5411@Internal-Main:3] GotoIf(“PJSIP/5413-00000002”, “0?dialed-BUSY,1:”) in new stack– Executing [5411@Internal-Main:4] Dial(“PJSIP/5413-00000002”, “PJSIP/5411,30,t,T”) in new stack– Called PJSIP/5411– PJSIP/5411-00000003 is ringing

0x737850295fd0 – Strict RTP learning after remote address set to: 192.168.16.188:7078– PJSIP/5411-00000003 answered PJSIP/5413-000000020x7378502bd150 – Strict RTP learning after remote address set to: 192.168.16.122:12760– Channel PJSIP/5411-00000003 joined ‘simple_bridge’ basic-bridge <96b185ed-7691-4bd5-a753-63ed3f1b1b84>– Channel PJSIP/5413-00000002 joined ‘simple_bridge’ basic-bridge <96b185ed-7691-4bd5-a753-63ed3f1b1b84>– Channel PJSIP/5411-00000003 left ‘simple_bridge’ basic-bridge <96b185ed-7691-4bd5-a753-63ed3f1b1b84>– Channel PJSIP/5413-00000002 left ‘simple_bridge’ basic-bridge <96b185ed-7691-4bd5-a753-63ed3f1b1b84>== Spawn extension (Internal-Main, 5411, 4) exited non-zero on ‘PJSIP/5413-00000002’– Executing [h@Internal-Main:1] Hangup(“PJSIP/5413-00000002”, “”) in new stack== Spawn extension (Internal-Main, h, 1) exited non-zero on ‘PJSIP/5413-00000002’

After around 30 seconds the call hangs up.

I clearly have something not configure correctly, but I cannot workout what it is so far.

Any pointers would be appreciated.

with pjsip set logger on the output of a call between extension is as follows:

<— Received SIP request (422 bytes) from UDP:[MY-LAN-IP]:11346 —>
BYE sip:asterisk@[AWS-PUB-IP]:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.16.188:5060;branch=z9hG4bK.PgFmLDqvC;rport
From: sip:5411@MY-LAN-IP;tag=gpfV2Uj
To: “Yea Link” sip:5413@AWS-PRIVATE-IP;tag=5f1b3782-022b-4b7f-a008-7c3a338aa68b
CSeq: 111 BYE
Call-ID: 803ae0cd-52da-457c-b199-efa66110046b
Max-Forwards: 70
User-Agent: Linphone Desktop/4.4.10 (imac) Debian GNU/Linux 12 (bookworm), Qt 5.15.8 LinphoneCore/5.1.65

<— Transmitting SIP response (378 bytes) to UDP:[MY-LAN-IP]:11346 —>
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.16.188:5060;rport=11346;received=[MY-LAN-IP];branch=z9hG4bK.PgFmLDqvC
Call-ID: 803ae0cd-52da-457c-b199-efa66110046b
From: sip:5411@MY-LAN-IP;tag=gpfV2Uj
To: “Yea Link” sip:5413@AWS-PRIVATE-IP;tag=5f1b3782-022b-4b7f-a008-7c3a338aa68b
CSeq: 111 BYE
Server: Asterisk PBX 20.6.0~dfsg+~cs6.13.40431414-2build5
Content-Length: 0

-- Channel PJSIP/5411-00000001 left 'simple_bridge' basic-bridge <1a0bc08a-f484-4a88-9279-175ae04f4800>
-- Channel PJSIP/5413-00000000 left 'simple_bridge' basic-bridge <1a0bc08a-f484-4a88-9279-175ae04f4800>

== Spawn extension (Internal-Main, 5411, 4) exited non-zero on ‘PJSIP/5413-00000000’
– Executing [h@Internal-Main:1] Hangup(“PJSIP/5413-00000000”, “”) in new stack
== Spawn extension (Internal-Main, h, 1) exited non-zero on ‘PJSIP/5413-00000000’
<— Transmitting SIP request (454 bytes) to UDP:[MY-LAN-IP]:5060 —>
BYE sip:5413@[MY-LAN-IP]:5060 SIP/2.0
Via: SIP/2.0/UDP [AWS-PUB-IP]:5060;rport;branch=z9hG4bKPj4461f431-7992-4f2c-8539-91a4b149a707
From: sip:5411@frankfurt.example.com;tag=1931c3d9-5b55-4513-8f16-d70e1b7c793b
To: sip:5413@frankfurt.example.com;tag=4179621216
Call-ID: 1_4179677945@192.168.16.122
CSeq: 13148 BYE
Reason: Q.850;cause=16
Max-Forwards: 70
User-Agent: Asterisk PBX 20.6.0~dfsg+~cs6.13.40431414-2build5
Content-Length: 0

<— Received SIP response (368 bytes) from UDP:[MY-LAN-IP]:5060 —>
SIP/2.0 200 OK
Via: SIP/2.0/UDP [AWS-PUB-IP]:5060;rport=5060;branch=z9hG4bKPj4461f431-7992-4f2c-8539-91a4b149a707
From: sip:5411@frankfurt.example.com;tag=1931c3d9-5b55-4513-8f16-d70e1b7c793b
To: sip:5413@frankfurt.example.com;tag=4179621216
Call-ID: 1_4179677945@192.168.16.122
CSeq: 13148 BYE
User-Agent: Yealink W70B 146.85.0.50
Content-Length: 0

Try:

iptables -A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT

Let me know it that works for you Slight different take on what you’re added.

This is only the end of the call. All the important parts are missing.

Also please use /var/log/asterisk/full, not the console output.

I don’t have a “full” file only the following:

ls -l /var/log/asterisk/
total 19884
drwxr-xr-x 2 asterisk asterisk 4096 Sep 2 21:58 cdr-csv
drwxr-xr-x 2 asterisk asterisk 4096 Apr 15 2024 cdr-custom
-rw-r–r-- 1 asterisk asterisk 20327536 Oct 12 15:00 messages.log
-rw-r–r-- 1 asterisk asterisk 116 Oct 12 14:32 queue_log
-rw-r–r-- 1 asterisk asterisk 691 Oct 11 21:47 queue_log.1
-rw-r–r-- 1 asterisk asterisk 40 Sep 28 00:00 queue_log.2
-rw-r–r-- 1 asterisk asterisk 40 Sep 21 00:00 queue_log.3
-rw-r–r-- 1 asterisk asterisk 78 Sep 17 06:40 queue_log.4

The messages.log gives the following output during a test call between extensions:

[2025-10-12 14:57:53] SECURITY[1565] res_security_log.c: SecurityEvent=“ChallengeSent”,EventTV=“2025-10-12T14:57:53.056+0000”,Severity=“Informational”,Service=“PJSIP”,EventVersion=“1”,AccountID=“5413”,SessionID=“1_818644071@192.168.16.122”,LocalAddress=“IPV4/UDP/$AWS_PRIVATE_IP/5060”,RemoteAddress=“IPV4/UDP/$LAN_IP/22174”,Challenge=“”
[2025-10-12 14:57:53] SECURITY[1565] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-10-12T14:57:53.079+0000”,Severity=“Informational”,Service=“PJSIP”,EventVersion=“1”,AccountID=“5413”,SessionID=“1_818644071@192.168.16.122”,LocalAddress=“IPV4/UDP/$AWS_PRIVATE_IP/5060”,RemoteAddress=“IPV4/UDP/$LAN_IP/22174”,UsingPassword=“1”

The console information posted above shows everything from the very start of the test call. The call cuts off at 30 second every time with no sound in either direction.

You need to adjust logger.conf.

The key point is that the log files contain timestamps, which can sometimes be important.

Thanks for your suggestion. I have tried these rule and there was still no sound.

I have also opened all the the port on the AWS console firewall from my LAN ip and opened all the ports on my LAN firewall to the VOIP server public IP along with the following rule on the AWS server:

iptables -A INPUT -p udp -m udp -s $TRUSTED_ADDR --dport 1:65535 -j ACCEPT

Still no sound!

No it doesn’t . A call always starts with an INVITE request. You have none.

Thanks David,

I have adjusted the logger and tried another test call between extensions. The console output is as follows:

frankfurtCLI> sip set debug on
SIP Debugging enabled
frankfurtCLI> module logger reload
No such command ‘module logger reload’ (type ‘core show help module logger reload’ for other possible commands)
[2025-10-12 15:40:57] SECURITY[2073]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=“ChallengeSent”,EventTV=“2025-10-12T15:40:57.989+0000”,Severity=“Informational”,Service=“PJSIP”,EventVersion=“1”,AccountID=“5413”,SessionID=“1_824529756@192.168.16.122”,LocalAddress=“IPV4/UDP/$AWS_PRIVATE_IP/5060”,RemoteAddress=“IPV4/UDP/$LAN_IP/22174”,Challenge=“”
[2025-10-12 15:40:58] SECURITY[2073]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent=“SuccessfulAuth”,EventTV=“2025-10-12T15:40:58.011+0000”,Severity=“Informational”,Service=“PJSIP”,EventVersion=“1”,AccountID=“5413”,SessionID=“1_824529756@192.168.16.122”,LocalAddress=“IPV4/UDP/$AWS_PRIVATE_IP/5060”,RemoteAddress=“IPV4/UDP/$LAN_IP/22174”,UsingPassword=“1”
– Executing [5411@Long-Distance:1] NoOp(“PJSIP/5413-00000002”, “”) in new stack
– Executing [5411@Long-Distance:2] Set(“PJSIP/5413-00000002”, “CDR_PROP(disable)=1”) in new stack
– Executing [5411@Long-Distance:3] Goto(“PJSIP/5413-00000002”, “Internal-Main,5411,1”) in new stack
– Goto (Internal-Main,5411,1)
– Executing [5411@Internal-Main:1] Verbose(“PJSIP/5413-00000002”, “1, “User 5413 dialed 5411.””) in new stack
“User 5413 dialed 5411.”
– Executing [5411@Internal-Main:2] Set(“PJSIP/5413-00000002”, “SAC_DIALED_EXTEN=5411”) in new stack
– Executing [5411@Internal-Main:3] GotoIf(“PJSIP/5413-00000002”, “0?dialed-BUSY,1:”) in new stack
– Executing [5411@Internal-Main:4] Dial(“PJSIP/5413-00000002”, “PJSIP/5411,30,t,T”) in new stack
– Called PJSIP/5411
– PJSIP/5411-00000003 is ringing

0x7f9d30304b50 – Strict RTP learning after remote address set to: 192.168.16.188:7078
– PJSIP/5411-00000003 answered PJSIP/5413-00000002
0x7f9d302d3030 – Strict RTP learning after remote address set to: 192.168.16.122:11808
– Channel PJSIP/5411-00000003 joined ‘simple_bridge’ basic-bridge <361fcbb3-aff7-4899-b321-54ad9d30d839>
– Channel PJSIP/5413-00000002 joined ‘simple_bridge’ basic-bridge <361fcbb3-aff7-4899-b321-54ad9d30d839>
– Channel PJSIP/5411-00000003 left ‘simple_bridge’ basic-bridge <361fcbb3-aff7-4899-b321-54ad9d30d839>
– Channel PJSIP/5413-00000002 left ‘simple_bridge’ basic-bridge <361fcbb3-aff7-4899-b321-54ad9d30d839>
== Spawn extension (Internal-Main, 5411, 4) exited non-zero on ‘PJSIP/5413-00000002’
– Executing [h@Internal-Main:1] Hangup(“PJSIP/5413-00000002”, “”) in new stack
== Spawn extension (Internal-Main, h, 1) exited non-zero on ‘PJSIP/5413-00000002’
frankfurt*CLI>

The log file full.log spits out load of information. The start is as follows:

[2025-10-12 15:40:57] DEBUG[2031] res_pjsip/pjsip_distributor.c: Could not find matching transaction for Request msg INVITE/cseq=1 (rdata0x7f9d302c14e8)
[2025-10-12 15:40:57] DEBUG[2031] res_pjsip/pjsip_distributor.c: Calculated serializer pjsip/distributor-00000034 to use for Request msg INVITE/cseq=1 (rdata0x7f9d302c14e8)
[2025-10-12 15:40:57] DEBUG[2032] netsock2.c: Splitting ‘$LAN_IP’ into…[2025-10-12 15:40:57] DEBUG[2032] netsock2.c: …host ‘$LAN_IP’ and port ‘’.
[2025-10-12 15:40:57] DEBUG[2032] res_pjsip_endpoint_identifier_ip.c: Source address $LAN_IP:22174 does not match identify ‘aaisptrunk’[2025-10-12 15:40:57] DEBUG[2032] res_pjsip_endpoint_identifier_user.c: Attempting identify by From username ‘5413’ domain ‘frankfurt.example.com’
[2025-10-12 15:40:57] DEBUG[2032] res_pjsip_endpoint_identifier_user.c: Identified by From username ‘5413’ domain ‘frankfurt.example.com’[2025-10-12 15:40:57] DEBUG[2032] res_pjsip_authenticator_digest.c: Using default realm ‘asterisk’ on incoming auth ‘5413’.
[2025-10-12 15:40:57] DEBUG[2032] res_pjsip_authenticator_digest.c: Realm: asterisk Username: ************************ Result: NOAUTH[2025-10-12 15:40:57] DEBUG[2032] netsock2.c: Splitting ‘$AWS_PRIVATE_IP’ into…
[2025-10-12 15:40:57] DEBUG[2032] netsock2.c: …host ‘$AWS_PRIVATE_IP’ and port ‘’.
[2025-10-12 15:40:57] DEBUG[2032] netsock2.c: Splitting ‘$LAN_IP’ into…[2025-10-12 15:40:57] DEBUG[2032] netsock2.c: …host ‘$LAN_IP’ and port ‘’.
[2025-10-12 15:40:57] DEBUG[2032] netsock2.c: Splitting ‘$LAN_IP’ into…[2025-10-12 15:40:57] DEBUG[2032] netsock2.c: …host ‘$LAN_IP’ and port ‘’.

I can post more information from the full.log file, but it may have too much text output to post on a forum thread!

full.log.txt (132.0 KB)

I have done another test call between extensions and attached the text of the full.log file.

Any advice would be appreciated.

No pjsip set logger on in effect, or verbosity not high enough.

full-log.txt (185.7 KB)

Apologies, I don’t think I set the debug mode correctly for the previous log file so I’ve had another go.

Any suggestions would be appreciated.

[2025-10-19 11:54:16] VERBOSE[26847] res_pjsip_logger.c: <--- Received SIP request (1254 bytes) from UDP:[LAN_PUBLIC_IP]:37229 --->

This should have the remote party’s public IP, not yours. If they are the same, it should have the private IP.

Via: SIP/2.0/UDP 192.168.16.188:5060;rport=37229;received=[LAN_PUBLIC_IP];branch=z9hG4bK.WL4CaPvzb

If this should be a public address, the remote Asterisk hasn’t been correctly configured for being behind NAT, as it should be showing its external signalling address, not its LAN address. However, it may be that it is being misrouted in a way that causes it to look like it came from the public side.

Thanks David,

I adjusted the config to the following and it now works:

endpoint-internal-d70
type = endpoint
disallow = all
allow = ulaw
direct_media = no
transport = transport-udp-nat
media_address = [AWS_PUBLIC_IP]
rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes
trust_id_outbound = yes
device_state_busy_at = 1
dtmf_mode = rfc4733

I guess wasn’t clear on which pubic IP was required here!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.