No SRTP exchange issue


#1

Dear Asterisk Support Team,
I’m trying to troubleshoot an issue between Android Linphone and Asterisk 15.3 which has now become a showstopper for us.
Let me describe my architecture:

  1. COTURN server for STUN/TURN and this is working correctly
  2. Asterisk 15.3
  3. Chrome and JsSIP for the desktop inhouse application

Asterisk main settings for the users:

direct_media=no
disallow=all
allow=ulaw
allow=alaw
allow=opus
allow=vp8
allow=h264
ice_support=yes
rtcp_mux=yes
force_rport=yes
preferred_codec_only=yes ; added for testing
rtp_symmetric=yes
;asymmetric_rtp_codec=no
disable_direct_media_on_nat=yes
use_avpf=yes
bundle=yes
max_audio_streams=10
max_video_streams=10
webrtc=yes
dtls_cert_file=/etc/certs/fullchain.cer
dtls_private_key=/etc/certs/private.key
dtls_ca_file=/etc/certs/ca.cer

Scenarios:

a) Chrome -> Chrome
everything works fine, video calls running smoothly

b) Android Linphone -> Chrome
everything works fine, video calls running smoothly
On Asterisk I see that the locking of media sources for both android and chrome works fine and I have both audio and video media (local and remote).
No errors reported by Asterisk.

c) Chrome -> Android Linphone
issue: no remote audio/video both on linphone and chrome and after a while the call drops automatically

On Asterisk I see that the locking of audio/video media source for android never happens while it completes correctly for the desktop side
Asterisk logs:
       [Sep  6 09:37:10] WARNING[32706][C-0000000c]: res_rtp_asterisk.c:2877 __rtp_recvfrom: PJ ICE Rx error status code: 370401 'Unauthorized'.
       [Sep  6 09:37:10] WARNING[31963]: res_rtp_asterisk.c:1135 ast_rtp_on_turn_rx_rtp_data: PJ ICE Rx error status code: 370401 'Unauthorized'.

 These logs above seem related to the android side.

d) Android Linphone -> Android Linphone
issue: same as above

e) I have tried to disable ICE/TURN on the phones and repeated Android Linphone -> Android Linphone
issue: same as above
on Asterisk logs I see a slightly different message:

[Sep  6 10:25:44] WARNING[3692][C-00000015]: res_rtp_asterisk.c:2877 __rtp_recvfrom: PJ ICE Rx error status code: 370400 'Bad Request'.
[Sep  6 10:25:44] WARNING[3692][C-00000015]: res_rtp_asterisk.c:2877 __rtp_recvfrom: PJ ICE Rx error status code: 370400 'Bad Request'.

but again the locking on media sources for android app doesn’t happen.

Apparently the DTLS handshake for the media streams fails, which results in no SRTP keys being exchanged for SRTP operation.
Then no audio/video packet can be decoded in case of incoming calls on Android Linphone.

Could you please help us understand whether there’s anything we can troubleshoot or adjust on the Asterisk side
to solve this issue?

Thanks in advance


#2

The problem seems to be with the Android Linphone. You should break down the specific scenario and eliminate one side. For example: Does originating a call that just does a Playback to the Android Linphone work? When disabling ICE/TURN did you also disable it in Asterisk? Did you get a packet capture to look at the ICE negotiation?


#3

Hello,
thanks for the reply.
I’ve tested as per your suggestions and this is what I’ve found:

  1. Does originating a call that just does a Playback to the Android Linphone work?
    Yes it works fine.
    A: Android Linphone calls the echo extension and I get audio/video playback.
    As explained, the problem arises for incoming calls only.

  2. When disabling ICE/TURN did you also disable it in Asterisk?
    A: Problem is that having webrtc=yes this also enables the following values that are needed
    for webrtc: rtcp_mux, use_avpf, ice_support, and use_received_transport.
    So it seems that I should disable webrtc first but this prevents any audio/video calls so this test seems unsuitable for my setup.

  3. Did you get a packet capture to look at the ICE negotiation?
    A: Yes, I got that tcpdump on the Asterisk server, and strangely I see that Asterisk responds to two subsequent STUN requests in a completely opposite way.
    https://mega.nz/#!q2JCnQbB!XXxXmSFgNK-SyuRwyJMY6uWxgIi6Q_Wvz-zcj1Y_ITc
    In attached packet capture, have a look at frames 435 and 437:

Frame 435 is from Linphone Android on audio port (192.168.5.110:7076) and this is answered successfully by Asterisk (192.168.5.220:51024)
Frame 437 is from Linphone Android on video port (192.168.5.110:9078) and response is “401 Unauthorized” by Asterisk (192.168.5.220:56756)

So it seems to me that ICE exchange for audio is fine (codecs available are opus, PCMU, PCMA) while it fails for video which has VP8 as only allowed codec.

IP addresses are:

192.168.5.220 Asterisk
192.168.5.212 TURN/STUN server
192.168.5.110 Android Linphone

Any idea why Asterisk responds with unauthorized?

Thanks


#4
  1. That’s not the same as what I was asking though. An originate would make an outgoing call to the Android Linphone and send it into the dialplan. To Asterisk that is an outgoing call, to the Android Linphone it is an incoming call which matches what you said wasn’t working.

  2. Does Linphone actually require all of these WebRTC options, as it’s not a WebRTC client? The WebRTC option also explicitly enables features which are mandatory in WebRTC and turns them on regardless of the actual negotiation. It is not meant to be used with a client that does not fully implement it. It may entirely be possible that that is the cause of the problem, for example if Linphone does not implement bundle (or turn it on) then things would go poorly. You CAN enable most of the options individually too if specific ones are required.

  3. I’d need to see the SIP side as well to see if it is actually implementing the full WebRTC spec.
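
Post #4 asks to see the SIP side to judge whether the client implements what webrtc=yes turns on. As an added example that is not part of the thread, this Python check reads an SDP body and lists, per media section, which of those features are absent; the function name, the `dtls_fingerprint` label and both sample SDP bodies are constructed for illustration.

```python
# Added example; webrtc_gaps and both SDP bodies are constructed (trimmed SDP).
def webrtc_gaps(sdp):
    """Per m= section, list features webrtc=yes assumes that the SDP lacks."""
    session, media, cur = [], [], None
    for line in map(str.strip, sdp.splitlines()):
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            cur = {"kind": kind, "proto": proto, "attrs": []}
            media.append(cur)
        elif line.startswith("a="):
            (cur["attrs"] if cur else session).append(line[2:])
    has = lambda attrs, n: any(a == n or a.startswith(n + ":") for a in attrs)
    bundled = {t for a in session if a.startswith("group:BUNDLE")
               for t in a.split()[1:]}
    report = []
    for m in media:
        scope = m["attrs"] + session  # ICE/DTLS attributes may be session-level
        mid = next((a[4:] for a in m["attrs"] if a.startswith("mid:")), None)
        checks = [
            ("use_avpf", m["proto"].endswith("AVPF")),
            ("rtcp_mux", has(m["attrs"], "rtcp-mux")),
            ("ice_support", has(scope, "ice-ufrag") and has(scope, "ice-pwd")),
            ("dtls_fingerprint", has(scope, "fingerprint")),
            ("bundle", mid in bundled),
        ]
        report.append((m["kind"], [name for name, ok in checks if not ok]))
    return report

BROWSER_LIKE = """v=0
a=group:BUNDLE 0 1
a=ice-ufrag:abcd
a=ice-pwd:0123456789abcdef012345
a=fingerprint:sha-256 AA:BB
m=audio 9 UDP/TLS/RTP/SAVPF 111
a=mid:0
a=rtcp-mux
m=video 9 UDP/TLS/RTP/SAVPF 96
a=mid:1
a=rtcp-mux"""
SEPARATE_STREAMS = """v=0
m=audio 7076 UDP/TLS/RTP/SAVPF 96 0 8
a=ice-ufrag:efgh
a=ice-pwd:fedcba9876543210fedcba
a=fingerprint:sha-256 CC:DD
m=video 9078 RTP/AVP 97
a=ice-ufrag:ijkl
a=ice-pwd:00112233445566778899aa"""
if __name__ == "__main__":
    print(webrtc_gaps(SEPARATE_STREAMS))
```

Feed it the SDP body from the client's INVITE or 200 OK; any non-empty list marks an option to set individually on that endpoint instead of relying on webrtc=yes.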


#5

Thanks jcolp
Your point 2) is really helpful because disabling webrtc specifically for the Android Linphone
solved the issue.

Many thanks