Non-standard TLS port, Asterisk 14


#1

Hello, everyone.

The TLS port of my installation is 58790, not 5061.
I have a problem and it will drive me crazy.

Glossary:
x.x.x.x - external IP of asterisk
10.10.10.246 - internal IP of asterisk
33333 - user Carl
31.173.83.237 - Carl’s registration external IP
10.10.10.45 - internal server 2

When a user from the internet calls my Asterisk, everything goes right until user B picks up the phone.
Then Asterisk sends a 200 OK with IP and port 5061 (!!!)
Here is the 200 message:
<— Reliably Transmitting (NAT) to 31.173.83.237:44340 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 31.173.83.237:44340;branch=z9hG4bK-524287-1—581f629edeb5bc97;received=31.173.83.237;rport=44340
From: sip:33333@x.x.x.x;transport=TLS;tag=2db68136
To: sip:80101@x.x.x.x;transport=TLS;tag=as433be2a7
Call-ID: LvLv8XwkasqrjH9T3b10ow…
CSeq: 2 INVITE
Server: FPBX-14.0.1.4(14.6.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Contact: sip:80101@x.x.x.x:5061;transport=tls
P-Asserted-Identity: “CID:33333” sip:80101@x.x.x.x
Content-Type: application/sdp
Content-Length: 360

The softphone on the other side replies with an ACK to IP:5061. Nothing happens!
The PBX retransmits the 200 OK a few times and then disconnects the call with cause No user responding, 18.

But when I made a translation from external IP:5061 -> internal IP:58790, the call was successful.

Asterisk version - 14.6.0.

My PBX configuration:

sip_general_additional.conf:

vmexten=*97
useragent=FPBX-14.0.1.4(14.6.0)
disallow=all
allow=alaw
callerid=Unknown
notifyringing=yes
notifyhold=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
alwaysauthreject=yes
limitonpeers=yes
media_address=x.x.x.x
alwaysauthreject=yes
rtpend=20000
context=clients_route
rtpstart=10000
tcpenable=yes
callevents=no
tlsprivatekey=/etc/asterisk/keys/asterisk.key
tlscertfile=/etc/asterisk/keys/asterisk.crt
bindport=5060
jbenable=no
checkmwi=10
maxexpiry=3600
minexpiry=60
srvlookup=no
tlsenable=yes
allowguest=no
notifyhold=yes
rtptimeout=30
canreinvite=no
tlsbindaddr=0.0.0.0:58790
rtpkeepalive=0
videosupport=no
defaultexpiry=120
notifyringing=yes
maxcallbitrate=384
rtpholdtimeout=300
g726nonstandard=no
registertimeout=20
tlsclientmethod=sslv2
registerattempts=0
tlsdontverifyserver=yes
nat=force_rport,comedia
ALLOW_SIP_ANON=no
callerid=Unknown
externip=x.x.x.x
localnet=10.10.10.0/24
language=en

sip_general_custom.conf:
externaddr=x.x.x.x
nat=force_rport
localnet=10.10.10.0/255.255.255.0

user configuration:

[33333]
deny=0.0.0.0/0.0.0.0
secret=12345
dtmfmode=rfc2833
canreinvite=no
context=clients_route
host=dynamic
defaultuser=
trustrpid=yes
sendrpid=pai
type=friend
session-timers=accept
nat=force_rport,comedia
port=5060
qualify=yes
qualifyfreq=120
transport=tls,udp
avpf=no
force_avp=no
icesupport=no
rtcp_mux=no
encryption=no
namedcallgroup=
namedpickupgroup=
dial=SIP/33333
permit=0.0.0.0/0.0.0.0
callerid=Carl <33333>
callcounter=yes
faxdetect=no

Example of the call, sip set debug on. Real big.

SIP Debugging enabled

<— SIP read from TLS:31.173.83.237:44340 —>
INVITE sip:80101@x.x.x.x;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 31.173.83.237:44340;branch=z9hG4bK-524287-1—f5d410cd103d55cd;rport
Max-Forwards: 70
Contact: sip:33333@31.173.83.237:44340;transport=TLS
To: sip:80101@x.x.x.x;transport=TLS
From: sip:33333@x.x.x.x;transport=TLS;tag=2db68136
Call-ID: LvLv8XwkasqrjH9T3b10ow…
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
Content-Type: application/sdp
User-Agent: Zoiper rd82a609
Allow-Events: presence, kpml, talk
Content-Length: 820

v=0
o=Zoiper 0 0 IN IP4 192.168.8.100
s=Zoiper
c=IN IP4 192.168.8.100
t=0 0
m=audio 56496 RTP/SAVP 3 0 8 101
a=rtpmap:3 GSM/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+Cr7Xs8+QVpBS+2jKKa/yNlQ==
a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+Cr7Xs8+QVpBS+2jKKa/yNlQ==
a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+Cr7Xs8+QVpBQ=
a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+Cr7Xs8+QVpBQ=
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+C
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+C
<------------->
— (13 headers 18 lines) —
Sending to 31.173.83.237:44340 (NAT)
Sending to 31.173.83.237:44340 (NAT)
Using INVITE request as basis request - LvLv8XwkasqrjH9T3b10ow…
Found peer ‘33333’ for ‘33333’ from 31.173.83.237:44340

<— Reliably Transmitting (NAT) to 31.173.83.237:44340 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 31.173.83.237:44340;branch=z9hG4bK-524287-1—f5d410cd103d55cd;received=31.173.83.237;rport=44340
From: sip:33333@x.x.x.x;transport=TLS;tag=2db68136
To: sip:80101@x.x.x.x;transport=TLS;tag=as56993da8
Call-ID: LvLv8XwkasqrjH9T3b10ow…
CSeq: 1 INVITE
Server: FPBX-14.0.1.4(14.6.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="27f2be1a"
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘LvLv8XwkasqrjH9T3b10ow…’ in 32000 ms (Method: INVITE)

<— SIP read from TLS:31.173.83.237:44340 —>
ACK sip:80101@x.x.x.x;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 31.173.83.237:44340;branch=z9hG4bK-524287-1—f5d410cd103d55cd;rport
Max-Forwards: 70
To: sip:80101@x.x.x.x;transport=TLS;tag=as56993da8
From: sip:33333@x.x.x.x;transport=TLS;tag=2db68136
Call-ID: LvLv8XwkasqrjH9T3b10ow…
CSeq: 1 ACK
Content-Length: 0

<------------->
— (8 headers 0 lines) —

<— SIP read from TLS:31.173.83.237:44340 —>
INVITE sip:80101@x.x.x.x;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 31.173.83.237:44340;branch=z9hG4bK-524287-1—581f629edeb5bc97;rport
Max-Forwards: 70
Contact: sip:33333@31.173.83.237:44340;transport=TLS
To: sip:80101@x.x.x.x;transport=TLS
From: sip:33333@x.x.x.x;transport=TLS;tag=2db68136
Call-ID: LvLv8XwkasqrjH9T3b10ow…
CSeq: 2 INVITE
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
Content-Type: application/sdp
User-Agent: Zoiper rd82a609
Authorization: Digest username="33333",realm="asterisk",nonce="27f2be1a",uri="sip:80101@x.x.x.x;transport=TLS",response="a137ce22357011906853baf363d3034c",algorithm=MD5
Allow-Events: presence, kpml, talk
Content-Length: 820

v=0
o=Zoiper 0 0 IN IP4 192.168.8.100
s=Zoiper
c=IN IP4 192.168.8.100
t=0 0
m=audio 56496 RTP/SAVP 3 0 8 101
a=rtpmap:3 GSM/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+Cr7Xs8+QVpBS+2jKKa/yNlQ==
a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+Cr7Xs8+QVpBS+2jKKa/yNlQ==
a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+Cr7Xs8+QVpBQ=
a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+Cr7Xs8+QVpBQ=
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+C
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:pqjJRl8vmmJpcCJth0ioBH17HFtBETSm7IdHNH+C
<------------->
— (14 headers 18 lines) —
Sending to 31.173.83.237:44340 (NAT)
Using INVITE request as basis request - LvLv8XwkasqrjH9T3b10ow…
Found peer ‘33333’ for ‘33333’ from 31.173.83.237:44340
Found RTP audio format 3
Found RTP audio format 0
Found RTP audio format 8
Found RTP audio format 101
Found audio description format GSM for ID 3
Found audio description format PCMU for ID 0
Found audio description format PCMA for ID 8
Found audio description format telephone-event for ID 101
Capabilities: us - (alaw), peer - audio=(ulaw|gsm|alaw)/video=(nothing)/text=(nothing), combined - (alaw)
Non-codec capabilities (dtmf): us - 0x1 (telephone-event|), peer - 0x1 (telephone-event|), combined - 0x1 (telephone-event|)
Peer audio RTP is at port 192.168.8.100:56496
Looking for 80101 in clients_route (domain x.x.x.x)
sip_route_dump: route/path hop: sip:33333@31.173.83.237:44340;transport=TLS

<— Transmitting (NAT) to 31.173.83.237:44340 —>
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 31.173.83.237:44340;branch=z9hG4bK-524287-1—581f629edeb5bc97;received=31.173.83.237;rport=44340
From: sip:33333@x.x.x.x;transport=TLS;tag=2db68136
To: sip:80101@x.x.x.x;transport=TLS
Call-ID: LvLv8XwkasqrjH9T3b10ow…
CSeq: 2 INVITE
Server: FPBX-14.0.1.4(14.6.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Contact: sip:80101@x.x.x.x:5061;transport=tls
Content-Length: 0

<------------>
Audio is at 16116
Adding codec alaw to SDP
Adding codec ulaw to SDP
Adding non-codec 0x1 (telephone-event) to SDP
Reliably Transmitting (no NAT) to 10.10.10.45:5060:
INVITE sip:80101@10.10.10.45 SIP/2.0
Via: SIP/2.0/UDP 10.10.10.246:5060;branch=z9hG4bK573f737c
Max-Forwards: 70
From: “Carl” sip:33333@10.10.10.246;tag=as194c9746
To: sip:80101@10.10.10.45
Contact: sip:33333@10.10.10.246:5060
Call-ID: 0f887a6b55c4f89d3c648b061fb30dc1@10.10.10.246:5060
CSeq: 102 INVITE
User-Agent: FPBX-14.0.1.4(14.6.0)
Date: Wed, 16 Aug 2017 12:35:41 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 275

v=0
o=root 295098476 295098476 IN IP4 x.x.x.x
s=Asterisk PBX 14.6.0
c=IN IP4 x.x.x.x
t=0 0
m=audio 16116 RTP/AVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv


<— Transmitting (NAT) to 31.173.83.237:44340 —>
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS 31.173.83.237:44340;branch=z9hG4bK-524287-1—581f629edeb5bc97;received=31.173.83.237;rport=44340
From: sip:33333@x.x.x.x;transport=TLS;tag=2db68136
To: sip:80101@x.x.x.x;transport=TLS;tag=as433be2a7
Call-ID: LvLv8XwkasqrjH9T3b10ow…
CSeq: 2 INVITE
Server: FPBX-14.0.1.4(14.6.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Contact: sip:80101@x.x.x.x:5061;transport=tls
Content-Length: 0

<------------>

<— SIP read from UDP:10.10.10.45:5060 —>
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 10.10.10.246:5060;branch=z9hG4bK573f737c
From: “Carl” sip:33333@10.10.10.246;tag=as194c9746
To: sip:80101@10.10.10.45;tag=03ff545c99
Call-ID: 0f887a6b55c4f89d3c648b061fb30dc1@10.10.10.246:5060
CSeq: 102 INVITE
Content-Length: 0

<------------->
— (7 headers 0 lines) —

<— SIP read from UDP:10.10.10.45:5060 —>
SIP/2.0 183 Session Progress
Via: SIP/2.0/UDP 10.10.10.246:5060;branch=z9hG4bK573f737c
From: “Carl” sip:33333@10.10.10.246;tag=as194c9746
To: sip:80101@10.10.10.45;tag=03ff545c99
Call-ID: 0f887a6b55c4f89d3c648b061fb30dc1@10.10.10.246:5060
CSeq: 102 INVITE
Contact: sip:80101@10.10.10.45:5060;transport=udp
Supported: 100rel, replaces, norefersub
Allow-Events: refer
Allow: INVITE, ACK, CANCEL, BYE, REFER, PRACK, INFO, UPDATE
Accept: application/sdp
User-Agent: snomONE/5.1.2
Content-Type: application/sdp
Content-Length: 238

v=0
o=- 1043134033 1043134033 IN IP4 10.10.10.45
s=-
c=IN IP4 10.10.10.45
t=0 0
m=audio 15978 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv
<------------->
— (14 headers 12 lines) —
sip_route_dump: route/path hop: sip:80101@10.10.10.45:5060;transport=udp
Found RTP audio format 0
Found RTP audio format 8
Found RTP audio format 101
Found audio description format PCMU for ID 0
Found audio description format PCMA for ID 8
Found audio description format telephone-event for ID 101
Capabilities: us - (alaw|ulaw), peer - audio=(ulaw|alaw)/video=(nothing)/text=(nothing), combined - (alaw|ulaw)
Non-codec capabilities (dtmf): us - 0x1 (telephone-event|), peer - 0x1 (telephone-event|), combined - 0x1 (telephone-event|)
Peer audio RTP is at port 10.10.10.45:15978

<— SIP read from UDP:10.10.10.45:5060 —>
SIP/2.0 200 Ok
Via: SIP/2.0/UDP 10.10.10.246:5060;branch=z9hG4bK573f737c
From: “Carl” sip:33333@10.10.10.246;tag=as194c9746
To: sip:80101@10.10.10.45;tag=03ff545c99
Call-ID: 0f887a6b55c4f89d3c648b061fb30dc1@10.10.10.246:5060
CSeq: 102 INVITE
Contact: sip:80101@10.10.10.45:5060;transport=udp
Supported: 100rel, replaces, norefersub
Allow-Events: refer
Allow: INVITE, ACK, CANCEL, BYE, REFER, PRACK, INFO, UPDATE
Accept: application/sdp
User-Agent: snomONE/5.1.2
Content-Type: application/sdp
Content-Length: 238

v=0
o=- 1043134033 1043134033 IN IP4 10.10.10.45
s=-
c=IN IP4 10.10.10.45
t=0 0
m=audio 15978 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv
<------------->
— (14 headers 12 lines) —
sip_route_dump: route/path hop: sip:80101@10.10.10.45:5060;transport=udp
set_destination: Parsing sip:80101@10.10.10.45:5060;transport=udp for address/port to send to
set_destination: set destination to 10.10.10.45:5060
Transmitting (no NAT) to 10.10.10.45:5060:
ACK sip:80101@10.10.10.45:5060;transport=udp SIP/2.0
Via: SIP/2.0/UDP 10.10.10.246:5060;branch=z9hG4bK35924fc6
Max-Forwards: 70
From: “Carl” sip:33333@10.10.10.246;tag=as194c9746
To: sip:80101@10.10.10.45;tag=03ff545c99
Contact: sip:33333@10.10.10.246:5060
Call-ID: 0f887a6b55c4f89d3c648b061fb30dc1@10.10.10.246:5060
CSeq: 102 ACK
User-Agent: FPBX-14.0.1.4(14.6.0)
Content-Length: 0


Audio is at 11318
Adding codec alaw to SDP
Adding non-codec 0x1 (telephone-event) to SDP

<— Reliably Transmitting (NAT) to 31.173.83.237:44340 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 31.173.83.237:44340;branch=z9hG4bK-524287-1—581f629edeb5bc97;received=31.173.83.237;rport=44340
From: sip:33333@x.x.x.x;transport=TLS;tag=2db68136
To: sip:80101@x.x.x.x;transport=TLS;tag=as433be2a7
Call-ID: LvLv8XwkasqrjH9T3b10ow…
CSeq: 2 INVITE
Server: FPBX-14.0.1.4(14.6.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Contact: sip:80101@x.x.x.x:5061;transport=tls
P-Asserted-Identity: “CID:33333” sip:80101@x.x.x.x
Content-Type: application/sdp
Content-Length: 360

v=0
o=root 744232222 744232222 IN IP4 x.x.x.x
s=Asterisk PBX 14.6.0
c=IN IP4 x.x.x.x
t=0 0
m=audio 11318 RTP/SAVP 8 101
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:yCS1Hv05+SyhbKeaWP6LqZW6I6lda8YEMIZM1WIjDEd9mbpH3A+mPef8laraIA==

<------------>

<— SIP read from TLS:31.173.83.237:44340 —>

<------------->
Really destroying SIP dialog ‘guLQqlZDVjBht0UImczxpw…’ Method: REGISTER
Really destroying SIP dialog ‘oXZ4MCfBaprcFzznAY76UA…’ Method: REGISTER

<— SIP read from UDP:10.10.10.45:5060 —>
BYE sip:33333@10.10.10.246:5060 SIP/2.0
Via: SIP/2.0/UDP 10.10.10.45:5060;branch=z9hG4bK-f348cac7836a15eda0aca0e68bcc6004;rport
From: sip:80101@10.10.10.45;tag=03ff545c99
To: “Carl” sip:33333@10.10.10.246;tag=as194c9746
Call-ID: 0f887a6b55c4f89d3c648b061fb30dc1@10.10.10.246:5060
CSeq: 8038 BYE
Max-Forwards: 70
Contact: sip:80101@10.10.10.45:5060;transport=udp
Content-Length: 0

<------------->
— (9 headers 0 lines) —
Sending to 10.10.10.45:5060 (no NAT)
Scheduling destruction of SIP dialog ‘0f887a6b55c4f89d3c648b061fb30dc1@10.10.10.246:5060’ in 32000 ms (Method: BYE)

<— Transmitting (no NAT) to 10.10.10.45:5060 —>
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.10.10.45:5060;branch=z9hG4bK-f348cac7836a15eda0aca0e68bcc6004;received=10.10.10.45;rport=5060
From: sip:80101@10.10.10.45;tag=03ff545c99
To: “Carl” sip:33333@10.10.10.246;tag=as194c9746
Call-ID: 0f887a6b55c4f89d3c648b061fb30dc1@10.10.10.246:5060
CSeq: 8038 BYE
Server: FPBX-14.0.1.4(14.6.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘LvLv8XwkasqrjH9T3b10ow…’ in 32000 ms (Method: INVITE)

I tried all combinations of NAT parameters. Nothing helped.

Maybe someone has faced the same issue? I need Asterisk to reply with contact port 58790 in all TLS packets?

Maybe I can rebuild Asterisk with a default TLS port not equal to 5061?


#2

Please, try ‘externtlsport=58790’ in the general section of your configuration file ‘sip.conf’. Did that help?

Because you use externip, Asterisk does not know whether, besides address mapping, port mapping also happens. Therefore, you have to specify the port explicitly in case you do not use a standard port. You seem to use FreePBX. You might have to report that issue to them, not sure if they are about handling this automatically.
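
Added example, not part of the original thread and not Asterisk or FreePBX code: a small check that compares the TLS port chan_sip listens on with the port it will advertise in Contact when externip/externaddr is set, and pulls the advertised TLS Contact ports out of `sip set debug` output. The function names are hypothetical, the sample inputs are constructed from the settings and the 200 OK quoted in this thread, and it assumes the NAT device forwards the same port number that `tlsbindaddr` uses.

```python
import re

STANDARD_TLS_PORT = 5061  # used when externtlsport is not set

# Constructed samples modelled on the poster's config and 200 OK.
SIP_GENERAL = """\
tlsenable=yes
tlsbindaddr=0.0.0.0:58790
externip=x.x.x.x
localnet=10.10.10.0/24
"""
SIP_DEBUG = """\
SIP/2.0 200 OK
Contact: sip:80101@x.x.x.x:5061;transport=tls
SIP/2.0 200 Ok
Contact: sip:80101@10.10.10.45:5060;transport=udp
"""

def parse_general(text):
    """Parse key=value lines from [general]; the last occurrence of a key wins."""
    opts = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in sip.conf
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def tls_port_check(opts):
    """Return (listen_port, advertised_port) for the TLS transport."""
    m = re.search(r":(\d+)$", opts.get("tlsbindaddr", ""))
    listen = int(m.group(1)) if m else STANDARD_TLS_PORT
    if "externip" in opts or "externaddr" in opts:
        # Behind NAT the external port must be stated explicitly.
        advertised = int(opts.get("externtlsport", STANDARD_TLS_PORT))
    else:
        advertised = listen
    return listen, advertised

def tls_contact_ports(debug_text):
    """Ports found in Contact headers that carry transport=tls."""
    pat = re.compile(r"^Contact:.*?@[^:;>\s]+:(\d+).*transport=tls", re.I | re.M)
    return sorted({int(p) for p in pat.findall(debug_text)})

if __name__ == "__main__":
    listen, advertised = tls_port_check(parse_general(SIP_GENERAL))
    print("listen", listen, "advertised", advertised,
          "seen in debug", tls_contact_ports(SIP_DEBUG))
```

A mismatch between the two ports means clients will send the ACK and any later in-dialog request to a port that nothing forwards, which is the symptom described in post #1.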


#3

This is awesome!! I feel so stupid this moment.
Thank you very much!