PJSIP NAT Issues

Hello,

I did quite some changes to my PBX in the last few months, I changed from chan_sip to pjsip, added 10.0.0.0/255.0.0.0 to my local net as we started using that locally aswell now and changed the softphone. Last week I wanted to take a call while I was on a 4G network but the call just wouldn’t get setup properly. Today I found time to investigate and I made some interesting discoveries:

When I look into the SIP Invite request from phone to PBX I see
Via: SIP/2.0/TLS 10.36.237.48;branch=xxyyzz;rport
so asterisk sees the Internal IP behin the NAT of my 4G provider. I have properly set my external_media_address and external_signalling_address and turned on

rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes

for the endpoint but asterisk sends

v=0
o=- 401937471 3 IN IP4 192.168.254.254
s=Asterisk1
c=IN IP4 192.168.254.254
t=0 0
m=audio 10930 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

in reponse to the Invite. I am surprised to find the LAN IP of my asterisk server in there. Obviously if my phone sends out data to the LAN IP the packets will never reach my server. Shouldn’t asterisk make the check if we should use the LAN or external_*_address based on the actual port/ip (whatever is left after doing the rewrite_contact and force_rport)? Is there any way to get this working properly?

If properly configured and things are as expected then it should behave as you show. I’d suggest providing the actual configuration as well as a complete SIP trace including source IP address/port.

I’ve copied the relevant parts of the config:

[general-settings](!)
sdp_session = MyPBX
tos_audio = ef
tos_video = af41

[default-codecs](!)
disallow = all
allow = g722
allow = g729
allow = alaw
allow = ulaw

[global]
type = global
user_agent = My PBX
default_from_user = My-PBX
default_realm = My-PBX
keep_alive_interval = 60
                            
[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0
external_media_address = external.mynetwork.com
external_signaling_address = external.mynetwork.com
local_net = 192.168.0.0/255.255.0.0
local_net = 10.0.0.0/255.0.0.0
local_net = 172.16.0.0/12
local_net = 169.254.0.0/255.255.0.0
cert_file = /etc/asterisk/certs/myvalid.cert
priv_key_file = /etc/asterisk/certs/myvalid.key
tos = cs3
allow_reload = yes

[Softphone1]
type = aor
max_contacts = 3
remove_existing = yes
qualify_frequency=600
qualify_timeout=300.0

[Softphone1]
type = auth
username = Softphone1
password = Password1

[Softphone1](default-codecs,general-settings)
type = endpoint
context = mainctx
callerid = "Softphone1" <0001>
call_group = 1
pickup_group = 1
mailboxes = 777
auth = Softphone1
outbound_auth = Softphone1
aors = Softphone1
media_encryption = sdes
media_encryption_optimistic = yes
rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes

and removed sensitive information from the trace:

<--- Received SIP request (1022 bytes) from TLS:25.165.11.12:22431 --->
INVITE sip:0002@pbx.mynetwork.com SIP/2.0
Via: SIP/2.0/TLS 10.73.209.9;branch=z9hG4bK-524287-1---36522ed02add9b69;rport
Max-Forwards: 70
Contact: <sip:Softphone1@25.165.11.12:22431;transport=TLS;rinstance=c87c1d8ae4a8ddfd>;+sip.instance="<urn:uuid:9c06fc7e-b421-5420-914b-192e79b48986>"
To: <sip:0002@pbx.mynetwork.com>
From: "Softphone1"<sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
Call-ID: <removed>
CSeq: 1 INVITE
Allow: OPTIONS, INVITE, ACK, CANCEL, BYE, REFER, INFO, NOTIFY, UPDATE, PRACK, SUBSCRIBE, MESSAGE
Content-Type: application/sdp
Supported: replaces, 100rel
User-Agent: Softphone
Content-Length: 331

v=0
o=- 726272326476 1 IN IP4 10.73.209.9
s=Cpc session
c=IN IP4 10.73.209.9
t=0 0
m=audio 49408 RTP/AVP 120 18 0 8 3 101
a=rtpmap:120 opus/48000/2
a=fmtp:120 useinbandfec=1; usedtx=1; maxaveragebitrate=64000
a=rtpmap:18 <--- Transmitting SIP response (534 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---36522ed02add9b69
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=z9hG4bK-524287-1---36522ed02add9b69
CSeq: 1 INVITE
WWW-Authenticate: <Removed>

Server: My PBX
Content-Length:  0


<--- Received SIP request (360 bytes) from TLS:25.165.11.12:22431 --->
ACK sip:0002@pbx.mynetwork.com SIP/2.0
Via: SIP/2.0/TLS 10.73.209.9;branch=z9hG4bK-524287-1---36522ed02add9b69;rport
Max-Forwards: 70
To: <sip:0002@pbx.mynetwork.com>;tag=z9hG4bK-524287-1---36522ed02add9b69
From: "Softphone1"<sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
Call-ID: <removed>
CSeq: 1 ACK
Content-Length: 0


<--- Received SIP request (1311 bytes) from TLS:25.165.11.12:22431 --->
INVITE sip:0002@pbx.mynetwork.com SIP/2.0
Via: SIP/2.0/TLS 10.73.209.9;branch=z9hG4bK-524287-1---8ed422c17808f741;rport
Max-Forwards: 70
Contact: <sip:Softphone1@25.165.11.12:22431;transport=TLS;rinstance=c87c1d8ae4a8ddfd>;+sip.instance="<urn:uuid:9c06fc7e-b421-5420-914b-192e79b48986>"
To: <sip:0002@pbx.mynetwork.com>
From: "Softphone1"<sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
Call-ID: <removed>
CSeq: 2 INVITE
Allow: OPTIONS, INVITE, ACK, CANCEL, BYE, REFER, INFO, NOTIFY, UPDATE, PRACK, SUBSCRIBE, MESSAGE
Content-Type: application/sdp
Supported: replaces, 100rel
User-Agent: Softphone
Authorization: <Removed>

SIP/2.0 100 Trying
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>
CSeq: 2 INVITE
Server: My PBX
Content-Length:  0


<--- Transmitting SIP response (893 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
CSeq: 2 INVITE
Server: My PBX
Contact: <sip:192.168.254.254:5061;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   275

v=0
o=- 422853452 3 IN IP4 192.168.254.254
s=My-PBX
c=IN IP4 192.168.254.254
t=0 0
m=audio 10218 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (893 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
CSeq: 2 INVITE
Server: My PBX
Contact: <sip:192.168.254.254:5061;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   275

v=0
o=- 422853452 3 IN IP4 192.168.254.254
s=My-PBX
c=IN IP4 192.168.254.254
t=0 0
m=audio 10218 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (893 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
CSeq: 2 INVITE
Server: My PBX
Contact: <sip:192.168.254.254:5061;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   275

v=0
o=- 422853452 3 IN IP4 192.168.254.254
s=My-PBX
c=IN IP4 192.168.254.254
t=0 0
m=audio 10218 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (893 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
CSeq: 2 INVITE
Server: My PBX
Contact: <sip:192.168.254.254:5061;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   275

v=0
o=- 422853452 3 IN IP4 192.168.254.254
s=My-PBX
c=IN IP4 192.168.254.254
t=0 0
m=audio 10218 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (893 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
CSeq: 2 INVITE
Server: My PBX
Contact: <sip:192.168.254.254:5061;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   275

v=0
o=- 422853452 3 IN IP4 192.168.254.254
s=My-PBX
c=IN IP4 192.168.254.254
t=0 0
m=audio 10218 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (893 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
CSeq: 2 INVITE
Server: My PBX
Contact: <sip:192.168.254.254:5061;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   275

v=0
o=- 422853452 3 IN IP4 192.168.254.254
s=My-PBX
c=IN IP4 192.168.254.254
t=0 0
m=audio 10218 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (893 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
CSeq: 2 INVITE
Server: My PBX
Contact: <sip:192.168.254.254:5061;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   275

v=0
o=- 422853452 3 IN IP4 192.168.254.254
s=My-PBX
c=IN IP4 192.168.254.254
t=0 0
m=audio 10218 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (893 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
CSeq: 2 INVITE
Server: My PBX
Contact: <sip:192.168.254.254:5061;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   275

v=0
o=- 422853452 3 IN IP4 192.168.254.254
s=My-PBX
c=IN IP4 192.168.254.254
t=0 0
m=audio 10218 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (893 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
CSeq: 2 INVITE
Server: My PBX
Contact: <sip:192.168.254.254:5061;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   275

v=0
o=- 422853452 3 IN IP4 192.168.254.254
s=My-PBX
c=IN IP4 192.168.254.254
t=0 0
m=audio 10218 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (893 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
CSeq: 2 INVITE
Server: My PBX
Contact: <sip:192.168.254.254:5061;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   275

v=0
o=- 422853452 3 IN IP4 192.168.254.254
s=My-PBX
c=IN IP4 192.168.254.254
t=0 0
m=audio 10218 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP response (893 bytes) to TLS:25.165.11.12:22431 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.73.209.9;rport=22431;received=25.165.11.12;branch=z9hG4bK-524287-1---8ed422c17808f741
Call-ID: <removed>
From: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
To: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
CSeq: 2 INVITE
Server: My PBX
Contact: <sip:192.168.254.254:5061;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length:   275

v=0
o=- 422853452 3 IN IP4 192.168.254.254
s=My-PBX
c=IN IP4 192.168.254.254
t=0 0
m=audio 10218 RTP/AVP 18 8 0 101
a=rtpmap:18 G729/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<--- Transmitting SIP request (464 bytes) to TLS:25.165.11.12:22431 --->
BYE sip:Softphone1@25.165.11.12:22431;transport=TLS;rinstance=c87c1d8ae4a8ddfd SIP/2.0
Via: SIP/2.0/TLS 192.168.254.254:5061;rport;branch=z9hG4bKPj93b92412-2966-426b-add5-bc0bd7e3cadc;alias
From: <sip:0002@pbx.mynetwork.com>;tag=4f595e8d-4b5e-4465-8a5f-ce76e18195bf
To: "Softphone1" <sip:Softphone1@pbx.mynetwork.com>;tag=ff5d3c8b
Call-ID: <removed>
CSeq: 19504 BYE
Max-Forwards: 70
User-Agent: My PBX
Content-Length:  0

I hope I didn’t forget anything. When I check using ping command I can see that external.mynetwork.com really resolves to the current external IPv4 address. After I ran core reload I received this, it’s probably not related though:

There are no local system nameservers configured, resorting to system resolution

What version of Asterisk is in use?

Its the EOL Asterisk 15.3, unfortunately I am stuck on that one for like a month or so until the new OpenWRT comes out which will contain a more current version. I hope that is not related to the issues I am seeing.

There were changes to the NAT module, so it certainly could be fixed in a newer version.

I have updated to 16.3.0 now and at first I had the same issue and when I tried it again after some time it suddenly all started to work. No clue what exactly was going on but now it’s all working perfectly again! Thanks for your help!