PJSIP TLS No Audio in asterisk

I have 1 production asterisk server with PJSIP NAT UDP configuration. Because it will be accessed from outside the office, the asterisk will be configured using PJSIP NAT UDP and PJSIP TLS. When calling using PJSIP NAT UDP can listen to sound, but when using PJSIP TLS cannot listen to sound. Here’s the configuration:

pjsip.conf
[simpletrans]
type=transport
protocol=udp
bind=0.0.0.0:5060

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1

[trunk-id]
type=identify
endpoint=trunk-id
match=10.xxx.xxx.xxx

[trunk-id]
type=endpoint
transport=simpletrans
disallow=all
allow=alaw
allow=ulaw
;allow=g711
context=trunk-id-inbound
aors=trunk-id

[trunk-id]
type=aor
contact=sip:10.18.19.201:5060

[Testing]
type = endpoint
context = asyx-internal
transport = transport-tls
disallow = all
allow = ulaw
callerid = Testing <6017>
aors = Testing
auth = Testing
rewrite_contact=yes
media_encryption=no

[Testing]
type = aor
max_contacts = 1

[Testing]
type=auth
auth_type=userpass
username=Testing
password=k4c0akoyee

[Testing2]
type = endpoint
context = asyx-internal
transport = simpletrans
disallow = all
allow = ulaw
callerid = Testing2 <6018>
aors = Testing2
auth = Testing2
rewrite_contact=yes
media_encryption=no

[Testing2]
type = aor
max_contacts = 1

[Testing2]
type=auth
auth_type=userpass
username=Testing2
password=k5c0akoyee

rtp.conf
rtpstart=8000
rtpend=8005

extensions.conf
[asyx-internal]
exten => 6017,1,Dial(PJSIP/Testing,20,t)
exten => 6017,n,Congestion()
exten => 6017,n,Hangup()
exten => 6018,1,Dial(PJSIP/Testing2,20,t)
exten => 6018,n,Congestion()
exten => 6018,n,Hangup()

pjsip log tls
<— Received SIP request (1040 bytes) from TLS:180.243.9.46:37415 —>
INVITE sip:082110760086@36.67.177.57 SIP/2.0
Via: SIP/2.0/TLS 192.168.100.26:61479;rport;branch=z9hG4bKPjc5c26aac9d824d1ebf9b0202597a8c86;alias
Max-Forwards: 70
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57
Contact: sip:94638102@192.168.100.26:61660;transport=tls
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
CSeq: 26434 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.2.0 (Windows)
Content-Type: application/sdp
Content-Length: 429

v=0
o=- 3838739094 3838739094 IN IP4 192.168.100.26
s=Blink 3.2.0 (Windows)
t=0 0
m=audio 50018 RTP/AVP 113 9 0 8 101
c=IN IP4 192.168.100.26
a=rtcp:50019
a=rtpmap:113 opus/48000/2
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=zrtp-hash:1.10 642510d3e4300f63135853c0846766fe4d0d443b76ce88577772f176dc84ffba
a=sendrecv

<— Transmitting SIP response (579 bytes) to TLS:180.243.9.46:37415 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.100.26:61479;rport=37415;received=180.243.9.46;branch=z9hG4bKPjc5c26aac9d824d1ebf9b0202597a8c86;alias
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57;tag=z9hG4bKPjc5c26aac9d824d1ebf9b0202597a8c86
CSeq: 26434 INVITE
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1629725095/e41719b81ae75b47999fa177f60e251f”,opaque=“7f3f9abf18ee0d68”,algorithm=md5,qop=“auth”
Server: Asterisk PBX 16.19.1
Content-Length: 0

<— Received SIP request (442 bytes) from TLS:180.243.9.46:37415 —>
ACK sip:082110760086@36.67.177.57 SIP/2.0
Via: SIP/2.0/TLS 192.168.100.26:61479;rport;branch=z9hG4bKPjc5c26aac9d824d1ebf9b0202597a8c86;alias
Max-Forwards: 70
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57;tag=z9hG4bKPjc5c26aac9d824d1ebf9b0202597a8c86
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
CSeq: 26434 ACK
User-Agent: Blink 3.2.0 (Windows)
Content-Length: 0

<— Received SIP request (1343 bytes) from TLS:180.243.9.46:37415 —>
INVITE sip:082110760086@36.67.177.57 SIP/2.0
Via: SIP/2.0/TLS 192.168.100.26:61479;rport;branch=z9hG4bKPj832eb60593e6429abd28a9775bea8977;alias
Max-Forwards: 70
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57
Contact: sip:94638102@192.168.100.26:61660;transport=tls
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
CSeq: 26435 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.2.0 (Windows)
Authorization: Digest username=“Testing”, realm=“asterisk”, nonce=“1629725095/e41719b81ae75b47999fa177f60e251f”, uri="sip:082110760086@36.67.177.57", response=“c989f77fee6b7b90f9ce2834b098e588”, algorithm=md5, cnonce=“8613f94a59b84f6c992bfcf66cd5862c”, opaque=“7f3f9abf18ee0d68”, qop=auth, nc=00000001
Content-Type: application/sdp
Content-Length: 429

v=0
o=- 3838739094 3838739094 IN IP4 192.168.100.26
s=Blink 3.2.0 (Windows)
t=0 0
m=audio 50018 RTP/AVP 113 9 0 8 101
c=IN IP4 192.168.100.26
a=rtcp:50019
a=rtpmap:113 opus/48000/2
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=zrtp-hash:1.10 642510d3e4300f63135853c0846766fe4d0d443b76ce88577772f176dc84ffba
a=sendrecv

<— Transmitting SIP response (381 bytes) to TLS:180.243.9.46:37415 —>
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.100.26:61479;rport=37415;received=180.243.9.46;branch=z9hG4bKPj832eb60593e6429abd28a9775bea8977;alias
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57
CSeq: 26435 INVITE
Server: Asterisk PBX 16.19.1
Content-Length: 0

<— Transmitting SIP request (944 bytes) to UDP:10.18.19.201:5060 —>
INVITE sip:082110760086@10.18.19.201:5060 SIP/2.0
Via: SIP/2.0/UDP 10.18.19.202:5060;rport;branch=z9hG4bKPjdbb5d7a1-fce8-46c0-88f4-77b7e9869d46
From: sip:02129277600@192.168.1.9;tag=80b83aa9-ba33-43c1-be6f-4395c70fd9e7
To: sip:082110760086@10.18.19.201
Contact: sip:asterisk@10.18.19.202:5060
Call-ID: 63c8bd22-4bfb-4a3a-a3c0-28fffef8b348
CSeq: 25244 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 16.19.1
Content-Type: application/sdp
Content-Length: 261

v=0
o=- 1704294345 1704294345 IN IP4 10.18.19.202
s=Asterisk
c=IN IP4 10.18.19.202
t=0 0
m=audio 22502 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<— Received SIP response (338 bytes) from UDP:10.18.19.201:5060 —>
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 10.18.19.202:5060;branch=z9hG4bKPjdbb5d7a1-fce8-46c0-88f4-77b7e9869d46;rport=5060
From: sip:02129277600@192.168.1.9;tag=80b83aa9-ba33-43c1-be6f-4395c70fd9e7
To: sip:082110760086@10.18.19.201;tag=gK0caeb457
Call-ID: 63c8bd22-4bfb-4a3a-a3c0-28fffef8b348
CSeq: 25244 INVITE
Content-Length: 0

<— Received SIP response (852 bytes) from UDP:10.18.19.201:5060 —>
SIP/2.0 183 Session Progress
Via: SIP/2.0/UDP 10.18.19.202:5060;branch=z9hG4bKPjdbb5d7a1-fce8-46c0-88f4-77b7e9869d46;rport=5060
From: sip:02129277600@192.168.1.9;tag=80b83aa9-ba33-43c1-be6f-4395c70fd9e7
To: sip:082110760086@10.18.19.201;tag=gK0caeb457
Call-ID: 63c8bd22-4bfb-4a3a-a3c0-28fffef8b348
CSeq: 25244 INVITE
Contact: sip:082110760086@10.18.19.201:5060
Allow: INVITE,ACK,CANCEL,BYE,REGISTER,REFER,INFO,SUBSCRIBE,NOTIFY,PRACK,UPDATE,OPTIONS,MESSAGE,PUBLISH
Require: 100rel
RSeq: 296813
Content-Length: 238
Content-Disposition: session; handling=required
Content-Type: application/sdp

v=0
o=Sonus_UAC 120271 105564 IN IP4 10.18.19.201
s=SIP Media Capabilities
c=IN IP4 10.18.19.201
t=0 0
m=audio 18284 RTP/AVP 8 101
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=maxptime:20

<— Transmitting SIP request (442 bytes) to UDP:10.18.19.201:5060 —>
PRACK sip:082110760086@10.18.19.201:5060 SIP/2.0
Via: SIP/2.0/UDP 10.18.19.202:5060;rport;branch=z9hG4bKPj88f46eca-33c9-42c0-902d-a449064b5923
From: sip:02129277600@192.168.1.9;tag=80b83aa9-ba33-43c1-be6f-4395c70fd9e7
To: sip:082110760086@10.18.19.201;tag=gK0caeb457
Call-ID: 63c8bd22-4bfb-4a3a-a3c0-28fffef8b348
CSeq: 25245 PRACK
RAck: 296813 25244 INVITE
Max-Forwards: 70
User-Agent: Asterisk PBX 16.19.1
Content-Length: 0

<— Transmitting SIP response (859 bytes) to TLS:180.243.9.46:37415 —>
SIP/2.0 183 Session Progress
Via: SIP/2.0/TLS 192.168.100.26:61479;rport=37415;received=180.243.9.46;branch=z9hG4bKPj832eb60593e6429abd28a9775bea8977;alias
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57;tag=0b569d51-0e63-4cb0-a17a-a26b180f1a23
CSeq: 26435 INVITE
Server: Asterisk PBX 16.19.1
Contact: sip:192.168.1.9:5061;transport=TLS
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Content-Type: application/sdp
Content-Length: 235

v=0
o=- 3838739094 3838739096 IN IP4 192.168.1.9
s=Asterisk
c=IN IP4 192.168.1.9
t=0 0
m=audio 22274 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<— Received SIP response (333 bytes) from UDP:10.18.19.201:5060 —>
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.18.19.202:5060;branch=z9hG4bKPj88f46eca-33c9-42c0-902d-a449064b5923;rport=5060
From: sip:02129277600@192.168.1.9;tag=80b83aa9-ba33-43c1-be6f-4395c70fd9e7
To: sip:082110760086@10.18.19.201;tag=gK0caeb457
Call-ID: 63c8bd22-4bfb-4a3a-a3c0-28fffef8b348
CSeq: 25245 PRACK
Content-Length: 0

<— Received SIP response (521 bytes) from UDP:10.18.19.201:5060 —>
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 10.18.19.202:5060;branch=z9hG4bKPjdbb5d7a1-fce8-46c0-88f4-77b7e9869d46;rport=5060
From: sip:02129277600@192.168.1.9;tag=80b83aa9-ba33-43c1-be6f-4395c70fd9e7
To: sip:082110760086@10.18.19.201;tag=gK0caeb457
Call-ID: 63c8bd22-4bfb-4a3a-a3c0-28fffef8b348
CSeq: 25244 INVITE
Contact: sip:082110760086@10.18.19.201:5060
Allow: INVITE,ACK,CANCEL,BYE,REGISTER,REFER,INFO,SUBSCRIBE,NOTIFY,PRACK,UPDATE,OPTIONS,MESSAGE,PUBLISH
Require: 100rel
RSeq: 296814
Content-Length: 0

<— Transmitting SIP request (442 bytes) to UDP:10.18.19.201:5060 —>
PRACK sip:082110760086@10.18.19.201:5060 SIP/2.0
Via: SIP/2.0/UDP 10.18.19.202:5060;rport;branch=z9hG4bKPj497e66b5-85ef-48b2-8703-9bead0a1112b
From: sip:02129277600@192.168.1.9;tag=80b83aa9-ba33-43c1-be6f-4395c70fd9e7
To: sip:082110760086@10.18.19.201;tag=gK0caeb457
Call-ID: 63c8bd22-4bfb-4a3a-a3c0-28fffef8b348
CSeq: 25246 PRACK
RAck: 296814 25244 INVITE
Max-Forwards: 70
User-Agent: Asterisk PBX 16.19.1
Content-Length: 0

<— Transmitting SIP response (859 bytes) to TLS:180.243.9.46:37415 —>
SIP/2.0 183 Session Progress
Via: SIP/2.0/TLS 192.168.100.26:61479;rport=37415;received=180.243.9.46;branch=z9hG4bKPj832eb60593e6429abd28a9775bea8977;alias
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57;tag=0b569d51-0e63-4cb0-a17a-a26b180f1a23
CSeq: 26435 INVITE
Server: Asterisk PBX 16.19.1
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Contact: sip:192.168.1.9:5061;transport=TLS
Content-Type: application/sdp
Content-Length: 235

v=0
o=- 3838739094 3838739096 IN IP4 192.168.1.9
s=Asterisk
c=IN IP4 192.168.1.9
t=0 0
m=audio 22274 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<— Received SIP response (333 bytes) from UDP:10.18.19.201:5060 —>
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.18.19.202:5060;branch=z9hG4bKPj497e66b5-85ef-48b2-8703-9bead0a1112b;rport=5060
From: sip:02129277600@192.168.1.9;tag=80b83aa9-ba33-43c1-be6f-4395c70fd9e7
To: sip:082110760086@10.18.19.201;tag=gK0caeb457
Call-ID: 63c8bd22-4bfb-4a3a-a3c0-28fffef8b348
CSeq: 25246 PRACK
Content-Length: 0

<— Received SIP response (668 bytes) from UDP:10.18.19.201:5060 —>
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.18.19.202:5060;branch=z9hG4bKPjdbb5d7a1-fce8-46c0-88f4-77b7e9869d46;rport=5060
From: sip:02129277600@192.168.1.9;tag=80b83aa9-ba33-43c1-be6f-4395c70fd9e7
To: sip:082110760086@10.18.19.201;tag=gK0caeb457
Call-ID: 63c8bd22-4bfb-4a3a-a3c0-28fffef8b348
CSeq: 25244 INVITE
Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay, multipart/mixed
Contact: sip:082110760086@10.18.19.201:5060
Allow: INVITE,ACK,CANCEL,BYE,REGISTER,REFER,INFO,SUBSCRIBE,NOTIFY,PRACK,UPDATE,OPTIONS,MESSAGE,PUBLISH
Require: timer
Supported: timer,replaces
Session-Expires: 1800;refresher=uac
Content-Length: 0

<— Transmitting SIP request (411 bytes) to UDP:10.18.19.201:5060 —>
ACK sip:082110760086@10.18.19.201:5060 SIP/2.0
Via: SIP/2.0/UDP 10.18.19.202:5060;rport;branch=z9hG4bKPj8ceb7b29-e815-448a-87fb-407edbeba344
From: sip:02129277600@192.168.1.9;tag=80b83aa9-ba33-43c1-be6f-4395c70fd9e7
To: sip:082110760086@10.18.19.201;tag=gK0caeb457
Call-ID: 63c8bd22-4bfb-4a3a-a3c0-28fffef8b348
CSeq: 25244 ACK
Max-Forwards: 70
User-Agent: Asterisk PBX 16.19.1
Content-Length: 0

<— Transmitting SIP response (893 bytes) to TLS:180.243.9.46:37415 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.100.26:61479;rport=37415;received=180.243.9.46;branch=z9hG4bKPj832eb60593e6429abd28a9775bea8977;alias
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57;tag=0b569d51-0e63-4cb0-a17a-a26b180f1a23
CSeq: 26435 INVITE
Server: Asterisk PBX 16.19.1
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Contact: sip:192.168.1.9:5061;transport=TLS
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length: 235

v=0
o=- 3838739094 3838739096 IN IP4 192.168.1.9
s=Asterisk
c=IN IP4 192.168.1.9
t=0 0
m=audio 22274 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<— Transmitting SIP response (893 bytes) to TLS:180.243.9.46:37415 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.100.26:61479;rport=37415;received=180.243.9.46;branch=z9hG4bKPj832eb60593e6429abd28a9775bea8977;alias
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57;tag=0b569d51-0e63-4cb0-a17a-a26b180f1a23
CSeq: 26435 INVITE
Server: Asterisk PBX 16.19.1
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Contact: sip:192.168.1.9:5061;transport=TLS
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length: 235

v=0
o=- 3838739094 3838739096 IN IP4 192.168.1.9
s=Asterisk
c=IN IP4 192.168.1.9
t=0 0
m=audio 22274 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<— Transmitting SIP response (893 bytes) to TLS:180.243.9.46:37415 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.100.26:61479;rport=37415;received=180.243.9.46;branch=z9hG4bKPj832eb60593e6429abd28a9775bea8977;alias
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57;tag=0b569d51-0e63-4cb0-a17a-a26b180f1a23
CSeq: 26435 INVITE
Server: Asterisk PBX 16.19.1
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Contact: sip:192.168.1.9:5061;transport=TLS
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length: 235

v=0
o=- 3838739094 3838739096 IN IP4 192.168.1.9
s=Asterisk
c=IN IP4 192.168.1.9
t=0 0
m=audio 22274 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<— Transmitting SIP response (893 bytes) to TLS:180.243.9.46:37415 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.100.26:61479;rport=37415;received=180.243.9.46;branch=z9hG4bKPj832eb60593e6429abd28a9775bea8977;alias
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57;tag=0b569d51-0e63-4cb0-a17a-a26b180f1a23
CSeq: 26435 INVITE
Server: Asterisk PBX 16.19.1
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Contact: sip:192.168.1.9:5061;transport=TLS
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length: 235

v=0
o=- 3838739094 3838739096 IN IP4 192.168.1.9
s=Asterisk
c=IN IP4 192.168.1.9
t=0 0
m=audio 22274 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<— Transmitting SIP response (893 bytes) to TLS:180.243.9.46:37415 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.100.26:61479;rport=37415;received=180.243.9.46;branch=z9hG4bKPj832eb60593e6429abd28a9775bea8977;alias
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57;tag=0b569d51-0e63-4cb0-a17a-a26b180f1a23
CSeq: 26435 INVITE
Server: Asterisk PBX 16.19.1
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Contact: sip:192.168.1.9:5061;transport=TLS
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length: 235

v=0
o=- 3838739094 3838739096 IN IP4 192.168.1.9
s=Asterisk
c=IN IP4 192.168.1.9
t=0 0
m=audio 22274 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<— Transmitting SIP response (893 bytes) to TLS:180.243.9.46:37415 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.100.26:61479;rport=37415;received=180.243.9.46;branch=z9hG4bKPj832eb60593e6429abd28a9775bea8977;alias
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57;tag=0b569d51-0e63-4cb0-a17a-a26b180f1a23
CSeq: 26435 INVITE
Server: Asterisk PBX 16.19.1
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Contact: sip:192.168.1.9:5061;transport=TLS
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length: 235

v=0
o=- 3838739094 3838739096 IN IP4 192.168.1.9
s=Asterisk
c=IN IP4 192.168.1.9
t=0 0
m=audio 22274 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

<— Received SIP request (679 bytes) from UDP:180.243.9.46:58508 —>
SUBSCRIBE sip:Testing2@36.67.177.57 SIP/2.0
Via: SIP/2.0/UDP 192.168.100.26:58508;rport;branch=z9hG4bKPje59c8a277b1946d583a2711af12a7285
Max-Forwards: 70
From: “Testing2” sip:Testing2@36.67.177.57;tag=e03d950ead404e9ea6f75a21042b22b2
To: sip:Testing2@36.67.177.57
Contact: sip:03458917@192.168.100.26:58508
Call-ID: 16720960b4d246dbb61a5986579a6ac4
CSeq: 8925 SUBSCRIBE
Event: message-summary
Expires: 600
Supported: 100rel, replaces, norefersub, gruu
Accept: application/simple-message-summary
Allow-Events: conference, message-summary, dialog, presence, presence.winfo, xcap-diff, dialog.winfo, refer
User-Agent: Blink 3.2.0 (Windows)
Content-Length: 0

<— Transmitting SIP response (573 bytes) to UDP:180.243.9.46:58508 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.100.26:58508;rport=58508;received=180.243.9.46;branch=z9hG4bKPje59c8a277b1946d583a2711af12a7285
Call-ID: 16720960b4d246dbb61a5986579a6ac4
From: “Testing2” sip:Testing2@36.67.177.57;tag=e03d950ead404e9ea6f75a21042b22b2
To: sip:Testing2@36.67.177.57;tag=z9hG4bKPje59c8a277b1946d583a2711af12a7285
CSeq: 8925 SUBSCRIBE
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1629725117/133671d7ad9b778aaeb12e2de5448ea2”,opaque=“30b03eed46f1a5ba”,algorithm=md5,qop=“auth”
Server: Asterisk PBX 16.19.1
Content-Length: 0

<— Received SIP request (979 bytes) from UDP:180.243.9.46:58508 —>
SUBSCRIBE sip:Testing2@36.67.177.57 SIP/2.0
Via: SIP/2.0/UDP 192.168.100.26:58508;rport;branch=z9hG4bKPj4bb571b42dc341f6ab1d07ae580353ca
Max-Forwards: 70
From: “Testing2” sip:Testing2@36.67.177.57;tag=e03d950ead404e9ea6f75a21042b22b2
To: sip:Testing2@36.67.177.57
Contact: sip:03458917@192.168.100.26:58508
Call-ID: 16720960b4d246dbb61a5986579a6ac4
CSeq: 8926 SUBSCRIBE
Event: message-summary
Expires: 600
Supported: 100rel, replaces, norefersub, gruu
Accept: application/simple-message-summary
Allow-Events: conference, message-summary, dialog, presence, presence.winfo, xcap-diff, dialog.winfo, refer
User-Agent: Blink 3.2.0 (Windows)
Authorization: Digest username=“Testing2”, realm=“asterisk”, nonce=“1629725117/133671d7ad9b778aaeb12e2de5448ea2”, uri="sip:Testing2@36.67.177.57", response=“7d536d5f7d0f17ca02d59f77f69fd284”, algorithm=md5, cnonce=“c568949398b043129947a7bd0df1e93c”, opaque=“30b03eed46f1a5ba”, qop=auth, nc=00000001
Content-Length: 0

<— Transmitting SIP response (424 bytes) to UDP:180.243.9.46:58508 —>
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 192.168.100.26:58508;rport=58508;received=180.243.9.46;branch=z9hG4bKPj4bb571b42dc341f6ab1d07ae580353ca
Call-ID: 16720960b4d246dbb61a5986579a6ac4
From: “Testing2” sip:Testing2@36.67.177.57;tag=e03d950ead404e9ea6f75a21042b22b2
To: sip:Testing2@36.67.177.57;tag=z9hG4bKPj4bb571b42dc341f6ab1d07ae580353ca
CSeq: 8926 SUBSCRIBE
Server: Asterisk PBX 16.19.1
Content-Length: 0

<— Transmitting SIP response (893 bytes) to TLS:180.243.9.46:37415 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.100.26:61479;rport=37415;received=180.243.9.46;branch=z9hG4bKPj832eb60593e6429abd28a9775bea8977;alias
Call-ID: 3e1923a8002f415ebc03c782f3f6a142
From: “Testing” sip:Testing@36.67.177.57;tag=d7965f4625464bb394014bbc2e228625
To: sip:082110760086@36.67.177.57;tag=0b569d51-0e63-4cb0-a17a-a26b180f1a23
CSeq: 26435 INVITE
Server: Asterisk PBX 16.19.1
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Contact: sip:192.168.1.9:5061;transport=TLS
Supported: 100rel, timer, replaces, norefersub
Content-Type: application/sdp
Content-Length: 235

v=0
o=- 3838739094 3838739096 IN IP4 192.168.1.9
s=Asterisk
c=IN IP4 192.168.1.9
t=0 0
m=audio 22274 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv

There is no real NAT configuration[1] in this configuration. If something is handling that, then it isn’t Asterisk.

[1] Configuring res_pjsip to work through NAT - Asterisk Project - Asterisk Project Wiki

Thanks for reply, but is that what makes PJSIP TLS finally not sound?

I’m using blink softphone for testing. When calling using UDP, audio can be heard. However, using TLS, audio cannot be heard

Please mark up logs as preformatted text, so we don’t have to guess how the forum software has mangled them, and so that we don’t have to scroll back through the whole log to access an earlier posting. You should be able to do this by an edit.

Did you provide the working example? I got a very little way into the TLS trace and Blink is obviously behind NAT but isn’t compensating, so the first thing to do is to see if Blink can be configured to work properly from behind NAT.

It has a private media address, so will require comedia specifying, but that should be true for UDP as well, unless Blink is misconfigured, or broken, for TLS only. Maybe there is an application level gateway, in the router, at the remote site, that is fixing up the UDP, but can’t see inside the encryption to fix up the TLS.

It’s also sending a private contact address, but I believe that rewrite-contact compensates for that, and Contact tends not to be used with TLS.

It’s also using a private address in the Via, but it has rport, so one doesn’t need to use force-rport in Asterisk, not that it is likely that you could make a successful reciprocal TLS connection, anyway.

Asterisk also seems to be behind NAT and is sending a private media address, so comedia isn’t going to work until you fix that, as the other side won’t know where to send media so that Asterisk can learn its real media address. You certainly need an external media address configuring on Asterisk, and really should have an external signalling one, as well.

Again I’m wondering if you had an application level gateway in a router that was fixing things up, but cannot see inside the encrypted contents. Generally people find that most ALGs break things and it is best to disable them and configure devices to know about NAT properly.

Thanks for reply david, on the router there is an application level gateway that allows PJSIP UDP to talk. Can using UDP NAT, PJSIP TLS work properly? Because before that the configuration was never changed from before I worked in this office. Thank you david

I don’t understand the presence of UDP here. You need to do NAT for both TCP (signalling) and UDP (media), when using TLS.

The appropriate way of securing this combination is to use a VPN (in its original meaning). I don’t know enough about how Asterisk handles TLS authentication to be sure that correctly configuring both sides for NAT wouldn’t break the TLS au;thentication.

Thanks david, I slightly changed the PJSIP NAT configuration to be able to handle signaling and TLS media. Here’s the configuration:
pjsip.conf
[global]
type = global
user_agent = ASTERISK_SERVER

[simpletrans]
type=transport
protocol=udp
bind=0.0.0.0:5062
tos=cs3

[transport-udp-nat]
type=transport
protocol=udp
bind=0.0.0.0:5060
local_net=192.xxx.xxx.xxx/24
local_net=127.0.0.1/24
external_media_address=3.xxx.xxx.xxx
external_signaling_address=3.xxx.xxx.xxx
external_signaling_port=5060

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
local_net=192.xxx.xxx.xxx/24
local_net=127.0.0.1/24
external_media_address=3.xxx.xxx.xxx
external_signaling_address=3.xxx.xxx.xxx
method=tlsv1

[trunk-id]
type=identify
endpoint=trunk-id
match=10.xxx.xxx.xxx

[trunk-id]
type=endpoint
transport=simpletrans
disallow=all
allow=alaw
allow=ulaw
allow=g722
;allow=g711
context=trunk-id-inbound
aors=trunk-id

[trunk-id]
type=aor
contact=sip:10.xxx.xxx.xxx:5060

[Testing]
type = endpoint
context = asyx-internal
transport = transport-tls
disallow = all
allow = g722
callerid = Testing <6017>
aors = Testing
auth = Testing
dtmf_mode = rfc4733
direct_media = no
media_encryption = no
outbound_auth = Testing
rtp_symmetric=yes
rewrite_contact=yes
force_rport=yes

[Testing]
type = aor
max_contacts = 1
remove_existing = yes

[Testing]
type=auth
auth_type=userpass
username=Testing
password=******