Pjsip | TLS/SRTP | 488 Not Acceptable Here

Asterisk Asterisk SIP
1

Hello,
I have this issue when I am trying to call from zoiper to phone and the same from phone to phone:

  • When SRTP is enabled, SIP calls fail to establish.

  • The SIP/2.0 488 Not Acceptable Here error is consistently logged.

  • This issue arises only when SRTP is activated; the system functions normally with SRTP disabled.

Setup Details:

Asterisk Version: Asterisk PBX 20.5.2
SRTP Configuration: Enabled on both Asterisk and client devices.
Codec Used: G722
TLS Certificates: Implemented as per standard guidelines ( self-signed and imported for all devices )

[Jan 10 18:47:07] ERROR[995]: res_pjsip_session.c:937 handle_incoming_sdp:  1101: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)
<--- Transmitting SIP response (374 bytes) to TLS:192.168.10.187:45691 --->
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/TLS 192.168.10.187:38755;rport=45691;received=192.168.10.187;branch=z9hG4bK-524287-1---e097977ae39cdb25
Call-ID: HJk_x3AVAB7MSBkBRGUsYg..
From: <sip:1101@192.168.11.14>;tag=6823480d
To: <sip:11001@192.168.11.14>;tag=28e2d5fa-263f-4e0b-82da-9efafbec324d
CSeq: 2 INVITE
Server: Asterisk PBX 20.5.2
Content-Length:  0

My config:

# file /etc/asterisk/pjsip.conf
[transport-tls]
type=transport
protocol=tls
method=tlsv1_2  ; Use TLS 1.2
bind=0.0.0.0:63521
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key

;================================ ENDPOINT TEMPLATES ==
; Our primary endpoint template for internal desk phones.
[endpoint-internal-d70](!)
; https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample
type                        = endpoint
context                     = Long-Distance
allow                       = !all,g722
device_state_busy_at        = 1
media_encryption            = sdes

[auth-userpass](!)
type                 = auth
auth_type            = userpass

[aor-single-reg](!)
type                 = aor
max_contacts         = 1

;================================
[1101](endpoint-internal-d70)
auth             = 1101
aors             = 1101
callerid         = XXX1 <1101>
media_encryption = sdes
[1101](auth-userpass)
password         = xxx
username         = yyy
[1101](aor-single-reg)
mailboxes        = 1101@example

;================================
[10401](endpoint-internal-d70)
auth             = 10401
aors             = 10401
callerid         = XXX2 <10401>
media_encryption = sdes
[10401](auth-userpass)
password         = xxx
username         = yyy
[10401](aor-single-reg)
mailboxes        = 10401@example

I used provided example from asterisk and then customized a bit.

2

You haven’t included the unacceptable request in your log.

3

@david551 here it is

# asterisk -rvvvv
Asterisk 20.5.2, Copyright (C) 1999 - 2022, Sangoma Technologies Corporation and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'core show license' for details.
=========================================================================
Connected to Asterisk 20.5.2 currently running on sa-tph01 (pid = 593)
sa-tph01*CLI> pjsip set logger on

PJSIP Logging enabled
<--- Received SIP request (3018 bytes) from TLS:192.168.10.187:44551 --->
INVITE sip:11001@192.168.109.14:63521;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 192.168.10.187:38755;branch=z9hG4bK-524287-1---8110fa306a0c0347
Max-Forwards: 70
Contact: <sip:1101@192.168.10.187:38755;transport=tls>
To: <sip:11001@192.168.109.14:63521>
From: <sip:1101@192.168.109.14:63521;transport=TLS>;tag=00ef1268
Call-ID: X1Y7n309rEJG65-agC4ujw..
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
Content-Type: application/sdp
Supported: replaces, norefersub, extended-refer, timer, sec-agree, outbound, path, X-cisco-serviceuri
User-Agent: Zoiper v2.10.19.7
Allow-Events: presence, kpml, talk, as-feature-event
Content-Length: 2318

v=0
o=Zoiper 0 33119686 IN IP4 192.168.10.187
s=Zoiper
c=IN IP4 192.168.10.187
t=0 0
m=audio 48422 RTP/SAVP 9 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
a=rtcp-mux
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:9 AES_CM_256_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:10 AES_CM_256_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:7 AES_CM_192_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:8 AES_CM_192_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+
m=audio 48422 RTP/SAVPF 9 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
a=rtcp-mux
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:9 AES_CM_256_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:10 AES_CM_256_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:7 AES_CM_192_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:8 AES_CM_192_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+
a=rtcp-fb:* nack pli
a=rtcp-fb:* ccm fir

<--- Transmitting SIP response (512 bytes) to TLS:192.168.10.187:44551 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.10.187:38755;rport=44551;received=192.168.10.187;branch=z9hG4bK-524287-1---8110fa306a0c0347
Call-ID: X1Y7n309rEJG65-agC4ujw..
From: <sip:1101@192.168.109.14>;tag=00ef1268
To: <sip:11001@192.168.109.14>;tag=z9hG4bK-524287-1---8110fa306a0c0347
CSeq: 1 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1704910232/f65f2274adadefc891d83aaade278adf",opaque="17a4324a198933c7",algorithm=MD5,qop="auth"
Server: Asterisk PBX 20.5.2
Content-Length:  0


<--- Received SIP request (366 bytes) from TLS:192.168.10.187:44551 --->
ACK sip:11001@192.168.109.14:63521;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 192.168.10.187:38755;branch=z9hG4bK-524287-1---8110fa306a0c0347
Max-Forwards: 70
To: <sip:11001@192.168.109.14>;tag=z9hG4bK-524287-1---8110fa306a0c0347
From: <sip:1101@192.168.109.14:63521;transport=TLS>;tag=00ef1268
Call-ID: X1Y7n309rEJG65-agC4ujw..
CSeq: 1 ACK
Content-Length: 0


<--- Received SIP request (3355 bytes) from TLS:192.168.10.187:44551 --->
INVITE sip:11001@192.168.109.14:63521;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 192.168.10.187:38755;branch=z9hG4bK-524287-1---c0df4125d204b146
Max-Forwards: 70
Contact: <sip:1101@192.168.10.187:38755;transport=tls>
To: <sip:11001@192.168.109.14:63521>
From: <sip:1101@192.168.109.14:63521;transport=TLS>;tag=00ef1268
Call-ID: X1Y7n309rEJG65-agC4ujw..
CSeq: 2 INVITE
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
Content-Type: application/sdp
Supported: replaces, norefersub, extended-refer, timer, sec-agree, outbound, path, X-cisco-serviceuri
User-Agent: Zoiper v2.10.19.7
Authorization: Digest username="usr59be862e66bf471bb49a489d46b06aba",realm="asterisk",nonce="1704910232/f65f2274adadefc891d83aaade278adf",uri="sip:11001@192.168.109.14:63521;transport=TLS",response="bd5619ffea57b3992b3ab89667613a0a",cnonce="6338610441afd3673cb9dcbbeb1c15ad",nc=00000001,qop=auth,algorithm=MD5,opaque="17a4324a198933c7"
Allow-Events: presence, kpml, talk, as-feature-event
Content-Length: 2318

v=0
o=Zoiper 0 33119686 IN IP4 192.168.10.187
s=Zoiper
c=IN IP4 192.168.10.187
t=0 0
m=audio 48422 RTP/SAVP 9 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
a=rtcp-mux
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:9 AES_CM_256_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:10 AES_CM_256_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:7 AES_CM_192_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:8 AES_CM_192_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+
m=audio 48422 RTP/SAVPF 9 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
a=rtcp-mux
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:9 AES_CM_256_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:10 AES_CM_256_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8eGZu3OiAPHkw==
a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:7 AES_CM_192_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:8 AES_CM_192_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+EQDLqmZCz8c=
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:/1nlvPywzijv5/0qX5IalEnIR0NBU9hc+LgRGof+
a=rtcp-fb:* nack pli
a=rtcp-fb:* ccm fir

<--- Transmitting SIP response (320 bytes) to TLS:192.168.10.187:44551 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.10.187:38755;rport=44551;received=192.168.10.187;branch=z9hG4bK-524287-1---c0df4125d204b146
Call-ID: X1Y7n309rEJG65-agC4ujw..
From: <sip:1101@192.168.109.14>;tag=00ef1268
To: <sip:11001@192.168.109.14>
CSeq: 2 INVITE
Server: Asterisk PBX 20.5.2
Content-Length:  0


[Jan 10 19:10:32] ERROR[1333]: res_pjsip_session.c:937 handle_incoming_sdp:  1101: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)
<--- Transmitting SIP response (374 bytes) to TLS:192.168.10.187:44551 --->
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/TLS 192.168.10.187:38755;rport=44551;received=192.168.10.187;branch=z9hG4bK-524287-1---c0df4125d204b146
Call-ID: X1Y7n309rEJG65-agC4ujw..
From: <sip:1101@192.168.109.14>;tag=00ef1268
To: <sip:11001@192.168.109.14>;tag=5a31e9ae-5a7b-452c-87d0-c2510d16836e
CSeq: 2 INVITE
Server: Asterisk PBX 20.5.2
Content-Length:  0


<--- Received SIP request (367 bytes) from TLS:192.168.10.187:44551 --->
ACK sip:11001@192.168.109.14:63521;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 192.168.10.187:38755;branch=z9hG4bK-524287-1---c0df4125d204b146
Max-Forwards: 70
To: <sip:11001@192.168.109.14>;tag=5a31e9ae-5a7b-452c-87d0-c2510d16836e
From: <sip:1101@192.168.109.14:63521;transport=TLS>;tag=00ef1268
Call-ID: X1Y7n309rEJG65-agC4ujw..
CSeq: 2 ACK
Content-Length: 0


<--- Received SIP request (895 bytes) from TLS:192.168.110.30:11993 --->
REGISTER sip:192.168.109.14:63521 SIP/2.0
Via: SIP/2.0/TLS 192.168.110.30:11993;branch=z9hG4bK840140044
From: "11001" <sip:11001@192.168.109.14:63521>;tag=837535005
To: "11001" <sip:11001@192.168.109.14:63521>
Call-ID: 0_837588393@192.168.110.30
CSeq: 21 REGISTER
Contact: <sip:11001@192.168.110.30:11993;transport=TLS>
Authorization: Digest username="usr66ff2e0930004398aa99fafd0ef8d585", realm="asterisk", nonce="1704909934/8b094fd55e6744aed87a03ae6aa37df6", uri="sip:192.168.109.14:63521", response="4bcf556db736f32faec779b736339ef7", algorithm=MD5, cnonce="837786576", opaque="279a83b138141918", qop=auth, nc=00000002
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T31P 124.86.0.40
Expires: 600
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0


<--- Transmitting SIP response (506 bytes) to TLS:192.168.110.30:11993 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.110.30:11993;rport=11993;received=192.168.110.30;branch=z9hG4bK840140044
Call-ID: 0_837588393@192.168.110.30
From: "11001" <sip:11001@192.168.109.14>;tag=837535005
To: "11001" <sip:11001@192.168.109.14>;tag=z9hG4bK840140044
CSeq: 21 REGISTER
WWW-Authenticate: Digest realm="asterisk",nonce="1704910234/52f4df8ab3ee1331d590a8ba4bf4ec61",opaque="1716607333aa0e97",stale=true,algorithm=MD5,qop="auth"
Server: Asterisk PBX 20.5.2
Content-Length:  0


<--- Received SIP request (895 bytes) from TLS:192.168.110.30:11993 --->
REGISTER sip:192.168.109.14:63521 SIP/2.0
Via: SIP/2.0/TLS 192.168.110.30:11993;branch=z9hG4bK840236343
From: "11001" <sip:11001@192.168.109.14:63521>;tag=837535005
To: "11001" <sip:11001@192.168.109.14:63521>
Call-ID: 0_837588393@192.168.110.30
CSeq: 22 REGISTER
Contact: <sip:11001@192.168.110.30:11993;transport=TLS>
Authorization: Digest username="usr66ff2e0930004398aa99fafd0ef8d585", realm="asterisk", nonce="1704910234/52f4df8ab3ee1331d590a8ba4bf4ec61", uri="sip:192.168.109.14:63521", response="06154f60a2bde2ca44c877e558f4c837", algorithm=MD5, cnonce="840242081", opaque="1716607333aa0e97", qop=auth, nc=00000001
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T31P 124.86.0.40
Expires: 600
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0


<--- Transmitting SIP response (459 bytes) to TLS:192.168.110.30:11993 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.110.30:11993;rport=11993;received=192.168.110.30;branch=z9hG4bK840236343
Call-ID: 0_837588393@192.168.110.30
From: "11001" <sip:11001@192.168.109.14>;tag=837535005
To: "11001" <sip:11001@192.168.109.14>;tag=z9hG4bK840236343
CSeq: 22 REGISTER
Date: Wed, 10 Jan 2024 18:10:34 GMT
Contact: <sip:11001@192.168.110.30:11993;transport=TLS>;expires=599
Expires: 600
Server: Asterisk PBX 20.5.2
Content-Length:  0
4

Is the res_srtp module loaded?

5

seems like no, I have loaded it manually and it now says that "that’s now valid extention, but at least it’s saying smth and shows the “lock” icon which means that it’s working.

Why it has not loaded automatically? How to load this module automatically?

6

That depends on your configuration. Module loading is configured in modules.conf, and the sample configuration file will automatically load all installed modules. If you are not using the sample config, then its behavior would be different possibly.

1 Like
7

thanks for your help, I resolved it by just configuring autoload of this module:

# file /etc/asterisk/modules.conf
load = res_srtp.so

The ticket is resolved and could be closed

8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.