arwa
April 30, 2021, 3:14am
1
I configure tls-sip on my server asterisk, my SIP users that is successfully registered .
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
cipher=ADH-AES256-SHA,ADH-AES128-SHA
method=tlsv1
[6006]
type=aor
max_contacts=1
remove_existing=yes
[6006]
type=auth
auth_type=userpass
password=0001
username=6006
[6006]
type=endpoint
aors=6006
auth=6006
context= work
disallow=all
allow=ulaw
allow=alaw
;dtmf_mode=rfc4733
transport=transport-tls
media_encryption=sdes
outbound_auth=6007
outbound_proxy=y.y.y.y:5061
[6007]
type=aor
max_contacts=1
remove_existing=yes
[6007]
type=auth
auth_type=userpass
password=0000
username=6007
[6007] type=endpoint
aors=6007
auth=6007
context= work
disallow=all
allow=ulaw
allow=alaw
;dtmf_mode=rfc4733
transport=transport-tls
media_encryption=sdes
outbound_auth=6007
outbound_proxy=y.y.y.y:5061
the SIP traces using “pjsip set logger on”
<?xml version='1.0' encoding='UTF-8'?>
<presence xmlns:agp-pidf="urn:ag-projects:xml:ns:pidf" xmlns:c="urn:ietf:params:xml:ns:pidf:cipid" xmlns:caps="urn:ietf:params:xml:ns:pidf:caps" xmlns:dm="urn:ietf:params:xml:ns:pidf:data-model" xmlns:rpid="urn:ietf:params:xml:ns:pidf:rpid" xmlns="urn:ietf:params:xml:ns:pidf" entity="sip%3A6007%40192.168.1.39"><tuple id="SID-7f3e2133958829dd184ad91ad2ab5ac8"><status><basic>closed</basic><agp-pidf:extended>offline</agp-pidf:extended></status><caps:servcaps/><c:display-name>arwa</c:display-name><contact>sip%3A6007%40192.168.1.39</contact><timestamp>2021-04-29T22:24:18.697624+02:00</timestamp></tuple><dm:person id="PID-7f3e2133958829dd184ad91ad2ab5ac8"><rpid:activities><rpid:other>offline</rpid:other></rpid:activities><dm:timestamp>2021-04-29T22:24:18.697624+02:00</dm:timestamp></dm:person></presence>
<--- Transmitting SIP response (567 bytes) to TLS:192.168.1.15:54780 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.1.15:54780;rport=54780;received=192.168.1.15;branch=z9hG4bKPj8e93b61b7a8c4a5f8a978bafd1688afb;alias
Call-ID: 09ea9c41752d43aebc24d2a45707307a
From: "arwa" <sip:6007@192.168.1.39>;tag=238e9c4e8af14ff3a4f56a8a561ee3ef
To: "arwa" <sip:6007@192.168.1.39>;tag=z9hG4bKPj8e93b61b7a8c4a5f8a978bafd1688afb
CSeq: 1 PUBLISH
WWW-Authenticate: Digest realm="asterisk",nonce="1619750226/4c78d530c58f8ff75bb71e43455e151a",opaque="12b8ce3369013174",algorithm=md5,qop="auth"
Server: Asterisk PBX 16.17.0
Content-Length: 0
<--- Received SIP request (1593 bytes) from TLS:192.168.1.15:54780 --->
PUBLISH sip:6007@192.168.1.39 SIP/2.0
Via: SIP/2.0/TLS 192.168.1.15:54780;rport;branch=z9hG4bKPj43b3c1e29f3e41ee8ad9086f9156a432;alias
Max-Forwards: 70
From: "arwa" <sip:6007@192.168.1.39>;tag=238e9c4e8af14ff3a4f56a8a561ee3ef
To: "arwa" <sip:6007@192.168.1.39>
Call-ID: 09ea9c41752d43aebc24d2a45707307a
CSeq: 2 PUBLISH
Event: presence
Expires: 600
User-Agent: Blink 3.2.0 (Windows)
Authorization: Digest username="6007", realm="asterisk", nonce="1619750226/4c78d530c58f8ff75bb71e43455e151a", uri="sip:6007@192.168.1.39", response="8f61e590e8dbe9fba2dd9d9983e46725", algorithm=md5, cnonce="78d1eb350f0242c4badf9797ada99e93", opaque="12b8ce3369013174", qop=auth, nc=00000001
Content-Type: application/pidf+xml
Content-Length: 848
But When trying to make a call, I am getting the below error:
[Apr 29 22:41:11] ERROR[2650]: res_pjsip_session.c:936 handle_incoming_sdp: 6007: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)
Can someone help me to resolve this
jcolp
April 30, 2021, 8:52am
2
Your SIP trace is incomplete and does not include any part of a call.
You haven’t provided any part of the failing transaction in you logs. The most common error these days is reflected in the SDP, and is that one side is requesting encryption whereas the other is refusing it.
arwa
April 30, 2021, 1:34pm
4
Yes
jcolp
April 30, 2021, 1:36pm
5
That completely depends on how the other side is configured. If they’re not doing SRTP, then with your configuration the call would fail.
jcolp
April 30, 2021, 10:52pm
7
You have to provide the output of “pjsip set logger on” with an actual call attempt in it, otherwise we are just guessing what the remote side is actually offering.
arwa
April 30, 2021, 10:53pm
8
im using Asterisk 16.17.0 on ubuntu 20.04.2 LTS
the actual PJSIP configuration
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
cipher=ADH-AES256-SHA,ADH-AES128-SHA
method=tlsv1
[6006]
type=aor
max_contacts=1
remove_existing=yes
[6006]
type=auth
auth_type=userpass
password=0001
username=6006
[6006]
type=endpoint
aors=6006
auth=6006
context= work
disallow=all
allow=ulaw
allow=alaw
;dtmf_mode=rfc4733
transport=transport-tls
media_encryption=sdes
outbound_auth=6007
outbound_proxy=y.y.y.y:5061
[6007]
type=aor
max_contacts=1
remove_existing=yes
[6007]
type=auth
auth_type=userpass
password=0000
username=6007
[6007] type=endpoint
aors=6007
auth=6007
context= work
disallow=all
allow=ulaw
allow=alaw
;dtmf_mode=rfc4733
transport=transport-tls
media_encryption=sdes
outbound_auth=6007
outbound_proxy=y.y.y.y:5061
the SIP traces using “pjsip set logger on”sip trace.txt (38.9 KB)
But When trying to make a call, I am getting the below error:
ERROR[2650]: res_pjsip_session.c:936 handle_incoming_sdp: 6007: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)
how can i fixe this ? what part of configuration should i add or remove ???
arwa
May 1, 2021, 12:28am
11
I didn’t understand where the problem was
I thought the DES in SDES meant Data Encryption Standard, but it just mean use the mechanism in the first quote.
Nonetheless, as the codecs look compatible, it is going to be something like that.
This is the relevant part of the log (I’ve removed the INVITE/401/ACK sequence,as it adds nothing). I would hope that enabling debug logging will give more details of what wasn’t acceptable.
<--- Received SIP request (1694 bytes) from TLS:192.168.1.15:51005 --->
INVITE sip:6006@conference.sip2sip.info SIP/2.0
Via: SIP/2.0/TLS 192.168.1.15:51005;rport;branch=z9hG4bKPjdbab5994f1924b28b57679da69676f0d;alias
Max-Forwards: 70
From: "arwa" <sip:6007@192.168.1.32>;tag=37829bb53861461b9b78c3bd97b0ff5f
To: <sip:6006@conference.sip2sip.info>
Contact: <sip:32684975@192.168.1.15:50998;transport=tls>
Call-ID: 8dcf42262ab946068d9f52547b8db1a8
CSeq: 8650 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.2.0 (Windows)
Authorization: Digest username="6007", realm="asterisk", nonce="1619821615/c51103f11581ae47e5745eba8bff42b4", uri="sip:6006@conference.sip2sip.info", response="673cdb81dc39a00dbe439bba58bb770e", algorithm=md5, cnonce="ed6fbb5e1fbb4af5a298f3526aafe783", opaque="007c07ef3c8e0a9a", qop=auth, nc=00000001
Content-Type: application/sdp
Content-Length: 785
v=0
o=- 3828817615 3828817615 IN IP4 192.168.1.15
s=Blink 3.2.0 (Windows)
t=0 0
m=audio 50000 RTP/SAVP 113 9 0 8 101
c=IN IP4 192.168.1.15
a=rtcp:50001
a=rtpmap:113 opus/48000/2
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:BXLqSTggECiQXhbR6h05A0JLrHdxbbEFvpfPxqlI
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:nb07xCTNw97xPR9gm5c9dkFd1jrVd11oCVQRdsRB
a=sendrecv
m=message 2855 TCP/TLS/MSRP *
c=IN IP4 192.168.1.15
a=path:msrps://192.168.1.15:2855/ebf2c97ba76bde2a8356;tcp
a=accept-types:message/cpim text/* image/* application/im-iscomposing+xml
a=accept-wrapped-types:text/* image/* application/im-iscomposing+xml
a=setup:active
<--- Transmitting SIP response (375 bytes) to TLS:192.168.1.15:51005 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.1.15:51005;rport=51005;received=192.168.1.15;branch=z9hG4bKPjdbab5994f1924b28b57679da69676f0d;alias
Call-ID: 8dcf42262ab946068d9f52547b8db1a8
From: "arwa" <sip:6007@192.168.1.32>;tag=37829bb53861461b9b78c3bd97b0ff5f
To: <sip:6006@conference.sip2sip.info>
CSeq: 8650 INVITE
Server: Asterisk PBX 16.17.0
Content-Length: 0
[Apr 30 23:26:55] ERROR[21342]: res_pjsip_session.c:936 handle_incoming_sdp: 6007: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)
<--- Transmitting SIP response (429 bytes) to TLS:192.168.1.15:51005 --->
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/TLS 192.168.1.15:51005;rport=51005;received=192.168.1.15;branch=z9hG4bKPjdbab5994f1924b28b57679da69676f0d;alias
Call-ID: 8dcf42262ab946068d9f52547b8db1a8
From: "arwa" <sip:6007@192.168.1.32>;tag=37829bb53861461b9b78c3bd97b0ff5f
To: <sip:6006@conference.sip2sip.info>;tag=3eb6aeea-01f5-4045-a44c-98ae2631f72d
CSeq: 8650 INVITE
Server: Asterisk PBX 16.17.0
Content-Length: 0
<--- Received SIP request (434 bytes) from TLS:192.168.1.15:51005 --->
ACK sip:6006@conference.sip2sip.info SIP/2.0
Via: SIP/2.0/TLS 192.168.1.15:51005;rport;branch=z9hG4bKPjdbab5994f1924b28b57679da69676f0d;alias
Max-Forwards: 70
From: "arwa" <sip:6007@192.168.1.32>;tag=37829bb53861461b9b78c3bd97b0ff5f
To: <sip:6006@conference.sip2sip.info>;tag=3eb6aeea-01f5-4045-a44c-98ae2631f72d
Call-ID: 8dcf42262ab946068d9f52547b8db1a8
CSeq: 8650 ACK
User-Agent: Blink 3.2.0 (Windows)
Content-Length: 0
arwa
May 1, 2021, 1:38pm
14
So what ?!?!!?! How to fix ??
Don’t have Blink present 4 codecs with Opus and G722 in the first and second order. You’re not matching codecs properly. Blink should only present g711u/a since those are the only codecs you want to use.
1 Like
I don’t think it is a codec issue, because Asterisk will just ignore the codecs that are not in common. Most of these recently have been encryption, although I’m maybe not strong enough on chan_pjsip encryption settings to know exactly what is wrong.
arwa
May 1, 2021, 2:17pm
17
even when i add codecs g722 in endpoints settings in pjsip.conf allow=g722 still not working with the same error
ERROR[2650]: res_pjsip_session.c:936 handle_incoming_sdp: 6007: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)
Does this work over standard UDP and no TLS?
And this is a public CA based cert?
It’s accepted the certificate, otherwise it wouldn’t have been prepared to decrypt the signalling, and we’ve seen logs of the decrypted signalling.
arwa
May 1, 2021, 6:36pm
22
Yes It accepts the certification