Asterisk Version: 11.24.1
FreePBX Distro 10.13.66-17
We started to notice that inbound calls from one sip provider (internetcalls.com) were being rejected as follows:
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [44XXXXXXXXXX@from-sip-external:1] NoOp("SIP/sip.internetcalls.com-00000bbc", "Received incoming SIP connection from unknown peer to 44XXXXXXXXXX") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [44XXXXXXXXXX@from-sip-external:2] Set("SIP/sip.internetcalls.com-00000bbc", "DID=44XXXXXXXXXX") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [44XXXXXXXXXX@from-sip-external:3] Goto("SIP/sip.internetcalls.com-00000bbc", "s,1") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Goto (from-sip-external,s,1)
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/sip.internetcalls.com-00000bbc", "0?checklang:noanonymous") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Goto (from-sip-external,s,5)
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/sip.internetcalls.com-00000bbc", "TIMEOUT(absolute)=15") in new stack
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] func_timeout.c: -- Channel will hangup at 2017-02-01 09:33:25.707 UTC.
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:6] Log("SIP/sip.internetcalls.com-00000bbc", "WARNING,"Rejecting unknown SIP connection from 77.72.169.134"") in new stack
[2017-02-01 09:33:10] WARNING[23991][C-00000b80] Ext. s: "Rejecting unknown SIP connection from 77.72.169.134"
[2017-02-01 09:33:10] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:7] Answer("SIP/sip.internetcalls.com-00000bbc", "") in new stack
[2017-02-01 09:33:11] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:8] Wait("SIP/sip.internetcalls.com-00000bbc", "2") in new stack
[2017-02-01 09:33:13] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:9] Playback("SIP/sip.internetcalls.com-00000bbc", "ss-noservice") in new stack
[2017-02-01 09:33:13] VERBOSE[23991][C-00000b80] file.c: -- <SIP/sip.internetcalls.com-00000bbc> Playing 'ss-noservice.alaw' (language 'en')
[2017-02-01 09:33:18] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:10] PlayTones("SIP/sip.internetcalls.com-00000bbc", "congestion") in new stack
[2017-02-01 09:33:18] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [s@from-sip-external:11] Congestion("SIP/sip.internetcalls.com-00000bbc", "5") in new stack
[2017-02-01 09:33:19] VERBOSE[23991][C-00000b80] pbx.c: == Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/sip.internetcalls.com-00000bbc'
[2017-02-01 09:33:19] VERBOSE[23991][C-00000b80] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/sip.internetcalls.com-00000bbc", "") in new stack
[2017-02-01 09:33:19] VERBOSE[23991][C-00000b80] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/sip.internetcalls.com-00000bbc'
The trunk configuration for this provider looks like this (sip_additional.conf):
[Andy_ICalls_Out]
username=xxx
type=peer
sendrpid=yes
secret=xxx
qualify=yes
nat=no
insecure=port,invite
host=sip.internetcalls.com
fromuser=xxx
fromdomain=internetcalls.com
dtmfmode=rfc2833
canreinvite=yes
authuser=xxx
context=from-trunk-sip-Andy_ICalls_Out
The registration string also uses sip.internetcalls.com as the host url.
dig sip.internetcalls.com returns:
;; ANSWER SECTION:
sip.internetcalls.com. 1121 IN A 77.72.169.134
sip.internetcalls.com. 1121 IN A 77.72.169.129
asterisk sip show peers:
Andy_ICalls_Out/[username] 77.72.169.129 No No 5060 OK (17 ms)
I raised this as a bug on the “Issues” page but was advised by “Joshua Colp” that:
This is not a bug as chan)sip does not allow multiple IP addresses, even when a hostname is provided. It will resolve, and store, only one.
The approach of using multiple peers, one with each IP address, is the way to support this in chan_sip.
I do not doubt this information but it is strange because my configuration above (which uses only a hostname URL in the field “host=sip.internetcalls.com” has worked for a number of years - and has only recently started failing for inbound calls.
There is an asterisk blog which addresses this issue further:
https://blogs.asterisk.org/2016/01/27/the-pjsip-outbound-registration-line-option/
This proposes that under chan_sip the following example configuration should be used:
[inbound-configuration]
type=peer
context=incoming-itsp
disallow=all
allow=ulaw
insecure=host,port
[inbound1](inbound-configuration)
host=94.100.23.82
[inbound2](inbound-configuration)
host=94.100.23.83
[inbound3](inbound-configuration)
host=94.100.23.84
[inbound4](inbound-configuration)
host=94.100.23.85
[inbound5](inbound-configuration)
host=94.100.23.86
Now, using this example above, I am not familiar with the use of the setting “insecure=host, port”. (Bearing in mind I am using Asterisk 11.24.1)
I understood that this is normally either “insecure=very” for asterisk version 1.0.9 or earlier, or for later versions:
insecure=port ; Allow matching of peer by IP address without matching port number;
insecure=invite ; Do not require authentication of incoming INVITEs or
insecure=port,invite ; (both)
Typically used to allow incoming calls (e.g. from FWD) while having a type=friend entry defined with username and password.
It is worth mentioning that although my trunk configuration above DOES have a username and password, this most likely is only being used for outgoing calls. I don’t think the provider uses it to authenticate Inbound calls.
Accordingly, I would appreciate some further guidance on what should be entered in the insecure field in conjunction with “type=peer” as should be used for an inbound and outbound trunk.