SIP SSL Trunk: Asterisk not sending INVITEs after first call

Hello,

I'm having a strange issue when trying to configure Asterisk to work with a TLS trunk. Initially, my configuration and call flow are as follows (Asterisk is not registering to any of them):

UDP Trunk --> Asterisk --> TLS Trunk

After configuring everything, Asterisk is able to process the FIRST call attempt; however, after that call, if I try a new call it hangs and does not progress.

After researching a little it seems that asterisk is processing the call but is not sending that through the network (sip debug shows the second invite but a sniffer on the interface is not showing any outgoing packet).

I've tried this with versions 1.8.10.1, 1.8.11.0 and 10.3.0 and the result was the same in all cases (initially I had installed Trixbox, but in the end I installed these Asterisk versions from source).

My current configuration is:

sip.conf

[general]

tlsenable=yes
tlsdontverifyserver=yes
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
transport=tls,udp
allowguest=no

[XXX]
host=x.x.x.x
port=5061
outboundproxy=tls://x.x.x.x
type=peer
context=from-internal
nat=yes
sendrpid=yes
canreinvite=yes
directrtpsetup=yes
transport=tls

When doing the first call asterisk log shows it progressing:

-- Executing [s@macro-dialout-trunk:19] Dial("SIP/XXXX-00000000", "SIP/XXXX/+ZZZZZZZZZZ,300,") in new stack

== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
Audio is at 10854
Video is at y.y.y.y:16982
Adding codec 0x4 (ulaw) to SDP
Adding codec 0x8 (alaw) to SDP
Adding video codec 0x80000 (h263) to SDP
Adding video codec 0x200000 (h264) to SDP
Adding non-codec 0x1 (telephone-event) to SDP
Reliably Transmitting (NAT) to x.x.x.x:5061:
INVITE sip:+ZZZZZZZZZZ@x.x.x.x:5061 SIP/2.0
Via: SIP/2.0/TLS y.y.y.y:5061;branch=z9hG4bK791bdd56;rport
Max-Forwards: 70
From: "unknown" sip:AAAAAAAAA@y.y.y.y;tag=as32b130bd
To: sip:+ZZZZZZZZZZ@x.x.x.x:5061
Contact: sip:AAAAAAAAA@y.y.y.y:5061;transport=TLS
Call-ID: 500ce0220f7550a211ea86984b945c33@y.y.y.y:5061
CSeq: 102 INVITE
User-Agent: Asterisk PBX 1.8.10.1
Date: Tue, 03 Apr 2012 11:57:42 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Remote-Party-ID: "unknown" sip:AAAAAAAAA@y.y.y.y;party=calling;privacy=off;screen=no
Content-Type: application/sdp
Content-Length: 389

v=0
o=root 1699326560 1699326560 IN IP4 y.y.y.y
s=Asterisk PBX 1.8.10.1
c=IN IP4 y.y.y.y
b=CT:384
t=0 0
m=audio 10854 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=silenceSupp:off - - - -
a=ptime:20
a=sendrecv
m=video 16982 RTP/AVP 34 99
a=rtpmap:34 H263/90000
a=rtpmap:99 H264/90000
a=sendrecv


-- Called SIP/XXXX/+ZZZZZZZZZZ
SSL certificate ok

<--- SIP read from TLS:x.x.x.x:5061 --->
SIP/2.0 100 Trying
From: "unknown"sip:AAAAAAAAA@y.y.y.y;tag=as32b130bd
To: sip:+ZZZZZZZZZZ@x.x.x.x:5061;tag=750b21295925201243143855
Call-ID: 500ce0220f7550a211ea86984b945c33@y.y.y.y:5061
CSeq: 102 INVITE
Server: CS2000_NGSS/8.0
Supported: 100rel
Via: SIP/2.0/TLS y.y.y.y:5061;rport;branch=z9hG4bK791bdd56
Contact: sips:x.x.x.x:5061;transport=TLS
Content-Length: 0

The second call just shows the initial invite, but there is no progress after that:

-- Executing [s@macro-dialout-trunk:19] Dial("SIP/VersoC5-00000002", "SIP/BTSP/+ZZZZZZZZZZ,300,") in new stack

== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
Audio is at 17842
Video is at y.y.y.y:19224
Adding codec 0x4 (ulaw) to SDP
Adding codec 0x8 (alaw) to SDP
Adding video codec 0x80000 (h263) to SDP
Adding video codec 0x200000 (h264) to SDP
Adding non-codec 0x1 (telephone-event) to SDP
Reliably Transmitting (NAT) to x.x.x.x:5061:
INVITE sip:+ZZZZZZZZZZ@x.x.x.x:5061 SIP/2.0
Via: SIP/2.0/TLS y.y.y.y:5061;branch=z9hG4bK6577bba6;rport
Max-Forwards: 70
From: "unknown" sip:AAAAAAAAA@y.y.y.y;tag=as1862aadb
To: sip:+ZZZZZZZZZZ@x.x.x.x:5061
Contact: sip:AAAAAAAAA@y.y.y.y:5061;transport=TLS
Call-ID: 7bf30fdc749264df55ff21c31fbc35d5@y.y.y.y:5061
CSeq: 102 INVITE
User-Agent: Asterisk PBX 1.8.10.1
Date: Tue, 03 Apr 2012 11:58:10 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Remote-Party-ID: "unknown" sip:AAAAAAAAA@y.y.y.y;party=calling;privacy=off;screen=no
Content-Type: application/sdp
Content-Length: 389

v=0
o=root 2023926852 2023926852 IN IP4 y.y.y.y
s=Asterisk PBX 1.8.10.1
c=IN IP4 y.y.y.y
b=CT:384
t=0 0
m=audio 17842 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=silenceSupp:off - - - -
a=ptime:20
a=sendrecv
m=video 19224 RTP/AVP 34 99
a=rtpmap:34 H263/90000
a=rtpmap:99 H264/90000
a=sendrecv

A packet capture of these two attempts shows that during the first call there is a packet exchange between both hosts; however, during the second call nothing is sent from Asterisk:

First Call:

08:57:42.446860 IP Asterisk.36695 > Trunk.sip-tls: S 92333481:92333481(0) win 5840 <mss 1460,sackOK,timestamp 101439 0,nop,wscale 7>
08:57:42.710537 IP Trunk.sip-tls > Asterisk.36695: S 212379161:212379161(0) ack 92333482 win 5792 <mss 1460,sackOK,timestamp 2210421682 101439,nop,wscale 4>
08:57:42.710562 IP Asterisk.36695 > Trunk.sip-tls: . ack 1 win 46 <nop,nop,timestamp 101703 2210421682>
08:57:42.711593 IP Asterisk.36695 > Trunk.sip-tls: P 1:104(103) ack 1 win 46 <nop,nop,timestamp 101704 2210421682>
08:57:42.974076 IP Trunk.sip-tls > Asterisk.36695: . ack 104 win 362 <nop,nop,timestamp 2210421946 101704>
08:57:42.974990 IP Trunk.sip-tls > Asterisk.36695: P 1:1101(1100) ack 104 win 362 <nop,nop,timestamp 2210421946 101704>
08:57:42.975033 IP Asterisk.36695 > Trunk.sip-tls: . ack 1101 win 63 <nop,nop,timestamp 101968 2210421946>
08:57:42.990905 IP Asterisk.36695 > Trunk.sip-tls: . 104:1552(1448) ack 1101 win 63 <nop,nop,timestamp 101983 2210421946>
08:57:42.990912 IP Asterisk.36695 > Trunk.sip-tls: P 1552:1923(371) ack 1101 win 63 <nop,nop,timestamp 101983 2210421946>
08:57:43.254747 IP Trunk.sip-tls > Asterisk.36695: . ack 1923 win 724 <nop,nop,timestamp 2210422226 101983>
08:57:43.291339 IP Trunk.sip-tls > Asterisk.36695: P 1101:1160(59) ack 1923 win 724 <nop,nop,timestamp 2210422263 101983>
08:57:43.291584 IP Asterisk.36695 > Trunk.sip-tls: P 1923:3085(1162) ack 1160 win 63 <nop,nop,timestamp 102284 2210422263>
08:57:43.556736 IP Trunk.sip-tls > Asterisk.36695: P 1160:1634(474) ack 3085 win 905 <nop,nop,timestamp 2210422529 102284>
08:57:43.596309 IP Asterisk.36695 > Trunk.sip-tls: . ack 1634 win 80 <nop,nop,timestamp 102589 2210422529>
08:57:44.348864 IP Trunk.sip-tls > Asterisk.36695: P 1634:2284(650) ack 3085 win 905 <nop,nop,timestamp 2210423321 102589>
08:57:44.348895 IP Asterisk.36695 > Trunk.sip-tls: . ack 2284 win 98 <nop,nop,timestamp 103342 2210423321>
08:57:45.389115 IP Trunk.sip-tls > Asterisk.36695: P 2284:3190(906) ack 3085 win 905 <nop,nop,timestamp 2210424361 103342>
08:57:45.389209 IP Asterisk.36695 > Trunk.sip-tls: . ack 3190 win 115 <nop,nop,timestamp 104382 2210424361>
08:57:47.390880 IP Trunk.sip-tls > Asterisk.36695: P 3190:4096(906) ack 3085 win 905 <nop,nop,timestamp 2210426363 104382>
08:57:47.390908 IP Asterisk.36695 > Trunk.sip-tls: . ack 4096 win 129 <nop,nop,timestamp 106384 2210426363>
08:57:47.391740 IP Asterisk.36695 > Trunk.sip-tls: P 3085:3607(522) ack 4096 win 129 <nop,nop,timestamp 106385 2210426363>
08:57:47.695720 IP Trunk.sip-tls > Asterisk.36695: . ack 3607 win 1086 <nop,nop,timestamp 2210426668 106385>
08:57:47.695746 IP Asterisk.36695 > Trunk.sip-tls: P 3607:4721(1114) ack 4096 win 129 <nop,nop,timestamp 106689 2210426668>
08:57:47.958934 IP Trunk.sip-tls > Asterisk.36695: . ack 4721 win 1267 <nop,nop,timestamp 2210426932 106689>
08:57:47.960712 IP Trunk.sip-tls > Asterisk.36695: P 4096:4570(474) ack 4721 win 1267 <nop,nop,timestamp 2210426933 106689>
08:57:47.975335 IP Trunk.sip-tls > Asterisk.36695: P 4570:5460(890) ack 4721 win 1267 <nop,nop,timestamp 2210426948 106689>
08:57:47.975347 IP Asterisk.36695 > Trunk.sip-tls: . ack 5460 win 157 <nop,nop,timestamp 106968 2210426933>
08:57:47.976031 IP Asterisk.36695 > Trunk.sip-tls: P 4721:5243(522) ack 5460 win 157 <nop,nop,timestamp 106969 2210426933>
08:57:48.279390 IP Trunk.sip-tls > Asterisk.36695: . ack 5243 win 1448 <nop,nop,timestamp 2210427252 106969>
08:57:51.736328 IP Asterisk.36695 > Trunk.sip-tls: P 5243:6357(1114) ack 5460 win 157 <nop,nop,timestamp 110729 2210427252>
08:57:51.999605 IP Trunk.sip-tls > Asterisk.36695: . ack 6357 win 1629 <nop,nop,timestamp 2210430973 110729>
08:57:52.001089 IP Trunk.sip-tls > Asterisk.36695: P 5460:5934(474) ack 6357 win 1629 <nop,nop,timestamp 2210430975 110729>
08:57:52.013414 IP Trunk.sip-tls > Asterisk.36695: P 5934:6824(890) ack 6357 win 1629 <nop,nop,timestamp 2210430985 110729>
08:57:52.013424 IP Asterisk.36695 > Trunk.sip-tls: . ack 6824 win 186 <nop,nop,timestamp 111007 2210430975>
08:57:52.013923 IP Asterisk.36695 > Trunk.sip-tls: P 6357:6879(522) ack 6824 win 186 <nop,nop,timestamp 111007 2210430975>
08:57:52.317394 IP Trunk.sip-tls > Asterisk.36695: . ack 6879 win 1810 <nop,nop,timestamp 2210431291 111007>
08:57:52.317409 IP Asterisk.36695 > Trunk.sip-tls: P 6879:7417(538) ack 6824 win 186 <nop,nop,timestamp 111311 2210431291>
08:57:52.580105 IP Trunk.sip-tls > Asterisk.36695: . ack 7417 win 1991 <nop,nop,timestamp 2210431554 111311>
08:57:52.581554 IP Trunk.sip-tls > Asterisk.36695: P 6824:7394(570) ack 7417 win 1991 <nop,nop,timestamp 2210431555 111311>
08:57:52.621825 IP Asterisk.36695 > Trunk.sip-tls: . ack 7394 win 200 <nop,nop,timestamp 111615 2210431555>


Second Call:


40 packets captured
40 packets received by filter
0 packets dropped by kernel

After the first call the TLS connection remains established, but it seems not to be used for the second call. As the first call works fine, I would discard any problem with the certificates (which are successfully negotiated in the first call):

[Trixbox asterisk-1.8.10.1]# netstat -an |grep 5061
tcp 0 0 0.0.0.0:5061 0.0.0.0:* LISTEN
tcp 0 0 y.y.y.y:36695 x.x.x.x:5061 ESTABLISHED

Has anyone seen this issue before? Does anyone see anything wrong with my configuration?

Thanks everyone.
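
Separate from the hang itself, the [general] section posted above sets tlsdontverifyserver=yes (the trunk's certificate is accepted without verification, so tlscafile is not enforced), tlscipher=ALL (the OpenSSL keyword ALL includes anonymous suites) and tlsclientmethod=tlsv1. The check below is an added example, not part of the original thread or of Asterisk: parse_sip_conf and audit_tls are hypothetical names, the sample is constructed from the posted file, and the cipher test is a coarse keyword match rather than a full expansion of the cipher string.

```python
import re

# Constructed sample: the TLS lines of the sip.conf posted above.
SAMPLE = """[general]
tlsenable=yes
tlsdontverifyserver=yes
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1 ; constructed trailing comment

[XXX]
host=x.x.x.x
transport=tls
"""

# OpenSSL cipher-string keywords that admit anonymous, NULL, export or low-strength suites.
WEAK_CIPHER_WORDS = {"ALL", "COMPLEMENTOFALL", "ANULL", "ENULL", "NULL", "EXP", "EXPORT", "LOW"}
LEGACY_METHODS = {"sslv2", "sslv3", "tlsv1"}


def parse_sip_conf(text):
    """Return {section: {key: value}}; ';' starts a comment, keys are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections


def audit_tls(sections):
    """Return (section, key, value, reason) for every weak TLS setting."""
    findings = []
    for name, opts in sections.items():
        if opts.get("tlsdontverifyserver", "no").lower() in ("yes", "true", "1", "on"):
            findings.append((name, "tlsdontverifyserver", opts["tlsdontverifyserver"],
                             "server certificate is not verified"))
        # Tokens prefixed with '!' or '-' are exclusions and never match the set.
        words = re.split(r"[:,\s]+", opts.get("tlscipher", ""))
        if any(w.upper() in WEAK_CIPHER_WORDS for w in words):
            findings.append((name, "tlscipher", opts["tlscipher"],
                             "cipher string admits anonymous or weak suites"))
        if opts.get("tlsclientmethod", "").lower() in LEGACY_METHODS:
            findings.append((name, "tlsclientmethod", opts["tlsclientmethod"],
                             "outbound connections pinned to a legacy protocol"))
    return findings
```

Running audit_tls(parse_sip_conf(text)) on the posted file reports all three [general] settings; a section with tlsdontverifyserver=no and a restrictive cipher string such as HIGH:!aNULL:!MD5 reports nothing.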

There is a known issue with asterisk 1.8 and 1.10 TLS…
issues.asterisk.org/jira/browse … ent-193382
install the patch and it is solved.
issues.asterisk.org/jira/secure … read.patch