T.38 Udptl nat problem

I’m running Asterisk 16.2.1 as my SIP Server and version 1.4 on my devices (play the role as T.38 Gateway)… Since i connected the devices to server on local network, everything works fine… But when i connected devices from the outside (my server and my devices are all NATed), the devices can sent rtp and udptl packets to server but it keep sending v21 hdlc-data all the time and stopped after 1 min when it can not get the CED tone from the receiving side.

My model seem like this:

Fax Machine <-> T.38 GW <-> Internet <-> SIP Server <-> Internet <-> T.38 GW <-> Fax Machine

I don’t really know where the problem, here is my sip.conf at server and devices

Asterisk box:

general
allowoverlap=no
bindport=5060
bindaddr=0.0.0.0
faxdetect=yes
nat=yes
t38pt_udptl=yes,fec,maxdatagram=400
t38pt_usertpsource=yes

register => 24411:passwd@my_public_IP

24411
username=24411
type=friend
secret=passwd
qualify=yes
port=5060
host=my_public_IP
dtmfmode=auto
allow=all
faxdetect=yes
nat=yes
t38pt_udptl=yes,fec,maxdatagram=400
t38pt_usertpsource=yes

And configuration of sip of server:
general
context=default
allowoverlap=no
udpbindaddr=0.0.0.0
transport=udp
externip=my_public_IP
localnet=my_local/255.255.255.224
dtmfmode=auto
ignoresdpversion=yes
t38pt_udptl=yes,fec,maxdatagram=400
t38pt_usertpsource=yes
directmedia=no

1x(!)
type=friend
host=dynamic
context=udptl_t38
allow=all
rtp_symmetric=yes
qualify=yes
insecure=invite,port
canreinvite=no
directmedia=no

What is the actual SIP trace? (sip set debug on)? Is the correct IP address present in it? Have you forwarded both RTP and UDPTL ports?

Thank you for supporting… I think my media flow is on track (cause i set debug on with rtp and udptl packets), except one thing: my server keep sending v.21 hdlc-data and don’t get the response

Here are my pcap when send t38 pass-thru udptl on local (works fine) and on the internet (failed)

Screenshot_2020-05-21_22-57-13 Screenshot_2020-05-21_22-58-30

There’s still more information needed as I said, such as the actual SIP trace and whether you’ve forwarded things.

Ok, here is my sip set debug log on my asterisk box

SIP Debugging re-enabled
Reliably Transmitting (NAT) to MY_PUBLIC_IP:5060:
OPTIONS sip:MY_PUBLIC_IP SIP/2.0
Via: SIP/2.0/UDP 192.168.19.100:5060;branch=z9hG4bK11e6bdf4;rport
From: “asterisk” sip:asterisk@192.168.19.100;tag=as4a9a9d0e
To: sip:MY_PUBLIC_IP
Contact: sip:asterisk@192.168.19.100
Call-ID: 6b9f4d3e45cd362272c909f17001e629@192.168.19.100
CSeq: 102 OPTIONS
User-Agent: Asterisk PBX
Max-Forwards: 70
Date: Mon, 01 Jan 2007 00:21:37 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Content-Length: 0

<— SIP read from MY_PUBLIC_IP:5060 —>
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 192.168.19.100:5060;branch=z9hG4bK11e6bdf4;received=192.168.19.100;rport=5060
From: “asterisk” sip:asterisk@192.168.19.100:5060;tag=as4a9a9d0e
To: sip:MY_PUBLIC_IP;tag=as070c76de
Call-ID: 6b9f4d3e45cd362272c909f17001e629@192.168.19.100
CSeq: 102 OPTIONS
Server: Asterisk PBX 16.2.1~dfsg-2ubuntu1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Accept: application/sdp
Content-Length: 0

Really destroying SIP dialog ‘6b9f4d3e45cd362272c909f17001e629@192.168.19.100’ Method: OPTIONS
Really destroying SIP dialog ‘487f4e766db2251e784acda07a6972ff@MY_PUBLIC_IP:5060’ Method: OPTIONS
REGISTER 12 headers, 0 lines
Reliably Transmitting (NAT) to MY_PUBLIC_IP:5060:
REGISTER sip:MY_PUBLIC_IP SIP/2.0
Via: SIP/2.0/UDP 192.168.19.100:5060;branch=z9hG4bK20818036;rport
From: sip:202@MY_PUBLIC_IP;tag=as5a1008c4
To: sip:202@MY_PUBLIC_IP
Call-ID: 6cca09db64fef55709c9165732450260@192.168.19.100
CSeq: 108 REGISTER
User-Agent: Asterisk PBX
Max-Forwards: 70
Authorization: Digest username=“202”, realm=“asterisk”, algorithm=MD5, uri=“sip:MY_PUBLIC_IP”, nonce=“6a04fa79”, response=“ca82ccd383de69673fc2457fbaeb0c93”
Expires: 120
Contact: sip:s@192.168.19.100
Event: registration
Content-Length: 0

And sip settings:

  • Name : 202
    Description :
    Secret :
    MD5Secret :
    Remote Secret:
    Context : fax
    Record On feature : automon
    Record Off feature : automon
    Subscr.Cont. :
    Language :
    Tonezone :
    AMA flags : Unknown
    Transfer mode: open
    CallingPres : Presentation Allowed, Not Screened
    Callgroup :
    Pickupgroup :
    Named Callgr :
    Nam. Pickupgr:
    MOH Suggest :
    Mailbox :
    VM Extension : asterisk
    LastMsgsSent : 0/0
    Call limit : 0
    Max forwards : 0
    Dynamic : Yes
    Callerid : “” <>
    MaxCallBR : 384 kbps
    Expire : 119
    Insecure : no
    Force rport : Auto (No)
    Symmetric RTP: No
    ACL : No
    ContactACL : No
    DirectMedACL : No
    T.38 support : No
    T.38 EC mode : Unknown
    T.38 MaxDtgrm: 4294967295
    DirectMedia : No
    PromiscRedir : No
    User=Phone : No
    Video Support: No
    Text Support : No
    Ign SDP ver : No
    Trust RPID : No
    Send RPID : No
    Path support : No
    Path : N/A
    TrustIDOutbnd: Legacy
    Subscriptions: Yes
    Overlap dial : No
    DTMFmode : rfc2833
    Timer T1 : 500
    Timer B : 32000
    ToHost :
    Addr->IP : 21.133.114.46:5060
    Defaddr->IP : (null)
    Prim.Transp. : UDP
    Allowed.Trsp : UDP
    Def. Username: 202
    SIP Options : (none)
    Codecs : (g722|g726|gsm|ilbc|ulaw|alaw)
    Auto-Framing : No
    Status : OK (5 ms)
    Useragent : Asterisk PBX
    Reg. Contact : sip:s@21.133.114.46:5060
    Qualify Freq : 60000 ms
    Keepalive : 0 ms
    Sess-Timers : Accept
    Sess-Refresh : uas
    Sess-Expires : 1800 secs
    Min-Sess : 90 secs
    RTP Engine : asterisk
    Parkinglot :
    Use Reason : No
    Encryption : No
    RTCP Mux : No

You need to show “sip set debug on” while a fax attempt is occurring. You also did not answer my question about forwarding of ports.

Sorry for long reply… I used range 10000 - 20000 for RTP and 11000 - 11999 for UDPTL and already forwarded ports

Here is the debug while sending fax:

Sending to MY_PUBLIC_IP : 5060 (NAT)
m=image 11862 udptl t38
Got T.38 offer in SDP in dialog 561f04fe3a2c729f651a7b411464f2f6@192.168.19.100
Capabilities: us - 0xc (ulaw|alaw), peer - audio=0x0 (nothing)/video=0x0 (nothing), combined - 0x0 (nothing)
Non-codec capabilities (dtmf): us - 0x1 (telephone-event), peer - 0x0 (nothing), combined - 0x0 (nothing)
Got T.38 Re-invite without audio. Keeping RTP active during T.38 session.

<— Transmitting (NAT) to MY_PUBLIC_IP:5060 —>
SIP/2.0 100 Trying
Via: SIP/2.0/UDP MY_PUBLIC_IP:5060;branch=z9hG4bK41443183;received=MY_PUBLIC_IP;rport=5060
From: sip:204@MY_PUBLIC_IP:5060;tag=as7e5e83ae
To: “asterisk” sip:asterisk@192.168.19.100:5060;tag=as4f2e6f0a
Call-ID: 561f04fe3a2c729f651a7b411464f2f6@192.168.19.100
CSeq: 102 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Contact: sip:asterisk@192.168.19.100
Content-Length: 0

<— Reliably Transmitting (NAT) to MY_PUBLIC_IP:5060 —>
SIP/2.0 200 OK
Via: SIP/2.0/UDP MY_PUBLIC_IP:5060;branch=z9hG4bK41443183;received=MY_PUBLIC_IP;rport=5060
From: sip:204@MY_PUBLIC_IP:5060;tag=as7e5e83ae
To: “asterisk” sip:asterisk@192.168.19.100:5060;tag=as4f2e6f0a
Call-ID: 561f04fe3a2c729f651a7b411464f2f6@192.168.19.100
CSeq: 102 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Contact: sip:asterisk@192.168.19.100
Content-Type: application/sdp
Content-Length: 266

v=0
o=root 366 368 IN IP4 192.168.19.100
s=session
c=IN IP4 192.168.19.100
t=0 0
m=image 11241 udptl t38
a=T38FaxVersion:0
a=T38MaxBitRate:9600
a=T38FaxRateManagement:transferredTCF
a=T38FaxMaxBuffer:1397
a=T38FaxMaxDatagram:1397
a=T38FaxUdpEC:t38UDPFEC

<— SIP read from MY_PUBLIC_IP:5060 —>
ACK sip:asterisk@192.168.19.100:5060 SIP/2.0
Via: SIP/2.0/UDP MY_PUBLIC_IP:5060;branch=z9hG4bK11b00641;rport
Max-Forwards: 70
From: sip:204@MY_PUBLIC_IP:5060;tag=as7e5e83ae
To: “asterisk” sip:asterisk@192.168.19.100:5060;tag=as4f2e6f0a
Contact: sip:204@MY_PUBLIC_IP:5060
Call-ID: 561f04fe3a2c729f651a7b411464f2f6@192.168.19.100
CSeq: 102 ACK
User-Agent: Asterisk PBX 16.2.1~dfsg-2ubuntu1
Content-Length: 0

Reliably Transmitting (NAT) to MY_PUBLIC_IP:5060:
OPTIONS sip:MY_PUBLIC_IP SIP/2.0
Via: SIP/2.0/UDP 192.168.19.100:5060;branch=z9hG4bK3e41524e;rport
From: “asterisk” sip:asterisk@192.168.19.100;tag=as2e5b2212
To: sip:MY_PUBLIC_IP
Contact: sip:asterisk@192.168.19.100
Call-ID: 77b1c91049e094942841f62c41faaa99@192.168.19.100
CSeq: 102 OPTIONS
User-Agent: Asterisk PBX
Max-Forwards: 70
Date: Mon, 01 Jan 2007 00:42:38 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Content-Length: 0

<— SIP read from MY_PUBLIC_IP:5060 —>
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 192.168.19.100:5060;branch=z9hG4bK3e41524e;received=192.168.19.100;rport=5060
From: “asterisk” sip:asterisk@192.168.19.100:5060;tag=as2e5b2212
To: sip:MY_PUBLIC_IP;tag=as21edc93c
Call-ID: 77b1c91049e094942841f62c41faaa99@192.168.19.100
CSeq: 102 OPTIONS
Server: Asterisk PBX 16.2.1~dfsg-2ubuntu1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Accept: application/sdp
Content-Length: 0

Really destroying SIP dialog ‘77b1c91049e094942841f62c41faaa99@192.168.19.100’ Method: OPTIONS
Really destroying SIP dialog ‘29e9180e48705beb14ed42f94ab436c1@MY_PUBLIC_IP:5060’ Method: OPTIONS
REGISTER 12 headers, 0 lines
Reliably Transmitting (NAT) to MY_PUBLIC_IP:5060:
REGISTER sip:MY_PUBLIC_IP SIP/2.0
Via: SIP/2.0/UDP 192.168.19.100:5060;branch=z9hG4bK158959a1;rport
From: sip:202@MY_PUBLIC_IP;tag=as3de3f596
To: sip:202@MY_PUBLIC_IP
Call-ID: 6cca09db64fef55709c9165732450260@192.168.19.100
CSeq: 132 REGISTER
User-Agent: Asterisk PBX
Max-Forwards: 70
Authorization: Digest username=“202”, realm=“asterisk”, algorithm=MD5, uri=“sip:MY_PUBLIC_IP”, nonce=“06a837c1”, response=“e973f7c5793daade80b1b4d30b2a5945”
Expires: 120

It is placing “192.168.19.100” into the SDP. Is that reachable by the remote side? If not then you either need to configure Asterisk so it knows it is behind NAT and places the correct IP address into the SDP, or you can try enabling the NAT functionality on the remote server instance.

I got it, so how should I configure the Asterisk cause i tried many parameters but anyone of them resolve my problem

In sip.conf, i added nat=yes on Asterisk box and nat=force_rport,comedia on Server… Since i used externip and localhost, i had to manually update the public ip of asterisk box whenever ISP change the IP address, its so unconventional

nat=yes is a deprecated form of nat=force_rport,comedia

These options are primarily when Asterisk is outside NAT and the peer is inside.

Note that there are no configurations where having comedia (/nat=yes) on both sides offers any advantage, as comedia requires media to reach the right destination in one direction without any such hacks for the comedia to detect the right address for the other direction.

Also, as far as I know, Asterisk handles NAT sufficiently well that nat= should work when left at default.

If your ISP is changing IP addresses whilst the router is up, you need to find a business friendly ISP.

Assuming you control all the Asterisk machines, a VPN is probably the best solution.

I have a leased line for SIP Server so it got fixed public IP address.

But i have multiple devices which installed asterisk 1.4 too, and i want all of them will work well (Fax T.38 Udptl) with NAT in separate networks like home, offfice… etc, which normally have dynamic public IP address.

So i wonder if Asterisk can deal with NAT via configure in sip.conf, rtp.conf or udptl.conf?