X-Lite is not able to connect Asterisk Server

Hello All,
I am not able to connect x-lite to the asterisk server. Getting SIP 408 error

  1. I have Global IP assigned.
  2. X-Lite are running at Windows System.
  3. Asterisk is running at Cloud server.
  4. Configured sip.conf [Contents are below].
  5. Port forward at my local router [5060 - 5070 UDP ]
  6. Port forward at my local router for rtp [10000-20000 UDP]
    Now Still I am not able to connect to Asterisk Server.
[general]
context=public
allowguest=no
srvlookup=yes
udpbindaddr=0.0.0.0
tcpenable=no
transport=udp
;nat=force_rport
nat=force_rport,comedia
srvlookup=yes
qualify=yes
canreinvite=no
disallow=all
alwaysauthreject = yes
deny=0.0.0.0/0.0.0.0
permit=88.99.xxxx.xxxx/255.255.255.0  ---> Asterisk Server IP running at Cloud
externip=115.187.yyy.yyy [Global_IP]
localnet=192.168.1.14/255.255.255.0 [Local Windows IP where X-lite is running]

Please find the SIP debug details

Scheduling destruction of SIP dialog '1546395883-1570214774-330806850' in 32000 ms (Method: INVITE)
Retransmitting #1 (NAT) to 202.248.69.218:55947:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 202.248.69.218:55947;branch=z9hG4bK1471488608;received=202.248.69.218;rport=55947
From: <sip:1001@88.99.245.202>;tag=683112091
To: <sip:1333972541498@88.99.245.202>;tag=as5e7dad21
Call-ID: 1546395883-1570214774-330806850
CSeq: 2 INVITE
Server: Asterisk PBX 15.7.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0


---
Retransmitting #7 (NAT) to 74.63.239.162:56499:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 74.63.239.162:56499;branch=z9hG4bK742560625;received=74.63.239.162;rport=56499
From: <sip:6666@88.99.245.202>;tag=770279010
To: <sip:810972599058332@88.99.245.202>;tag=as638a6087
Call-ID: 1080154037-743875535-1164588411
CSeq: 1 INVITE
Server: Asterisk PBX 15.7.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="2f9d7894"
Content-Length: 0


---
Retransmitting #10 (NAT) to 74.63.239.162:57774:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 74.63.239.162:57774;branch=z9hG4bK1172425719;received=74.63.239.162;rport=57774
From: <sip:6666@88.99.245.202>;tag=2026924408
To: <sip:009972599058332@88.99.245.202>;tag=as7c5a8784
Call-ID: 959656067-113925940-65465357
CSeq: 1 INVITE
Server: Asterisk PBX 15.7.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="126435c4"
Content-Length: 0


---

<--- SIP read from UDP:74.63.239.162:52874 --->
INVITE sip:972599058332@88.99.245.202 SIP/2.0
Via: SIP/2.0/UDP 74.63.239.162:52874;branch=z9hG4bK1034840865
Max-Forwards: 70
From: <sip:777@88.99.245.202>;tag=286231103
To: <sip:972599058332@88.99.245.202>
Call-ID: 2085166991-1317233016-1898455882
CSeq: 1 INVITE
Contact: <sip:777@74.63.239.162:52874>
Content-Type: application/sdp
Content-Length: 207
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: fdgddfg546df4g8d5f

v=0
o=777 16264 18299 IN IP4 192.168.1.83
s=call
c=IN IP4 192.168.1.83
t=0 0
m=audio 25282 RTP/AVP 0 101
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11
<------------->
--- (12 headers 10 lines) ---
Sending to 74.63.239.162:52874 (NAT)
Sending to 74.63.239.162:52874 (NAT)
Using INVITE request as basis request - 2085166991-1317233016-1898455882
No matching peer for '777' from '74.63.239.162:52874'

<--- Reliably Transmitting (NAT) to 74.63.239.162:52874 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 74.63.239.162:52874;branch=z9hG4bK1034840865;received=74.63.239.162;rport=52874
From: <sip:777@88.99.245.202>;tag=286231103
To: <sip:972599058332@88.99.245.202>;tag=as3174174f
Call-ID: 2085166991-1317233016-1898455882
CSeq: 1 INVITE
Server: Asterisk PBX 15.7.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="6560c0da"
Content-Length: 0

Looks like you have set a password on Asterisk but not on the phone.

I have double checked the same. The password is working fine. When I connecting through my phone hotspot, [where no NAT is activated], all are working fine. X-lite from my desktop connecting the asterisk server perfectly.
Now when I am trying to connect using the ISP connection, [for which I am using home router for internet] x-lite is not connecting.It is giving 408 error.

  1. I have a Global IP which I have assigned at sip.conf.
  2. The local ip from my desktop is also mentioned at sip.conf.

Please advice.

A strange message I have found
When I am performing asterisk -rvvvv
then I doing CLI> SIP reload
I found the below error

ERROR[17993]: chan_sip.c:33216 reload_config: Error enabling TCP keep-alive on sip socket: Bad file descriptor

What does it mean? Please advice

Anyone is there :wink:

If you re getting 408 it is request time out, nothing related to what it is on your sip logs

The error ’ 408 Request Timeout ’ indicates that the client is not receiving any response from the server to which you are trying to connect.

Have you verify IPTABLES, firewall , etc?

Just wanted to know that IPTABLES and Firewall rules you are talking about the Server where Asterisk is running.
Is my understanding is correct?

As I have already stated my Softfone [Client] is behind NAT.

Port_forward I am not really getting the below debug details

Really destroying SIP dialog '384233017-570508860-169635497' Method: INVITE

<--- SIP read from UDP:74.63.239.162:65005 --->
INVITE sip:100972599058332@88.99.245.202 SIP/2.0
Via: SIP/2.0/UDP 74.63.239.162:65005;branch=z9hG4bK3831607
Max-Forwards: 70
From: <sip:2055@88.99.245.202>;tag=925648731
To: <sip:100972599058332@88.99.245.202>
Call-ID: 1235463954-1961520878-491951053
CSeq: 1 INVITE
Contact: <sip:2055@74.63.239.162:65005>
Content-Type: application/sdp
Content-Length: 208
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: fdgddfg546df4g8d5f

v=0
o=2055 16264 18299 IN IP4 192.168.1.83
s=call
c=IN IP4 192.168.1.83
t=0 0
m=audio 25282 RTP/AVP 0 101
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11
<------------->
--- (12 headers 10 lines) ---
Sending to 74.63.239.162:65005 (NAT)
Sending to 74.63.239.162:65005 (NAT)
Using INVITE request as basis request - 1235463954-1961520878-491951053
No matching peer for '2055' from '74.63.239.162:65005'

<--- Reliably Transmitting (NAT) to 74.63.239.162:65005 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 74.63.239.162:65005;branch=z9hG4bK3831607;received=74.63.239.162;rport=65005
From: <sip:2055@88.99.245.202>;tag=925648731
To: <sip:100972599058332@88.99.245.202>;tag=as09bec444
Call-ID: 1235463954-1961520878-491951053
CSeq: 1 INVITE
Server: Asterisk PBX 15.7.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="7b3c319b"
Content-Length: 0

I have port forward at my home router as the picture attached. My Global-IP is 115.187.34.132.
The SIP.conf [General] section is below

[general]
context=public
allowguest=no
srvlookup=yes
udpbindaddr=0.0.0.0
tcpenable=no
transport=udp
;nat=force_rport
nat=force_rport,comedia
srvlookup=yes
qualify=yes
canreinvite=no
disallow=all
alwaysauthreject = yes
deny=0.0.0.0/0.0.0.0
permit=88.99.245.202/255.255.255.0 --> This is the Asterisk Server IP address and Subnet
;permit=115.187.34.132/255.255.255.0
externip=115.187.34.132  --> GLOBAL_IP assigned by my ISP
;externip=88.99.245.202
localnet=192.168.1.14/255.255.255.192   --> My Local windows IP where X-lite is running

Do I perform anything at my home router or at Asterisk server IPTABLES

If Asterisk is running on a cloud server it should be accesible from the world as it have a public IP assisgned. Just makre sure there is not firewall rules applied by your cloud provider, also run use the iptables command to verify no rule blocking

Best practice when running Asterisk in the cloud is to use a VPN.

I am wondering that, when I am bypassing my home router, X-lite are registering as usual. No error found. [ I am activating my mobile hotspot where I am perfectly able to register and call from Xlite]
My confusion is, if there is a firewall rule set at Cloud server, then from Mobile hotspot also I would have faced the error.
Is my understanding correct?

One confusion Please

  1. externip=< Is this is the public IP what my ISP has been provided or the Public IP of the Asterisk Server>
  2. localnet = < Is this the localhost ip address for the asterisk server or my Windows IP address>
  3. Permit=< Is this is the Public IP address of cloud asterisk server with subnet mask>

Please advice

localnet is the set of networks that do not use NAT.

externip is that address that will appear to be the source of packets sent by Asterisk when sent to addresses not in localnet.

Permit is the address of the remote client as seen by Asterisk. In a more conventional configuration it would be the address used by your internet telephony provider.

Thank you for the advice.
When I am performing sip set debug on I am getting the below details

Retransmitting #2 (NAT) to 223.191.20.209:28553:
OPTIONS sip:Pokhraj@223.191.20.209:28553;rinstance=36ee18d4b1c4cd50 SIP/2.0
Via: SIP/2.0/UDP 88.99.245.202:5060;branch=z9hG4bK41b738a5;rport
Max-Forwards: 70
From: "asterisk" <sip:asterisk@88.99.245.202>;tag=as406222aa
To: <sip:Pokhraj@223.191.20.209:28553;rinstance=36ee18d4b1c4cd50>
Contact: <sip:asterisk@88.99.245.202:5060>
Call-ID: 5896caac36c4d329446d143b764e06dd@88.99.245.202:5060
CSeq: 102 OPTIONS
User-Agent: Asterisk PBX 15.7.1
Date: Sun, 03 Mar 2019 10:12:46 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0

I am not able to get the 223.191.20.209 ip address. From where it coming from?

That is showing an Asterisk client, not an Asterisk server, and is not showing a call attempt. It is showing Asterisk trying to verify connectivity to the phone and failing.


Please check once my SIP.conf Configuration.
Is that correct?

Also SIP Show Peers as below

localnet is wrong. The loop back network will be treated as localnet even if not specified as such.

I am confused. Could you please advice what will be the localnet for me? Please find the attached IP addresses I have set at my Windows 7. Also I have port forward 5060 for UDP incoming at my home router.
My_Windows_IP4_Setting

the local net should be the local network for your sip server

Localnet -> This is an option has to be set in the [general] context at sip.conf and has to be set to the netmask for the private network asterisk is in, this is only needed when asterisk is behind a NAT and trying to communicate with devices outside of the NAT.

e.g: localnet=192.168.0.0/255.255.255.0