Random ports on registration

Sippy

This is a large FreePBX install. I have a voip.ms trunk set up that has been working fine for two years. We updated to the latest FreePBX and Asterisk. Now my voip.ms trunk is getting registered on random ports other than 5060. It is causing incoming calls to fail because the ports are blocked by the firewall.

Does anyone know why this is happening? The ports are outside of 10000-20000. All my other systems register on 5060.
 
Do you have the port specified in the registration string?
Code:
@toronto6.voip.ms:5060
Is this server behind a firewall/router? If yes, does it have SIP ALG or something? And my comments are just for Chan_SIP, I don't know how PJSIP behaves.
You could always switch to TLS, pretty sure that will get you around any ALG issues, and keep you a titch more secure.
 
Yes, it is specified in the registration string, but Asterisk is requesting registration on random ports. Here is a screenshot of traffic going out. ALG is not on. This is a Barracuda router report showing the outgoing traffic example. Every time the registry expires it requests it again on another random port. I changed to 5080 trying to fix it but no joy. We do use PJSIP for phones. How would I make TLS work?
 
I also have qualify set to yes. I have searched online for where Asterisk would select a port other than 5060 for registration of a trunk. NAT is set for yes.
 
If you capture an outbound call, what does the Contact line say the port is using? Hint: use sngrep, or capture via span/mirror port & Wireshark. Do not capture at the firewall.
 
Outbound is not in use on this trunk. Only inbound.
Other trunks are used for outbound.
 
This is how a NAT works... especially if something else behind your firewall/NAT is also sending registrations to voip.ms. Only one client can be port 5060 on the same public IP address.

Asterisk is not using random ports. Turn on the SIP debugs in Asterisk and see. It is putting the port you specify (5060 or 5080) in the contact header.
 
> This is how a NAT works... especially if something else behind your firewall/NAT is also sending registrations to voip.ms. Only one client can be port 5060 on the same public IP address.
@billsimon I've seen this statement before and unless I'm missing something, it doesn't make sense. I have 2 trunks registered to the same public IP address and they work fine.
These are Mynetfone trunks on my Incredible RasPBX 4.11.3.
 
> @billsimon I've seen this statement before and unless I'm missing something, it doesn't make sense. I have 2 trunks registered to the same public IP address and they work fine.
> These are Mynetfone trunks on my Incredible RasPBX 4.11.3.

> This is how a NAT works... especially if something else behind your firewall/NAT is also sending registrations to voip.ms. Only one client can be port 5060 on the same public IP address.
>
> Asterisk is not using random ports. Turn on the SIP debugs in Asterisk and see. It is putting the port you specify (5060 or 5080) in the contact header.

Look at my screenshot. Asterisk is registering on random ports outside of 5060 or 5080. Voip.ms registration settings show which ports it registers on. Tech support asked me if we were using PJSIP. We are. Why would that make Asterisk select random ports for trunk registration?
 
> @billsimon I've seen this statement before and unless I'm missing something, it doesn't make sense. I have 2 trunks registered to the same public IP address and they work fine.
> These are Mynetfone trunks on my Incredible RasPBX 4.11.3.

Asterisk is "one client" ... I'm not talking about multiple trunks from the same internal IP.
 
> Look at my screenshot. Asterisk is registering on random ports outside of 5060 or 5080. Voip.ms registration settings show which ports it registers on. Tech support asked me if we were using PJSIP. We are. Why would that make Asterisk select random ports for trunk registration?

Your screenshot is your router, not Asterisk. Maybe Asterisk is doing something weird but you won't know it just by looking at your firewall. Look at logs and sngrep on the server (for the registration packets) as tbrummell already asked. Share your pjsip config here too.
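The check suggested above can be settled from the registrar's reply as seen on the server: a Via sent with `rport` comes back with `received=` and `rport=` set to the source address and port the registrar actually saw (RFC 3581). This is an added example, not code from the thread; the 401 reply, the `account` user and port 41873 are constructed, and it assumes the registrar fills in `rport`.

```python
import re

# Constructed exchange. The REGISTER request line and Via follow the capture
# posted in this thread; the Contact user, the 401 reply and its
# received/rport values are made up for illustration.
REGISTER = """\
REGISTER sip:atlanta2.voip.ms SIP/2.0
Via: SIP/2.0/UDP 170.249.178.250:5060;branch=z9hG4bK5d48c719;rport
Contact: <sip:account@170.249.178.250:5060>
Expires: 120
"""
REPLY_401 = """\
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 170.249.178.250:5060;branch=z9hG4bK5d48c719;received=170.249.178.250;rport=41873
"""

VIA = re.compile(r"^Via:\s*SIP/2\.0/UDP\s+([^;:\s]+)(?::(\d+))?(.*)$", re.I | re.M)
CONTACT = re.compile(r"^Contact:.*?@[^:>;]+(?::(\d+))?", re.I | re.M)

def via_info(message):
    """Return (sent-by host, sent-by port, Via parameters) of the first Via."""
    m = VIA.search(message)
    host, port, rest = m.group(1), int(m.group(2) or 5060), m.group(3)
    params = dict(p.partition("=")[::2] for p in rest.strip(";").split(";") if p)
    return host, port, params

def compare(register, reply):
    """Compare the ports the PBX wrote with the source the registrar saw."""
    host, sent_port, _ = via_info(register)
    contact = CONTACT.search(register)
    contact_port = int(contact.group(1) or 5060)
    _, _, params = via_info(reply)
    seen_ip = params.get("received", host)
    # A bare "rport" (no value) means the far end did not fill it in.
    seen_port = int(params["rport"]) if params.get("rport") else sent_port
    return {
        "pbx_via_port": sent_port,
        "pbx_contact_port": contact_port,
        "registrar_saw": (seen_ip, seen_port),
        "port_rewritten_in_transit": seen_port != sent_port,
    }

if __name__ == "__main__":
    for key, value in compare(REGISTER, REPLY_401).items():
        print(f"{key}: {value}")
```

When the PBX's own Via and Contact say 5060 but `rport` in the reply is something else, the change happened after the packet left Asterisk.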
 
sngrep:
x.x.x.x:5060
13:40:16.446289                REGISTER
13:40:16.469470  +0.023181     401 Unauthorized
13:40:16.469682  +0.000212     REGISTER
13:40:16.493174  +0.023492     200 OK
13:42:01.493102  +104.999928   REGISTER
13:42:01.516301  +0.023199     401 Unauthorized
13:42:01.516536  +0.000235     REGISTER
13:42:01.540034  +0.023498     200 OK
13:43:46.539690  +104.999656   REGISTER

REGISTER sip:atlanta2.voip.ms SIP/2.0
Via: SIP/2.0/UDP 170.249.178.250:5060;br
ch=z9hG4bK5d48c719;rport
Max-Forwards: 70
From: <sip:[email protected]
ms>;tag=as7d7d8293
To: <sip:[email protected].
>
Call-ID: 6ccd996758d46a8a6047fbd069b13bf
127.0.0.1
CSeq: 228 REGISTER
Supported: replaces
User-Agent: FPBX-15.0.16.49(16.6.2)
Authorization: Digest username="XXXXXX
cusowa", realm="atlanta2.voip.ms", algor
hm=MD5, uri="sip:atlanta2.voip.ms", nonc
"6feeba39", response="40e13a577cfac44db0
e34dff57e92f"
Expires: 120
Contact: <sip:[email protected]:5060>
Content-Length: 0

Now we have registered on the correct port, which had to do with a rule in the firewall, but we get a busy on any call to a DID pointed to the sub account that is registered. I have set up an IAX port to try and fix the problem but no joy. Why are inbound trunks receiving a busy?
 
OK, essentially a new problem. For this one I'd
Code:
tail -f /var/log/asterisk/full
and watch the call arrive at the PBX, if it does at all... At least if it hits Asterisk it'll log why it's rejected.
 
> OK, essentially a new problem. For this one I'd
> Code:
> tail -f /var/log/asterisk/full
> and watch the call arrive at the PBX, if it does at all... At least if it hits Asterisk it'll log why it's rejected.

Thank you, I will check it.
 
> which had to do with a rule in the firewall,

No surprise to me. For others who find this thread perhaps you could share more about the firewall rule that was causing the behavior.
 
> No surprise to me. For others who find this thread perhaps you could share more about the firewall rule that was causing the behavior.

It was a setting on the Barracuda firewall that changed the outgoing port of 5060 to a random port of its choosing. Took a while to find it. This firewall is very hard for the IT guy to figure out. I suspect our incoming traffic is having the same issue but it seems to be sending it OK. Just getting a busy signal on all inbound calls from that trunk. tail -f /var/log/asterisk/full shows the following:

[2020-05-19 08:07:10] NOTICE[1808][C-0000000b] chan_sip.c: Failed to authenticate device <sip:[email protected]>;tag=as7fc5a603 for INVITE, code = -1
 
So according to your initial post "it was working fine for years" with this randomization setting?

> This firewall is very hard for the IT guy to figure out.

heh, there are a lot of good IT people looking for jobs right now.

> chan_sip.c: Failed to authenticate device

In chan_sip, this either means the peer is not matching (do you have that hostname/IP in your sip trunk definition) or you are challenging the incoming invite, which you don't want to do for a trunk... add insecure=port,invite
 
Getting calls in, but recording says number not in service. Here is tail var:

[2020-05-19 09:38:44] VERBOSE[13237][C-00000003] netsock2.c: Using SIP RTP TOS bits 184
[2020-05-19 09:38:44] VERBOSE[13237][C-00000003] netsock2.c: Using SIP RTP CoS mark 5
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx.c: Executing [2512364600@from-sip-external:1] NoOp("SIP/209.217.224.50-00000000", "Received incoming SIP connection from unknown peer to 2512364600") in new stack
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx.c: Executing [2512364600@from-sip-external:2] Set("SIP/209.217.224.50-00000000", "DID=2512364600") in new stack
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx.c: Executing [2512364600@from-sip-external:3] Goto("SIP/209.217.224.50-00000000", "s,1") in new stack
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx_builtins.c: Goto (from-sip-external,s,1)
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx.c: Executing [s@from-sip-external:1] GotoIf("SIP/209.217.224.50-00000000", "1?setlanguage:checkanon") in new stack
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx_builtins.c: Goto (from-sip-external,s,2)
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx.c: Executing [s@from-sip-external:2] Set("SIP/209.217.224.50-00000000", "CHANNEL(language)=en") in new stack
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx.c: Executing [s@from-sip-external:3] GotoIf("SIP/209.217.224.50-00000000", "1?noanonymous") in new stack
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx_builtins.c: Goto (from-sip-external,s,5)
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx.c: Executing [s@from-sip-external:5] Set("SIP/209.217.224.50-00000000", "TIMEOUT(absolute)=15") in new stack
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] func_timeout.c: Channel will hangup at 2020-05-19 09:38:59.772 CDT.
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx.c: Executing [s@from-sip-external:6] Set("SIP/209.217.224.50-00000000", "receveip=recvip") in new stack
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx.c: Executing [s@from-sip-external:7] Log("SIP/209.217.224.50-00000000", "WARNING,"Rejecting unknown SIP connection from 10.0.0.1"") in new stack
[2020-05-19 09:38:44] WARNING[18197][C-00000003] Ext. s: "Rejecting unknown SIP connection from 10.0.0.1"
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx.c: Executing [s@from-sip-external:8] Answer("SIP/209.217.224.50-00000000", "") in new stack
[2020-05-19 09:38:45] VERBOSE[18197][C-00000003] pbx.c: Executing [s@from-sip-external:9] Wait("SIP/209.217.224.50-00000000", "2") in new stack
 
> WARNING,"Rejecting unknown SIP connection from 10.0.0.1

I can only assume that is the firewall? It is re-writing the SIP invite, and your PBX is rejecting it. You need your firewall admin to stop that. One thing you *may* be able to do is add 10.0.0.1 as a trunk in your PBX, so that it allows the call. But you may still end up with no/1-way audio. But it'd be a start I guess....
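The mismatch pointed out above, a channel named after 209.217.224.50 while the dialplan logs the source as 10.0.0.1, can be picked out of `/var/log/asterisk/full` by correlating lines on the call id. This is an added example, not code from the thread; the sample lines are constructed in the format of the log posted above, and it assumes the host in the channel name is the far end's address as it is in that log.

```python
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the format of the log lines posted above; the
# 203.0.113.77 call is invented to show a source that was not rewritten.
SAMPLE_LOG = """\
[2020-05-19 09:38:44] VERBOSE[18197][C-00000003] pbx.c: Executing [2512364600@from-sip-external:1] NoOp("SIP/209.217.224.50-00000000", "Received incoming SIP connection from unknown peer to 2512364600") in new stack
[2020-05-19 09:38:44] WARNING[18197][C-00000003] Ext. s: "Rejecting unknown SIP connection from 10.0.0.1"
[2020-05-19 09:41:02] VERBOSE[18301][C-00000004] pbx.c: Executing [2512364600@from-sip-external:1] NoOp("SIP/209.217.224.50-00000001", "Received incoming SIP connection from unknown peer to 2512364600") in new stack
[2020-05-19 09:41:02] WARNING[18301][C-00000004] Ext. s: "Rejecting unknown SIP connection from 10.0.0.1"
[2020-05-19 09:45:10] VERBOSE[18420][C-00000005] pbx.c: Executing [100@from-sip-external:1] NoOp("SIP/203.0.113.77-00000002", "Received incoming SIP connection from unknown peer to 100") in new stack
[2020-05-19 09:45:10] WARNING[18420][C-00000005] Ext. s: "Rejecting unknown SIP connection from 203.0.113.77"
"""

CALL_ID = re.compile(r"\[(C-[0-9a-f]{8})\]")
CHANNEL_HOST = re.compile(r'\("SIP/([^"]+)-[0-9a-f]{8}"')
REJECTED = re.compile(r"Rejecting unknown SIP connection from ([\d.]+)")

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def analyse(log_text):
    """Return (calls whose logged source was rewritten, rejections per source)."""
    channel_host, logged_source = {}, {}  # both keyed by call id
    for line in log_text.splitlines():
        call = CALL_ID.search(line)
        if not call:
            continue
        chan = CHANNEL_HOST.search(line)
        if chan:
            channel_host.setdefault(call.group(1), chan.group(1))
        rej = REJECTED.search(line)
        if rej:
            logged_source[call.group(1)] = rej.group(1)
    rewritten = sorted(
        (cid, channel_host[cid], src) for cid, src in logged_source.items()
        if cid in channel_host and is_rfc1918(src) and channel_host[cid] != src)
    return rewritten, Counter(logged_source.values())

if __name__ == "__main__":
    rewritten, per_source = analyse(SAMPLE_LOG)
    for cid, far_end, src in rewritten:
        print(f"{cid}: channel names {far_end}, but the source was logged as {src}")
    print("rejections per logged source:", dict(per_source))
```

Every rejected trunk call is counted against the gateway address rather than the provider, so anything that matches peers or bans by source IP ends up acting on the firewall itself.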
 
Router setting again changed to show only the inbound traffic and not the gateway. Cleared fail2ban jail and everything's good. Thank you @tbrummell for leading us through this fix. Fail2ban was the culprit to start.
 
