Travelin' Man Missed His Plane

[vorshr]

Travelin' man issues. Device does not match ACL.

Hello All, first I want to start out and apologize for the length of this post.

I installed Incredible PBX 2 Purple with no issues, ran all upgrades, I am able to connect from my external IP and from my internal IP. I can make phone calls through Google Voice and incoming calls are routed to my extension 701 as they should be. Having an issue with voicemail saying an error has occurred but will deal with that later. I then decided to install Travelinman as there are times when I need to make calls when I am away from my office but make it look as if I am in the office. The install of travelinman went fine, iptables was updated with port 83 and udp 5060.


My router is a Linksys e2000 which I have all port forwarding setup and forwarded as they should. When I attempt to connect my sip phone from my iphone or ipad (using my verizon mifi) I get the following error:

root@pbx:/etc/asterisk $ tail -f /var/log/asterisk/full
[2011-08-30 21:42:35] NOTICE[6075] chan_sip.c: Registration from '"Jim" <sip:[email protected]:5060>' failed for '166.137.138.23:31971' - Device does not match ACL
[2011-08-30 21:42:35] NOTICE[6075] chan_sip.c: Registration from '"Jim" <sip:[email protected]:5060>' failed for '166.137.138.23:31971' - Device does not match ACL
[2011-08-30 21:42:36] NOTICE[6075] chan_sip.c: Registration from '"Jim" <sip:[email protected]:5060>' failed for '166.137.138.23:31971' - Device does not match ACL
[2011-08-30 21:42:38] NOTICE[6075] chan_sip.c: Registration from '"Jim" <sip:[email protected]:5060>' failed for '166.137.138.23:31971' - Device does not match ACL

In my /etc/asterisk/701.inc file I have:

root@pbx:/etc/asterisk $ less 701.inc
;placeholder for future expansion PIAF Dev Team
[701](+)
permit=166.137.138.23/255.255.255.255

In my sip_custom_post.conf file I have:

root@pbx:/etc/asterisk $ less sip_custom_post.conf
;placeholder for future expansion PIAF Dev Team
#include 501.inc
#include 701.inc
#include 702.inc
#include 703.inc
#include 704.inc
#include 705.inc
#include 706.inc
#include 707.inc
#include 708.inc
#include 709.inc
#include 710.inc
#include 711.inc
#include 712.inc
#include 713.inc
#include 714.inc
#include 715.inc

#include 501.inc
#include 701.inc
#include 702.inc
#include 703.inc
#include 704.inc
#include 705.inc
#include 706.inc
#include 707.inc
#include 708.inc
#include 709.inc
#include 710.inc
#include 711.inc
#include 712.inc
#include 713.inc
#include 714.inc
#include 715.inc

It appears that everything is setup correctly and I even attempted to disable iptables and fail2ban to see if that would help but no go.

In doing an iptables -L -n it shows my remote IP as being whitelisted:

root@pbx:/etc/asterisk $ iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-VSFTPD tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
fail2ban-APACHE tcp -- 0.0.0.0/0 0.0.0.0/0
fail2ban-ASTERISK all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
fail2ban-VSFTPD tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
fail2ban-BadBots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-APACHE tcp -- 0.0.0.0/0 0.0.0.0/0
fail2ban-ASTERISK all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x10/0x10
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 12
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:83
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:83
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:83
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9001
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9080
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4445
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5038
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:69
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9022
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5222
ACCEPT udp -- 64.27.1.153 0.0.0.0/0 udp dpt:4569
ACCEPT udp -- 66.54.140.46 0.0.0.0/0 udp dpt:4569
ACCEPT udp -- 66.54.140.47 0.0.0.0/0 udp dpt:4569
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:88
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060
WHITELIST udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 4569,5000:5082
ACCEPT all -- 74.67.110.132 0.0.0.0/0
ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
ACCEPT all -- 172.16.0.0/12 0.0.0.0/0
ACCEPT all -- 10.0.0.0/8 0.0.0.0/0
ACCEPT all -- 127.0.0.0/8 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain WHITELIST (1 references)
target prot opt source destination
ACCEPT all -- 64.2.142.26 0.0.0.0/0
ACCEPT all -- 64.2.142.215 0.0.0.0/0
ACCEPT all -- 204.155.28.10 0.0.0.0/0
ACCEPT all -- 166.137.138.23 0.0.0.0/0

Chain fail2ban-APACHE (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-ASTERISK (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-VSFTPD (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Would anyone know what would cause travelman not to work? Did I overlook something?

Please let me know.

Thanks
Jim

 

[vorshr]

Also, in /var/www/travelman/xxxxx (x for security) my config is set to allow extension 701 and when I visit the travelman URL it tells me ext 701 is enabled.

Thanks!

 

[wardmundy]

failed for '166.137.138.23:31971'

That error suggests that your router isn't opening ports to allow the returning UDP connection from your calls. You should consider another router. dLink routers do it properly. The other option is to map UDP:10000-60000 in your router to the IP of your server.

Only if that doesn't fix it, try adjusting:
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
to:
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:60000
in /etc/sysconfig/iptables and then service iptables restart

Please post your results. Good luck!

 

[vorshr]

Hi Ward, thanks for the reply. The strange thing about this is I had this working on a previous install and then got a new box and since then it isnt working. I took your suggestion and added UDP 10000:60000 in my router, that didnt work. So I adjusted iptables per your suggestion and still no go. In tailing my logs I see this when I access travelman from my browser on my iphone:

[2011-08-31 10:07:46] VERBOSE[6075] chan_sip.c: Reloading SIP
[2011-08-31 10:07:46] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip.conf': [2011-08-31 10:07:46] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:46] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip_general_additional.conf': [2011-08-31 10:07:46] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:46] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip_general_custom.conf': [2011-08-31 10:07:46] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:46] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip_nat.conf': [2011-08-31 10:07:46] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:46] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip_registrations_custom.conf': [2011-08-31 10:07:46] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:46] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip_registrations.conf': [2011-08-31 10:07:46] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:46] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip_custom.conf': [2011-08-31 10:07:46] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:46] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip_additional.conf': [2011-08-31 10:07:46] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:46] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip_custom_post.conf': [2011-08-31 10:07:46] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:46] ERROR[6075] config.c: The file '501.inc' was listed as a #include but it does not exist.
[2011-08-31 10:07:46] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/users.conf': [2011-08-31 10:07:46] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:46] VERBOSE[6075] netsock2.c: == Using SIP TOS bits 96
[2011-08-31 10:07:46] VERBOSE[6075] netsock2.c: == Using SIP CoS mark 4
[2011-08-31 10:07:47] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip_notify.conf': [2011-08-31 10:07:47] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:47] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip_notify_custom.conf': [2011-08-31 10:07:47] VERBOSE[6075] config.c: == Found
[2011-08-31 10:07:47] VERBOSE[6075] config.c: == Parsing '/etc/asterisk/sip_notify_additional.conf': [2011-08-31 10:07:47] VERBOSE[6075] config.c: == Found
[2011-08-31 10:08:16] NOTICE[6075] chan_sip.c: Registration from '"Jim" <sip:[email protected]:5060>' failed for '166.137.137.50:13483' - Device does not match ACL

 

[edisoninfo]

[2011-08-31 10:07:46] ERROR[6075] config.c: The file '501.inc' was listed as a #include but it does not exist.

Something is wrong in your config. It is not finding the file...

 

[vorshr]

Strange thing is, I do not use 501, only 701 right now. I don't think this error is relevant to my issue though. Makes no sense everything appears to be working right. Don't think it's my router either as my asterisk/full log probably wouldnt even show that if my router were blocking something, correct?

Jim

 

[wardmundy]

Let's forget about 501 for the time being.

Try this...

I have this error initially with Asterisk server when I try to register.

"Device does not match ACL "

got it resolved by setting Caller ID Name : " username exten "

 

[vorshr]

Can I ask where I set this? In my sip phone software (media-5 phone) or in Free Pbx? Also wheny ou say

" username exten "

Would that be 701 or enter what is in the quotes?

Thanks
Jim

 

[vorshr]

I figured it out. In my sip software I entered my name for display name. Once I changed that to 701 I was able to log in.

Thanks for your help. Now I will deal with my voicemail issue...

Jim