Solved

Multiple SIP handsets on a LAN connecting to Asterisk Server

Posted on 2011-03-23
Last Modified: 2012-05-11
We have 5 x SNOM 300 Handsets connected on a LAN to a hosted Asterisk FreePBX and are having problems getting any of them to register with the Asterisk box.

I had assumed that this was because they were all using port 5060, so I set a forward up for port 5061 on the gateway and changed one of the handsets to use port 5061 to test it but this still didn't connect. There is no firewall enabled.

In the trace on the phone it suggests it is also using port 52306 in the negotiating which I guess will not work as there is no port forwarding for this port, and not sure there should be?

Do we need to use individual ports and port forwarding? The stun server settings seem to be working as the IP address each phone is sending is the correct one.

Question by:andrew_2706
16 Comments
 
LVL 32

Expert Comment

by:DrDamnit
ID: 35197590
Your first step is not to change ports, it is actually to look at the CLI, and see if registrations are being attempted.

Have you logged into the CLI for the FreePBX box and looked at that?
0
 

Author Comment

by:andrew_2706
ID: 35198017
Sorry but I don't know how to perform a sip trace on the FreePBX in order to see if a registration attempt is being made.
0
 
LVL 16

Expert Comment

by:memo_tnt
ID: 35198051
The CLI command is
sip show peers

If nat=yes, change it to no,
then try.

0
 
LVL 11

Expert Comment

by:jfaubiontx
ID: 35198105
You said the Asterisk server is hosted. Is it behind a firewall and not seeing the registrations? At the site all phones using port 5060 is the intended config. They request their registration by sending the packet to the server on port 5060. The router at the site will assign a return port (in the case you show it is port 52306) which the router uses to know which phone to send the return packet to. Do you have command line access to the Asterisk server? If not, do you have the rights to install the Asterisk CLI module for FreePBX? Let me know which and I'll send the instructions to watch the registration attempt on Asterisk.
0
 

Author Comment

by:andrew_2706
ID: 35198188
Sorry, probably should have said, phones did work at another location without any changes to firewall, now change of location and a different firewall and they don't work. They will make outgoing calls but not inbound and don't show as registered on pbx, there is no firewall on pbx.
I can see a tab on the pbx for Asterisk CLI.
0
 
LVL 11

Expert Comment

by:jfaubiontx
ID: 35198235
Does the extension have a permit entry that is only allowing the previous address?
0
 

Author Comment

by:andrew_2706
ID: 35198322
Sorry not sure what you mean
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 35198499
First look into the NAT checkbox in FreePBX for the extension. If Checked, uncheck. If unchecked, check.

If that doesn't do it, bottom line, we need CLI access to figure out what's going on.

If you have root access to the box, then please use the following procedure to create a log file of the Asterisk CLI:

1. Open the CLI using this:

       asterisk -rvvvvvv | tee /var/log/asterisk.log

This puts a debug log into the file /var/log/asterisk.log

2. Reproduce the problem.
3. Make calls
4. Exit the CLI after you get the error.
5. Post the log here (as "code" or as an attachment).

If not, please install the CLI module as stated by jfaubiontx.
0
 

Author Comment

by:andrew_2706
ID: 35198792
CLI module is installed, anyone know the commands please?
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 35198936
SIP SHOW PEERS would be the first one to check.

Other than that, please see if you can throw the CLI output to a log, and reproduce the problem so you can post it here for us to look at.
0
 
LVL 11

Expert Comment

by:jfaubiontx
ID: 35199276
Let me back up a bit here. To clarify, you have a hosted Asterisk/FreePBX server that has a static public IP address without a NAT router. The phones were working at a previous remote site. You have moved the phones to a new site where they no longer register with the Asterisk/FreePBX server. You also mentioned that a STUN server was being used. To be clear we are assuming the IP address for the Asterisk/FreePBX server has not changed, the STUN server has not changed, and that the IP address of the router at the remote location has changed. If any of this is not correct, please let me know. To further clarify, a STUN server is used by the remote phone to identify its public IP address for connecting to the Asterisk/FreePBX server. These are used to help with traversing a NAT router. We find these are often unnecessary when dealing with Asterisk unless both are behind a NAT firewall.

In the snom phone, you should set the account to the extension number being assigned to the phone, next put the public IP address of the Asterisk/FreePBX server in the registrar field on the snom. The port should remain at 5060 unless the Asterisk/FreePBX has been changed to use a different port. Enter the password for the account. The phone should then register to the Asterisk/FreePBX server. If not, I would go to FreePBX->Extensions and then to the extension you're working with. Make sure the Deny field is set to 0.0.0.0/0.0.0.0 and the permit field is set to 0.0.0.0/0.0.0.0. At least initially. Once registered you could configure the permit field for the remote router address (if static) or the range of IP addresses the router could get (if dynamically allocated) and this would help to further secure the Asterisk/FreePBX system but that's another issue. Since the Asterisk/FreePBX is not behind a firewall, changing the NAT setting won't make a lot of difference and really won't affect registration as much as it would the RTP or audio path.

Since you're using a hosted Asterisk/FreePBX, you may not have access to the command line of the server. If not, go to the FreePBX->Tools->Asterisk CLI. In the command box enter "sip show peers" without the quotes. See if the extension you're working with has an IP address listed in the list and, if so, is it the IP address on the remote router? Unfortunately the Asterisk CLI module will not allow you to enable and watch a SIP debug. So you will either need to get access to the command line or enlist the help of the hosted provider to have them debug the connection. If you do get access to the command line, enter "asterisk -vvvr" (that is three lower case V). Once in, enter "sip set debug ip <ip_addr>" where <ip_addr> is the WAN IP address of the remote router. Look for the SIP 2.0 messages. If you're not seeing any messages at all, then you could have a routing or firewall issue such that the packets are not getting to the server or the wrong IP addresses entered. If you're getting SIP 2.0/401 Unauthorized messages, check to make sure your secrets match. If you have SIP 2.0/404 then make sure you have the right account or extension entered in the snom. If you're getting something else, capture it and paste it here for further review.
0
 

Author Comment

by:andrew_2706
ID: 35205267
Thanks for that it's got me confused, but in a good way!

I've run sip set debug and although I don't see a lot of registration attempts, when I do it's showing as 401 Unauthorized. And that's why I'm confused as the authorization name and password have not changed on the handsets, I've even tried to re-enter the password but registration still fails!!
0
 

Accepted Solution

by:
andrew_2706 earned 0 total points
ID: 35205823
Problem solved, it was SIP ALG turned on in the firewall, which could only be seen and changed using telnet.
0
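
Added example (not part of the thread and not written by any poster): one way to check for the SIP ALG interference named in the accepted solution is to compare a REGISTER as captured in the phone's own trace with the same REGISTER as shown by "sip set debug" on the server. It assumes no SIP proxy sits between phone and server, so any header difference points to a SIP-aware device in the path; the addresses, extension 201 and function names are constructed for illustration.

```python
import re

# Compact header forms from RFC 3261, mapped to their long names.
COMPACT = {"v": "via", "m": "contact", "i": "call-id", "f": "from", "t": "to"}

def parse_sip(raw):
    """Return (start_line, {header_name: [values]}) for one SIP message."""
    head = raw.strip().replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continuation lines
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, []).append(value.strip())
    return lines[0].strip(), headers

def rewritten_in_transit(sent_raw, received_raw):
    """List (header, sent, received) for everything that differs between the
    message the phone sent and the one the server logged."""
    sent_start, sent = parse_sip(sent_raw)
    recv_start, recv = parse_sip(received_raw)
    changes = []
    if sent_start != recv_start:
        changes.append(("start-line", [sent_start], [recv_start]))
    for name in sorted(set(sent) | set(recv)):
        if sent.get(name) != recv.get(name):
            changes.append((name, sent.get(name), recv.get(name)))
    return changes

# Constructed sample (documentation addresses, hypothetical extension 201).
TEMPLATE = """REGISTER sip:198.51.100.5 SIP/2.0
Via: SIP/2.0/UDP {addr};branch=z9hG4bK-constructed;rport
From: <sip:201@198.51.100.5>;tag=constructed
To: <sip:201@198.51.100.5>
Call-ID: constructed-call-id
CSeq: 1 REGISTER
Contact: <sip:201@{addr}>
Content-Length: 0
"""
PHONE_TRACE = TEMPLATE.format(addr="203.0.113.10:52306")  # as sent by the phone
SERVER_DEBUG = TEMPLATE.format(addr="203.0.113.10:1024")  # as logged on the PBX

if __name__ == "__main__":
    for header, sent, received in rewritten_in_transit(PHONE_TRACE, SERVER_DEBUG):
        print(f"{header}: sent {sent} -> received {received}")
```

A plain NAT router only changes the IP and UDP headers of the packet, so an empty result is what you expect when no ALG is active.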
 
LVL 11

Expert Comment

by:jfaubiontx
ID: 35208361
Thanks for sending us on a wild goose chase. You told us there was no firewall enabled and now you claim the fix was in the firewall and that we wasted our time to attempt to answer your question. I am so frustrated by people that don't provide the correct information and then with our help find the answer "on their own" and want their points refunded. Sorry for the rant but if I'm not getting anything else for my efforts, you can at least hear my side of it.
0
 

Author Closing Comment

by:andrew_2706
ID: 35239061
Problem found to be firewall at new site
0
