Multiple SIP handsets on a LAN connecting to Asterisk Server

We have 5 x SNOM 300 Handsets connected on a LAN to a hosted Asterisk FreePBX and are having problems getting any of them to register with the Asterisk box.

I had assumed that this was because they were all using port 5060, so I set a forward up for port 5061 on the gateway and changed one of the handsets to use port 5061 to test it, but this still didn't connect. There is no firewall enabled.

In the trace on the phone it suggests it is also using port 52306 in the negotiating which I guess will not work as there is no port forwarding for this port, and not sure there should be?

Do we need to use individual ports and port forwarding? The stun server settings seem to be working as the IP address each phone is sending is the correct one.

andrew_2706 Asked:
 
andrew_2706 Author Commented:
Problem solved, it was SIP ALG turned on in the firewall, which could only be seen and changed using telnet.
0
 
DrDamnit Commented:
Your first step is not to change ports, it is actually to look at the CLI, and see if registrations are being attempted.

Have you logged into the CLI for the FreePBX box and looked at that?
0
 
andrew_2706 Author Commented:
Sorry, but I don't know how to perform a SIP trace on the FreePBX in order to see if a registration attempt is being made.
0

 
memo_tnt Commented:
CLI is
sip show peers

If nat=yes, change it to no,
then try.

0
 
jfaubiontx Commented:
You said the Asterisk server is hosted. Is it behind a firewall and not seeing the registrations? At the site all phones using port 5060 is the intended config. They request their registration by sending the packet to the server on port 5060. The router at the site will assign a return port (in the case you show it is port 52306) which the router uses to know which phone to send the return packet to. Do you have command line access to the Asterisk server? If not, do you have the rights to install the Asterisk CLI module for FreePBX? Let me know which and I'll send the instructions to watch the registration attempt on Asterisk.
0
 
andrew_2706 Author Commented:
Sorry, probably should have said, phones did work at another location without any changes to firewall; now change of location and a different firewall and they don't work. They will make outgoing calls but not inbound and don't show as registered on PBX; there is no firewall on PBX.
I can see a tab on the PBX for Asterisk CLI.
0
 
jfaubiontx Commented:
Does the extension have a permit entry that is only allowing the previous address?
0
 
andrew_2706 Author Commented:
Sorry, not sure what you mean.
0
 
DrDamnit Commented:
First look into the NAT checkbox in FreePBX for the extension. If Checked, uncheck. If unchecked, check.

If that doesn't do it, bottom line, we need CLI access to figure out what's going on.

If you have root access to the box, then please use the following procedure to create a log file of the Asterisk CLI:

1. Open the CLI using this:

       asterisk -rvvvvvv | tee /var/log/asterisk.log

This puts a debug log into the file /var/log/asterisk.log

2. Reproduce the problem.
3. Make calls
4. Exit the CLI after you get the error.
5. Post the log here (as "code" or as an attachment).

If not, please install the CLI module as stated by jfaubiontx.
0
 
andrew_2706 Author Commented:
CLI module is installed, anyone know the commands please?
0
 
DrDamnit Commented:
SIP SHOW PEERS would be the first one to check.

Other than that, please see if you can throw the CLI output to a log, and reproduce the problem so you can post it here for us to look at.
0
 
jfaubiontx Commented:
Let me back up a bit here. To clarify, you have a hosted Asterisk/FreePBX server that has a static public IP address without a NAT router. The phones were working at a previous remote site. You have moved the phones to a new site where they no longer register with the Asterisk/FreePBX server. You also mentioned that a STUN server was being used. To be clear we are assuming the IP address for the Asterisk/FreePBX server has not changed, the STUN server has not changed, and that the IP address of the router at the remote location has changed. If any of this is not correct, please let me know. To further clarify, a STUN server is used by the remote phone to identify its public IP address for connecting to the Asterisk/FreePBX server. These are used to help with traversing a NAT router. We find these are often unnecessary when dealing with Asterisk unless both are behind a NAT firewall.

In the snom phone, you should set the account to the extension number being assigned to the phone, next put the public IP address of the Asterisk/FreePBX server in the registrar field on the snom. The port should remain at 5060 unless the Asterisk/FreePBX has been changed to use a different port. Enter the password for the account. The phone should then register to the Asterisk/FreePBX server. If not, I would go to FreePBX->Extensions and then to the extension you're working with. Make sure the Deny field is set to 0.0.0.0/0.0.0.0 and the permit field is set to 0.0.0.0/0.0.0.0. At least initially. Once registered you could configure the permit field for the remote router address (if static) or the range of IP addresses the router could get (if dynamically allocated) and this would help to further secure the Asterisk/FreePBX system but that's another issue. Since the Asterisk/FreePBX is not behind a firewall, changing the NAT setting won't make a lot of difference and really won't affect registration as much as it would the RTP or audio path.

Since you're using a hosted Asterisk/FreePBX, you may not have access to the command line of the server. If not, go to the FreePBX->Tools->Asterisk CLI. In the command box enter "sip show peers" without the quotes. See if, in the list, the extension you're working with has an IP address listed and if so is it the IP address on the remote router? Unfortunately the Asterisk CLI module will not allow you to enable and watch a SIP debug. So you will either need to get access to the command line or enlist the help of the hosted provider to have them debug the connection. If you do get access to the command line, enter "asterisk -vvvr" (that is three lower case V). Once in enter "sip set debug ip <ip_addr>" where <ip_addr> is the WAN IP address of the remote router. Look for the SIP 2.0 messages. If you're not seeing any messages at all, then you could have a routing or firewall issue such that the packets are not getting to the server or the wrong IP addresses entered. If you're getting SIP 2.0/401 Unauthorized messages check to make sure your secrets match. If you have SIP 2.0/404 then make sure you have the right account or extension entered in the snom. If you're getting something else capture it and paste it here for further review.
0
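The triage at the end of the answer above (no messages, 401, 404), written as an added example that is not part of the original thread: it reads a saved `sip set debug` capture and returns one verdict. It goes beyond the answer in one respect: a first 401 is the registrar's normal digest challenge, so the script separates a phone that retried with credentials and was still refused from one that never retried. The banner format, the verdict names, the sample capture and its addresses are constructed assumptions.

```python
import re

# Banner lines such as "<--- SIP read from UDP:203.0.113.10:52306 --->" separate
# messages in chan_sip debug output (assumed format; adjust for your capture).
BANNER = re.compile(r"^<-+ .* -+>\s*$", re.M)
STATUS = re.compile(r"^SIP/2\.0 (\d{3})\b")

def register_messages(capture):
    """Yield (start_line, headers) for every message whose CSeq method is REGISTER."""
    for block in BANNER.split(capture):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        if headers.get("cseq", "").upper().endswith("REGISTER"):
            yield lines[0], headers

def triage(capture):
    """Map a capture to one verdict, following the checks in the answer above."""
    requests = with_credentials = 0
    codes = []
    for start, headers in register_messages(capture):
        status = STATUS.match(start)
        if status:
            codes.append(int(status.group(1)))
        elif start.startswith("REGISTER "):
            requests += 1
            with_credentials += "authorization" in headers
    if requests == 0:
        return "no-register-seen"      # routing/firewall issue or wrong IP
    if 200 in codes:
        return "registered"            # a 401 before the 200 is the normal challenge
    if 404 in codes:
        return "check-account"         # wrong account/extension on the phone
    if 401 in codes and with_credentials:
        return "check-secret"          # phone answered the challenge, still refused
    if 401 in codes:
        return "challenge-unanswered"  # phone never retried with credentials
    return "other"

# Constructed sample: two REGISTERs without credentials, each answered with 401.
SAMPLE = "".join(
    f"<--- SIP read from UDP:203.0.113.10:52306 --->\n"
    f"REGISTER sip:198.51.100.5 SIP/2.0\nTo: <sip:101@198.51.100.5>\nCSeq: {n} REGISTER\n"
    f"<--- Transmitting (NAT) to 203.0.113.10:52306 --->\n"
    f"SIP/2.0 401 Unauthorized\nCSeq: {n} REGISTER\nWWW-Authenticate: Digest realm=asterisk\n"
    for n in (1, 2)
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "challenge-unanswered" verdict points away from the password and toward the path between the PBX and the phone, since the phone is not responding to the 401 it was sent.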
 
andrew_2706 Author Commented:
Thanks for that, it's got me confused, but in a good way!

I've run sip set debug and although I don't see a lot of registration attempts, when I do it's showing as 401 Unauthorized. And that's why I'm confused, as the authorization name and password have not changed on the handsets. I've even tried to re-enter the password but registration still fails!!
0
 
jfaubiontx Commented:
Thanks for sending us on a wild goose chase. You told us there was no firewall enabled and now you claim the fix was in the firewall and that we wasted our time to attempt to answer your question. I am so frustrated by people that don't provide the correct information and then with our help find the answer "on their own" and want their points refunded. Sorry for the rant but if I'm not getting anything else for my efforts, you can at least hear my side of it.
0
 
andrew_2706 Author Commented:
Problem found to be firewall at new site
0
Question has a verified solution.