Remote SIP phone through Zentyal to internal Asterisk server

[mdodds]

Hi all,

I am running Zentyal 2.2 as a gateway, static external IP, internal network 192.168.4.0/24.  I have an internal Asterisk/FreePBX server on 192.168.4.10. I have ports 5060-5070 UDP port forwarded to the asterisk box, as well as ports 10000-20000 UDP for RTP traffic.
I am trying to get a remote SIP phone to work. It will register on the server, but if I try to make a call it will dial the number, (using DAHDI with a Sangoma analog card) then almost immediately the asterisk server will hang up. The asterisk CLI shows the following:

 WARNING[3145]: chan_sip.c:3785 retrans_pkt: Maximum retries exceeded on transmission 3760a160ac793728@192.168.30.104 for seqno 2504 (Critical Response) -- See doc/sip-retransmit.txt.

 WARNING[3145]: chan_sip.c:3812 retrans_pkt: Hanging up call 3760a160ac793728@192.168.30.104 - no reply to our critical packet (see doc/sip-retransmit.txt).


Note that the IP address in the error message, 192.168.30.104 is the IP of the SIP phone on my remote LAN.

I have another remote extension on the same LAN pointed to an asterisk server at a different location that works fine, the only difference is that the other asterisk server is behind a ClearOS gateway.

Also, I tried a softphone on a Windows box with an OpenVPN connection to the Zentyal box  and it works fine, so I'm pretty sure it's a NAT issue (probably a newbie Zentyal issue!)

Does anyone have any ideas?

Thanks,
Mike

[half_life]

Set to NAT = Yes in extension configuration.  Does the phone support STUN?

[mdodds]

Yep, the extension is set to nat=yes as well as qualify=yes.  Also, I just discovered I have a SIP outbound trunk on the same server that has no outbound audio. I tried listing a stun server on the extension, but no difference.
I think I must be missing a setting somewhere, since I am familiar with Clarkconnect/ClearOS, but a rank newbie on Zentyal.
This has to be a NAT issue, but I don't know what else to try



Mike

[half_life]

This is what my port redirection looks like at home.  It works this way for me.

eth1   Zentyal   5060             TCP/UDP   4.79.19.0/24   192.168.0.1   Same   
--    
eth1   Zentyal   10000:20000   UDP   4.79.19.0/24   192.168.0.1   Same   
--    
Under services this is what VOIP looks like:

UDP   any   5060    
UDP   any   10000:20000    
UDP   any   5036    
UDP   any   4569    

This is in external networks to zentyal.  I could have picked VOIP instead of any but felt that specifying an IP address was sufficient.
yes   4.79.19.60/32   any   --    

That all being said,  it is not what your problem is. This error says it all.

 WARNING[3145]: chan_sip.c:3812 retrans_pkt: Hanging up call 3760a160ac793728@192.168.30.104 - no reply to our critical packet (see doc/sip-retransmit.txt).     

192.168.30.104 is not a routable IP address.  Unless it is somewhere on your local lan,  asterisk is never going to attach to this IP address.  The packet should be directed to the public IP address of the router/computer etc that is the gateway to that phone.  STUN is the normal route.  What is the result of :

sip show peers

from the asterisk console?

[mdodds]

Thanks for the help!  As I mentioned earlier, the 192.168.30.104 is the internal address of the extension on MY LAN.

I have a different remote extension coming from my LAN to another remote asterisk box, and when I check over there, that remote extension shows my outside IP, which is correct.

Sip show peers on the asterisk box behind Zentyal shows the IP of the extension as being the Zentyal internal IP, rather than my outside IP:
740/740                    192.168.4.1      D   N   A  5060     OK (56 ms)

Apparently asterisk is not seeing that remote extension as originating from my outside IP.

The only difference I know of between the two is that the asterisk box that shows the remote extension properly (with my external IP) is behind a ClearOS firewall, while the one that shows the extension as coming from the internal firewall IP is behind Zentyal. 

Is port forwarding all I need to set up or do I need an entry in the external networks to Zentyal or external networks to internal networks?  I was under the impression that the external networks to Zentyal was for opening the firewall to services running directly on the Zentyal box? Are you running Asterisk on Zentyal or behind it on another box?

Mike

[half_life]

Thanks for the help!  As I mentioned earlier, the 192.168.30.104 is the internal address of the extension on MY LAN.

I have a different remote extension coming from my LAN to another remote asterisk box, and when I check over there, that remote extension shows my outside IP, which is correct.

Sip show peers on the asterisk box behind Zentyal shows the IP of the extension as being the Zentyal internal IP, rather than my outside IP:
740/740                    192.168.4.1      D   N   A  5060     OK (56 ms)

Apparently asterisk is not seeing that remote extension as originating from my outside IP.

The only difference I know of between the two is that the asterisk box that shows the remote extension properly (with my external IP) is behind a ClearOS firewall, while the one that shows the extension as coming from the internal firewall IP is behind Zentyal. 

Is port forwarding all I need to set up or do I need an entry in the external networks to Zentyal or external networks to internal networks?  I was under the impression that the external networks to Zentyal was for opening the firewall to services running directly on the Zentyal box? Are you running Asterisk on Zentyal or behind it on another box?

Mike

If all points (extension and asterisk server) are all on the same network.  Ie no need to travel the internet to get from point to point,  set NAT= no  and turn off stun.  This is a straight routing issue.   Also to help identify if it is the firewall getting in your way,  turn off firewall temporarily to check.

[mdodds]

Here is the setup:

extension on my lan-->My ClearOS firewall-->Internet-->remote customer Zentyal-->Asterisk server   
This isn't working

Other extension on my lan-->My ClearOS firewall-->Internet-->remote customer ClearOS-->Asterisk server 
This works

On the ClearOS to ClearOS setup, my extension is NAT'ed to show my external IP at the remote end, but for some reason the ClearOS to Zentyal setup is apparently still showing my local LAN address rather than the external IP, so it has no way to route back.
I'm thinking either I have Zentyal configured wrong (most likely) or there is a glitch somewhere.

[half_life]

NAT =  Yes  Qualify = yes   canreinvite = no.  Firewall settings as before and port forwarding as before.  On the Remote side what are the trunk settings?  To answer one of your earlier questions.  At home it is behind a Zentyal server.  At work it is on a public IP.  I am currently using Elastix but cut my teeth on plain vanilla asterisk 1.2 through 1.4.

[mdodds]

Ahhhh.....OK, I wish either the extension or the pbx was on a public IP   In my case both of them are behind a NAT firewall.
On the remote asterisk server, it either dials out through a POTS line or a SIP trunk. The SIP trunk has one way audio, just changed a few settings to see if that clears up.

I would go back to a ClearOS to ClearOS setup since I know that works with SIP, but in this case the customer required an IPSec connection to a Cisco firewall (ugh) and Zentyal handled that just fine and ClearOS didn't. 

So I am going to have to continue beating on Zentyal to get the remote SIP working.....I see lots of grep and wireshark in my future.
The pbx is a plain vanilla Debian with Asterisk and FreePBX......and I also remember hand coding dial plans in the bad old days

[half_life]

How is this working out for  you?  I still hand code some things (freepbx doesn't make everything easy). 

[oseocreativo]

Having the same problem with zentyal 2.2 with an internal asterisk server all configurations for packet filter and port forward are re-cheked and all seems ok but on the asterisk box i can see that the ip address for the remote extensions appear to have the same ip as the zentyal box it appears that the Replace source address option doesnt work same result if checked or unchecked  it always gives zentyals ip address as the external address.

[free]

Hello, I guess your problems stem from the type of NAT.
I want to ask Zentyal supports Full Cone NAT, or not?
I had problems with SIP on another distribution, and the decision proved to be Full Cone NAT.
Thanks in advance.

[mdodds]

It's been awhile since I have worked on this problem, but now I really need to make it work. Is there anyone who is using the same setup (remote extension behind ClearOS firewall or similar, asterisk server behind Zentyal firewall) and has gotten it working?
The more I work on it, the more confused I get   I think I'm just getting mixed up with the terms that Zentyal uses.
The Zentyal "services" concept has me confused.  Do I create a SIP service with 5060-5080 and 10000-20000 UDP and then set that up in the External networks to internal networks section under packet filtering, or do I port forward those ports to the Asterisk server under the port forward section, or do I do both?
I have tried various combinations of these and still nothing seems to work; the phone registers and will make calls through the server (using dahdi and a Sangoma card), but no audio either way.

Thanks in advance to anyone that can help!

Mike