QUESTION Inbound from VoIP.ms DID causes extension to fail SRTP, hangup; works fine with other calls/trunks

[jackal]

I'm running Asterisk 11.18 from Incredible PBX 11-12.

After tons of Googling, reviewing these and other boards, and creating and installing and provisioning self-signed certificates and things, I think I've gotten TLS and SRTP all set up and working, now--it works flawlessly on my Groundwire softphone on iOS, and test calls between Groundwire and my Yealink W52P function fine and show the security indicators, and SIP debugs confirm that it's riding over TLS.

But then, I tried testing a call to a VoIP.ms DID whose destination is the Yealink. The calling side heard ringback tones, and as soon as I answered the extension, I heard a very loud, brief white-noise-ish sound on the extension, and the call hung up. On the other end, the calling side was then directed to voicemail.

A review of the logs indicated this key line:

[2015-09-25 18:26:49] WARNING[2815][C-00000007]: chan_sip.c:10389 process_sdp: Rejecting secure audio stream without encryption details: audio 11872 RTP/SAVP 0 101

Lots of Googling ensued, and I even encountered this:

http://tech.iprock.com/?p=10673
https://issues.asterisk.org/jira/browse/ASTERISK-17899

So I added ignorecryptolifetime=yes to sip_custom_post.conf and reloaded (and webgui reloaded and amportal restarted) to no effect.

The very weird thing is that this only happens on external inbound calls from VoIP.ms trunks. Calls from other extensions are fine, as are calls from other trunks like Flowroute and Google Voice. Also, if I redirect that VoIP.ms trunk to my Groundwire on iOS extension, it works fine. It's only the interplay between the VoIP.ms trunk and the Yealink extension that seems to be having issues.

Maybe there is some context weirdness that is treating VoIP.ms differently--other than a few tweaks, my install is almost entirely stock Incredible PBX 11-12, and I haven't made any other real substantive changes that would affect this (AFAIK)--but I'm at the end of my knowledge and Googling abilities here.

A full glance at the SIP debugs doesn't seem to indicate anything of special note, but I'll include them here for good measure:

-- Executing [s@macro-dial-one:38] GotoIf("SIP/voipms-0000000c", "1?godial") in new stack
    -- Goto (macro-dial-one,s,43)
    -- Executing [s@macro-dial-one:43] Macro("SIP/voipms-0000000c", "dialout-one-predial-hook,") in new stack
    -- Executing [s@macro-dialout-one-predial-hook:1] MacroExit("SIP/voipms-0000000c", "") in new stack
    -- Executing [s@macro-dial-one:44] Dial("SIP/voipms-0000000c", "SIP/2111,15,Ttr") in new stack
  == Using SIP VIDEO TOS bits 136
  == Using SIP VIDEO CoS mark 6
  == Using SIP RTP TOS bits 184
  == Using SIP RTP CoS mark 5
Audio is at 12836
Adding codec 100003 (ulaw) to SDP
Adding codec 100008 (g729) to SDP
Adding non-codec 0x1 (telephone-event) to SDP
Reliably Transmitting (NAT) to [endpoint]:59541:
INVITE sip:[ext]@[endpoint]:59541;transport=TLS SIP/2.0
Via: SIP/2.0/TLS [pbx]:5061;branch=xxx;rport
Max-Forwards: 70
From: "[NAME]" <sip:[cid]@[pbx]>;tag=xxx
To: <sip:[ext]@[endpoint]:59541;transport=TLS>
Contact: <sip:[cid]@[pbx]:5061;transport=TLS>
Call-ID: xxx@[pbx]:5061
CSeq: 102 INVITE
User-Agent: FPBX-12.0.70(11.18.0)
Date: Fri, 25 Sep 2015 22:26:41 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 368
 
v=0
o=root xxx xxxIN IP4 208.100.39.55
s=Asterisk PBX 11.18.0
c=IN IP4 208.100.39.55
t=0 0
m=audio 10204 RTP/SAVP 0 18 101
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:[some string]
 
---
    -- Called SIP/[ext]
 
<--- SIP read from TLS:[endpoint]:59541 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS [pbx]:5061;branch=xxx;rport
From: "[NAME]" <sip:[cid]@[pbx]>;tag=xxx
To: <sip:[ext]@[endpoint]:59541;transport=TLS>
Call-ID: xxx@[pbx]:5061
CSeq: 102 INVITE
User-Agent: Yealink SIP-W52P 25.73.0.40
Content-Length: 0
 
<------------->
--- (8 headers 0 lines) ---
 
<--- SIP read from TLS:[endpoint]:59541 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS [pbx]:5061;branch=xxx;rport
From: "[NAME]" <sip:[cid]@[pbx]>;tag=xxx
To: <sip:[ext]@[endpoint]:59541;transport=TLS>;tag=xxx
Call-ID: xxx@[pbx]:5061
CSeq: 102 INVITE
Contact: <sip:[ext]@[endpoint]:59541;transport=TLS>
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
User-Agent: Yealink SIP-W52P 25.73.0.40
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0
 
<------------->
--- (11 headers 0 lines) ---
list_route: hop: <sip:[ext]@[endpoint]:59541;transport=TLS>
    -- SIP/2111-0000000d is ringing
 
<--- SIP read from TLS:[endpoint]:59541 --->
 
 
<------------->
 
<--- SIP read from TLS:[endpoint]:59541 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS [pbx]:5061;branch=xxx;rport
From: "[NAME]" <sip:[cid]@[pbx]>;tag=as1549ec6d
To: <sip:[ext]@[endpoint]:59541;transport=TLS>;tag=xxx
Call-ID: xxx@[pbx]:5061
CSeq: 102 INVITE
Contact: <sip:[ext]@[pbx]:59541;transport=TLS>
Content-Type: application/sdp
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
User-Agent: Yealink SIP-W52P 25.73.0.40
Content-Length: 298
 
v=0
o=- 20043 20043 IN IP4 [endpoint]
s=SDP data
c=IN IP4 [endpoint]
t=0 0
m=audio 11872 RTP/SAVP 0 101
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:[longstring]
a=sendrecv
a=ptime:20
a=fmtp:101 0-15
a=rtpmap:101 telephone-event/8000
<------------->
--- (11 headers 12 lines) ---
Found RTP audio format 0
Found RTP audio format 101
Found audio description format PCMU for ID 0
Found audio description format telephone-event for ID 101
[2015-09-25 18:26:49] WARNING[2815][C-00000007]: chan_sip.c:10389 process_sdp: Rejecting secure audio stream without encryption details: audio 11872 RTP/SAVP 0 101
list_route: hop: <sip:[ext]@[endpoint]:59541;transport=TLS>
set_destination: Parsing <sip:[ext]@[endpoint]:59541;transport=TLS> for address/port to send to
set_destination: set destination to [endpoint]:59541
Transmitting (NAT) to [endpoint]:59541:
ACK sip:[ext]@[endpoint]:59541;transport=TLS SIP/2.0
Via: SIP/2.0/TLS [pbx]:5061;branch=xxx;rport
Max-Forwards: 70
From: "[NAME]" <sip:[cid]@[pbx]>;tag=xxx
To: <sip:[ext]@[endpoint]:59541;transport=TLS>;tag=xxx
Contact: <sip:[cid]@[pbx]:5061;transport=TLS>
Call-ID: xxx@[pbx]:5061
CSeq: 102 ACK
User-Agent: FPBX-12.0.70(11.18.0)
Content-Length: 0
 
 
---
set_destination: Parsing <sip:[ext]@[endpoint]:59541;transport=TLS> for address/port to send to
set_destination: set destination to [endpoint]:59541
Reliably Transmitting (NAT) to [endpoint]:59541:
BYE sip:[ext]@[endpoint]:59541;transport=TLS SIP/2.0
Via: SIP/2.0/TLS [pbx]:5061;branch=xxx;rport
Max-Forwards: 70
From: "[NAME]" <sip:[cid]@[pbx]>;tag=xxx
To: <sip:[ext]@[endpoint]:59541;transport=TLS>;tag=xxx
Call-ID: xxx@[pbx]:5061
CSeq: 103 BYE
User-Agent: FPBX-12.0.70(11.18.0)
X-Asterisk-HangupCause: Bearer capability not available
X-Asterisk-HangupCauseCode: 58
Content-Length: 0
 
 
---
Scheduling destruction of SIP dialog '[longstring]@[pbx]:5061' in 11136 ms (Method: INVITE)
Scheduling destruction of SIP dialog '[longstring]@[pbx]:5061'' in 11136 ms (Method: INVITE)
  == Everyone is busy/congested at this time (1:0/0/1)
    -- Executing [s@macro-dial-one:45] ExecIf("SIP/voipms-0000000c", "0?MacroExit()") in new stack
    -- Executing [s@macro-dial-one:46] ExecIf("SIP/voipms-0000000c", "0?Set(DIALSTATUS=)") in new stack
    -- Executing [s@macro-dial-one:47] GosubIf("SIP/voipms-0000000c", "0?s-CHANUNAVAIL,1()") in new stack
    -- Executing [s@macro-dial-one:48] MacroExit("SIP/voipms-0000000c", "") in new stack
    -- Executing [s@macro-exten-vm:17] Set("SIP/voipms-0000000c", "SV_DIALSTATUS=CHANUNAVAIL") in new stack

Any ideas? If need be, I can post sanitized SIP debugs for a working call.

 

[atsak]

Did you ask voip.ms support about it? I ask because they have been helpful in the past for me. . .

 

[jackal]

Did you ask voip.ms support about it? I ask because they have been helpful in the past for me. . .

No, I haven't, since I assume it's a configuration issue in Asterisk--I don't know how anything on their end could have an effect on a call to an internal extension.

But you're right; their support is pretty good and competent--I just hate to bug them unless it is not on my end as I know their model is a low-margin business, and I'm not exactly a high-spender with them (that said, I did set up a previous employer on Asterisk with about 2,000 minutes per month in toll call volume).

However, I just got the idea to check trunk settings, and I noticed that the voip.ms trunk was set to:

canreinvite=nonat

On a lark, I tested changing it to:

canreinvite=no

and lo and behold, it works. (I do have directrtpsetup=yes in Chan SIP settings, so I guess I lied about it being a mostly stock setup...)

My understanding is that Asterisk will by default proxy media if SRTP is involved (confirmed here and here), and yet it seems that it's possible that in this case, Asterisk is trying to reinvite the media stream, which obviously causes a mismatch as the voip.ms media isn't encrypted (though I didn't see that in the SIP debugs).

I went ahead and resolved the problem by changing the trunk back to canreinvite=nonat (as voip.ms's configuration documents recommend) and then set the extension's canreinvite parameter to "no," though I can't help but think that there's something else in play here that probably needs to be resolved.

But I can live with this setting--by design, any extensions that use SRTP shouldn't have their media reinvited anyway, so the "no" setting shouldn't compromise any functionality, I don't think.