QUESTION 3 weeks ago POOF VPN'd remote offices audio stops - any ideas?

BigSeph

New Member
Joined
Mar 29, 2009
Messages
15
Reaction score
1
3 Edgerouters (main site, remote site, remote site) with working IPSEC VPNs for 2 years+

PIAF inside main site with local IP, static IP and VPN subnets added to SIP settings in FreePBX

All of a sudden 3 weeks ago I have working audio in main office (where the PIAF server is) but no audio whatsoever in remote offices. Traffic passes fine between sites (can pull up Yealink phone web pages in each outer office, or PBX admin page from outer offices).

But I see this in my Asterisk log when calling a remote extension:

2335

Obviously Flowroute is our SIP provider.

TCPdump shows no effort to send RTP from the PBX so I can't even see where it's trying to send to. I see INVITE -> OPTIONS -> ACK -> BYE on the SIP signaling between server and remote phone (which is the internal IP of the remote phone on a separate VPN'd subnet)

Two users sitting 10 feet away in the same remote office can ring each other's phones, but no voice transmits.

I've changed PBX servers, I've changed just about every setting except the direct media stuff, changed all sorts of firmware versions on firewalls, all sorts of firewall settings, natted remote site, unnatted remote site, set firewalls to default configs and rebuilt from scratch, built PIAF server from scratch and placed it in office but remote phones still don't transmit audio.

I've never had to dig this far down on a no-traffic issue, if anybody has had the dreaded "lack of RTP activity in 31 seconds" message and resolved it, please post it here. :)

Thanks in advance to anyone who dares respond.
 

kenn10

A lesser geek
Joined
Dec 16, 2007
Messages
1,008
Reaction score
207
There has to be something going on with the routers or firewall on IncrediblePBX. This is simply saying that the PBX does not seen any RTP traffic getting through and assumes the call is not connected. Something has changed somewhere or this would not just happen. Perhaps the routers had a change made initially that was not stored in NVRam and they have since been rebooted and lost the translation. Maybe something got changed in the IPBX firewall rules. This is almost certainly going to be a network level issue.

The link above may resolve the issue. I always set my RTP timeout to 3600 or higher to insure that people who mute their audio on conference calls do not get disconnected. But if two people in the same room can call each other and not get any audio for even the first 31 seconds, then I don't think the issue is purely an RTP timeout parameter issue.

One last obvious recommendation on your IPBX gui page for Settings > Asterisk SIP Settings, make sure the RTP port range specified on that page is allowed/forwarded through your routers and firewalls in both directions.
 
Last edited:

dhoppy

Member
Joined
Mar 9, 2009
Messages
64
Reaction score
11
But if two people in the same room can call each other and not get any audio for even the first 31 seconds, then I don't think the issue is purely an RTP timeout parameter issue.
I think he said that two people in the remote site sitting next to each other... That means, if I understand correctly, they are both connected to the same PBX over VPN. Even though they are in the same room, the call still goes to the PBX at the main site.
 

kenn10

A lesser geek
Joined
Dec 16, 2007
Messages
1,008
Reaction score
207
I think he said that two people in the remote site sitting next to each other... That means, if I understand correctly, they are both connected to the same PBX over VPN. Even though they are in the same room, the call still goes to the PBX at the main site.
Exactly. The VPN pathway between routers and setup of routers becomes suspect.
 

BigSeph

New Member
Joined
Mar 29, 2009
Messages
15
Reaction score
1
There has to be something going on with the routers or firewall on IncrediblePBX. This is simply saying that the PBX does not seen any RTP traffic getting through and assumes the call is not connected. Something has changed somewhere or this would not just happen. Perhaps the routers had a change made initially that was not stored in NVRam and they have since been rebooted and lost the translation. Maybe something got changed in the IPBX firewall rules. This is almost certainly going to be a network level issue.

The link above may resolve the issue. I always set my RTP timeout to 3600 or higher to insure that people who mute their audio on conference calls do not get disconnected. But if two people in the same room can call each other and not get any audio for even the first 31 seconds, then I don't think the issue is purely an RTP timeout parameter issue.

One last obvious recommendation on your IPBX gui page for Settings > Asterisk SIP Settings, make sure the RTP port range specified on that page is allowed/forwarded through your routers and firewalls in both directions.
Thanks for posting, here's some info on these:

I have iptables disabled, server is behind a NAT/firewall we use a registration string and never had to punch any specific holes for inbound and outbound to work

I opened up the main office firewall to UDP RTP ports and forwarded to PBX server.

Edgerouter has the option to do port forwards on a range (main site has them all forwarded to inside PBX) or I could make a firewall rule allowing all 10000-20000 in and out on the firewalls at remote sites, but this was never needed before.

I set the RTP timeout and other changes from the link but didn't help anything. :/

Should I have to do anything to remote office firewalls if the IPSEC site-to-site shows the proper route in table 220 and show vpn ipsec sa shows that the tunnel is up? I see traffic flowing properly on tcpdump from the phone server to the remote subnet via SIP, I just don't see any RTP activity.
 

BigSeph

New Member
Joined
Mar 29, 2009
Messages
15
Reaction score
1
I think he said that two people in the remote site sitting next to each other... That means, if I understand correctly, they are both connected to the same PBX over VPN. Even though they are in the same room, the call still goes to the PBX at the main site.
Yes, from a simple testing standpoint two people in the main office can call each other's extension and hear two-way audio.

Two people in a remote office can call each other's extension and the call shows as answered but they hear no audio coming through on either end.

One remote calling the main office or the main office calling a remote phone = no audio both ways

I was leaning toward "hey some asterisk file got corrupted" but when I put in a fresh server with rebuilt extensions using same SIP trunk and same extensions and inbound routes, still no audio at remote offices.

I appreciate you guys chiming in and throwing out some ideas here.
 

atsak

Guru
Joined
Sep 7, 2009
Messages
1,821
Reaction score
186
These are edgerouters but I've seen a problem like this on Fortinet. In that instance the issue is that the routing table was not completely clearing sessions when an IPSEC tunnel dropped for some reason (outage typically). I had to add blackhole routes at a low priority and reboot the firewall, stable since then.
 

Members online

PIAF 5 - Powered by 3CX

Forum statistics

Threads
22,446
Messages
137,997
Members
14,613
Latest member
roshan2019