Phone Registers rejected by ACL domains

Status
Not open for further replies.

BordCloud

New Member
Aug 31, 2017
5
0
1
We are trying to get our hosting platforming running. We are a member of FusionPBX. We have spent days on end getting our trunks to work with inbound and outbound calls. We have tried on three different systems.

Issues we have for outgoing calls is rejected ACL form a registered Snom phone and Zoiper soft phone. We are using internal profile on the gateway.

We have nated phones gong to a Hosted FusionPBX that is also nated behind a firewall. Registration is not a problem.

Phones registered and we were able to get outgoing and incoming calls to work. However now we can only get incoming calls to work at one location and outgoing
call reject. Same on all 3 different installs. For Incoming calls a second location only works for a short time after we register the phone. We are trying to get this operational by tomorrow. We have never been able to get internal calls to work with Snom phones behind two separate routers. We have tried everything. Any direction would be appreciated.













7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:543 (sofia/internal/513@test.fusionpbx.net) Running State Change CS_NEW
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] sofia.c:9456 sofia/internal/513@test.fusionpbx.net receiving invite from xx.x.xxx.210:34284 version: 1.6.9 -16-d574870 64bit
2020-07-02 18:00:46.207893 [WARNING] sofia.c:9616 IP xx.x.xxx.210 Rejected by acl "domains"
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [NOTICE] sofia.c:2246 Hangup sofia/internal/513@test.fusionpbx.net [CS_NEW] [CALL_REJECTED]
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] sofia.c:1430 Channel is already hungup.
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] sofia.c:1430 Channel is already hungup.
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:562 (sofia/internal/513@test.fusionpbx.net) State NEW
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:543 (sofia/internal/513@test.fusionpbx.net) Running State Change CS_HANGUP
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:809 (sofia/internal/513@test.fusionpbx.net) Callstate Change DOWN -> HANGUP
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:811 (sofia/internal/513@test.fusionpbx.net) State HANGUP
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] mod_sofia.c:437 Channel sofia/internal/513@test.fusionpbx.net hanging up, cause: CALL_REJECTED
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:60 sofia/internal/513@test.fusionpbx.net Standard HANGUP, cause: CALL_REJECTED
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:811 (sofia/internal/513@test.fusionpbx.net) State HANGUP going to sleep
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:578 (sofia/internal/513@test.fusionpbx.net) State Change CS_HANGUP -> CS_REPORTING
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:543 (sofia/internal/513@test.fusionpbx.net) Running State Change CS_REPORTING
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:897 (sofia/internal/513@test.fusionpbx.net) State REPORTING
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:174 sofia/internal/513@test.fusionpbx.net Standard REPORTING, cause: CALL_REJECTED
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:897 (sofia/internal/513@test.fusionpbx.net) State REPORTING going to sleep
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:569 (sofia/internal/513@test.fusionpbx.net) State Change CS_REPORTING -> CS_DESTROY
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_session.c:1647 Session 7 (sofia/internal/513@test.fusionpbx.net) Locked, Waiting on external entities
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [NOTICE] switch_core_session.c:1665 Session 7 (sofia/internal/513@test.fusionpbx.net) Ended
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [NOTICE] switch_core_session.c:1669 Close Channel sofia/internal/513@test.fusionpbx.net [CS_DESTROY]
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:700 (sofia/internal/513@test.fusionpbx.net) Running State Change CS_DESTROY
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:710 (sofia/internal/513@test.fusionpbx.net) State DESTROY
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] mod_sofia.c:342 sofia/internal/513@test.fusionpbx.net SOFIA DESTROY
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:181 sofia/internal/513@test.fusionpbx.net Standard DESTROY
7b6db778-5462-4619-b206-d7a99eba3f58 2020-07-02 18:00:46.207893 [DEBUG] switch_core_state_machine.c:710 (sofia/internal/513@test.fusionpbx.net) State DESTROY going to sleep
 

hfoster

Active Member
Jan 28, 2019
674
80
28
34
Regarding the ACL question, might be a stupid one but have you added your trunk providers IP address(es) which I'm guessing is that IP address ending in 201 in CIDR form to the 'domains' Access Control List? Reload the ACL if you do need to add them. Do be careful you don't open the PBX to the world with a dodgy access control list.

Not sure on the rest, but I suspect it's either going to be SIP ALG, or something else preventing the phones from continually updating their registration. I've usually seen this where the phone still thinks it's registered but it expired a long time ago, so any further invites are just rejected.

Might be worth paying for a bit of support if you're launching a service as FreeSwitch is a beast to wrangle for some implementations, especially behind NAT.
 

BordCloud

New Member
Aug 31, 2017
5
0
1
Thank you for taking the time to respond. With making many changes, we started from scratch with a fresh install. We had everything working then the final step was creating an inbound gateway and DID. The incoming trunks worked to the pbx company directory but when trying to get to them to worked
with the IP phones, it causes the phones not to be able to dial out or even access their own voicemail.

So checking into the below error pointing us to putting the IP address of the phone to the CIDR at the extension level and adding the domain like below
to the Domain ACL.

Type: allow
CIDR: (leave blank)
Domain: pbx-inside.xyz

This seemed to resolve our last problem. Now need to move it to a Domain Name and hope that it continues to works as we need to support multiple
customers. It will be a fun Weekend and hopefully fireworks at the end.

57f06857-eafb-4da7-ab66-ac0298813b50 Dialplan: sofia/internal/202@XX.XXX.XXX.XX Action set(call_direction=inbound) INLINE
57f06857-eafb-4da7-ab66-ac0298813b50 EXECUTE [depth=0] sofia/internal/202@XX.XXX.XXX.XX set(call_direction=inbound)
57f06857-eafb-4da7-ab66-ac0298813b50 2020-07-03 16:58:27.955721 [DEBUG] mod_dptools.c:1672 SET sofia/internal/202@XX.XXX.XXX.XX [call_direction]=[inbound]
57f06857-eafb-4da7-ab66-ac0298813b50 Dialplan: sofia/internal/202@XX.XXX.XXX.XX Action log(WARNING [inbound routes] 404 not found ${sip_network_ip})
 

hfoster

Active Member
Jan 28, 2019
674
80
28
34
Be very careful with the ACLs, and always test from inside and out the 'trusted' networks. It's very easy to open the thing to the world if you allow unauthenticated invites into a gateway, in turn transforming your PBX into a free international and premium rate calling card. I suspect with that blank CIDR entry you may be allowing the entire internet in.

I only permit exactly what I need to from the SIP Trunk provider, and leaving the domain blank as I'm not getting funky with per domain ACLs.

Access Controls - FusionPBX Docs

Type choose allow
CIDR enter the 12.34.56.0/32
Domain (Leave Blank, used for advanced scenarios)
Description (Carrier Name)
 

Incubugs

Member
Apr 7, 2018
175
10
18
49
Also ensure you add your trunk provider ip address to fail2ban jail.conf under ignore ip , i had awful issues before i did that, then all was good after that.
 
Status
Not open for further replies.