Gateway taken out of service when switched to TLS

Status
Not open for further replies.

randyrtx

New Member
Sep 16, 2019
6
0
1
53
So I am testing TLS / SRTP with a carrier but can't seem to get outbound calling to work. Inbound TLS calls work great. Prior to switching to TLS, the gateway was working with SIP UDP using the external profile. Once I switched to TLS, I updated the port of the gateway to reflect the TLS port of 5061 (xxx.xxx.xxx.xxx:5061) and also updated the register transport to TLS. As a result, the gateway is taken out of service due to ping failures, so it will not attempt a call. Any ideas or suggestions?


sofia.c:6307 Ping failed xxx - with code 503 state DOWN

When I attempt a call it states mod_sofia.c:4786 Gateway 'xxxx' is down!

Also - I noticed that when I do a reload, I get an error about ignoring duplicate gateway.
sofia.c:3699 Ignoring duplicate gateway - but when I do a sofia status it only lists 1 gateway and I double checked what was listed in the DB.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,044
565
113
External profile TLS is 5081, that is what the gateway should be on.
 

randyrtx

So there was a DNS issue, and with the CERT it was not passing muster, so it failed. That has been corrected.

What I really need to know is how to only encrypt the B leg of an outbound call.

I have no issue with inbound calls using TLS / SRTP. 5081 is the port my box is listening on; my carrier is 5061. On inbound calls I see it talking to 5081 and I am talking to them on port 5061. I see the A leg is SIP TLS and the B leg is SIP UDP.

On outbound calls I need to talk to them on 5061 TLS. I am talking to my carrier on the right port by specifying the IP of the gateway with :5061. If I set the register transport to TLS in the gateway, it seems to want to encrypt both legs of the call. Packet captures show that it attempts to encrypt the A leg of the call (and why it fails) and not just the B leg. If I leave the register transport blank, I send a standard SIP invite to my carrier on 5061. If I do not put register TLS on the gateway but put the transport=tls in the outbound dialplan, then I get "You are trying to use a different transport type for this gateway".

So how can I get FS to encrypt just the B leg of the call?
 

randyrtx

Got this issue resolved. Rookie mistake. I was reloading the XML when I should have stopped / started the gateway to make my changes take effect.
 