<div dir="ltr"><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 29, 2016 at 2:04 PM, Kevin Long <span dir="ltr"><<a href="mailto:kevin.long@haloprivacy.com" target="_blank">kevin.long@haloprivacy.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><br>
<br>
Greetings.<br>
<br>
<br>
I am using the PJSIP driver with TLS transport, and my endpoints are SIP mobile apps operating in environments that I do not control.<br>
<br>
I would like Asterisk to default to sending INVITES and all other SIP signals to endpoints via the existing SIP TLS connection which is already established, rather than trying to create a new TLS connection to an endpoint which is likely behind a NAT which will not allow a new inbound TCP/TLS connection.<br>
<br>
<br>
My experience with chan_sip suggest to me that this was the default behavior, or more likely a fallback behavior, because I never had this issue before with endpoints not receiving INVITES so long as they were registered and had an open SIP control connection.<br>
<br>
<br>
I thought that I could avoid these failed outbound connections by commenting out the “transport” option on my endpoint configurations, but tcpdump is showing me that asterisk is still trying to create *new* TLS outbound connections to my endpoints, which are failing.<br>
<br>
<br>
<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:'arial narrow',sans-serif">This was actually an issue in pjproject which I just fixed last week. :)</div><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_default" style="font-family:'arial narrow',sans-serif">It's in pjproject "trunk" so you'll have to download and build it from their subversion repository.</div><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_default" style="font-family:'arial narrow',sans-serif">Now whether you use "transport=" or not, pjproject will look for an existing connection to the remote endpoint before attempting to create a new one.</div><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_default" style="font-family:'arial narrow',sans-serif">I tested it with the current Asterisk 13 branch and I *think* it'll work with recent Asterisk releases as well. If it doesn't, let me know.</div></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<br>
Thank you for your time<br>
<br>
Kevin<br>
<br>
<br>
-<br>
<br>
<br>
<br>
<br>
My simple pjsip config file:<br>
<br>
<br>
<br>
<br>
<br>
[transport-tls]<br>
type=transport<br>
protocol=tls<br>
bind=<a href="http://0.0.0.0:5061" rel="noreferrer" target="_blank">0.0.0.0:5061</a><br>
local_net=<a href="http://10.50.55.0/24" rel="noreferrer" target="_blank">10.50.55.0/24</a><br>
external_media_address=x.x.x.x<br>
external_signaling_address=x.x.x.x<br>
cert_file=/etc/asterisk/keys/dev1.crt<br>
priv_key_file=/etc/asterisk/keys/dev1.key<br>
ca_list_file=/etc/asterisk/keys/ca.crt<br>
cipher=AES256-SHA<br>
method=tlsv1<br>
<br>
;===============EXTENSION 6001<br>
<br>
[6000]<br>
type=endpoint<br>
context=internal<br>
disallow=all<br>
allow=ulaw<br>
;transport=transport-tls<br>
auth=auth6000<br>
aors=6000<br>
direct_media=no<br>
rewrite_contact=yes ; necessary if endpoint does not know/register public ip:port<br>
ice_support=no<br>
force_rport=yes<br>
rtp_symmetric=yes<br>
media_encryption=sdes<br>
<br>
<br>
[auth6000]<br>
type=auth<br>
auth_type=userpass<br>
password=6000<br>
username=6000<br>
<br>
[6000]<br>
type=aor<br>
max_contacts=1<br>
remove_existing=yes<br>
<br>
<br>
;===============EXTENSION 6001<br>
<br>
[6001]<br>
type=endpoint<br>
context=internal<br>
disallow=all<br>
allow=ulaw<br>
;transport=transport-tls<br>
auth=auth6001<br>
aors=6001<br>
direct_media=no<br>
rewrite_contact=yes ; necessary if endpoint does not know/register public ip:port<br>
ice_support=no<br>
force_rport=yes<br>
rtp_symmetric=yes<br>
media_encryption=sdes<br>
<br>
<br>
<br>
[auth6001]<br>
type=auth<br>
auth_type=userpass<br>
password=6001<br>
username=6001<br>
<br>
[6001]<br>
type=aor<br>
max_contacts=1<br>
remove_existing=yes<br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" rel="noreferrer" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" rel="noreferrer" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" rel="noreferrer" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br></blockquote></div><br></div></div>