3CX SP4 using VOIP.MS SIP trunk blocked, Bug?

Discussion in '3CX Phone System - General' started by michaelholt, Dec 13, 2016.

Thread Status:
Not open for further replies.
  1. michaelholt

    Joined:
    Oct 9, 2015
    Messages:
    18
    Likes Received:
    3
    Just installed SP4 on version 15 pro. All incoming calls were rejected. Added the IP Address to "allow" on the IP Blacklist. Now inbound calls came through but were blocked after about 30 secs. Activity logs show "ACK is not received from sip: xxxxxxxxxx@xxx.xxx.xxx.xxx" which was the same ip address added to "allow" on the IP Blacklist.

    Had to open system|parameters, find "SEC_IGNORE_USER_AGENT" and remove "voip" from the value section. (I also tried changing the name of the sip trunk to something other than voip.ms but did not work.)

    Was this an oversite to, by default, block the sip trunk voip.ms or is it intentionally being blocked?

    Me, personally, I would think that the manually configured SIP Trunk ip address would automatically be allowed and not in any way blocked, especially from multiple parameters?
     
    xirgo likes this.
  2. xirgo

    Joined:
    Nov 9, 2015
    Messages:
    22
    Likes Received:
    4
    Hey Mike,

    This is funny as I am experiencing the same issue as well. See my post here https://www.3cx.com/community/threads/source-id-in-v15.46645/

    I did some troubleshooting with voip.ms this morning and they did a trace. The INVITE request reaches the IP of 3CX, then the system responds with a 100 trying, then (after the ring time) the SIP trink system cancels the request, and 3CX system responds "481 Call/transaction doesnt exist"

    All outgoing calls work and the trunk is registering properly.

    This has happened since SP4. Luckly I had other trunks with another provider that I was able to reroute the calls to while i try to figure this out but I am more than frustrated with this.

    let me know if you happen to find a fix to your issue!

    I'm running V15 Linux SP4
     
    michaelholt likes this.
  3. xirgo

    Joined:
    Nov 9, 2015
    Messages:
    22
    Likes Received:
    4
    I just wanted to update this thread that by doing what was suggested by Mike

    Had to open system|parameters, find "SEC_IGNORE_USER_AGENT" and remove "voip" from the value section.

    Solved the issue for me

    Thanks for sharing Mike
     
    michaelholt likes this.
  4. ALuisPV

    Joined:
    Mar 7, 2016
    Messages:
    28
    Likes Received:
    1
    Hi michaelholt,

    this message is giving you a clue.

    The tipical order of SIP packets of a call can be this:

    1. Operator -- INVITE --> 3CX (Initiates a Call)
    2. 3CX -- Trying --> Operator (3CX is Trying to do the call)
    3. 3CX -- Ringing --> Operator (The destination is ringing)
    4. 3CX -- 200 OK --> Operator (The destination answered the call. At this point you can have audio)
    5. Operator -- ACK --> 3CX (Operator need to send the ACK to consider the call as correctly established)

    Maybe, the ACK is missing and, after 30 seconds, 3CX disconnects the call because didn't receive the ACK.
    The behaviour is common in SIP.

    In this case, we need to check the headers of the SIP packets of a sample call and find out why this ACK is not arriving at 3CX.

    Best Regards.
     
    michaelholt likes this.
  5. michaelholt

    Joined:
    Oct 9, 2015
    Messages:
    18
    Likes Received:
    3
    ACK was not arriving because it was being blocked by the user agent. I apologize that I didn't spell out the solution. Sometimes I get wordy.

    Thank you so much for the order. I don't think I have ever seen it spelled out like that.
     
  6. michaelholt

    Joined:
    Oct 9, 2015
    Messages:
    18
    Likes Received:
    3
    I also want to add that I performed a system restore from a backup before the service pack and the bad settings were kept. I was under the impression that a backup restore was a true rollback?

    As a note, I created a ticket in VOIP.MS and told them of this forum posting as well as the solution. If anyone calls them with this issue, they should be able to fix.

    So, now my question is about security. With removing "voip" from "SEC_IGNORE_USER_AGENT" have I weakened security so much so that I need to start looking for another SIP trunk that doesn't have "voip" anywhere in their domain or otherwise?
     
  7. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    4,390
    Likes Received:
    279
    No you haven't weakened the security that mush but any scanners with user agent voip will not be blocked. It is recommended to filter your SIP port to allow only trusted IP's through
     
  8. deanril@yahoo.com

    Joined:
    Oct 27, 2016
    Messages:
    51
    Likes Received:
    1
    I would second the idea 100% of only allowing known IP's in your network, because peeps are looking for 5060 open and want to use your pbx for their free phone calls.
     
  9. deanril@yahoo.com

    Joined:
    Oct 27, 2016
    Messages:
    51
    Likes Received:
    1
    Also with voip.ms its typically 2 servers depending on which city, so 2 ips, this is minimal, I have Vitelity I have to let 12 entire ip ranges in (1000's of IP's).
     
Thread Status:
Not open for further replies.