NAT 5060 firewall test head scratcher TG-1 modem

Discussion in '3CX Phone System - General' started by slewman, Jan 17, 2018.

Tags:
Thread Status:
Not open for further replies.
  1. slewman

    Joined:
    Jan 17, 2018
    Messages:
    3
    Likes Received:
    0
    Hi all,

    Appreciating the info on the forum. Im just converting to 3cx from free pbx and running into a NAT firewall problem

    I've had free pbx/asterisk working for about 6 months on the same equipment. Fairly happy but call quality suffered sometimes, plus I like to tinker and 3cx look slick.

    The Problem / info:
    - All Incoming calls = busy signal
    - sip trunk (faktortel) is registered
    - single 3cx softphone extension is registered (can call voice mail)
    - inbounds are pointed to the single extension

    The Guess:
    Must a firewall NAT issue but its hard to pin down as I can't seem to see a CLI interface or detailed log as could be done in asterisk (ready to be corrected on this). Im still getting a "full cone NAT error on 5060" error on firewall test.

    The equipment :
    TG1 modem router (freebie from internode)
    - ALG turned off
    - any phone/sip related settings turned off
    - all required ports opened/forwarded per 3cx docs (see firewall test below)
    UPnP disabled
    NAT-PMP disabled


    What I've tried:
    - DMZ'd the TG-1
    - turned of the TG-1 firewall completely
    - sent a message to obewan kenbi for help :)

    My firewall test results:

    the 2 fails are :

    -testing 3CX SIP Server... failed (How to resolve?)
    testing port 5060... full cone test failed (How to resolve?)

    full results (all else ok)

    • resolving 'stun-au.3cx.com'... done
    • resolving 'stun2.3cx.com'... done
    • resolving 'stun3.3cx.com'... done
    • resolving 'sip-alg-detector.3cx.com'... done
    • testing 3CX SIP Server... failed (How to resolve?)
      • stopping service... done
      • detecting SIP ALG... not detected
      • testing port 5060... full cone test failed (How to resolve?)
      • starting service... done
    • testing 3CX Tunneling Proxy... done
      • stopping service... done
      • testing port 5090... done
      • starting service... done
    • testing 3CX Media Server... done
      • stopping service... done
      • testing ports [9000..9255]... done
        • testing port 9000... done
        • testing port 9001... done
        • testing port 9002... done
        • testing port 9003... done
        • testing port 9004... done
        • testing port 9005... done
        • testing port 9006... done
        • testing port 9007... done
        • testing port 9008... done
        • testing port 9009... done
        • testing port 9010... done
        • testing port 9011... done
        • testing port 9012... done
        • testing port 9013... done
        • testing port 9014... done
        • testing port 9015... done
        • testing port 9016... done
        • testing port 9017... done
        • testing port 9018... done
        • testing port 9019... done
        • testing port 9020... done
        • testing port 9021... done
        • testing port 9022... done
        • testing port 9023... done
        • testing port 9024... done
        • testing port 9025... done
        • testing port 9026... done
        • testing port 9027... done
        • testing port 9028... done
        • testing port 9029... done
        • testing port 9030... done
        • testing port 9031... done
        • testing port 9032... done
        • testing port 9033... done
        • testing port 9034... done
        • testing port 9035... done
        • testing port 9036... done
        • testing port 9037... done
        • testing port 9038... done
        • testing port 9039... done
        • testing port 9040... done
        • testing port 9041... done
        • testing port 9042... done
        • testing port 9043... done
        • testing port 9044... done
        • testing port 9045... done
        • testing port 9046... done
        • testing port 9047... done
        • testing port 9048... done
        • testing port 9049... done
        • testing port 9050... done
        • testing port 9051... done
        • testing port 9052... done
        • testing port 9053... done
        • testing port 9054... done
        • testing port 9055... done
        • testing port 9056... done
        • testing port 9057... done
        • testing port 9058... done
        • testing port 9059... done
        • testing port 9060... done
        • testing port 9061... done
        • testing port 9062... done
        • testing port 9063... done
        • testing port 9064... done
        • testing port 9065... done
        • testing port 9066... done
        • testing port 9067... done
        • testing port 9068... done
        • testing port 9069... done
        • testing port 9070... done
        • testing port 9071... done
        • testing port 9072... done
        • testing port 9073... done
        • testing port 9074... done
        • testing port 9075... done
        • testing port 9076... done
        • testing port 9077... done
        • testing port 9078... done
        • testing port 9079... done
        • testing port 9080... done
        • testing port 9081... done
        • testing port 9082... done
        • testing port 9083... done
        • testing port 9084... done
        • testing port 9085... done
        • testing port 9086... done
        • testing port 9087... done
        • testing port 9088... done
        • testing port 9089... done
        • testing port 9090... done
        • testing port 9091... done
        • testing port 9092... done
        • testing port 9093... done
        • testing port 9094... done
        • testing port 9095... done
        • testing port 9096... done
        • testing port 9097... done
        • testing port 9098... done
        • testing port 9099... done
        • testing port 9100... done
        • testing port 9101... done
        • testing port 9102... done
        • testing port 9103... done
        • testing port 9104... done
        • testing port 9105... done
        • testing port 9106... done
        • testing port 9107... done
        • testing port 9108... done
        • testing port 9109... done
        • testing port 9110... done
        • testing port 9111... done
        • testing port 9112... done
        • testing port 9113... done
        • testing port 9114... done
        • testing port 9115... done
        • testing port 9116... done
        • testing port 9117... done
        • testing port 9118... done
        • testing port 9119... done
        • testing port 9120... done
        • testing port 9121... done
        • testing port 9122... done
        • testing port 9123... done
        • testing port 9124... done
        • testing port 9125... done
        • testing port 9126... done
        • testing port 9127... done
        • testing port 9128... done
        • testing port 9129... done
        • testing port 9130... done
        • testing port 9131... done
        • testing port 9132... done
        • testing port 9133... done
        • testing port 9134... done
        • testing port 9135... done
        • testing port 9136... done
        • testing port 9137... done
        • testing port 9138... done
        • testing port 9139... done
        • testing port 9140... done
        • testing port 9141... done
        • testing port 9142... done
        • testing port 9143... done
        • testing port 9144... done
        • testing port 9145... done
        • testing port 9146... done
        • testing port 9147... done
        • testing port 9148... done
        • testing port 9149... done
        • testing port 9150... done
        • testing port 9151... done
        • testing port 9152... done
        • testing port 9153... done
        • testing port 9154... done
        • testing port 9155... done
        • testing port 9156... done
        • testing port 9157... done
        • testing port 9158... done
        • testing port 9159... done
        • testing port 9160... done
        • testing port 9161... done
        • testing port 9162... done
        • testing port 9163... done
        • testing port 9164... done
        • testing port 9165... done
        • testing port 9166... done
        • testing port 9167... done
        • testing port 9168... done
        • testing port 9169... done
        • testing port 9170... done
        • testing port 9171... done
        • testing port 9172... done
        • testing port 9173... done
        • testing port 9174... done
        • testing port 9175... done
        • testing port 9176... done
        • testing port 9177... done
        • testing port 9178... done
        • testing port 9179... done
        • testing port 9180... done
        • testing port 9181... done
        • testing port 9182... done
        • testing port 9183... done
        • testing port 9184... done
        • testing port 9185... done
        • testing port 9186... done
        • testing port 9187... done
        • testing port 9188... done
        • testing port 9189... done
        • testing port 9190... done
        • testing port 9191... done
        • testing port 9192... done
        • testing port 9193... done
        • testing port 9194... done
        • testing port 9195... done
        • testing port 9196... done
        • testing port 9197... done
        • testing port 9198... done
        • testing port 9199... done
        • testing port 9200... done
        • testing port 9201... done
        • testing port 9202... done
        • testing port 9203... done
        • testing port 9204... done
        • testing port 9205... done
        • testing port 9206... done
        • testing port 9207... done
        • testing port 9208... done
        • testing port 9209... done
        • testing port 9210... done
        • testing port 9211... done
        • testing port 9212... done
        • testing port 9213... done
        • testing port 9214... done
        • testing port 9215... done
        • testing port 9216... done
        • testing port 9217... done
        • testing port 9218... done
        • testing port 9219... done
        • testing port 9220... done
        • testing port 9221... done
        • testing port 9222... done
        • testing port 9223... done
        • testing port 9224... done
        • testing port 9225... done
        • testing port 9226... done
        • testing port 9227... done
        • testing port 9228... done
        • testing port 9229... done
        • testing port 9230... done
        • testing port 9231... done
        • testing port 9232... done
        • testing port 9233... done
        • testing port 9234... done
        • testing port 9235... done
        • testing port 9236... done
        • testing port 9237... done
        • testing port 9238... done
        • testing port 9239... done
        • testing port 9240... done
        • testing port 9241... done
        • testing port 9242... done
        • testing port 9243... done
        • testing port 9244... done
        • testing port 9245... done
        • testing port 9246... done
        • testing port 9247... done
        • testing port 9248... done
        • testing port 9249... done
        • testing port 9250... done
        • testing port 9251... done
        • testing port 9252... done
        • testing port 9253... done
        • testing port 9254... done
        • testing port 9255... done
      • starting service... done
     
  2. slewman

    Joined:
    Jan 17, 2018
    Messages:
    3
    Likes Received:
    0
    Update:
    Inbound calls are working after a setting change in the trunk options:

    trunk settings / options / ticked "Force Invites to be send to IP of Registrar”

    unsure is this is a safe settings to use??
     
  3. lneblett

    lneblett Well-Known Member

    Joined:
    Sep 7, 2010
    Messages:
    2,083
    Likes Received:
    61
    This is safe, as it it telling the provider to use the IP that it saw when 3CX registered and to ignore what the headers may say to do.

    The best way to really see what is going on is to do a capture at 3CX. Using that you can tell if perhaps the issue is with the 3CX setup or the TG1. If 3CX looks OK, then we can assume that the TG1 is the issue. You would need to ask the provider to send you their capture to see what they are getting.
     
    #3 lneblett, Jan 17, 2018
    Last edited: Jan 17, 2018
  4. NickD_3CX

    NickD_3CX Support Team
    Staff Member 3CX Support

    Joined:
    Jun 2, 2014
    Messages:
    1,326
    Likes Received:
    72
    I agree exactly with what @lneblett said, just want to explain what the "Force Invites to be send to IP of Registrar” option does, as it's new from V15.5 SP1.

    3CX is now aware of SRV records for SIP Servers, so when it registers, and the registrar given by the provider has SRV records, it will choose based on the weight and priority of the record.
    Each time it makes a call however it will do the same.

    This means that there is a chance for 3CX to be registered using SRV Registrar A, but attempts to make a call using SRV Registrar B. Although most providers that use SRVs are OK with this, there are some that want calls being only using the Registrar you are registered against.... and this is what this option does, forces this.
     
  5. slewman

    Joined:
    Jan 17, 2018
    Messages:
    3
    Likes Received:
    0
    Thanks for the details information chaps.

    I will look into the issue more deeply when I have that magical thing called TIME!

    For the moment im happy the phones are ringing, and thankful for your answers regarding the safety of this settings.

    It does seems a little like a bandaid solution, which is fine for the moment. There must be something still going on I cant work out as yet.
     
Thread Status:
Not open for further replies.