[AX86U] Half audio on incoming VoIP SIP calls, NAT mismatch?

[DanielCoffey]

I am having an intermittent issue with only half the audio being present on incoming VoIP calls to my PBX and the VoIP provider is wondering if it is a NAT Mismatch at the ASUS router. I wonder if you could give your opinion on the issue please?

Here is the equipment being used...

Router : ASUS RT-AX86U with Merlin 388.2
Unmanaged Switch : Netgear GS116LP
PBX : GrandStream UCM6300A
Handset : Grandstream WP822 wifi
VoIP Provider : GoTrunk

On the majority of incoming calls I am notified that there is a call, Caller ID is displayed and when I pick up I can hear the caller voice fine. They cannot hear me.
Rarely on an incoming call it works fine with both parties able to hear each other.
On an outgoing call it always works fine with both parties able to hear each other.

On the advice of my VoIP provider I set WAN - NAT Passthrough - SIP Passthrough - Disable. The only effect this had on the issue was that instead of no incoming calls able to hear me, now only most incoming calls had the problem.

When turning on Call Recording at my PBX I can clearly hear audio on both parties so both sides of the audio is present but the caller is not able to hear me.

The opinion of my VoIP provider is that it is a NAT mismatch at the router. Do you agree with this and how might I prove or disprove this suggestion? Anything else I should be checking on the router?

 

[alecmascot]

I use a Full Cone NAT and my calls works fine.

 

[DanielCoffey]

I will give that a go and see if it helps, thanks.

 

[DanielCoffey]

Sadly no change in my issue and in attempting to "fix" it I have made it worse. Now I get no incoming calls at all. Would folks mind having a think about what I should check to get this working again please?

As I mentioned above, I have a Dynamic IP from my ISP, the Asus router with Merlin, an unmanaged PoE switch and the GrandStream UCM6300A PBX.

Outgoing SIP calls work perfectly. Incoming calls seem to be blocked and do not reach the CDR on my PBX. See the attached SIP Trace from the SIP Host which shows the 401 Unauthorized response.

At the moment on the router the WAN - NAT Passthrough - NAT Passthrough settings are SIP Passthrough and RTSP Passthrough both Disabled. Port forwarding is on for both the US and EU SIP gateways for UDP and TCP on ports 5060 and 5566 as well as UDP ports 10000:20000 from the specific SIP gateway IPs and my UCM LAN IP. NAT Type is still set to Symmetric for now.

In the UCM itself I have not set any specific NAT values since I don't know how to present my dynamic IP. In SIP Settings - NAT I have nothing in the External Host field and 192.168.0.0/16 in the local network address table.

 

[alecmascot]

I have no setup deviating from defaults in the asus router other than the FullCone. The passthroughs are all enabled and there is no port forwarding for voip..
I am using a linksys pap2 connected to Sipgate.

 

[capncybo]

Unfortunately, this problem may be difficult for many to assist you with. Resolution probably requires (above average knowledge) with: Networking (Yet specifically with Asuswrt-Merlin firmware), VOIP-Technologies, & specifically the GrandStream UCM6300A PBX. PLUS... You mentioned using a Dynamic-IP from your ISP. Yikes.
Myself... I am only self-educated in all the above EXCEPT I completely lack any experience regarding your GrandStream UCM6300A PBX.
In addition... I use Entware to run Asterisk on my Asuswrt-Merlin router & that's how all my SIP-Clents/Devices Register & Connect.
But regardless of my experiences...
It sounds like in your case it's the router NAT & RTP connections which are causing you grief.
With SIP the registration is pretty self explanatory & typically happens on a specific & predetermined port via UDP, (Usually 5060).
However the RDP (which will contain your audio channels) gets placed within a block or range of ports.
So... I would recommend:
-#1) Ensure you are using a (reserved-IP or static-IP) for your GrandStream UCM6300A PBX by setting this within the Router's: LAN -> DHCP Server ->Enable Manual Assignment -> Select your PBX
-#2) Enable Port Forwarding (Via: WAN -> Virtual Server / Port Forwarding -> Enable -> add the same port range you specified for RDP within the GrandStream UCM6300A PBX & make sure it sends these RDP packets to the (reserved-IP or static-IP).

IMO you should probably try to avoid using Full Cone NAT as it is less secure, (Likely more vulnerable to Man-in-middle type attacks).

EDIT: I should have also recommended trying to use only TCP instead of UDP. I have read differing opinions on the routablity of UDP. In theory, it should work but in practice & actual experience...
I've have better success getting TCP to work (Although it's packet retransmission could result in some audio echo or increased latency).
IMO Hearing something, is much better than hearing no audio whatsoever.
Good-Luck in your endevours

 

[RMerlin]

On the advice of my VoIP provider I set WAN - NAT Passthrough - SIP Passthrough - Disable.

That would block SIP traffic. You need to set that setting to "Enabled", so SIP traffic will be allowed through, without enabling the obsolete NAT helper that may interfere with it.

 

[DanielCoffey]

Thank you for the great replies. I do have an assigned LAN IP address for the GrandStream PBX in the router and I think the Port Forwarding is correct as per this page... https://gotrunk.com/docs/networkconfiguration/

The part I am unsure if I am doing correctly is where they mention... "The only requirement is you would need to use local LAN IP address / port in your SIP Signalling" as I don't know where to set that in the PBX.

I will set SIP Passthrough to Enabled when the router is free but what about RTSP Passthrough?

 

[capncybo]

That would block SIP traffic. You need to set that setting to "Enabled", so SIP traffic will be allowed through, without enabling the obsolete NAT helper that may interfere with it.

Nice catch, I had noticed that earlier & forgot to mention it within my length reply. Agreed

 

[DanielCoffey]

I just found the 2020 explanation where the Disabled / Enabled / Enabled + NAT Helper were explained which makes a lot of the older SIP guides that say "disable SIP ALG" out of date.

What do you advise for the RTSP Passthrough then?

 

[RMerlin]

What do you advise for the RTSP Passthrough then?

Enabled as well. The optimal settings are for all to be "Enabled". "Disabled" is not recommended as it completely blocks traffic, and "Enabled + NAT Helper" is not recommended as many modern applications will break with the NAT helper enabled.

Note that guides may vary based on the firmware. Asus's stock firmware for instance does not have an "Enabled" mode, their Enabled mode is the same as "nabled + NAT Helper", which will break PBX operations. I don't remember if they ever removed the blocking done when in Disabled mode however.

 

[capncybo]

... "The only requirement is you would need to use local LAN IP address / port in your SIP Signalling" as I don't know where to set that in the PBX.

IMO they are simply referring to the (manner or formatting) of the numbers you dial.
Hence in your case you would dial-out via:
Ex) sip:442031234567@192.168.50.10:5060
with (442031234567) being the desired phone-number, & (192.168.50.10) being the static/reserved IP of your PBX [but, Obviously make it match your specific IP]
So, they are basically saying you have to include the "Internal-local IP-Address of the PBX" within your contacts & dial-strings

 

[DanielCoffey]

I wish they had said how though.

Right... some progress. I have set SIP Passthrough and RTSP Passthrough to Enable and powered all the equipment off and on.

I can make an outgoing call but CallerID is not being provided in the correct format. That will be an issue with my Extension or Outbound Route in the PBX. Not a major issue and I can sort it out.

Inbound calls are being rejected with 401 Unauthorized as the reason. According to Wireshark, there is an "Invite" SIP request from the Trunk to my WAN on port 5060. On the router in Port Forwarding I have a rule specifically from that Trunk IP to allow UDP 5060 through to my LAN IP. It is being rejected by either the router or the PBX.

No idea why it is complaining. Damn!

 

[DanielCoffey]

I also don't seem to be supplying CallerID on outbound calls which is a pain. There are fields for it in the Grandstream PBX for the Trunk, Outbound route and also Extension level but they don't explain the hierarchy nor the expected format (01234... or +441234...).

Any clues?

 

[capncybo]

Sorry as I mentioned earlier, I am far from an expert on any of these technologies. And in your case you seem to be using a fairly propitiatory piece of hardware from GrandStream.
Have you already tried asking for help in some of the GrandStream forums?
IMO you probably should look-up, How to access a remote shell of the PBX? To actually see what is going-on. (Using Wireshark is powerful but does require a certain level of expertise).
In my case if I start a remote asterisk session within a terminal via the following command... asterisk -rvvvvvvv
I can see what is actually occurring in real-time between my sip-clients & the Asterisk Server.
Note: in the following example I'm connecting through an OVPN tunnel (hence the: 10.8.0.3:48096;transport=TCP)

Asterisk 20.0.1, Copyright (C) 1999 - 2022, Sangoma Technologies Corporation and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'core show license' for details.
=========================================================================
Connected to Asterisk 20.0.1 currently running on RT-AX86U-5418 (pid = 3203)
-- Added contact 'sip:user05-0x56254d12bb80@10.8.0.3:48096;transport=TCP' to AOR 'user05' with expiration of 3600 seconds
== Endpoint user05 is now Reachable

However in your case... I think the GrandStream UCM6300A is your SIP Server so...
That's why I'm suggesting you try the GrandStream forums.

Another thought is...
If your ISP will give you TWO Dynamic-IP addresses... split the incoming network BEFORE your asus router (via a small network switch).
Or temporarily just try using the PBX on it's own.
To 1st verify: That it works without any of the asus router's firewall type settings causing issues.

EDIT: I suggest putting it outside your firewall only temporarily as it will be vulnerable, however being a hardware appliance... It should be less vulnerable to attacks.

 

[DanielCoffey]

When I look at the GoTrunk SIP Trunk CDR it does appear to give me full visibility of the SIP frames and their contents. This is helpful because I can see the incoming request to my WAN and I can see the response of Unauthorized.

I have colour coded the relevant parts of the failed Inbound call with red for my WAN IP, green for the caller phone number and blue for the PBX phone number.

If I wanted to know more about the reason for the Unauthorized response, what would I have to do on the Router to capture the event? Please bear in mind I have no experience of this sort of analysis so would appreciate step by step instructions.

 

[DanielCoffey]

Here is a comment from GoTrunk about my issue with incoming calls and UDP port 5060. Is it possible I have the either the firewall or the PBX set up incorrectly when registering the UDP ports?

1. If you look at your GoTrunk missed calls CDR sip trace when we send the invite for the received calls you will see we get no response from your UCM.

*LINK REDACTED*

Normally when people use SIP credentials / Dynamic IP we see a random one.

So I'm assuming that the default signalling port 5060 is not reaching your UCM.

Looking at your UCM registrant the default port 5060 is shown.
Contact: *SIP ID* @ *WAN IP*:5060

Using SIP credentials I would normally expect the registration port to be a random number created by your router NAT but as it shows 5060 I assume you have port forwarding in place on your ASUS router?

 

[DanielCoffey]

UPDATE : Sorted... almost.

GoTrunk were able to assist me with the "Unauthorized" error. In one of the older Guides I had followed it had advised me to turn on "Auth Trunk" in the Trunk Settings... "If enabled the UCM will send a 401 response to the incoming call to authenticate the Trunk". Leaving this at the default Disabled sorted the issue.

Now I was getting a "User Busy" error on incoming calls. This was being caused by my Inbound Route not handling the incoming Caller ID properly and no rule catching it.

If I had an Inbound Route of "_X." (any number of digits) it was failing because the Caller ID was being supplied as +441234... which of course does not match that number.

Now I just need to know how to handle the inbound Caller ID so that 01234... gets passed to the handset.

 

[RMerlin]

Hosting your own PBX is such a PITA, that's why I stopped doing that years ago, after multiple headaches dealing with PBX-in-a-box and Callcentric. I simply moved my business phones to another provider who hosts the PBX, and I have my IP phones pointed at the provider instead.

 

[DanielCoffey]

I was hoping to minimise my monthly outgoings by just paying for the SIP trunk and purchasing my own PBX as I am an unpaid carer. Renting a cloud PBX does add a little extra to the monthly cost.