Grandstream UCM 6202 and Sipload


#1

I’ve added three different SIP providers to our UCM 6202:

  1. 1und1
  2. Fonial
  3. Sipload

There was quite some trouble with this, but now it is nearly finished. I managed to get the 1und1 numbers on the UCM and the Fonial numbers as well. I needed to use port 5070 because I am behind a Fritzbox. For 1und1 and Fonial this is no problem anymore.

Only Sipload is not working yet. I contacted the provider and they told me this:

"we suspect a problem with your firewall / possibly a faulty port forwarding if configured or the telephone system. Normally it should not matter from which port we receive requests.

Registration request comes from the customer, starting from source port 5070/UDP:
13:48:25.024467 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto UDP (17), length 614)
[myip].5070

We answer the request with “401 Unauthorized” and a digest/nonce (as required by the SIP standard):
13:48:25.024554 IP (tos 0x0, ttl 64, id 18188, offset 0, flags [none], proto UDP (17), length 610)
188.246.0.82.5060 > [myip].5070: SIP, length: 582

The client would then have to send a new REGISTER request, this time with username and password, the latter being hashed with the nonce we have provided.
Instead we get an ICMP message from the IP [myip] that port 5070/UDP is not available:
13:48:25.059822 IP (tos 0x0, ttl 59, id 11856, offset 0, flags [none], proto ICMP (1), length 576)
[myip] > 188.246.0.82: ICMP [myip] udp port 5070 unreachable, length 556
IP (tos 0x0, ttl 59, id 18188, offset 0, flags [none], proto UDP (17), length 610)

The TTL of the packets from the IP [myip] is always 59, so this suggests that there is either a firewall in between, which does SIP-ALG or that the PBX itself is generating the unreachable messages.
This could also be an incorrectly configured port forwarding, if configured accordingly."

I answered this:

I tried a few more things after that:

1. cut the connections (which the Fritzbox has been making so far) and disabled the FB in this respect.
2. activated the “Auth-Trunk” setting in the SIP settings
3. and at the account sip[myacountnumber] changed to IAX instead of SIP.

Either a voice told me “The person you are calling…” or it was canceled immediately.
Thus unfortunately no success.

They answered this:

"we believe that the attitude changes you mention do not have as much to do with the problem we describe or can have an effect on it.

Once again briefly presented in a very simplified way:

Your system suggests port 5070 for establishing communication

We say, yes we can do that, please send us username and password -> so send a message back to port 5070

However, your system does not provide the user name and password required to establish communication, but reports back that port 5070 is not accessible at the system or in the network.

Whereby the word system can also stand for your firewall / router. This can also cause this…so report back that port 5070 is not accessible. We do not know exactly, we are outside. Or maybe a configured port forwarding on the firewall is not working for you

The problem is not that the system doesn’t send us authentication, but that all the packets we send to the system will be sent somewhere on your system -> port 5070 unreachable

It might help to restart everything: Router/Firewall/PBX. And if port forwardings are set up, please check them all once to make sure they are correct and not pointing to a wrong port."

Does anyone know a solution?


#2

You should not enable the auth-trunk setting, nor should you use IAX.

You are trying to connect to a SIP provider, not an IAX provider. Presumably the SIP trunk settings in the UCM are for a register trunk. You should have a username, authID and password by which to register with the providers. You should register to them using port 5060 UDP, which is indicated in the hostname/IP settings, and then in your settings for PBX Settings, SIP Settings, you should indicate port 5070 in the bind UDP port and then again in the NAT section under external UDP port.

What the above does is that when the UCM sends, it will send to the provider’s 5060 port and when they reply it will come to your 5070 port. You will also need to set up any phone connected to the UCM using 5070.

You should also port forward 5070 as well as the RTP ports and if possible, set a firewall rule for 5070 to only allow the SIP providers as it will only be a matter of time before the hackers will come knocking.


#3

Hi Ipneblett,
thanks for your support.

I just returned from banging my head against the wall :face_with_symbols_over_mouth:
The problem was: the SIP provider’s IP has been added to the Fail2Ban blacklist…
I’ve added it to the whitelist (next to all other SIP providers in my list) and it works now.

So for the future: check the blacklists in case the SIP trunk of a provider does not work for a reason you do not understand :wink:
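
The check the provider did by hand in post #1, as an added example (not written by anyone in this thread): it reads `tcpdump -v` text and pairs every ICMP "udp port unreachable" with the UDP packet it quotes, using the IP id (18188 in the provider's trace). The capture is constructed in the provider's layout with documentation addresses standing in for the provider and the redacted [myip]; `find_rejected` and its field names are hypothetical.

```python
import re

# Constructed capture in `tcpdump -v` layout, modelled on the provider's trace.
# 198.51.100.82 = provider, 203.0.113.10 = the redacted [myip] (both placeholders).
CAPTURE = """\
13:48:25.024467 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto UDP (17), length 614)
    203.0.113.10.5070 > 198.51.100.82.5060: SIP, length: 586
13:48:25.024554 IP (tos 0x0, ttl 64, id 18188, offset 0, flags [none], proto UDP (17), length 610)
    198.51.100.82.5060 > 203.0.113.10.5070: SIP, length: 582
13:48:25.059822 IP (tos 0x0, ttl 59, id 11856, offset 0, flags [none], proto ICMP (1), length 576)
    203.0.113.10 > 198.51.100.82: ICMP 203.0.113.10 udp port 5070 unreachable, length 556
    IP (tos 0x0, ttl 59, id 18188, offset 0, flags [none], proto UDP (17), length 610)
    198.51.100.82.5060 > 203.0.113.10.5070: SIP, length: 582
"""

HDR = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)?\s*IP \(.*?ttl (?P<ttl>\d+), "
                 r"id (?P<id>\d+),.*?proto (?P<proto>\w+)")
FLOW = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$")
UNREACH = re.compile(r"ICMP \S+ udp port (\d+) unreachable")

def find_rejected(capture):
    """Pair each ICMP port-unreachable with the UDP packet it quotes (by IP id)."""
    sent = {}          # IP id -> (timestamp, "src > dst") of UDP packets seen
    findings = []
    hdr = pending = None
    for line in capture.splitlines():
        m = HDR.match(line)
        if m:
            hdr = m.groupdict()
            if pending and hdr["ts"] is None:   # IP header quoted inside the ICMP error
                pending["quoted_id"] = int(hdr["id"])
                pending["answers"] = sent.get(pending["quoted_id"])
                findings.append(pending)
                pending = None
            continue
        f = FLOW.match(line)
        if not f or hdr is None or hdr["ts"] is None:
            continue                            # skip the flow line of a quoted packet
        if hdr["proto"] == "UDP":
            sent[int(hdr["id"])] = (hdr["ts"], f"{f['src']} > {f['dst']}")
        elif (u := UNREACH.search(f["rest"])):
            pending = {"ts": hdr["ts"], "icmp_from": f["src"], "port": int(u.group(1))}
    return findings

if __name__ == "__main__":
    for hit in find_rejected(CAPTURE):
        print(f"{hit['ts']} {hit['icmp_from']} rejected UDP/{hit['port']}; "
              f"quoted packet id {hit['quoted_id']} was: {hit['answers']}")
```

A hit whose quoted packet is the provider's own reply means something on the customer side is actively rejecting that traffic, so the block lists on the PBX and router are the first thing to check, as post #3 found.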