Dreaded one-way audio with nat=yes

Home » Asterisk Users » Dreaded one-way audio with nat=yes
Asterisk Users 9 Comments

I’m trying to move the asterisk server to an Amazon Web instance. We have teliax for our sip provider. I’d like for our DID lines to be connected to a users cell phone.

Seems simple enough, but I’m getting the dreaded one-way audio, even with nat=yes everyplace I can think of.

The dialplan is real easy:

exten => _j.,1,NoOp("From teliax sip with exten "${EXTEN}")
exten => _j.,n,Set(3digitexten=${EXTEN:12:3}
exten => _j.,n,NoOp("Callerid is " ${CALLERID(all)} )
exten => _j.,n,GoTo(from-outside,${3digitexten},1)

exten => 123,1,NoOp()
exten => 123,n,Answer()
exten => 123,n,Dial(SIP/jnctn/1212xxxyyyy)
exten => 123,n,HangUp()

directmedia=no ; tried nonat

sip show peer jnctn:
Insecure : invite
Force rport : Yes
DirectMedia : No

sip show peer teliax:
Insecure : port,invite
Force rport : Yes
DirectMedia : No

And the cli doesn’t show any problems.

9 thoughts on - Dreaded one-way audio with nat=yes

  • So I tried having teliax connect to the asterisk box with iax. But now I
    get no audio both ways!

    Answer(“IAX2/iaxtest-1945”, “”) in new stack
    GotoIf(“IAX2/iaxtest-1945”, “1?123,1”) in new stack

  • It may sound silly but did you configure/open firewall ports on amazon ec2? The instance itself as we as from the amazon ec2 panel?

    Sent from my iPhone

  • Well that’s interesting. I hadn’t realized that iptables was set up on
    the instance, as well as the firewall from the security group on the
    control panel.

    Flushed the instance iptables, which fixed a problem I was having with a
    phone registering.

    But I still have my one-way audio. The calling party hears nothing from
    the called party.


  • Udp port 5060, udp port range 10000-20000 open? Those are for sip.

    For iax2 udp port 4569

    Make sure they are open.

    Also can you register two ext from the same instance and see if you can hear both ways….

    What kind of trunk do you have to the other side you calling?

    Sent from my iPhone

  • The instance firewall is flushed. The security group allows udp
    10000-20000 , 5060 and 4569.

    Well it gets stranger:

    I set up a sip link to my home. Dialed the teliax number from my cell.
    Asterisk used the sip link to my home – and that worked!

    Dial(“IAX2/iaxtest-584”, “SIP/sip-to-home”)

    Which seems to mean that the teliax < -> asterisk link is fine.

    But if I use a SIP/PSTN provider , I get one-way audio:

    Dial(“IAX2/iaxtest-515”, “SIP/jnctn/“)

    Completely baffled.


  • Sean,

    I do not have experience with the Amazon service. Cannot advise how to
    implement it in their environment.

    You need to have a route from your public IP(s) to your Asterisk
    instance for all incoming connections on RTP ports.

    Absence of this routing explains why SIP connection to your home
    (egress) worked whereas incoming SIP connection from your SIP provider
    (ingress) has a packed drop issue. The egress connection is initiated
    from the LAN and firewall happily NATs in this case. On the ingress
    connection firewall drops all RTP traffic originated by your provider
    while happily NATing the traffic originated by your Asterisk.

    It is also a good idea to have “qualify=yes” in your SIP peers’ settings
    to keep these NAT tables on the firewall updated for incoming SIP traffic.


  • Solved.



    The secret was adding media_address=

    puzzled why that would be necessary – why would asterisk give out an
    address other than the externaddr?

    May be product of virtualization. ifconfig gives a address,
    though the instance does have an external ipaddress assigned to it.
    Still odd * wouldn’t use the externaddr though.