VoIP outbound calls not working

Started by RoleTue, February 27, 2026, 03:13:09 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
February 27, 2026, 03:13:09 PM
Hello all,

I've following setup at home:

Internet --> Opnsense --> Unify switch --> N670IP Pro

As handset I use Gigaset S700H Pro.
My ISP is Vodafone (Cable) in Baden-Wuerttemberg. Prior to this setup I used the Fritzbox 6660 Cable as phonebox which worked properly without any troubles. Since I wanted to get rid of the Fritzbox I acquired the VoIP Box N670. I've configured it with all required data and I get the Box registered via SIP at the Vodafone server. Incoming calls are possible. Outgoing not. As soon as I dial a number on the handset the connection is immediately aborted and the display shows "not reachable". I searched a lot for any solutions or reasons why this happens. Couldn't find any more information. Even the firewall logs don't show any blocks.
Does anyone have an idea what could cause this issue?
Thanks already in advance.
February 27, 2026, 06:33:43 PM #1
I would recommend using IPv6. That would simplify things a lot.

If you really need IPv4 make sure to create an Outbound NAT rule that sets static ports for your VoIP device.
February 27, 2026, 08:53:04 PM #2
You will need to understand what it is that is causing the device to fail when dialing.

I would suggest creating Firewall & NAT rules for your VoIP connections for the SIP & RTP connections and enabled logging of these rules, including in NAT. Reviewing the logs will show you whats going on.

Have you received incoming calls from your ITSP to verify the SIP connection works every time a call is placed to your number or is this intermittent?

Gigaset manuals can be found here - https://teamwork.gigaset.com/gigawiki/display/GPPPO/Manuals+-+N670+IP+PRO

Looking at page 88 of the English manual, you can configure it to send information to a syslog server and what to log. This may be helpful.

Looking at this page - https://teamwork.gigaset.com/gigawiki/display/GPPPO/FAQ+-+Call+settings, there is information about access and area codes when dialing. If all of this is configured correctly, your ITSP may be sending a Forbidden response to your outgoing SIP invites.

I recently replaced my Asterisk box and with one of my providers, my outbound calls were failing. The response I was receiving to my SIP invites was simply Forbidden. The problem turned out to be a contact header in the outgoing SIP request not being what they wanted.

Failing that, if your connections are using SIP (not TLS), you may be able to sniff the SIP packets and see if the call is being placed and if your ITSP is rejecting the request.

In my environment I only have outgoing SIP connections. Incoming calls arrive through them.

Good luck!
February 27, 2026, 09:54:41 PM #3
Hello Olmo,

thanks for the reply. IPv6 is not supported by the device according to the web configurator. FW rules including outbound are already set. I used the same setup with the Fritzbox which worked. I simply exchanged the devices. That's why I don't understand what's going on. Anyway, I'll recheck the firewall rules.

Hello Imoore,

yes, I already have downloaded the manuals for the N670. I read about the remote syslog server. Maybe I should try this as you suggest it. As said above firewall rules are set up and logging is enabled. The firewall doesn't show any blocks. I checked it with the live view while dialing.
Your second link looks interesting. I'll go through it. Thanks a lot for that.
I'll report back.

Thanks again to both of you.
February 27, 2026, 10:19:10 PM #4
Did you create the Outbound Rule for specific ports? If so, check if they still match. RTP ports may be different between a Fritzbox and a Gigaset device.
February 28, 2026, 02:58:24 AM #5
I've found this document for Vodafone Germany, which may help.

https://www.vodafone.de/media/downloads/pdf/Vodafone-Kabel-Deutschland-GmbH-Telephony-Interface-Specific.pdf

In my environment I have a separate VLAN for VoIP. The way I've written my rules is to only allow connections from this VLAN to the SIP_Providers alias. In my SIP_Providers alias I have included the ITSP's SIP & RTP server addresses.

With the traffic originating from my network, the rules match the DSCP field and then tags it. This is applied to SIP, RTP voice & RTP video.

The VoIP Outbound NAT rule simply matches these tagged packets.

The outgoing firewall rule simply matches the tagged packets. This removes the need to create rules using RTP ranges, as these will differ between providers.

The screen shots may help to illustrate this.

The QoS settings for the N670IP Pro are on page 55 of the English manual. You could look up the settings on your Fritzbox and replicate them on the N670IP Pro. I doubt this will be the reason your outbound calls are failing.

You may need to reference this site when working out what you need to set for the DSCP/TOS field - https://tucny.com/Home/dscp-tos
February 28, 2026, 03:00:35 AM #6
The remaining images -1.
February 28, 2026, 03:01:08 AM #7
Now for the final image.
March 01, 2026, 11:54:46 AM #8
Hi lmoore, thanks a lot. Just only noticed the screenshots. Yesterday I went through the first document you linked. This is interesting. Under Sip security chapter 5.4 we read about error 401 (unauthorized). Yesterday I installed zeek on my opnsense which writes a sip.log. When I dial a number I get error 401.

1772360707.341781       CXIN2W2x3RwSMys8Y4      192.168.1.100   5060    80.69.110.78    5060    0       -       -       -       -       -       <sip:xxxxxxxxxx@hiq9a-sbcv461a.kabelbw.de>      <sip:xxxxxxxxxx@hiq9a-sbcv461a.kabelbw.de>;tag=test_tag_0215532162      -       -       -       -       (empty)    SIP/2.0/UDP 192.168.1.100:5060;received=88.152.184.228  -       401     Unauthorized    -       -       0       -

For me this confirms now at least that it's not opnsense which blocks the connection. Will have to look at the document more closely and see if I understand all this.
I'll compare your screenshots with my settings. Maybe this changes the behavior of the registration process.
Thanks again for your help.
March 01, 2026, 02:07:10 PM #9
Quote from: RoleTue on March 01, 2026, 11:54:46 AMWhen I dial a number I get error 401.

My VoIP experience is limited to my home setup but IME I always see a 401 response to the initial SIP INVITE of an outgoing call. Then, there comes a second INVITE containing the Authorization Digest, after which the call proceeds successfully.
March 01, 2026, 05:13:28 PM #10
Quote from: RoleTue on March 01, 2026, 11:54:46 AM1772360707.341781      CXIN2W2x3RwSMys8Y4      192.168.1.100  5060    80.69.110.78    5060    0      -      -      -      -      -      <sip:xxxxxxxxxx@hiq9a-sbcv461a.kabelbw.de>      <sip:xxxxxxxxxx@hiq9a-sbcv461a.kabelbw.de>;tag=test_tag_0215532162      -      -      -      -      (empty)    SIP/2.0/UDP 192.168.1.100:5060;received=88.152.184.228  -      401    Unauthorized    -      -      0      -


I suspect this 401 message is from a REGISTER request. Section 5.4 of the document is referring to Registration. If you are receiving incoming calls on this device, then it must be registered. Interesting tag name being used.

The information in section 5.5 relates to placing an outgoing call. I couldn't find in the manual for the N670IP Pro an example of the Digit Map (Dial Plan), just the reference to the Access and Area Codes - these need to be checked and set accordingly.

Before changing your firewall rules get the device making outgoing calls first. Changing rules to match DSCP requires matching them with what is set in your devices QoS settings you will need two for this device, SIP signaling and RTP. The 3 values I've used are set in Asterisk - ignore my RTCP rule as this now uses the value for RTP voice. VoIP handsets have SIP & RTP values set accordingly.

You could set up your Fritzbox and capture the SIP REGISTER and INVITE traffic so you know what you should be seeing from the N670IP

Included attachments are;

SIP REGISTER flow
SIP INVITE flow
Outgoing Call including headers

Cheers,

Larry.

March 01, 2026, 06:39:40 PM #11
I set up a remote log server now and activated the remote syslog in the n670. Another result. We can see the call start:

s_local@Gigaset_N670 sip-control: [SIP][IPCConnector.cpp:340] UBUS event [sip-control/local_media] received
s_local@Gigaset_N670 sip-control: [SIP][GuiConnector.cpp:419] Call #1 local media: 192.168.1.100:5004 / 192.168.1.100:5004
s_local@Gigaset_N670 sip-control: [SIP][CallManager.cpp:1640] [xxxxxxxxxx|03bf68594a] Call #1: Starting call with account #03bf68594a to sip:017xxxxxxxx@hiq9a-sbcv461a.kabelbw.de
s_local@Gigaset_N670 sip-control: [PJSIP][pjLog.cpp:68] 15:30:49.717 sip_transport.  .......Request msg INVITE/cseq=30849 (tdta0x7165e4) exceeds UDP size threshold (1300), switching to TCP recommended
s_local@Gigaset_N670 sip-control: [PJSIP][pjLog.cpp:68] 15:30:50.225 sip_transport.  .Request msg INVITE/cseq=30849 (tdta0x7165e4) exceeds UDP size threshold (1300), switching to TCP recommended
s_local@Gigaset_N670 sip-control: [PJSIP][W][pjLog.cpp:64] 15:30:50.230    tsx0x71a67c  .Error sending Request msg INVITE/cseq=30849 (tdta0x7165e4): Message too long
s_local@Gigaset_N670 sip-control: [PJSIP][W][pjLog.cpp:64] 15:30:50.233    tsx0x71a67c  .Transport error, terminating transaction. Err=120090 (Message too long)
s_local@Gigaset_N670 sip-control: [SIP][CallManager.cpp:249] [xxxxxxxxxx|03bf68594a] Call #1: stateChangedHandler: Invite session state: DISCONNCTD
s_local@Gigaset_N670 sip-control: [SIP][Call.cpp:723] [xxxxxxxxxx|03bf68594a] Call #1: disconnected. Reason = 503 Message too long. Duration: 0,0 sec.
s_local@Gigaset_N670 giga-ip-bs[24954]: SIP_UAA: [xxxxxxxxxx|03bf68594a|PMID:00001] Call #1: receive:call_rejected status:ok

I shortend the lines a bit. According to the rsyslog the udp package size is to large. Do I have the possibility to limit the udp package size in Opnsense?

@Larry, also thanks a lot ...
March 01, 2026, 06:49:45 PM #12
Hi Larry and Imoore,

yes, looking at the txt files it makes sense. First call ist 401, 2nd gives the 200 ok.
March 01, 2026, 07:43:49 PM #13
Quote from: RoleTue on March 01, 2026, 06:39:40 PMs_local@Gigaset_N670 sip-control: [SIP][IPCConnector.cpp:340] UBUS event [sip-control/local_media] received
s_local@Gigaset_N670 sip-control: [SIP][GuiConnector.cpp:419] Call #1 local media: 192.168.1.100:5004 / 192.168.1.100:5004
s_local@Gigaset_N670 sip-control: [SIP][CallManager.cpp:1640] [xxxxxxxxxx|03bf68594a] Call #1: Starting call with account #03bf68594a to sip:017xxxxxxxx@hiq9a-sbcv461a.kabelbw.de
s_local@Gigaset_N670 sip-control: [PJSIP][pjLog.cpp:68] 15:30:49.717 sip_transport.  .......Request msg INVITE/cseq=30849 (tdta0x7165e4) exceeds UDP size threshold (1300), switching to TCP recommended
s_local@Gigaset_N670 sip-control: [PJSIP][pjLog.cpp:68] 15:30:50.225 sip_transport.  .Request msg INVITE/cseq=30849 (tdta0x7165e4) exceeds UDP size threshold (1300), switching to TCP recommended
s_local@Gigaset_N670 sip-control: [PJSIP][W][pjLog.cpp:64] 15:30:50.230    tsx0x71a67c  .Error sending Request msg INVITE/cseq=30849 (tdta0x7165e4): Message too long
s_local@Gigaset_N670 sip-control: [PJSIP][W][pjLog.cpp:64] 15:30:50.233    tsx0x71a67c  .Transport error, terminating transaction. Err=120090 (Message too long)
s_local@Gigaset_N670 sip-control: [SIP][CallManager.cpp:249] [xxxxxxxxxx|03bf68594a] Call #1: stateChangedHandler: Invite session state: DISCONNCTD
s_local@Gigaset_N670 sip-control: [SIP][Call.cpp:723] [xxxxxxxxxx|03bf68594a] Call #1: disconnected. Reason = 503 Message too long. Duration: 0,0 sec.

Well... what transports does the Fritzbox use when connecting to the ITSP and does it switch to TCP automatically, or does it not exceed the UDP threshold!?

Reading the Vodafone Telephony Interface Specification, it states, and keeping in mind this is a 10 year old document;

 - The SIP UE MUST only use UDP as transport protocol.
 - The SIP UE MUST NOT use TCP, SCTP or TLS.

If VoIP on your Fritzbox is still working, try to work out what is different about its configurations compared to the N670IP Pro, it could be somewhere other than the account settings.

Also, where you set the "SIP Account Name", make this quite short - perhaps only 1 character long and see if this helps.

You may also want to test setting the transport to TCP in case Vodafone have enabled this since they wrote the document.

There may be unnecessary options enabled in your SIP settings which may be contributing to the message size exceeding the limit of 1300.

Disable all Codecs except for G711A, this will make the headers a little smaller.

Have you enabled TCP for port 5060 in your firewall & NAT rules?

Also, section 7 of the Vodafone document states there must not be any request for QoS. This could be interpreted to mean the DiffServ settings should be set to 0 for SIP & RTP. This wont be influencing the message size if the INVITE so wont be related to the length of the UDP message.
March 01, 2026, 08:46:34 PM #14 Last Edit: March 01, 2026, 09:12:50 PM by keeka
So the Gigaset is creating a SIP INVITE packet, then refusing to send it because it exceeds 1300B and aborts the call?
Looking at the packet captures I made, when experiencing VoIP problems (long story also involving a Gigaset VoIP DECT phone), the biggest SIP packet size I saw was 1269B. That too was the SIP INVITE with authorization header.
@lmoore's suggestion to disable, say, some codecs to reduce the SIP payload may be enough. Other than an outgoing permit rule, I doubt firewall/NAT comes in to play this early in the call. Good luck!

Quote from: RoleTue on March 01, 2026, 06:49:45 PMyes, looking at the txt files it makes sense. First call ist 401, 2nd gives the 200 ok.
I'm confused now. Does this not suggest a SIP INVITE was successfully sent?
EDIT ah as @lmoore pointed out, they are responses to SIP REGISTER.
Print
Go Up Pages1
User actions