Jason Shouldice

Originally published at vicistack.com

One-Way Audio, 503s, and the SIP Problems That Eat Your Shift

You're staring at the Asterisk CLI. Calls are connecting but nobody can hear anything. Or the agent hears the customer fine, but the customer hears dead air. Or calls fail immediately with a 503 and your trunk shows "UNREACHABLE."

Every one of these problems came from a real VICIdial system I fixed. Here's what to check and in what order, because the order matters — you don't want to spend two hours debugging codec mismatches when the problem is a blocked UDP port.

Before You Touch Anything: Get Your Tools Ready

# This is the single most useful SIP debugging command
sngrep -d eth0 port 5060

# Check current trunk status
asterisk -rx "sip show peers"

# Active channels with codec info
asterisk -rx "core show channels verbose"

sngrep shows you the full SIP ladder diagram — INVITE, 100 Trying, 180 Ringing, 200 OK, ACK, BYE — in a visual flow. If you don't have it installed: yum install sngrep or apt install sngrep. This tool will save you more hours than any config change.

Problem 1: One-Way Audio (80% Chance It's NAT)

This is the most common SIP issue in VICIdial. Agent hears the customer, customer hears silence. Works fine on internal calls, breaks on outbound.

Open sngrep and look at the SDP body. Find the line starting with c=. If it says c=IN IP4 10.0.0.50 (a private IP) instead of your public IP, that's the problem. The carrier is sending media to a private address it can't reach.

Fix in sip.conf:

[general]
externaddr=203.0.113.50       ; Your public IP
localnet=10.0.0.0/8
localnet=172.16.0.0/12
localnet=192.168.0.0/16
nat=force_rport,comedia

If your public IP is dynamic, use externhost=sip.yourdomain.com with externrefresh=60 instead.

The other 20% of the time, it's the firewall blocking RTP ports. VICIdial uses UDP 10000-20000 for media by default. Open them:

# -A appends to the chain: an earlier DROP/REJECT rule for these ports still wins
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT
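
The SDP check from Problem 1 as a script, added here as an example and not part of the original article: it reads the c= and m=audio lines from a captured SIP message and flags a media address inside the localnet ranges or a port outside the 10000-20000 RTP range. The sample INVITE is constructed, sip.carrier.example is a placeholder, and audit_sdp is a name chosen for this example.

```python
import ipaddress

# RFC 1918 ranges from the localnet= lines above. Checked explicitly because
# ipaddress.is_private also matches documentation ranges like 203.0.113.0/24.
LOCALNETS = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample INVITE, not a real capture; the carrier host is a placeholder.
SAMPLE_INVITE = (
    "INVITE sip:15555550100@sip.carrier.example SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 10.0.0.50\r\n"
    "s=constructed\r\n"
    "c=IN IP4 10.0.0.50\r\n"
    "t=0 0\r\n"
    "m=audio 14822 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

def audit_sdp(sip_message, rtp_range=(10000, 20000)):
    """Return (issue, value) findings for each audio stream in the SDP body."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_addr, streams = None, []        # streams: [kind, port, address]
    for line in body.splitlines():
        if line.startswith("m="):
            kind, port = line[2:].split()[:2]
            streams.append([kind, int(port.split("/")[0]), session_addr])
        elif line.startswith("c="):
            addr = line.split()[-1]         # c=IN IP4 <address>
            if streams:
                streams[-1][2] = addr       # media-level c= overrides session-level
            else:
                session_addr = addr
    findings = []
    for kind, port, addr in streams:
        if kind != "audio":
            continue
        try:
            ip = ipaddress.ip_address(addr or "")
        except ValueError:                  # missing c= line, or a hostname
            findings.append(("unparsed-address", addr))
            continue
        if any(ip in net for net in LOCALNETS):
            findings.append(("private-media-address", addr))
        if not rtp_range[0] <= port <= rtp_range[1]:
            findings.append(("port-outside-rtp-range", port))
    return findings
```

Paste a message copied from sngrep in place of SAMPLE_INVITE; an empty list means the advertised media address and port are consistent with the sip.conf and firewall settings above.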

Problem 2: 503 Service Unavailable

Calls fail immediately. sip show peers shows the trunk as UNREACHABLE or UNKNOWN.

Run through these in order:

  1. Is the carrier actually up? Check their status page. Carrier outages are more common than you'd think.

  2. Did you hit the channel limit? Count active channels: asterisk -rx "core show channels" | grep -c "SIP/your-trunk"

  3. Registration expired? Check: asterisk -rx "sip show registry". Force re-register with asterisk -rx "sip reload".

  4. DNS failure? If the trunk uses a hostname: dig sip.carrier.com. Compare against what Asterisk cached: asterisk -rx "sip show peer your-trunk".

The quick fix for 503s is implementing failover trunks in your dialplan so if the primary carrier returns an error, VICIdial automatically tries the backup. That's a separate topic — see the ViciStack failover guide for the full setup.

Problem 3: Registration Failures

sip show registry shows "Rejected" or "Request Sent" that never resolves.

Enable SIP debug: asterisk -rx "sip set debug on" and watch the CLI. You'll see the REGISTER exchange and the exact error.

401 Unauthorized: Credentials are wrong. The most common mistake is invisible trailing whitespace in the password field in sip.conf. Also check username vs defaultuser — some carriers want the account number in defaultuser, not username. And some carriers require fromuser and fromdomain fields too.

403 Forbidden: Your IP isn't whitelisted at the carrier. If you recently changed servers or IPs, contact them.

Problem 4: Garbled Audio / Codec Issues

Calls connect but audio sounds robotic or has artifacts. Check what codecs your carrier supports:

asterisk -rx "sip show peer your-trunk" | grep -A5 "Codecs"

G.711 (ulaw) is the safe default for domestic US/Canada calling. Only use G.729 if bandwidth is a real constraint — it adds latency and requires purchasing codec licenses. Set your trunk to:

allow=!all
allow=ulaw
allow=alaw

The Nuclear Option

If nothing above fixes it, start from scratch with a clean trace:

  1. asterisk -rx "sip reload" — clear all state
  2. Start sngrep capture
  3. Make one test call and watch the entire flow
  4. Find the FIRST thing that goes wrong

The flow tells you everything: INVITE sent but no response means firewall or routing. 100 Trying received but no 180 means carrier routing issue. 200 OK received but no audio means NAT/RTP. Audio works for 30 seconds then dies means session timer.

When to Stop Debugging

If you've been reading packet captures for more than two hours, it's almost always something environmental — an ISP middlebox doing SIP ALG, a firewall with stateful UDP tracking, or a carrier-side misconfiguration that you can't fix from your end.

The pattern across hundreds of SIP issues: 80% are NAT or firewall, 15% are credentials, and 5% are genuinely weird. ViciStack can usually pinpoint the problem in under 30 minutes because we've seen every variation of these issues across 200+ VICIdial deployments.

Originally published at https://vicistack.com/blog/vicidial-sip-troubleshooting/