Fix Asterisk One-Way Audio & No Audio

The most common Asterisk problem solved: NAT traversal, RTP ports, firewall rules, and SIP configuration fixes

What is One-Way Audio?

One-way audio means that during a VoIP call on Asterisk, only one party can hear the other. The caller might hear the callee but the callee hears nothing, or vice versa. No audio means neither party can hear anything despite the call showing as connected.

This is the #1 most reported Asterisk problem and affects nearly every deployment at some point. The root cause is almost always related to NAT (Network Address Translation) and how RTP media packets are routed between endpoints.

Key Insight: SIP signaling (call setup) uses one path, but RTP media (actual audio) uses a completely different path. One-way audio happens when SIP works but RTP cannot flow in both directions.

Root Causes

1. NAT (Network Address Translation)

When Asterisk sits behind a NAT router, it advertises its private IP address (e.g., 192.168.1.100) in SDP (Session Description Protocol) messages. Remote endpoints try to send RTP packets to this private address, which is unreachable from the internet. The result: the remote side sends audio but it never arrives at Asterisk.

2. Firewall Blocking RTP Ports

Even with correct NAT settings, if the firewall blocks UDP ports 10000-20000 (Asterisk's default RTP range), media cannot flow. Many admins open SIP port 5060 but forget the RTP port range.

3. Missing or Incorrect externip/localnet

Without externip (or externaddr) configured, Asterisk does not know to replace its private IP with the public IP in SDP. Without localnet, Asterisk cannot distinguish which endpoints are local vs. remote.

4. directmedia=yes (Default in Some Configs)

When directmedia=yes, Asterisk tells endpoints to send RTP directly to each other, bypassing the server. If endpoints are on different networks or behind NAT, this direct path fails and audio drops.

5. SIP ALG on Router

Many consumer routers have a SIP Application Layer Gateway that rewrites SIP packets. This often corrupts the SDP, replacing correct IP addresses with wrong ones. This is a silent killer of VoIP audio.

Solution: chan_sip Configuration (sip.conf)

Add these settings to the [general] section of /etc/asterisk/sip.conf:

[general]
; Replace with YOUR public IP or FQDN
externaddr=203.0.113.50
; If using dynamic IP, use externhost instead:
; externhost=myasterisk.example.com
; externrefresh=60

; Define your local networks (will NOT use externaddr for these)
localnet=192.168.1.0/255.255.255.0
localnet=10.0.0.0/255.0.0.0
localnet=172.16.0.0/255.240.0.0
localnet=127.0.0.1/255.255.255.255

; Force Asterisk to handle all media (never send RTP direct)
directmedia=no

; NAT settings for endpoints behind NAT
nat=force_rport,comedia

What Each Setting Does:

  • externaddr — Tells Asterisk to replace private IPs with this public IP in SDP for remote endpoints
  • localnet — Defines which networks are “local” (no externaddr substitution for these)
  • directmedia=no — Forces all RTP through Asterisk (prevents direct media between endpoints)
  • nat=force_rport,comedia — force_rport: ignore the port in the SIP Via header and use the actual source port; comedia: send RTP to the address/port from which RTP was received (symmetric RTP)

For individual peers, add NAT settings per endpoint:

[my-phone]
type=friend
host=dynamic
nat=force_rport,comedia
directmedia=no
qualify=yes
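
To check that the externaddr and localnet settings above take effect, the SDP body Asterisk sends to a peer can be audited against them. The script below is an added example, not code from the original page or from Asterisk; the function names, the sample config and the sample SDP are constructed, and it assumes externaddr is a literal IPv4 address.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: [general] values taken from the sip.conf shown above.
SIP_CONF = """[general]
externaddr=203.0.113.50
localnet=192.168.1.0/255.255.255.0   ; office LAN
localnet=10.0.0.0/255.0.0.0
"""

# Constructed sample: SDP body sent by Asterisk, as printed by SIP debugging.
SDP_PRIVATE = """v=0
o=root 1234 1234 IN IP4 192.168.1.100
c=IN IP4 192.168.1.100
m=audio 14322 RTP/AVP 0 8 101
"""

def parse_general(conf_text):
    """Return (externaddr, [localnet networks]); accepts dotted netmasks.

    Assumption: externaddr is a literal IPv4 address, not a hostname."""
    externaddr, localnets = None, []
    for raw in conf_text.splitlines():
        key, _, value = raw.split(";", 1)[0].partition("=")  # drop ; comments
        key, value = key.strip().lower(), value.strip()
        if key in ("externaddr", "externip"):
            externaddr = value
        elif key == "localnet":
            localnets.append(ipaddress.ip_network(value, strict=False))
    return externaddr, localnets

def audit_sdp(sdp_text, peer_ip, conf_text, rtp_range=(10000, 20000)):
    """Return a list of findings for an SDP body that was sent to peer_ip."""
    externaddr, localnets = parse_general(conf_text)
    peer_is_local = any(ipaddress.ip_address(peer_ip) in n for n in localnets)
    conn = re.search(r"^c=IN IP4 (\S+)", sdp_text, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp_text, re.M)
    if not conn or not media:
        return ["SDP has no c= or m=audio line"]
    findings = []
    advertised = ipaddress.ip_address(conn.group(1))
    if not peer_is_local and any(advertised in n for n in RFC1918):
        findings.append(f"private address {advertised} advertised to remote peer {peer_ip}")
    elif not peer_is_local and externaddr and str(advertised) != externaddr:
        findings.append(f"c= is {advertised}, expected externaddr {externaddr}")
    if not rtp_range[0] <= int(media.group(1)) <= rtp_range[1]:
        findings.append(f"RTP port {media.group(1)} outside {rtp_range[0]}-{rtp_range[1]}")
    return findings
```

A private-address finding for a remote peer points at externaddr/localnet; a c= address that is public but differs from externaddr is consistent with something on the path, such as a SIP ALG, rewriting the SDP.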

Solution: PJSIP Configuration (pjsip.conf)

For PJSIP (recommended for Asterisk 13+), configure the transport and endpoint:

; Transport with NAT settings
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060
external_media_address=203.0.113.50
external_signaling_address=203.0.113.50
local_net=192.168.1.0/24
local_net=10.0.0.0/8
local_net=172.16.0.0/12
local_net=127.0.0.0/8

; Endpoint configuration
[my-phone]
type=endpoint
transport=transport-udp
context=internal
disallow=all
allow=ulaw,alaw
direct_media=no
force_rport=yes
rewrite_contact=yes
rtp_symmetric=yes
ice_support=yes

PJSIP NAT Settings Explained:

  • external_media_address — Public IP for RTP (equivalent to externaddr for media)
  • external_signaling_address — Public IP for SIP signaling
  • direct_media=no — Keep all media flowing through Asterisk
  • force_rport=yes — Use the actual source port of incoming packets
  • rewrite_contact=yes — Rewrite the Contact header with the actual source address
  • rtp_symmetric=yes — Send RTP back to the address we received it from

RTP Port Configuration (rtp.conf)

Verify and configure the RTP port range in /etc/asterisk/rtp.conf:

[general]
rtpstart=10000
rtpend=20000
; Enable STUN for NAT traversal (optional but recommended)
; stunaddr=stun.l.google.com:19302
; Enable ICE support
; icesupport=yes

The default range 10000-20000 provides 10,000 ports. Each call uses 2 ports (one for RTP audio, one for RTCP), so this range supports up to 5,000 simultaneous calls. For small systems, you can narrow the range (e.g., 10000-10100) to simplify firewall rules.

Firewall Rules (iptables)

Open both SIP and RTP ports in your firewall:

# SIP signaling (UDP and TCP)
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060 -j ACCEPT

# SIP TLS (if using encrypted signaling)
iptables -A INPUT -p tcp --dport 5061 -j ACCEPT

# RTP media ports (CRITICAL - this is what carries the audio!)
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT

# Save rules
iptables-save > /etc/iptables/rules.v4

# For firewalld (CentOS/RHEL):
firewall-cmd --permanent --add-port=5060/udp
firewall-cmd --permanent --add-port=5060/tcp
firewall-cmd --permanent --add-port=10000-20000/udp
firewall-cmd --reload

Pro Tip: For cloud servers (AWS, GCP, Azure, Hetzner, OVH), you also need to configure the security group or network firewall at the provider level, not just iptables on the server.

Debugging One-Way Audio

Use these commands to diagnose the issue:

# Enable RTP debugging to see media flow
asterisk -rx "rtp set debug on"

# Enable SIP debugging to inspect SDP
asterisk -rx "sip set debug on"
# or for PJSIP:
asterisk -rx "pjsip set logger on"

# Check what IP Asterisk advertises in SDP
# Look for "c=IN IP4 x.x.x.x" and "m=audio PORT RTP/AVP"

# Use tcpdump to capture RTP traffic
tcpdump -i eth0 -n udp portrange 10000-20000

# Verify RTP ports are open (from external machine)
nmap -sU -p 10000-10100 YOUR_PUBLIC_IP

# Check active channels and their codec
asterisk -rx "core show channels verbose"

What to Look For:

  • In SDP: the c= line should show your public IP for remote endpoints
  • In tcpdump: RTP packets should flow in both directions
  • If RTP only flows one way, the return path is blocked (firewall or NAT issue)
  • If SDP shows a private IP (192.168.x.x) for a remote call, externaddr is not working
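
The "both directions" check on the tcpdump output can be automated by counting packets per local RTP port. The script below is an added example, not part of the original page; the capture lines, the server address 192.168.1.100 and the function name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output captured on the Asterisk host.
# 192.168.1.100 is assumed to be the server's own (private) address.
CAPTURE = """\
12:00:01.000100 IP 198.51.100.7.40000 > 192.168.1.100.14322: UDP, length 172
12:00:01.000300 IP 192.168.1.100.14322 > 198.51.100.7.40000: UDP, length 172
12:00:01.020100 IP 198.51.100.7.40000 > 192.168.1.100.14322: UDP, length 172
12:00:01.000500 IP 192.168.1.100.16010 > 192.0.2.44.5004: UDP, length 172
12:00:01.020500 IP 192.168.1.100.16010 > 192.0.2.44.5004: UDP, length 172
12:00:01.000700 IP 198.51.100.9.30000 > 192.168.1.100.17000: UDP, length 172
12:00:01.020700 IP 198.51.100.9.30000 > 192.168.1.100.17000: UDP, length 172
"""

LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")

def one_way_ports(capture_text, server_ip, min_packets=2):
    """Return {local_port: direction} for ports with traffic in one direction only.

    Counting per local port (not per remote address) keeps the result valid
    when the remote side sends from a different address than the one in its SDP.
    """
    sent, received = Counter(), Counter()
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an IPv4 UDP line
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if src == server_ip:
            sent[sport] += 1
        elif dst == server_ip:
            received[dport] += 1
    result = {}
    for port in sorted(set(sent) | set(received)):
        if sent[port] + received[port] < min_packets:
            continue  # too few packets to judge
        if not received[port]:
            result[port] = "outbound only"   # nothing from the remote side arrives
        elif not sent[port]:
            result[port] = "inbound only"    # Asterisk receives but does not send
    return result
```

A port reported as "outbound only" means the remote side's RTP is not reaching the server, which matches the blocked return path (firewall or NAT) described above.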

Quick Fix Checklist

  1. Set externaddr/externip to your public IP in sip.conf or external_media_address in pjsip.conf
  2. Define localnet for all your local subnets
  3. Set directmedia=no (or direct_media=no in PJSIP)
  4. Set nat=force_rport,comedia (or rtp_symmetric=yes + force_rport=yes in PJSIP)
  5. Open UDP ports 10000-20000 in your firewall AND cloud security group
  6. Disable SIP ALG on your router/NAT device
  7. Verify rtp.conf has the correct port range
  8. Reload Asterisk after changes: asterisk -rx "sip reload" or asterisk -rx "pjsip reload"