Allow support for RFC3262 provisional ACK tags
Condense MWI notifications into a single NOTIFY.
Media Codec(s) to allow
Enable RFC3578 overlap dialing support.
AoR(s) to be used with the endpoint
Authentication Object(s) associated with the endpoint
CallerID information for the endpoint
Default privacy level
Internal id_tag for the endpoint
Dialplan context for inbound sessions
Mitigation of direct media (re)INVITE glare
Direct Media method type
Accept Connected Line updates from this endpoint
Send Connected Line updates to this endpoint
Connected line method type
Determines whether media may flow directly between endpoints.
Disable direct media session refreshes when NAT obstructs the media session
Media Codec(s) to disallow
IP address used in SDP for media handling
Bind the RTP instance to the media_address
Force use of return port
Enable the ICE mechanism to help traverse NAT
Way(s) for the endpoint to be identified
How redirects received from an endpoint are handled
NOTIFY the endpoint when state changes for any of the specified mailboxes
An MWI subscribe will replace sending unsolicited NOTIFYs
The voicemail extension to send in the NOTIFY Message-Account header
Default Music On Hold class
Authentication object(s) used for outbound requests
Full SIP URI of the outbound proxy used to send requests
Allow Contact header to be rewritten with the source IP address-port
Allow use of IPv6 for RTP traffic
Enforce that RTP must be symmetric
Send the Diversion header, conveying the diversion information to the called user agent
Send the History-Info header, conveying the diversion information to the called and calling user agents
Send the P-Asserted-Identity header
Send the Remote-Party-ID header
Immediately send connected line updates on unanswered incoming calls.
Minimum session timers expiration period
Session timers for SIP packets
Maximum session timer expiration period
Explicit transport configuration to use
Accept identification information received from this endpoint
Send private identification details to the endpoint.
Must be of type 'endpoint'.
Use Endpoint's requested packetization interval
Determines whether res_pjsip will use and enforce usage of AVPF for this endpoint.
Determines whether res_pjsip will use and enforce usage of AVP, regardless of the RTP profile in use for this endpoint.
Determines whether res_pjsip will use the media transport received in the offer SDP in the corresponding answer SDP.
Determines whether res_pjsip will use and enforce usage of media encryption for this endpoint.
Determines whether encryption should be used if possible but does not terminate the session if not achieved.
Force g.726 to use AAL2 packing order when negotiating g.726 audio
Determines whether chan_pjsip will indicate ringing using inband progress.
The numeric pickup groups for a channel.
The numeric pickup groups that a channel can pickup.
The named pickup groups for a channel.
The named pickup groups that a channel can pickup.
The number of in-use channels which will cause busy to be returned as device state
Whether T.38 UDPTL support is enabled or not
T.38 UDPTL error correction method
T.38 UDPTL maximum datagram size
Whether CNG tone detection is enabled
How long into a call before fax_detect is disabled for the call
Whether NAT support is enabled on UDPTL sessions
Whether IPv6 is used for UDPTL Sessions
Bind the UDPTL instance to the media_adress
Set which country's indications to use for channels created for this endpoint.
Set the default language to use for channels created for this endpoint.
Determines whether one-touch recording is allowed for this endpoint.
The feature to enact when one-touch recording is turned on.
The feature to enact when one-touch recording is turned off.
Name of the RTP engine to use for channels created for this endpoint
Determines whether SIP REFER transfers are allowed for this endpoint
Determines whether a user=phone parameter is placed into the request URI if the user is determined to be a phone number
Determines whether hold and unhold will be passed through using re-INVITEs with recvonly and sendrecv to the remote side
String placed as the username portion of an SDP origin (o=) line.
String used for the SDP session (s=) line.
DSCP TOS bits for audio streams
DSCP TOS bits for video streams
Priority for audio streams
Priority for video streams
Determines if endpoint is allowed to initiate subscriptions with Asterisk.
The minimum allowed expiry time for subscriptions initiated by the endpoint.
Username to use in From header for requests to this endpoint.
Username to use in From header for unsolicited MWI NOTIFYs to this endpoint.
Domain to user in From header for requests to this endpoint.
Verify that the provided peer certificate is valid
Interval at which to renegotiate the TLS session and rekey the SRTP session
Whether or not to automatically generate an ephemeral X.509 certificate
Path to certificate file to present to peer
Path to private key for certificate file
Cipher to use for DTLS negotiation
Path to certificate authority certificate
Path to a directory containing certificate authority certificates
Whether we are willing to accept connections, connect to the other party, or both.
Type of hash to use for the DTLS fingerprint in the SDP.
Determines whether 32 byte tags should be used instead of 80 byte tags.
Variable set on a channel involving the endpoint.
Context to route incoming MESSAGE requests to.
An accountcode to set automatically on any channels created for this endpoint.
Respond to a SIP invite with the single most preferred codec rather than advertising all joint codec capabilities. This limits the other side's codec choice to exactly what we prefer.
Number of seconds between RTP comfort noise keepalive packets.
Maximum number of seconds without receiving RTP (while off hold) before terminating call.
Maximum number of seconds without receiving RTP (while on hold) before terminating call.
List of IP ACL section names in acl.conf
List of IP addresses to deny access from
List of IP addresses to permit access from
List of Contact ACL section names in acl.conf
List of Contact header addresses to deny
List of Contact header addresses to permit
Context for incoming MESSAGE requests.
Force the user on the outgoing Contact header to this value.
Allow the sending and receiving RTP codec to differ
Enable RFC 5761 RTCP multiplexing on the RTP port
Whether to notifies all the progress details on blind transfer
Whether to notifies dialog-info 'early' on InUse&Ringing state
The maximum number of allowed audio streams for the endpoint
The maximum number of allowed video streams for the endpoint
Enable RTP bundling
Defaults and enables some options that are relevant to WebRTC
Mailbox name to use when incoming MWI NOTIFYs are received
Follow SDP forked media when To tag is different
Accept multiple SDP answers on non-100rel responses
Suppress Q.850 Reason headers for this endpoint
Do not forward 183 when it doesn't contain SDP
Enable STIR/SHAKEN support on this endpoint
STIR/SHAKEN profile containing additional configuration options
Skip authentication when receiving OPTIONS requests
Configuration Option Descriptions
When enabled the UDPTL stack will use IPv6.
If media_address is specified, this option causes the UDPTL instance to be bound to the specified ip address which causes the packets to be sent from that address.
It can be one of the following values:
no- meaning no verificaton verification is done.
fingerprint- meaning to verify the remote fingerprint.
certificate- meaning to verify the remote certificate.
yes- meaning to verify both the remote fingerprint and certificate.
Enable STIR/SHAKEN support on this endpoint. On incoming INVITEs, the Identity header will be checked for validity. On outgoing INVITEs, an Identity header will be added.
A STIR/SHAKEN profile that is defined in stir_shaken.conf. Contains several options and rules used for STIR/SHAKEN.
RFC 3261 says that the response to an OPTIONS request MUST be the same had the request been an INVITE. Some UAs use OPTIONS requests like a 'ping' and the expectation is that they will return a 200 OK.
allow_unauthenticated_options will skip authentication of OPTIONS requests for the given endpoint.
There are security implications to enabling this setting as it can allow information disclosure to occur - specifically, if enabled, an external party could enumerate and find the endpoint name by sending OPTIONS requests and examining the responses.
Configuration Option Reference
This option specifies which of the password style config options should be read when trying to authenticate an endpoint inbound request. If set to
userpass then we'll read from the 'password' option. For
md5 we'll read from 'md5_cred'. The following values are valid:
This setting only describes whether the password is in plain text or has been pre-hashed with MD5. It doesn't describe the acceptable digest algorithms we'll accept in a received challenge.
Only used when auth_type is
md5. As an alternative to specifying a plain text password, you can hash the username, realm and password together one time and place the hash value here. The input to the hash function must be in the following format:
For incoming authentication (asterisk is the server), the realm must match either the realm set in this object or the
default_realm set in in the global object.
For outgoing authentication (asterisk is the UAC), the realm must match what the server will be sending in their WWW-Authenticate header. It can't be blank unless you expect the server to be sending a blank realm in the header. You can't use pre-hashed passwords with a wildcard auth object. You can generate the hash with the following shell command:
$ echo -n "myname:myrealm:mypassword" | md5sum
Note the '-n'. You don't want a newline to be part of the hash.
The treatment of this value depends upon how the authentication object is used.
When used as an inbound authentication object, the realm is sent as part of the challenge so the peer can know which key to use when responding. An empty value will use the global sectionFor incoming authentication (asterisk is the UAS), this is the realm to be sent on WWW-Authenticate headers. If not specified, the global object's
default_realm value when issuing a challenge.When used as an outbound authentication object, the realm is matched with the received challenge realm to determine which authentication object to use when responding to the challenge. An empty value matches any challenging realm when determining which authentication object matches a received challenge will be used.
For outgoing authentication (asterisk is the UAC), this must either be the realm the server is expected to send, or left blank or contain a single '*' to automatically use the realm sent by the server. If you have multiple auth objects for an endpoint, the realm is also used to match the auth object to the realm the server sent.
Using the same auth section for inbound and outbound authentication is not recommended. There is a difference in meaning for an empty realm setting between inbound and outbound authentication uses.
If more than one auth object with the same realm or more than one wildcard auth object associated to an endpoint, we can only use the first one of each defined on the endpoint.
Configuration Option Reference
Number of simultaneous Asynchronous Operations, can no longer be set, always set to 1
IP Address and optional port to bind to for this transport
File containing a list of certificates to read (TLS ONLY, not WSS)
Path to directory containing a list of certificates to read (TLS ONLY, not WSS)
Certificate file for endpoint (TLS ONLY, not WSS)
Preferred cryptography cipher names (TLS ONLY, not WSS)
Domain the transport comes from
External IP address to use in RTP handling
External address for SIP signalling
External port for SIP signalling
Method of SSL transport (TLS ONLY, not WSS)
Network to consider local (used for NAT purposes).
Password required for transport
Private key file (TLS ONLY, not WSS)
Protocol to use for SIP traffic
Require client certificate (TLS ONLY, not WSS)
Must be of type 'transport'.
Require verification of client certificate (TLS ONLY, not WSS)
Require verification of server certificate (TLS ONLY, not WSS)
Enable TOS for the signalling sent over this transport
Enable COS for the signalling sent over this transport
The timeout (in milliseconds) to set on WebSocket connections.
Allow this transport to be reloaded.
Allow use of wildcards in certificates (TLS ONLY)
Use the same transport for outgoing requests as incoming ones.
If a websocket connection accepts input slowly, the timeout for writes to it can be increased to keep it from being disconnected. Value is in milliseconds; default is 100 ms.
Allow this transport to be reloaded when res_pjsip is reloaded. This option defaults to "no" because reloading a transport may disrupt in-progress calls.
In combination with verify_server, when enabled allow use of wildcards, i.e. '.' in certs for common,and subject alt names of type DNS for TLS transport types. Names must start with the wildcard. Partial wildcards, e.g. 'f.example.com' and 'foo..com' are not allowed. As well, names only match against a single level meaning '.example.com' matches 'foo.example.com', but not 'foo.bar.example.com'.
Permanent contacts assigned to AoR
Default expiration time in seconds for contacts that are dynamically bound to an AoR.
Allow subscriptions for the specified mailbox(es)
The voicemail extension to send in the NOTIFY Message-Account header
Maximum time to keep an AoR
Maximum number of contacts that can bind to an AoR
Minimum keep alive time for an AoR
Determines whether new contacts replace existing ones.
Determines whether new contacts should replace unavailable ones.
Must be of type 'aor'.
Interval at which to qualify an AoR
Timeout for qualify
Authenticates a qualify challenge response if needed
Outbound proxy used when sending OPTIONS request
Enables Path support for REGISTER requests and Route support for other requests.
The rewrite_contact option registers the source address as the contact address to help with NAT and reusing connection oriented transports such as TCP and TLS. Unfortunately, refreshing a registration may register a different contact address and exceed max_contacts. The remove_existing option and remove_unavailable options can help by removing either the soonest to expire or unavailable contact(s) over max_contacts which is likely the old rewrite_contact contact source address being refreshed.
This should be set to
The effect of this setting depends on the setting of remove_existing.
If remove_existing is set to
no (default), setting remove_unavailable to
yes will remove only unavailable contacts that exceed _max_contacts_to allow an incoming REGISTER to complete sucessfully.
If remove_existing is set to
yes, setting remove_unavailable to
yes will prioritize unavailable contacts for removal instead of just removing the contact that expires the soonest.
See remove_existing and max_contacts for further information about how these 3 settings interact.
Value used in Max-Forwards header for SIP requests.
The interval (in seconds) to send keepalives to active connection-oriented transports.
The interval (in seconds) to check for expired contacts.
Disable Multi Domain support
The maximum amount of time from startup that qualifies should be attempted on all contacts. If greater than the qualify_frequency for an aor, qualify_frequency will be used instead.
The number of seconds over which to accumulate unidentified requests.
The number of unidentified requests from a single IP to allow.
The interval at which unidentified requests are older than twice the unidentified_request_period are pruned.
Must be of type 'global' UNLESS the object name is 'global'.
Value used in User-Agent header for SIP requests and Server header for SIP responses.
When set, Asterisk will dynamically create and destroy a NoOp priority 1 extension for a given peer who registers or unregisters with us.
Endpoint to use when sending an outbound request to a URI without a specified endpoint.
The voicemail extension to send in the NOTIFY Message-Account header if not specified on endpoint or aor
Enable/Disable SIP debug logging. Valid options include yes, no, or a host address
The order by which endpoint identifiers are processed and checked. Identifier names are usually derived from and can be found in the endpoint identifier module itself (res_pjsip_endpoint_identifier_*). You can use the CLI command "pjsip show identifiers" to see the identifiers currently available.
When Asterisk generates an outgoing SIP request, the From header username will be set to this value if there is no better option (such as CallerID) to be used.
When Asterisk generates a challenge, the digest realm will be set to this value if there is no better option (such as auth/realm) to be used.
MWI taskprocessor high water alert trigger level.
MWI taskprocessor low water clear alert level.
Enable/Disable sending unsolicited MWI to all endpoints on startup.
Enable/Disable ignoring SIP URI user field options.
Place caller-id information into Contact header
Enable sending AMI ContactStatus event when a device refreshes its registration.
Trigger scope for taskprocessor overloads
Advertise support for RFC4488 REFER subscription suppression
Allow 180 after 183
Configuration Option Descriptions
The caller-id and redirecting number strings obtained from incoming SIP URI user fields are always truncated at the first semicolon.
global- (default) Any taskprocessor overload will trigger.
pjsip_only- Only pjsip taskprocessor overloads will trigger.
none- No overload detection will be performed.
Warning title Warning
The "none" and "pjsip_only" options should be used with extreme caution and only to mitigate specific issues. Under certain conditions they could make things worse.
Allow Asterisk to send 180 Ringing to an endpoint after 183 Session Progress has been send. If disabled Asterisk will instead send only a 183 Session Progress to the endpoint. (default: "no")
This documentation was imported from Asterisk Version GIT-16-0b835f251a79fd