Common NAT & Firewall Issues That Break Duplex Audio in Asterisk

MYLINEHUB Team • 2026-02-07 • 11 min

The most common NAT and firewall problems that break duplex RTP: port ranges, symmetric NAT, SIP ALG, wrong advertised IPs, and how to fix them.

Real-time full-duplex voice in Asterisk depends on one critical assumption: RTP packets must successfully flow in both directions without distortion, delay, or port confusion.

In controlled lab environments this usually works. In real production networks — behind NAT, enterprise firewalls, cloud load balancers, and SBC layers — duplex audio frequently collapses into:

  • One-way audio
  • Delayed barge-in detection
  • Silent outbound AI speech
  • Random RTP dropouts under load

These failures are rarely caused by Asterisk bugs. They are almost always caused by NAT traversal and firewall state behavior interacting with RTP timing.

This article explains the exact production failure modes and how VoiceBridge’s RTP engine and ARI architecture are designed to survive them.

Source repository:
https://github.com/mylinehub/omnichannel-crm/tree/main/mylinehub-voicebridge

Why NAT Is the #1 Cause of Broken Duplex Audio

RTP runs over UDP, which is connectionless. NAT devices must guess how to map internal → external ports and when to expire those mappings.

Duplex audio requires:

  • Stable external UDP mapping
  • Bidirectional packet flow within timeout windows
  • No asymmetric routing

NAT breaks duplex when:

  • Outbound RTP opens a mapping, but inbound RTP arrives from a different IP/port.
  • Firewall closes UDP state before reverse audio begins.
  • Port translation rewrites RTP destination mid-call.

Symptom Pattern: One-Way Audio During AI Playback

The most common production failure:

  • Caller can hear AI speech.
  • AI cannot hear caller interruption.

Root cause:

  • Outbound RTP from ExternalMedia opens a NAT pinhole.
  • Inbound RTP from caller arrives on a different port.
  • Firewall drops reverse packets → duplex collapses to half-duplex.

VoiceBridge solves this using symmetric RTP learning.

VoiceBridge Symmetric RTP Defense

Implemented in:

  • RtpSymmetricEndpoint.java
    src/main/java/com/mylinehub/voicebridge/rtp/RtpSymmetricEndpoint.java

Responsibilities:

  • Learn actual remote RTP source IP/port from first inbound packet
  • Redirect outbound RTP to learned endpoint
  • Maintain bidirectional stability across NAT rebinding

Without this, duplex fails in nearly every cloud or enterprise deployment.
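
An added example of the learning rule described above, not code from the VoiceBridge repository; the class name `SymmetricRtpLatch`, its methods and the addresses are hypothetical. Re-learning only when the SSRC is unchanged is an assumption added here, a simple consistency check so that a packet from an unrelated stream does not redirect outbound audio.

```java
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;

/** Added illustration; not VoiceBridge's RtpSymmetricEndpoint. */
public class SymmetricRtpLatch {
    private InetSocketAddress learned;   // where outbound RTP is sent once known
    private long learnedSsrc = -1;       // SSRC seen when the endpoint was learned

    /** Called for every inbound datagram; returns true if the packet is accepted. */
    public synchronized boolean onInbound(byte[] buf, int len, InetSocketAddress src) {
        if (len < 12 || ((buf[0] & 0xC0) >>> 6) != 2) return false; // not RTP version 2
        long ssrc = ByteBuffer.wrap(buf, 8, 4).getInt() & 0xFFFFFFFFL;
        if (learned == null) {            // first inbound packet: learn the NAT mapping
            learned = src;
            learnedSsrc = ssrc;
            return true;
        }
        if (src.equals(learned)) return true;
        if (ssrc == learnedSsrc) {        // same stream from a new mapping: NAT rebinding
            learned = src;
            return true;
        }
        return false;                     // different stream from a different address
    }

    /** Outbound target: the learned endpoint, or the signalled address until one is learned. */
    public synchronized InetSocketAddress target(InetSocketAddress signalled) {
        return learned != null ? learned : signalled;
    }

    private static byte[] rtp(int ssrc) { // constructed 12-byte RTP header, payload type 0
        return ByteBuffer.allocate(12).put((byte) 0x80).put((byte) 0)
                .putShort((short) 1).putInt(160).putInt(ssrc).array();
    }

    public static void main(String[] args) {
        // Constructed addresses from the documentation ranges (RFC 5737).
        InetSocketAddress sdp = new InetSocketAddress("192.0.2.10", 4000);
        InetSocketAddress natA = new InetSocketAddress("198.51.100.7", 31000);
        InetSocketAddress natB = new InetSocketAddress("198.51.100.7", 31044);
        SymmetricRtpLatch latch = new SymmetricRtpLatch();
        System.out.println("before learning: " + latch.target(sdp));
        System.out.println("first packet:    " + latch.onInbound(rtp(0x1234), 12, natA));
        System.out.println("rebinding:       " + latch.onInbound(rtp(0x1234), 12, natB));
        System.out.println("other stream:    " + latch.onInbound(rtp(0x9999), 12, natA));
        System.out.println("after learning:  " + latch.target(sdp));
    }
}
```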

Firewall UDP Timeout vs RTP Frame Timing

Enterprise firewalls often expire UDP mappings in 15–30 seconds.

If RTP pauses (for example during AI thinking time):

  • NAT mapping expires
  • Reverse RTP path disappears
  • Next packet is silently dropped

VoiceBridge prevents this with:

  • Continuous RTP cadence enforcement
  • 20 ms packet pacing even during silence

Implemented in:

  • RtpPacketizer.java
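
An added example of silence-filled 20 ms pacing, not VoiceBridge's `RtpPacketizer`; the class name, the G.711 u-law payload and the SSRC value are assumptions. Every tick produces a packet, queued audio or silence, so the gap between packets stays far below the firewall timeout while the AI side is idle.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

/** Added illustration; not VoiceBridge's RtpPacketizer. Assumes G.711 u-law at 8 kHz. */
public class SilenceFillingPacer {
    static final int FRAME_MS = 20, SAMPLES_PER_FRAME = 160; // 20 ms at 8 kHz
    static final byte ULAW_SILENCE = (byte) 0xFF;
    private final ConcurrentLinkedQueue<byte[]> audio = new ConcurrentLinkedQueue<>();
    private final int ssrc;
    private int seq;          // touched only by the timer thread
    private long timestamp;   // touched only by the timer thread

    SilenceFillingPacer(int ssrc) { this.ssrc = ssrc; }

    void offer(byte[] frame) { audio.add(frame); }

    /** Builds the packet for the current tick: queued audio, or silence if none. */
    byte[] nextPacket() {
        byte[] payload = audio.poll();
        if (payload == null) {
            payload = new byte[SAMPLES_PER_FRAME];
            Arrays.fill(payload, ULAW_SILENCE);
        }
        ByteBuffer b = ByteBuffer.allocate(12 + payload.length);
        b.put((byte) 0x80).put((byte) 0)                 // V=2, PT=0 (PCMU)
         .putShort((short) seq).putInt((int) timestamp).putInt(ssrc).put(payload);
        seq = (seq + 1) & 0xFFFF;
        timestamp = (timestamp + SAMPLES_PER_FRAME) & 0xFFFFFFFFL;
        return b.array();
    }

    public static void main(String[] args) throws InterruptedException {
        SilenceFillingPacer pacer = new SilenceFillingPacer(0x1234);
        pacer.offer(new byte[SAMPLES_PER_FRAME]);        // constructed placeholder frame
        ScheduledExecutorService timer = Executors.newSingleThreadScheduledExecutor();
        // A real sender would write each packet to a DatagramSocket here.
        timer.scheduleAtFixedRate(() -> {
            byte[] p = pacer.nextPacket();
            int s = ((p[2] & 0xFF) << 8) | (p[3] & 0xFF);
            System.out.println("seq=" + s + " silence=" + (p[12] == ULAW_SILENCE));
        }, 0, FRAME_MS, TimeUnit.MILLISECONDS);
        Thread.sleep(100);
        timer.shutdownNow();
    }
}
```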

Port Collision Under High Concurrency

Large-scale deployments fail duplex when:

  • Multiple calls reuse the same RTP port
  • NAT mapping overlaps sessions
  • Firewall associates packets with wrong flow

VoiceBridge prevents this via deterministic port allocation:

  • RtpPortAllocator.java

Guarantees:

  • Even-number RTP ports
  • No reuse during active session
  • Thread-safe allocation under load
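
An added example of an allocator with the three guarantees listed above, not VoiceBridge's `RtpPortAllocator`; the class name and the port range are hypothetical. The rotating cursor is an assumption added here: it hands out a just-released port last, so firewall state left over from the previous call has time to expire.

```java
import java.util.BitSet;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration; not VoiceBridge's RtpPortAllocator. */
public class EvenPortAllocator {
    private final int first, slots;
    private final BitSet inUse;
    private int cursor; // rotates through the range so a just-released port is reused last

    public EvenPortAllocator(int low, int high) {
        first = (low % 2 == 0) ? low : low + 1;  // RTP on the even port, RTCP on port + 1
        slots = (high - first + 1) / 2;
        if (slots <= 0) throw new IllegalArgumentException("empty port range");
        inUse = new BitSet(slots);
    }
    /** Returns a free even port and keeps it reserved until release(). */
    public synchronized int allocate() {
        for (int i = 0; i < slots; i++) {
            int slot = (cursor + i) % slots;
            if (inUse.get(slot)) continue;
            inUse.set(slot);
            cursor = (slot + 1) % slots;
            return first + 2 * slot;
        }
        throw new IllegalStateException("RTP port range exhausted");
    }

    /** Call on hangup; rejects ports this allocator does not currently hold. */
    public synchronized void release(int port) {
        int slot = (port - first) / 2;
        if (port < first || (port - first) % 2 != 0 || slot >= slots || !inUse.get(slot))
            throw new IllegalArgumentException("port not allocated: " + port);
        inUse.clear(slot);
    }

    public static void main(String[] args) throws InterruptedException {
        EvenPortAllocator alloc = new EvenPortAllocator(40000, 40011); // constructed range
        Set<Integer> seen = ConcurrentHashMap.newKeySet();
        Thread[] calls = new Thread[4];
        for (int i = 0; i < calls.length; i++) {
            calls[i] = new Thread(() -> seen.add(alloc.allocate()));
            calls[i].start();
        }
        for (Thread t : calls) t.join();
        System.out.println("ports handed to 4 concurrent calls: " + seen);
        alloc.release(40002);
        System.out.println("next allocation after release: " + alloc.allocate());
    }
}
```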

Cloud Load Balancer RTP Asymmetry

In Kubernetes or cloud SIP edges:

  • Inbound RTP may arrive from a different IP than the outbound target.
  • Stateful firewalls reject the asymmetric return path.

Duplex fails because:

  • Asterisk sends RTP to IP-A
  • Caller sends RTP from IP-B
  • Firewall drops packets as spoofed

VoiceBridge symmetric endpoint learning corrects this automatically.

Why AGI Architectures Fail Harder Under NAT

AGI systems:

  • Pause RTP during playback
  • Use file-based media instead of continuous streaming

This causes:

  • UDP mapping expiration
  • Lost reverse audio
  • Permanent one-way speech after AI response

VoiceBridge avoids this by maintaining continuous bidirectional RTP via ARI ExternalMedia.

ARI ExternalMedia and NAT Stability

Managed by:

  • ExternalMediaManagerImpl.java
  • AriBridgeImpl.java

These components:

  • Create mixing bridges dynamically
  • Attach ExternalMedia RTP channels
  • Keep RTP flowing regardless of AI latency

Continuous media flow keeps firewall state alive → duplex survives.

Real Production Debug Signals

If a NAT device or firewall is breaking duplex, you will observe:

  • RTP seen only in one direction in packet capture
  • SSRC resets after silence gap
  • Audio resumes only after caller speaks again

These directly map to:

  • UDP timeout
  • Port rebinding
  • Asymmetric routing
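
An added example that checks a time-ordered packet capture summary for the signals listed above; it is not part of VoiceBridge, and the `Pkt` record, the 15-second threshold (the lower bound of the timeout range cited earlier) and the sample packets are assumptions. It requires Java 16 or later for `record`.

```java
import java.util.ArrayList;
import java.util.List;

/** Added illustration: flags the capture patterns listed above in per-packet summaries. */
public class DuplexCaptureCheck {
    record Pkt(long ms, boolean inbound, String src, long ssrc) {}

    static final long GAP_MS = 15_000; // assumed threshold: shortest timeout cited above

    /** Expects packets sorted by capture time. */
    static List<String> analyze(List<Pkt> capture) {
        List<String> findings = new ArrayList<>();
        for (boolean dir : new boolean[] {true, false}) {
            String name = dir ? "inbound" : "outbound";
            Pkt prev = null;
            for (Pkt p : capture) {
                if (p.inbound() != dir) continue;
                if (prev != null) {
                    long gap = p.ms() - prev.ms();
                    if (gap >= GAP_MS)
                        findings.add(name + ": " + gap + " ms silence gap (UDP timeout risk)");
                    if (p.ssrc() != prev.ssrc())
                        findings.add(name + ": SSRC changed at " + p.ms() + " ms");
                    if (!p.src().equals(prev.src()))
                        findings.add(name + ": source moved " + prev.src() + " -> " + p.src()
                                + " (port rebinding or asymmetric routing)");
                }
                prev = p;
            }
            if (prev == null) findings.add(name + ": no RTP seen (one-way audio)");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed capture summary; addresses are from documentation ranges.
        List<Pkt> capture = List.of(
            new Pkt(0, true, "198.51.100.7:31000", 0xAAAAL),
            new Pkt(20, true, "198.51.100.7:31000", 0xAAAAL),
            new Pkt(20_040, true, "198.51.100.7:31044", 0xBBBBL));
        analyze(capture).forEach(System.out::println);
    }
}
```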

Why VoiceBridge Survives Real Networks

VoiceBridge was engineered for:

  • Carrier NAT
  • Enterprise firewalls
  • Cloud SIP edges
  • High concurrency RTP scaling

It achieves stable duplex using:

  • Symmetric RTP learning
  • Continuous packet pacing
  • Deterministic port allocation
  • ARI mixing bridge architecture

Final Conclusion

Broken duplex audio in Asterisk is rarely an application bug. It is almost always a NAT or firewall state failure interacting with RTP timing.

VoiceBridge solves this at the correct layer: RTP engineering, symmetric endpoint control, and ARI-driven continuous media flow.

That is why duplex audio remains stable in real production networks — not just in lab demos.
