Teams Direct Routing SIP Troubleshooting

1. How Teams Direct Routing works

Direct Routing connects Microsoft Teams Phone System to the PSTN via a certified SBC. The call flow: Teams client → Microsoft SIP proxy (sip.pstnhub.microsoft.com) → Your SBC (TLS/SRTP) → SIP trunk or PBX → PSTN.

All signaling between Teams and your SBC uses TLS on port 5061. Media uses SRTP. Teams supports SILK, G.722, G.711, G.729, and Opus codecs. The SBC must be on Microsoft's certified SBC list or Teams will refuse to connect.

2. SBC requirements for Direct Routing

• SBC must be on the Microsoft certified SBC list
• TLS 1.2 minimum — TLS 1.0/1.1 not accepted
• Public CA-signed certificate (self-signed not accepted by Teams)
• Certificate CN or SAN must match the FQDN configured in Teams admin center
• SRTP for all media (plain RTP not accepted)
• SBC must respond to OPTIONS pings from Microsoft SIP proxy
• Outbound port 5061 to sip.pstnhub.microsoft.com, sip2.pstnhub.microsoft.com, sip3.pstnhub.microsoft.com

3. TLS and certificate requirements

TLS certificate issues are the most common cause of Direct Routing failures. Requirements:

4. Common SIP failures in Direct Routing

5. Media bypass troubleshooting

Media bypass allows Teams clients to send media directly to the SBC, bypassing Microsoft media processors. This reduces latency but requires the SBC to have a public IP reachable by Teams clients.

Media bypass requirements: SBC public IP must be in the Microsoft bypass allow list. Teams client must not be behind a symmetric NAT that blocks direct media. The SBC must advertise the correct public IP in the SDP.

If media bypass calls fail but non-bypass calls work: Disable media bypass as a test. If calls succeed, the issue is SBC public IP reachability from Teams clients. Check that the SBC's media IP in the SDP matches its public IP and that UDP RTP ports are open.

6. Diagnostic tools

Teams Admin Center: Direct Routing → Health Dashboard shows SBC status, OPTIONS ping health, and recent call failures with SIP response codes.

PowerShell:

SBC-side capture: Capture SIP on the SBC for calls to/from Teams. Look for TLS handshake failures (no SIP messages after TCP connect), 4xx responses, and SDP codec lines to diagnose mismatches.

Frequently asked questions

What are the SIP requirements for Teams Direct Routing?

Teams Direct Routing requires: a certified SBC, TLS 1.2 on port 5061, a public CA-signed certificate matching the SBC FQDN in Teams admin, SRTP for all media, and the SBC must respond to OPTIONS pings from Microsoft SIP proxies. Self-signed certificates and plain RTP are not accepted.

How do I fix a 503 error in Teams Direct Routing?

A 503 from Teams Direct Routing means Teams cannot reach your SBC. Check that your firewall allows inbound TLS port 5061 from Microsoft IP ranges (published in the O365 IP list). Verify your SBC responds to OPTIONS pings from sip.pstnhub.microsoft.com. Check the Teams Admin Center Direct Routing health dashboard for specific error details.

How do I troubleshoot no audio in Teams Direct Routing?

No audio in Teams Direct Routing is usually a SRTP configuration issue or media bypass problem. Verify SRTP is enabled on the Teams-facing SBC leg. If using media bypass, check the SBC has a public IP reachable by Teams clients and that UDP RTP ports are open. Disable media bypass as a test — if audio works without bypass, the issue is direct media reachability.