VoIP Mailing List Archives
Mailing list archives for the VoIP community |
|
| View previous topic :: View next topic |
| Author |
Message |
universe at truemetal.org
Guest
|
 Posted: Wed Feb 19, 2014 12:54 pm Post subject: [asterisk-users] Asterisk as a client: can I get the remote |
 |
|
Hi list,
I have a fresh install of Asterisk 12.0.0 and I'm going to use it only
as a client. I'm trying to SIP REGISTER with a remote SIP provider.
The situation is that Asterisk is running in a VMware VM with a RFC IP
address (192.168.1.2). The provider of the VM performs static NAT from
the RFC IP address to a dedicated public IP address, however, they are
rewriting ports at will. That's the problem.
Here's an excerpt from tcpdump:
IP 192.168.1.2.5060 > my.provider.com.5060: UDP, length 411
REGISTER sip:my.provider.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bK25a36d76
Max-Forwards: 70
From: <sip:1234@my.provider.com>;tag=as762d7322
To: <sip:1234@my.provider.com>
Call-ID: 778c50f84e80a9db60dcd35a2f8a1498@127.0.0.1
CSeq: 228 REGISTER
Supported: replaces, timer
User-Agent: Asterisk PBX 12.0.0
Expires: 120
Contact: <sip:1234@192.168.1.2:5060>
Content-Length: 0
Then the remote SIP provider answers of course with "401 Unauthorized"
but that reply never makes it to Asterisk, because it doesn't come in on
port 5060, where it actually originated on the VM, but on a random port
that the VM hosting providers' NAT router rewrote to, in the below case
port 63664. And the remote SIP provider tries to send the reply back on
that random port. Note MY.PUBLIC.IP.ADDRESS and rport below:
IP my.provider.com.5060 > 192.168.1.2.63664: UDP, length 534
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP
192.168.1.2:5060;branch=z9hG4bK25a36d76;received=MY.PUBLIC.IP.ADDRESS;rport=63664
From: <sip:1234@my.provider.com>;tag=as762d7322
To: <sip:1234@my.provider.com>;tag=as45cffa11
Call-ID: 778c50f84e80a9db60dcd35a2f8a1498@127.0.0.1
CSeq: 228 REGISTER
Server: FPBX-2.10.0(1.8.15.1)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="1d46fec6"
Content-Length: 0
I'm thinking the answer is "no", but is there any option how I can get
the remote SIP provider to answer me on port 5060? Without having them
to change anything in their config.
Thank you!
Markus
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
 |
rnewton at digium.com
Guest
|
| Posted: Thu Feb 20, 2014 4:21 pm Post subject: [asterisk-users] Asterisk as a client: can I get the remote |
|
|
On Wed, Feb 19, 2014 at 11:53 AM, Markus <universe@truemetal.org> wrote:
| Quote: | Hi list,
I have a fresh install of Asterisk 12.0.0 and I'm going to use it only as a
client. I'm trying to SIP REGISTER with a remote SIP provider.
The situation is that Asterisk is running in a VMware VM with a RFC IP
address (192.168.1.2). The provider of the VM performs static NAT from the
RFC IP address to a dedicated public IP address, however, they are rewriting
ports at will. That's the problem.
Here's an excerpt from tcpdump:
|
<snip>
| Quote: |
I'm thinking the answer is "no", but is there any option how I can get the
remote SIP provider to answer me on port 5060? Without having them to change
anything in their config.
|
http://www.ietf.org/rfc/rfc3581.txt
To force RFC3581 support for outbound REGISTER messages, you can set
"nat=force_rport" in the general section of your sip.conf. (This also
forces RFC3581 compliance for inbound messages, for any peers that
inherit this general option)
In my testing this results in the outbound REGISTER setting rport like
"Via: SIP/2.0/UDP X.X.X.X:5060;branch=z9hG4bK493d3405;rport"
If the far end supports RFC3581 it should respond back to the port
from what it received requests. That should be 5060 if they receive
the message from 5060. However.. if your VM/Network provider is
rewriting things, then they could potentially remove your rport value,
send it out over a different port, or do any number of crazy things.
Depending on what they have going on in their network, receiving it
back at 5060 is no guarantee it'll get back to your Asterisk VM.
--
Rusty Newton
Digium, Inc. | Community Support Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
direct: +1 256 428 6200
Check us out at: http://digium.com & http://asterisk.org
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
universe at truemetal.org
Guest
|
| Posted: Thu Feb 20, 2014 6:45 pm Post subject: [asterisk-users] Asterisk as a client: can I get the remote |
|
|
Am 20.02.2014 22:20, schrieb Rusty Newton:
| Quote: | To force RFC3581 support for outbound REGISTER messages, you can set
"nat=force_rport" in the general section of your sip.conf. (This also
forces RFC3581 compliance for inbound messages, for any peers that
inherit this general option)
[...]
|
Thank you for the suggestion, I just tried that. Unfortunately it
doesn't help in my case. The problem remains that my hosting provider is
rewriting ports:
Packets on the hosted VM (1.1.1.1) where Asterisk "client" is running:
IP 1.1.1.1.5060 > 2.2.2.2.5060: UDP, length 428
IP 2.2.2.2.5060 > 1.1.1.1.16025: UDP, length 544
IP 1.1.1.1 > 2.2.2.2: ICMP 1.1.1.1 udp port 16025
unreachable, length 556
And on 2.2.2.2, the remote SIP server (another Asterisk box for testing):
IP 1.1.1.1.16025 > 2.2.2.2.5060: UDP, length 428
IP 2.2.2.2.5060 > 1.1.1.1.16025: UDP, length 544
IP 1.1.1.1 > 2.2.2.2: ICMP 1.1.1.1 udp port 16025
unreachable, length 556
The initial REGISTER received from 1.1.1.1 without force_rport:
Via: SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK1780c521
And with force_rport enabled:
Via: SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK279a0a9b;rport
But of course, Asterisk on 2.2.2.2 will reply on the port where the
request originated, in the above case, port 16025 which was rewritten
from 5060 to 16052 by the evil hosting provider. This is what the Via
header looks like when 2.2.2.2 answers to 1.1.1.1:
Via: SIP/2.0/UDP
1.1.1.1:5060;branch=z9hG4bK279a0a9b;received=1.1.1.1;rport=16025
So, if there would be some kind of implementation that said "Ignore the
actual port that the request originated from, instead force answer on a
port that is transmitted via some header setting", that would help me.
Some fantasy option in sip.conf:
nat_rport_forced=5060
Could generate a header in the initial REGISTER from 1.1.1.1 to 2.2.2.2
like this:
Via: SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK279a0a9b;rport_forced=5060
And now, even though 2.2.2.2 received the request originating from port
16025, it would honor the "rport_forced" setting and reply back on port
5060 instead of 16025.
Maybe such an option exists, I just haven't found it yet? 
Thank you!
Markus
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
EWieling at nyigc.com
Guest
|
| Posted: Thu Feb 20, 2014 7:33 pm Post subject: [asterisk-users] Asterisk as a client: can I get the remote |
|
|
To be fair NAT is rewriting your SIP packet source port. This happens all day, on almost every NAT device out there. Stop thinking it is purely a port rewriting issue, something else is going on.
Have you set localnet and externip in sip.conf. Maybe the NAT device has a short UDP translation timeout -- try setting qualifyfreq=15 in sip.conf to generate traffic so the NAT box does not close the translations
Here is an example sip show peers on one my my boxes. Three different locations are show. The ones you see with 5060 are either not NAT'd or they have a proxy at the customer location. The ones with a different port are NAT'd.
2212012/2212012 xxx.27.201.xxx D N 5060 OK (57 ms)
2212008/2212008 xxx.27.201.xxx D N 5060 OK (50 ms)
2212000/2212000 xxx.27.201.xxx D N 5060 OK (51 ms)
220810/220810 xxx.242.17.xxx D N 53277 OK (728 ms)
220807/220807 xxx.242.17.xxx D N 4121 OK (44 ms)
220806/220806 xxx.242.17.xxx D N 47822 OK (57 ms)
220805/220805 xxx.242.17.xxx D N 31820 OK (44 ms)
220804/220804 xxx.242.17.xxx D N 4175 OK (42 ms)
220803/220803 xxx.242.17.xxx D N 15386 OK (42 ms)
220802/220802 xxx.242.17.xxx D N 28632 OK (44 ms)
220800/220800 xxx.242.17.xxx D N 47043 OK (44 ms)
219249/219249 xxx.99.200.xxx D 5060 OK (47 ms)
219244/219244 xxx.99.200.xx D 5060 OK (49 ms)
-----Original Message-----
From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Markus
Sent: Thursday, February 20, 2014 6:45 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Asterisk as a client: can I get the remote SIP server to ignore rport?
Am 20.02.2014 22:20, schrieb Rusty Newton:
| Quote: | To force RFC3581 support for outbound REGISTER messages, you can set
"nat=force_rport" in the general section of your sip.conf. (This also
forces RFC3581 compliance for inbound messages, for any peers that
inherit this general option) [...]
|
Thank you for the suggestion, I just tried that. Unfortunately it doesn't help in my case. The problem remains that my hosting provider is rewriting ports:
Packets on the hosted VM (1.1.1.1) where Asterisk "client" is running:
IP 1.1.1.1.5060 > 2.2.2.2.5060: UDP, length 428 IP 2.2.2.2.5060 > 1.1.1.1.16025: UDP, length 544 IP 1.1.1.1 > 2.2.2.2: ICMP 1.1.1.1 udp port 16025 unreachable, length 556
And on 2.2.2.2, the remote SIP server (another Asterisk box for testing):
IP 1.1.1.1.16025 > 2.2.2.2.5060: UDP, length 428 IP 2.2.2.2.5060 > 1.1.1.1.16025: UDP, length 544 IP 1.1.1.1 > 2.2.2.2: ICMP 1.1.1.1 udp port 16025 unreachable, length 556
The initial REGISTER received from 1.1.1.1 without force_rport:
Via: SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK1780c521
And with force_rport enabled:
Via: SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK279a0a9b;rport
But of course, Asterisk on 2.2.2.2 will reply on the port where the request originated, in the above case, port 16025 which was rewritten from 5060 to 16052 by the evil hosting provider. This is what the Via header looks like when 2.2.2.2 answers to 1.1.1.1:
Via: SIP/2.0/UDP
1.1.1.1:5060;branch=z9hG4bK279a0a9b;received=1.1.1.1;rport=16025
So, if there would be some kind of implementation that said "Ignore the actual port that the request originated from, instead force answer on a port that is transmitted via some header setting", that would help me.
Some fantasy option in sip.conf:
nat_rport_forced=5060
Could generate a header in the initial REGISTER from 1.1.1.1 to 2.2.2.2 like this:
Via: SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK279a0a9b;rport_forced=5060
And now, even though 2.2.2.2 received the request originating from port 16025, it would honor the "rport_forced" setting and reply back on port
5060 instead of 16025.
Maybe such an option exists, I just haven't found it yet?
Thank you!
Markus
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
universe at truemetal.org
Guest
|
| Posted: Thu Feb 20, 2014 8:13 pm Post subject: [asterisk-users] Asterisk as a client: can I get the remote |
|
|
Am 21.02.2014 01:33, schrieb Eric Wieling:
| Quote: | To be fair NAT is rewriting your SIP packet source port. This happens all day, on almost every NAT device out there. Stop thinking it is purely a port rewriting issue, something else is going on.
|
In the meantime, the provider has reconfigured the VM to work with the
public IP address. That means the RFC IP address was removed and the
public IP is now configured on the VM directly. The effect is the same,
ports on outgoing packets still get rewritten.
| Quote: | Have you set localnet and externip in sip.conf. Maybe the NAT device has a short UDP translation timeout -- try setting qualifyfreq=15 in sip.conf to generate traffic so the NAT box does not close the translations
|
Yes, I have played around with local and externaddr. But the IP is not
the problem, the port is. I think the translation timeout doesn't
matter, because the router rewrites outgoing packets to a different
port, but doesn't do so on incoming packets, and that's the issue.
| Quote: | Here is an example sip show peers on one my my boxes. Three different locations are show. The ones you see with 5060 are either not NAT'd or they have a proxy at the customer location. The ones with a different port are NAT'd.
|
And I'm pretty sure if you look at any of those peers that have a
non-5060 port, the routers in front of them will rewrite packets
destined for ports 53277, 4121, 47822 etc. to the proper corresponding
internal IP:port where something is listening. The router of my provider
won't. It rewrites ports on outgoing packets, but it passes incoming
packets 1:1 to the VM.
IMHO, my hosting provider is at fault, and I'm working with them to get
it fixed. I was just wondering if there is some magic switch which can
fix such a broken scenario.
Thank you!
Markus
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
andres at telesip.net
Guest
|
| Posted: Fri Feb 21, 2014 9:12 am Post subject: [asterisk-users] Asterisk as a client: can I get the remote |
|
|
| Quote: | And I'm pretty sure if you look at any of those peers that have a
non-5060 port, the routers in front of them will rewrite packets
destined for ports 53277, 4121, 47822 etc. to the proper corresponding
internal IP:port where something is listening. The router of my
provider won't. It rewrites ports on outgoing packets, but it passes
incoming packets 1:1 to the VM.
|
Wow, if this is the case then I would be changing VM providers
immediately. You would have problems not only with Asterisk but with
most other services you wanted to host on it. There are many VM
providers out there that work just fine with Asterisk even on a 1:1 NAT
like Amazon Web Services.
| Quote: |
IMHO, my hosting provider is at fault, and I'm working with them to
get it fixed. I was just wondering if there is some magic switch which
can fix such a broken scenario.
Thank you!
Markus
|
--
Technical Support
http://www.cellroute.net
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
universe at truemetal.org
Guest
|
| Posted: Fri Feb 21, 2014 10:07 am Post subject: [asterisk-users] Asterisk as a client: can I get the remote |
|
|
Am 21.02.2014 15:12, schrieb Andres:
| Quote: | Wow, if this is the case then I would be changing VM providers
immediately. You would have problems not only with Asterisk but with
most other services you wanted to host on it. There are many VM
providers out there that work just fine with Asterisk even on a 1:1 NAT
like Amazon Web Services.
|
Update: the VPS provider has fixed the issue with their router and now
everything works as expected. Unfortunately, in this particular "exotic"
country, it seems there is exactly *1* VPS hosting provider, so
switching to another provider would not be really feasible, and
switching to another country is not at option either.
All is good now!
Thanks!
Markus
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
Search
