Hi,
We have noticed that the server tries to connect to user's contact IP:port when there is no existing TCP connection with the client. This can happen when the client-server TLS connection brakes for some reason (for example flaky Internet). After that when consequent requests need to be proxied to that user (NOTIFYs, SUBSCRIBEs) we can see in the logs that the server tries to connect to the user's IP and port because there is not existing TCP (TLS) connection with it. In our setup though the cients are behind NAT and the serveer is in the public Internet.
In most such cases the server fails "normally" after 10 seconds and during that time if the same client tries to REGISTER, the REGISTER packets are processed on the server by the same process that has been blocked for 10 seconds, after the blocking 10 secs have elapsed. In effect this makes it harder for the clent to re-REGISTER when the connection has been broken.
There are cases though, when we can see in the server logs that there are no logs for more than 3 minutes and we can see that two server processes have been trying outgoing connection to the old client's IP:port for more than 3 minutes and we can see how both processes report unsuccessfull tcp blocking connect to the client after the logs resume after more than 3 minutes have elapsed. During such cases the server simply doesn't respond to client's attempts to REGISTER and is in effect blocked.
We have no clue as to why the server is blocked for more than 3 minutes since the tcp connect timeout seems to be just 10 seconds.
What we think is best is if we can configure the server to not try outgoing TCP connections to clients (when TCP conenction doesn't exist)? Is there a configration setting for that? If there is no configuration for that, what is the best place in code to make this change in the code? If this is not easy or not recommended, can we set the server's timeout for outgoing TCP connection to something smaller, for example 1-2 seconds, or even 0 seconds? We feel in our setup it will be better if the server does not try to connect at all, becasue anyway the connection attempt will fail.
Any information will be appreciated.
Thanks in advance,
Ivan
El Lunes, 22 de Junio de 2009, Ivan Genov escribió:
Hi,
Hi Ivan, you have sent this mail to this list (SIP-Ruter devel) and to OpenSIPs devel maillists.
They are two different projects. Please don't same the same question to both lists.
On Jun 22, 2009 at 12:37, Ivan Genov ivangg_q@yahoo.com wrote:
Hi,
[...]
There are cases though, when we can see in the server logs that there are no logs for more than 3 minutes and we can see that two server processes have been trying outgoing connection to the old client's IP:port for more than 3 minutes and we can see how both processes report unsuccessfull tcp blocking connect to the client after the logs resume after?more than 3 minutes have elapsed. During such cases?the server simply doesn't respond to client's attempts to REGISTER and is in effect blocked.
We have no clue as to why the server is blocked for more than 3 minutes since the tcp connect timeout seems to be just 10 seconds.
What we think is best is if we can?configure the server to not try outgoing TCP connections to clients (when TCP conenction doesn't exist)? Is there a configration setting for that? If there is no configuration for that, what is the best place in code to make this change in the code? If this is not easy or not recommended,?can we set the server's timeout for outgoing TCP connection to something smaller, for example 1-2 seconds, or even 0 seconds? We feel in our setup?it will be better if?the server does not try to connect at all, becasue anyway the connection attempt?will fail.
Any information will be appreciated.
It depends on what are you using: pre-sip-router kamailio, pre-sip-router ser or the latest sip-router code.
If you are using sip-router or a recent ser (e.g 2.1), then the tcp code does not block (you can make it block if you want though). However this is not yet true for tls (the tls code is not yet async.). For the same "versions" (ser 2.1 or sip-router) you can stop outgoing connects by setting tcp_no_connect to yes. You can do this any time, even even if sip-router is already started (in this case using sercmd cfg.set_now_int tcp no_connect 1).
If you are using kamailio then you can wait for the next official version (based on sip-router) or you could try upgrading to sip-router now (but note that right now there is only a devel version which might still have some problems). However even for current kamailio the connect should never block more then tcp_connect_timeout (in your case 10s). There is a small bug that could make this timeout smaller, but never greater. You could also try making tcp_connect_timeout 0 or 1 and see if you ever get those 3 min. delays (they might be caused by something else).
Andrei
We are using openser-1.3.0-tls. I assume what we can do there is to decrease the tcp connect timeout or get into the code and short-circuit the server to not try outgoing tcp connections.
----- Original Message ---- From: Andrei Pelinescu-Onciul andrei@iptel.org To: Ivan Genov ivangg_q@yahoo.com Cc: sr-dev@lists.sip-router.org Sent: Monday, June 22, 2009 2:13:50 PM Subject: Re: [sr-dev] Server trying outgoing TCP (TLS) connection, gets blocked
On Jun 22, 2009 at 12:37, Ivan Genov ivangg_q@yahoo.com wrote:
Hi,
[...]
There are cases though, when we can see in the server logs that there are no logs for more than 3 minutes and we can see that two server processes have been trying outgoing connection to the old client's IP:port for more than 3 minutes and we can see how both processes report unsuccessfull tcp blocking connect to the client after the logs resume after?more than 3 minutes have elapsed. During such cases?the server simply doesn't respond to client's attempts to REGISTER and is in effect blocked.
We have no clue as to why the server is blocked for more than 3 minutes since the tcp connect timeout seems to be just 10 seconds.
What we think is best is if we can?configure the server to not try outgoing TCP connections to clients (when TCP conenction doesn't exist)? Is there a configration setting for that? If there is no configuration for that, what is the best place in code to make this change in the code? If this is not easy or not recommended,?can we set the server's timeout for outgoing TCP connection to something smaller, for example 1-2 seconds, or even 0 seconds? We feel in our setup?it will be better if?the server does not try to connect at all, becasue anyway the connection attempt?will fail.
Any information will be appreciated.
It depends on what are you using: pre-sip-router kamailio, pre-sip-router ser or the latest sip-router code.
If you are using sip-router or a recent ser (e.g 2.1), then the tcp code does not block (you can make it block if you want though). However this is not yet true for tls (the tls code is not yet async.). For the same "versions" (ser 2.1 or sip-router) you can stop outgoing connects by setting tcp_no_connect to yes. You can do this any time, even even if sip-router is already started (in this case using sercmd cfg.set_now_int tcp no_connect 1).
If you are using kamailio then you can wait for the next official version (based on sip-router) or you could try upgrading to sip-router now (but note that right now there is only a devel version which might still have some problems). However even for current kamailio the connect should never block more then tcp_connect_timeout (in your case 10s). There is a small bug that could make this timeout smaller, but never greater. You could also try making tcp_connect_timeout 0 or 1 and see if you ever get those 3 min. delays (they might be caused by something else).
Andrei
Ivan Genov schrieb:
We are using openser-1.3.0-tls. I assume what we can do there is to decrease the tcp connect timeout
You should configure both: tcp_send_timeout and tcp_connect_timeout. Because openser first tries to send using the existing connection, after send_timeout it detects that the TCP connection has gone (e.g. NAT timeout) and it tries to open a new connection until connect_timeout triggers.
or get into the code and short-circuit the server to not try outgoing tcp connections.
I tried it once but it was actually not that easy - there are lots of places in openser which trigger sending message. Maybe you can backport the feature from ser.
regards klaus
----- Original Message ---- From: Andrei Pelinescu-Onciul andrei@iptel.org To: Ivan Genov ivangg_q@yahoo.com Cc: sr-dev@lists.sip-router.org Sent: Monday, June 22, 2009 2:13:50 PM Subject: Re: [sr-dev] Server trying outgoing TCP (TLS) connection, gets blocked
On Jun 22, 2009 at 12:37, Ivan Genov ivangg_q@yahoo.com wrote:
Hi,
[...]
There are cases though, when we can see in the server logs that there are no logs for more than 3 minutes and we can see that two server processes have been trying outgoing connection to the old client's IP:port for more than 3 minutes and we can see how both processes report unsuccessfull tcp blocking connect to the client after the logs resume after?more than 3 minutes have elapsed. During such cases?the server simply doesn't respond to client's attempts to REGISTER and is in effect blocked.
We have no clue as to why the server is blocked for more than 3 minutes since the tcp connect timeout seems to be just 10 seconds.
What we think is best is if we can?configure the server to not try outgoing TCP connections to clients (when TCP conenction doesn't exist)? Is there a configration setting for that? If there is no configuration for that, what is the best place in code to make this change in the code? If this is not easy or not recommended,?can we set the server's timeout for outgoing TCP connection to something smaller, for example 1-2 seconds, or even 0 seconds? We feel in our setup?it will be better if?the server does not try to connect at all, becasue anyway the connection attempt?will fail.
Any information will be appreciated.
It depends on what are you using: pre-sip-router kamailio, pre-sip-router ser or the latest sip-router code.
If you are using sip-router or a recent ser (e.g 2.1), then the tcp code does not block (you can make it block if you want though). However this is not yet true for tls (the tls code is not yet async.). For the same "versions" (ser 2.1 or sip-router) you can stop outgoing connects by setting tcp_no_connect to yes. You can do this any time, even even if sip-router is already started (in this case using sercmd cfg.set_now_int tcp no_connect 1).
If you are using kamailio then you can wait for the next official version (based on sip-router) or you could try upgrading to sip-router now (but note that right now there is only a devel version which might still have some problems). However even for current kamailio the connect should never block more then tcp_connect_timeout (in your case 10s). There is a small bug that could make this timeout smaller, but never greater. You could also try making tcp_connect_timeout 0 or 1 and see if you ever get those 3 min. delays (they might be caused by something else).
Andrei
_______________________________________________ sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
Hi Andrei!
Andrei Pelinescu-Onciul schrieb:
For the same "versions" (ser 2.1 or sip-router) you can stop outgoing connects by setting tcp_no_connect to yes. You can do this any time, even even if sip-router is already started (in this case using sercmd cfg.set_now_int tcp no_connect 1).
Cool. I did not knew this feature.
But it would be great if this feature can be activated/deactivated per message. For example I want sr to open new TCP connections to trsuted nodes (gateways, SIP proxies, peering partners) but not to user agents.
Thus, it would be great if triggering of this feature can be done with a function call or a flag.
regards klaus
On Jun 23, 2009 at 09:51, Klaus Darilion klaus.mailinglists@pernau.at wrote:
Hi Andrei!
Andrei Pelinescu-Onciul schrieb:
For the same "versions" (ser 2.1 or sip-router) you can stop outgoing connects by setting tcp_no_connect to yes. You can do this any time, even even if sip-router is already started (in this case using sercmd cfg.set_now_int tcp no_connect 1).
Cool. I did not knew this feature.
But it would be great if this feature can be activated/deactivated per message. For example I want sr to open new TCP connections to trsuted nodes (gateways, SIP proxies, peering partners) but not to user agents.
Thus, it would be great if triggering of this feature can be done with a function call or a flag.
This is not so easy because it would involve changing the whole send part of the transport api (right now the raw transport api does not know anything about sip messages or extra flags). I plan to do it along with full INADDR_ANY support (which would require lots of small changes), but at some later undefined point in time. Async tls would come before that.
Andrei
Hi Andrei,
On Jun 22, 2009 at 12:37, Ivan Genov ivangg_q@yahoo.com wrote:
It depends on what are you using: pre-sip-router kamailio, pre-sip-router ser or the latest sip-router code.
If you are using sip-router or a recent ser (e.g 2.1), then the tcp code does not block (you can make it block if you want though). However this is not yet true for tls (the tls code is not yet async.). For the same "versions" (ser 2.1 or sip-router) you can stop outgoing connects by setting tcp_no_connect to yes. You can do this any time, even even if sip-router is already started (in this case using sercmd cfg.set_now_int tcp no_connect 1).
this is a system wide config option, right? Is or would it be possible to have this option on a transaction/user base? I'm thinking since quite some time that it would be ideal to decide as result from the NAT detection if it is worth trying to re-establish a TCP connection from the proxy to the UA or not.
Thanks Nils
2009/6/23 Nils Ohlmeier nils@iptel.org:
this is a system wide config option, right? Is or would it be possible to have this option on a transaction/user base? I'm thinking since quite some time that it would be ideal to decide as result from the NAT detection if it is worth trying to re-establish a TCP connection from the proxy to the UA or not.
Good point. Trying to reconnect a TCP connexion with a TCP natted client is useless.
-
Andrei Pelinescu-Onciul -
Ivan Genov -
Iñaki Baz Castillo -
Klaus Darilion -
Nils Ohlmeier