I could fix some of my problems by using a proper conntrack kernel module in my router - now the phones behind the same NAT remain reachable; at least as long as there is no server restart or one of the phones goes offline and online again without doing an unregister.
Still a lot of

ser[27588]: ERROR: tcp_blocking_connect: SO_ERROR (111) Connection refused
ser[27588]: ERROR: tcpconn_connect: tcp_blocking_connect failed
ser[27588]: ERROR: tcp_send: connect failed
ser[27588]: msg_send: ERROR: tcp_send failed
ser[27588]: ERROR: t_forward_nonack: sending request failed

errors (especially on bye/cancel/acks which results in failure to detect call terminations) while t_relay is issued.
Does anyone have an idea/pointer what's wrong here?
There is another problem with my INVITEs - for some reason they don't get a 'Route:' header added; as it maybe is supposed to be.
#if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && ! search("^Route:"))
#{
#    sl_send_reply("479", "forward request to private ip address denied");
#    break;
#};
Could anybody please post me a correct INVITE to CANCEL/BYE session with two phones behind the same nat?
Thanks in advance, Bernd
On Thu, 2005-06-23 at 13:15 +0200, Bernd Froemel wrote:
Dear list,
I have some weird problem between users behind the same NAT connected to a multihomed ser server (public&private IP). Ser is listening only on the public interface (ser.ip.address). The NATed clients have official.ip.address as their official IP address and 192.168.10.1 and 192.168.10.2 are their IP addresses behind NAT.
Now after a register I get for the NATed clients the following entries into the location table:
UA1:
contact: sip:test@192.168.10.1:2050;transport=tcp;line=1hzwxw3z
received: sip:official.ip.address:2050;transport=TCP
flags: 1

UA2:
contact: sip:test2@192.168.10.2:2050;transport=tcp;line=1hzwxw3z
received: sip:official.ip.address:2050;transport=TCP
flags: 1
which looks quite good (why is the flag 1 and not 6?), but then on INVITE/SUBSCRIBE/ (everything which issues a t_relay) my logs get full of:
ser[27588]: ERROR: tcp_blocking_connect: SO_ERROR (111) Connection refused
ser[27588]: ERROR: tcpconn_connect: tcp_blocking_connect failed
ser[27588]: ERROR: tcp_send: connect failed
ser[27588]: msg_send: ERROR: tcp_send failed
ser[27588]: ERROR: t_forward_nonack: sending request failed
and the UA which issued the command receives a: 477 Unfortunately error on sending to next hop occurred message.
I think it has something to do with the lookup of the target UA - at least I always get the uri back which contains the private IP. (debugging output:

befor lookup 80.123.216.181 - - sip:test@domain.com
after lookup 80.123.216.181 - - sip:test@192.168.10.1:2050;transport=tcp;line=lhzwxw3z
)
Also I guess that the commented part which is uncommented in the default cfg shouldn't prevent all NAT calls, but only calls to real private IPs.
( found in route[1] beginning, the nat route)

#if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && ! search("^Route:"))
#{
#    sl_send_reply("479", "forward request to private ip address denied");
#    break;
#};
)
But due to the lookup returning me a private IP uri this would result in a 479 error.
My current test config is basically the one found in cvs/etc/ser.cfg.m4 with inserted values. I already tried other cfgs - even the example in modules/nathelper -- no success. Yes rtpproxy is running, I can even call the other UA and audio is working full duplex, but only at the very beginning. After a few minutes idling or a server restart, without clearing the sql location table a call results always in the 477 error.
Please help me - what am I missing here?
Thanks in advance, Bernd
Here my cfg and some SIP messages during REGISTER and INVITE (I have removed IPs and unnecessary parts, Asterisk gw is 192.168.xx.xx):
#
# ----------- global configuration parameters ------------------------

[...]

check_via=no    # (cmd. line: -v)
dns=yes         # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
mhomed=1

[...]

# ------------------ module loading ----------------------------------

[...]

# ----------------- setting module-specific parameters ---------------

[...]

modparam("nathelper", "natping_interval", 15)
modparam("nathelper", "ping_nated_only", 1)
modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")

modparam("registrar", "nat_flag", 6)
modparam("registrar", "use_domain", 1)

modparam("acc", "report_ack", 1)
modparam("acc", "log_level", 1)
# if BYE fails (telephone is dead, record-routing broken, etc.), generate
# a report nevertheless -- otherwise we would have no STOP event; => 1
modparam("acc", "failed_transactions", 1)

modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)
modparam("acc", "log_missed_flag", 3)
modparam("acc", "db_missed_flag", 3)

modparam("usrloc", "db_mode", 0)
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "use_domain", 1)
modparam("usrloc", "timer_interval", 10)

modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth", "nonce_expire", 300)

modparam("rr", "enable_full_lr", 1)

modparam("tm", "fr_timer", 20)
modparam("tm", "fr_inv_timer", 90)
modparam("tm", "wt_timer", 20)

#modparam("enum", "domain_suffix", "e164.arpa.")

modparam("msilo", "registrar", "sip:registrar@xxxxxxxx")

alias=domain1.com
alias=domain2.com

/* flags:
   1 ... ACCOUNT
   3 ... MISSED CALLS
   4 ... VOICEMAIL
   6 ... NAT
*/
# ------------------------- request routing logic -------------------

# main routing logic

route {
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","too many hops (loop?)");
        break;
    };
    if (msg:len >= 2048 ) {
        sl_send_reply("513", "message too large");
        break;
    };

    if (nat_uac_test("3")) {
        if (method=="REGISTER" || !search("^Record-Route:")) {
            if (method=="REGISTER") {
                fix_nated_register();
            } else {
                fix_nated_contact();
            };
            if (method=="INVITE") {
                log(1,"natted caller sent invite!\n");
                fix_nated_sdp("1");
            };
            force_rport();
            setflag(6);
            log(1, "natted caller detected\n");
            append_to_reply("P-NATed-Caller: Yes\r\n");
        } else {
            log(1, "something wrong here..\n");
        };
    };

    #antispam

    if ( search("(From|F):.*@(domain1.com)|(domain2.com)|(192.168.xx.xx)") ) {
        if ( (method=="INVITE" || method=="SUBSCRIBE") && !(src_ip == SER_IP || src_ip == 192.168.xx.xx) ) {
            if (!(proxy_authorize("","subscriber"))) {
                proxy_challenge("","0");
                break;
            };
            if (!check_from()) {
                log("LOG: From Cheating attempt in INVITE!\n");
                sl_send_reply("403", "use From=id");
                break;
            };
            #consume_credentials();
        };
    #non-REGISTER from other domain
    } else if ((method=="INVITE" || method=="SUBSCRIBE" || method=="REGISTER") && !(uri==myself || uri=~"(@(192.168.xx.xx)([;:].*)*)") ) {
        sl_send_reply("403", "no relaying");
        break;
    };

    if (!(method=="REGISTER")) {
        record_route();
    };

    #if (method=="BYE" || method=="CANCEL")
    #{
    #    unforce_rtp_proxy();
    #};

    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        if ((method=="INVITE" || method=="ACK" || method=="CANCEL") && uri=~"(@(192.168.xx.xx)([;:].*)*)") {
            route(4); # to asterisk
        } else {
            append_hf("P-hint: rr-enforced\r\n");
            if (method=="BYE") {
                setflag(1);
            };
            log(1, "and directly to nat..\n");
            route(1); # to nat
        };
        break;
    };

    if (!(uri==myself || uri=~"(@(192.168.xx.xx)([;:].*)*)")) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        log(1, "outbound\n");
        route(1); # to nat
        break;
    };

    # ---->request is for our domains!<---- #

    if (method=="REGISTER") {
        if (!www_authorize("","subscriber")) {
            www_challenge("","0");
            break;
        };
        if (!check_to()) {
            log("LOG: To Cheating attempt\n");
            sl_send_reply("403", "use From=id");
            break;
        };
        log(1, "(un)register successful\n");
        if (!save("location")) {
            sl_reply_error();
        };
        m_dump();
        break;
    };

    if (uri=~"sip:daemon@") {
        sl_send_reply("410", "daemon is gone");
        break;
    };

    lookup("aliases");

    if (!(uri==myself || uri=~"(@(192.168.xx.xx)([;:].*)*)")) {
        append_hf("P-hint: ALIASED-OUTBOUND\r\n");
        route(1); #to nat
        break;
    };

    if (uri=~"^[a-zA-Z]+:+[0-9]+@") {
        strip(1);
        prefix("00");
    };

    if (!does_uri_exist()) {
        if(uri=~"^[a-zA-Z]+:[0-9]+@") {
            route(4); #to pstn
        } else {
            sl_send_reply("604", "does not exist anywhere");
        };
        break;
    };

    if (is_user_in("Request-URI", "voicemail")) {
        setflag(4);
    };

    exec_msg("echo befor lookup $SIP_SRCIP - $SIP_ORURI - $SIP_RURI >> /tmp/ser.log");

    if (!lookup("location")) {
        log(1, "lookup failed\n");
        route(6);
        break;
    } else {
        log(1, "lookup successful\n");
    };
    exec_msg("echo after lookup $SIP_SRCIP - $SIP_ORURI - $SIP_RURI >> /tmp/ser.log");

    if (uri=~"(@(192.168.xx.xx)([;:].*)*)") {
        log(1, "LOG: Gateway address in UsrLoc!\n");
        route(4); # to PSTN
        break;
    };

    if (method=="INVITE" && isflagset(4)) {
        t_on_failure("1");
    };

    setflag(3);

    append_hf("P-hint: USRLOC\r\n");
    log(1, "nearly at end and going to nat..\n");
    exec_msg("echo $SIP_SRCIP - $SIP_ORURI - $SIP_RURI >> /tmp/ser.log");
    route(1); # to nat
}
route[1] {

    #if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && ! search("^Route:"))
    #{
    #    sl_send_reply("479", "forward request to private ip address denied");
    #    break;
    #};

    if (isflagset(6)) {
        if(!is_present_hf("P-RTP-Proxy")) {
            force_rtp_proxy();
            append_hf("P-RTP-Proxy: Yes\r\n");
            log(1, "rtp proxied\n");
        };
        log(1,"natted calee\n");
        append_hf("P=NATed-Calee: Yes\r\n");
    };
    exec_msg("echo :: $SIP_SRCIP - $SIP_ORURI - $SIP_RURI >> /tmp/ser.log");

    log(1, "1\n");
    t_on_reply("1");
    log(1, "2\n");
    if (!t_relay()) {
        sl_reply_error();
        break;
    };
    log(1, "3\n");
}

route[4] { [...] }

onreply_route[1] {
    log(1, "taking onreply route\n");
    if(isflagset(6) && status=~"(183)|2[0-9][0-9]" && !search("^Content-Length:\ +0")) {
        log(1,"onreply fixing nat\n");
        fix_nated_contact();
        force_rtp_proxy();
    } else if (nat_uac_test("1")) {
        log (1, "onreply fixing nat alternate\n");
        fix_nated_contact();
    };
}

route[4] { [...] }

route[6] { [...] }
REGISTER

T official.ip.address:2062 -> ser.ip.address:5060 [A]
REGISTER sip:domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.1:2062;branch=z9hG4bK-wekq229vr3vn;rport..From: "Test" sip:test@domain.com;tag=3q2blh64wf..To: "Test" sip:test@domain.com..Call-ID: 3c26818830d4-ugwagbaz5vkz@snom360..CSeq: 22 REGISTER..Max-Forwards: 70..Contact: <sip:test@192.168.10.1:2062;transport=tcp;line=lhzwxw3z>;q=1.0; +sip.instance="urn:uuid:0c541696-09aa-4d0c-b8ca-fb9889cc61ad";audio;mobility="fixed";duplex="full";description="snom360";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"..User-Agent: snom360/3.60k..Supported: gruu..Allow-Events: dialog..X-Real-IP: 192.168.0.191..WWW-Contact: http://192.168.10.1:80..WWW-Contact: https://192.168.10.1:443..Expires: 3600..Content-Length: 0

T ser.ip.address:5060 -> official.ip.address:2062 [AP]
SIP/2.0 401 Unauthorized..Via: SIP/2.0/TCP 192.168.10.1:2062;branch=z9hG4bK-wekq229vr3vn;rport=2062;received=official.ip.address..From: "Test" sip:test@domain.com;tag=3q2blh64wf..To: "Test" <sip:test@domain.com>;tag=5431d75005d8ed216f7c100a44746400.19d5..Call-ID: 3c26818830d4-ugwagbaz5vkz@snom360..CSeq: 22 REGISTER..P-NATed-Caller: Yes..WWW-Authenticate: Digest realm="domain.com", nonce="42baac51779c17ebeec20a5ee2f9492821bd723e"..Server: Sip EXpress router (0.9.3 (i386/linux))..Content-Length: 0..Warning: ser.ip.address:5060 "Noisy feedback tells: pid=27776 req_src_ip=official.ip.address req_src_port=2062 in_uri=sip:domain.com out_uri=sip:domain.com via_cnt==1"

T official.ip.address:2062 -> ser.ip.address:5060 [A]
REGISTER sip:domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.1:2062;branch=z9hG4bK-6s4mq8dda681;rport..From: "Test" sip:test@domain.com;tag=3q2blh64wf..To: "Test" sip:test@domain.com..Call-ID: 3c26818830d4-ugwagbaz5vkz@snom360..CSeq: 23 REGISTER..Max-Forwards: 70..Contact: <sip:test@domain.com:2062;transport=tcp;line=lhzwxw3z>;q=1.0; +sip.instance="<urn:uuid:0c541696-09aa-4d0c-b8ca-fb9889cc61ad>";audio;mobility="fixed";duplex="full";description="snom360";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"..User-Agent: snom360/3.60k..Supported: gruu..Allow-Events: dialog..X-Real-IP: 192.168.10.1..WWW-Contact: <http://192.168.10.1:80>..WWW-Contact: https://192.168.10.1:443..Authorization: Digest username="test",realm="domain.com",nonce="42baac51779c17ebeec20a5ee2f9492821bd723e",uri="sip:domain.com",response="d2415424805014aac504b643ea489795",algorithm=md5..Expires: 3600..Content-Length: 0....

T ser.ip.address:5060 -> official.ip.address:2062 [AP]
SIP/2.0 200 OK..Via: SIP/2.0/TCP 192.168.10.1:2062;branch=z9hG4bK-6s4mq8dda681;rport=2062;received=official.ip.address..From: "Test" sip:test@domain.com;tag=3q2blh64wf..To: "Test" sip:test@domain.com;tag=5431d75005d8ed216f7c100a44746400.d02e..Call-ID: 3c26818830d4-ugwagbaz5vkz@snom360..CSeq: 23 REGISTER..P-NATed-Caller: Yes..Contact: sip:test@192.168.10.1:2056;transport=tcp;line=lhzwxw3z;q=1;expires=2204;received="sip:official.ip.address:2056;transport=TCP", sip:test@192.168.10.1:2055;transport=tcp;line=lhzwxw3z;q=1;expires=1551;received="sip:official.ip.address:2055;transport=TCP", sip:test@192.168.10.1:2062;transport=tcp;line=lhzwxw3z;q=1;expires=3600;received="sip:official.ip.address:2062;transport=TCP"..Server: Sip EXpress router (0.9.3 (i386/linux))..Content-Length: 0..Warning: 392 ser.ip.address:5060 "Noisy feedback tells: pid=27776 req_src_ip=official.ip.address req_src_port=2062 in_uri=sip:domain.com out_uri=sip:domain.com via_cnt==1"

INVITE

T official.ip.address:33255 -> ser.ip.address:5060 [AP]
INVITE sip:test@domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;branch=z9hG4bK3AA2CBD1;alias..CSeq: 2681 INVITE..To: <sip:test@domain.com>..Content-Type: application/sdp..From: "test2" <sip:test2@domain.com>;tag=67807379..Call-ID: 1766830276@192.168.10.2..Subject: sip:test@domain.com..Content-Length: 230..User-Agent: kphone/4.1.1..Contact: "test" sip:test@192.168.10.2;transport=tcp....v=0..o=username 0 0 IN IP4 192.168.10.2..s=The Funky Flow..c=IN IP4 192.168.10.2..t=0 0..m=audio 32874 RTP/AVP 0 97 8 3..a=rtpmap:0 PCMU/8000..a=rtpmap:3 GSM/8000..a=rtpmap:8 PCMA/8000..a=rtpmap:97 iLBC/8000..a=fmtp:97 mode=30..
##
T ser.ip.address:5060 -> official.ip.address:33255 [AP]
SIP/2.0 407 Proxy Authentication Required..Via: SIP/2.0/TCP 192.168.10.2;branch=z9hG4bK3AA2CBD1;alias;rport=33255;received=official.ip.address..CSeq: 2681 INVITE..To: sip:test@domain.com;tag=5431d75005d8ed216f7c100a44746400.5110..From: "test" sip:test2@domain.com;tag=67807379..Call-ID: 1766830276@192.168.10.2..P-NATed-Caller: Yes..Proxy-Authenticate: Digest realm="domain.com", nonce="42baaf784cd57486fa11fe10929ade10b8fc43ec"..Server: Sip EXpress router (0.9.3 (i386/linux))..Content-Length: 0..Warning: 392 ser.ip.address:5060 "Noisy feedback tells: pid=27776 req_src_ip=official.ip.address req_src_port=33255 in_uri=sip:test@domain.com out_uri=sip:test@domain.com via_cnt==1"....
##
T official.ip.address:33255 -> ser.ip.address:5060 [AP]
ACK sip:test@domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;branch=z9hG4bK3AA2CBD1;alias..CSeq: 2681 ACK..To: <sip:test@domain.com>;tag=5431d75005d8ed216f7c100a44746400.5110..From: "test2" <sip:test2@domain.com>;tag=67807379..Call-ID: 1766830276@192.168.10.2..Content-Length: 0..User-Agent: kphone/4.1.1..Contact: "test" <sip:test@192.168.10.2;transport=tcp>....
##
T official.ip.address:33255 -> ser.ip.address:5060 [AP]
INVITE sip:test@domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;branch=z9hG4bK36EBCF00;alias..CSeq: 2682 INVITE..To: <sip:test@domain.com>..Proxy-Authorization: Digest username="test2@domain.com", realm="domain.com", nonce="42baaf784cd57486fa11fe10929ade10b8fc43ec", uri="sip:test@domain.com", cnonce="abcdefghi", nc=00000001, response="2c088d59cb24c70c61d890245fe0f5ca", opaque="", algorithm="MD5"..Content-Type: application/sdp..From: "test2" sip:test2@domain.com;tag=67807379..Call-ID: 1766830276@192.168.10.2..Subject: sip:test2@domain.com..Content-Length: 230..User-Agent: kphone/4.1.1..Contact: "test" <sip:test@192.168.10.2;transport=tcp>....v=0..o=username 0 0 IN IP4 192.168.0.103..s=The Funky Flow..c=IN IP4 192.168.10.2..t=0 0..m=audio 32874 RTP/AVP 0 97 8 3..a=rtpmap:0 PCMU/8000..a=rtpmap:3 GSM/8000..a=rtpmap:8 PCMA/8000..a=rtpmap:97 iLBC/8000..a=fmtp:97 mode=30..
##
T ser.ip.address:5060 -> official.ip.address:33255 [AP]
SIP/2.0 100 trying -- your call is important to us..Via: SIP/2.0/TCP 192.168.10.2;branch=z9hG4bK36EBCF00;alias;rport=33255;received=official.ip.address..CSeq: 2682 INVITE..To: sip:test@domain.com..From: "test" <sip:test@domain.com>;tag=67807379..Call-ID: 1766830276@192.168.10.2..P-NATed-Caller: Yes..Server: Sip EXpress router (0.9.3 (i386/linux))..Content-Length: 0..Warning: 392 ser.ip.address:5060 "Noisy feedback tells: pid=27776 req_src_ip=official.ip.address req_src_port=33255 in_uri=sip:test@domain.com out_uri=sip:test@192.168.10.1:2056;transport=tcp;line=lhzwxw3z via_cnt==1"....
##
T ser.ip.address:5060 -> official.ip.address:33255 [AP]
SIP/2.0 477 Unfortunately error on sending to next hop occurred (477/TM)..Via: SIP/2.0/TCP 192.168.10.2;branch=z9hG4bK36EBCF00;alias;rport=33255;received=official.ip.address..CSeq: 2682 INVITE..To: sip:test@domain.com;tag=a0de3507a8823f96a254cc0a187acbf0-2573..From: "test2" <sip:test2@domain.com>;tag=67807379..Call-ID: 1766830276@192.168.10.2..P-NATed-Caller: Yes..Server: Sip EXpress router (0.9.3 (i386/linux))..Content-Length: 0..Warning: 392 ser.ip.address:5060 "Noisy feedback tells: pid=27776 req_src_ip=official.ip.address req_src_port=33255 in_uri=sip:test@domain.com out_uri=sip:test@192.168.10.1:2056;transport=tcp;line=lhzwxw3z via_cnt==1"....
##
T official.ip.address:33255 -> ser.ip.address:5060 [AP]
ACK sip:test@domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;branch=z9hG4bK36EBCF00;alias..CSeq: 2682 ACK..To: <sip:test@domain.com>;tag=a0de3507a8823f96a254cc0a187acbf0-2573..From: "test2" <sip:test2@domain.com>;tag=67807379..Call-ID: 1766830276@192.168.10.2..Content-Length: 0..User-Agent: kphone/4.1.1..Contact: "test" <sip:test@192.168.10.2;transport=tcp>....
#
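
Added example, not part of the original post or of SER: the commented-out 479 check from route[1], run against Request-URIs next to a check that parses the URI host and tests it against the RFC 1918 ranges. It assumes Python's re module treats this pattern the same way SER's regex engine does, ignores the `! search("^Route:")` half of the condition, and uses hypothetical helper names and partly constructed sample URIs.

```python
import ipaddress
import re

# Pattern copied verbatim from the commented-out check in route[1].
# The dots are unescaped, so each one matches any character.
SER_PATTERN = re.compile(r"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def regex_flags(uri):
    """True if the config's regex would answer 479 for this Request-URI."""
    return SER_PATTERN.search(uri) is not None


def host_of(uri):
    """Return the host part of a sip:/sips: URI (no user, port, params)."""
    rest = uri.split(":", 1)[1]          # drop the scheme
    rest = rest.split("?", 1)[0]         # drop headers
    if "@" in rest:
        rest = rest.split("@", 1)[1]     # drop userinfo
    rest = rest.split(";", 1)[0]         # drop URI parameters
    if rest.startswith("["):             # bracketed IPv6 literal
        return rest[1:rest.index("]")]
    return rest.split(":", 1)[0]         # drop port


def host_is_rfc1918(uri):
    """True only if the URI host is a literal RFC 1918 address."""
    try:
        addr = ipaddress.ip_address(host_of(uri))
    except ValueError:
        return False                     # a hostname, not an IP literal
    return any(addr in net for net in RFC1918)


SAMPLES = [
    "sip:test@192.168.10.1:2050;transport=tcp;line=1hzwxw3z",  # from the post
    "sip:test@domain.com",                                     # from the post
    "sip:1001@example.org",        # constructed: numeric user starting with 10
    "sip:test@example.org:1050",   # constructed: port starting with 10
    "sip:test@100.20.30.40",       # constructed: public address 100.x
    "sip:test@172.160.1.1",        # constructed: outside 172.16.0.0/12
]


def compare(uris=SAMPLES):
    """Return (uri, regex verdict, parsed-host verdict) for each URI."""
    return [(u, regex_flags(u), host_is_rfc1918(u)) for u in uris]


if __name__ == "__main__":
    for uri, by_regex, by_host in compare():
        print(f"{uri:58} regex={by_regex!s:5} rfc1918={by_host}")
```

The four constructed URIs are all flagged by the regex although none of them has an RFC 1918 host; only the looked-up contact from the post is private under both checks.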