2 Dec
2010
2 Dec
'10
2:42 p.m.
Hello.
I have Kamailio ( K in further ) and 2x Asterisk boxes ( A1 and A2 in
further ) configured, so UAC registers at K and when it sends a call,
it's routed to A1 or A2, balanced.
The problem is, that I cannot find how to authorize INVITE requests, so
unregistered UAC could not send INVITE requests. Simply cannot find
anything.
I'm making registration, using www_authorize() and checking all INVITES
with proxy_authorize(). Just after kamailio is started - everything
works fine and as planned: registered UAC can call and not registered -
cannot. But after aproximately 40 seconds everything is stopped. Not
calls passed and everybody receives 407 Proxy Authorization is required.
So, the question: how it is correctly to verify that incoming INVITE on
K is authorized? It seems to me that I'm doing that in wrong way.
Thank you.
3 Dec
3 Dec
12:20 p.m.
Hello,
On 12/2/10 1:42 PM, Spinov Evgeniy wrote:
Hello.
I have Kamailio ( K in further ) and 2x Asterisk boxes ( A1 and A2 in
further ) configured, so UAC registers at K and when it sends a call,
it's routed to A1 or A2, balanced.
The problem is, that I cannot find how to authorize INVITE requests, so
unregistered UAC could not send INVITE requests. Simply cannot find
anything.
I'm making registration, using www_authorize() and checking all INVITES
with proxy_authorize(). Just after kamailio is started - everything
works fine and as planned: registered UAC can call and not registered -
cannot. But after aproximately 40 seconds everything is stopped. Not
calls passed and everybody receives 407 Proxy Authorization is required.
So, the question: how it is correctly to verify that incoming INVITE on
K is authorized? It seems to me that I'm doing that in wrong way.
you have to
do proxy_authorize() for each invite you want to authorize
(if you look at default config file for v3.1.x and search for WITH_AUTH,
you will see the config actions for authentication). The asterisks must
accept SIP traffic based on source ip filtering, allowing only calls
coming from kamailio.
If you mean that the calls are interrupted after 40 seconds, then it is
very likely ACK is not routed properly. If you mean something else,
capture the SIP traffic via ngrep/wireshark, run kamailio in higher
debug lever (debug=3 in config) and send the SIP trace and the syslog
messages. Also, try to describe in more details what actually seems to
go wrong. All these will help people here on mailing list to give you
proper hints how to solve.
Cheers,
Daniel
--
Daniel-Constantin Mierla
Kamailio (OpenSER) Advanced Training
Jan 24-26, 2011, Irvine, CA, USA
http://www.asipto.com
1:08 p.m.
Thank you for your reply.
I will insert part of configuration file, to show where is problem occurs.
Block is pretty simple:
if (method=="INVITE") {
if (!proxy_authorize("", "sipusers")) {
xlog("L_NOTICE", "[$Tf] Detected INVITE before
authorization $fU -> $tU\n");
proxy_challenge("", "0");
break;
} else if (!check_from()) {
sl_send_reply("403", "Use From=ID");
break;
}
consume_credentials();
}
ds_select_dst("1", "4");
xlog("L_NOTICE", "Balancing call to asterisk => $du, from $fU
\n");
route(RELAY);
exit;
This is Kamailio 3.0.3. I've tried on recently released 3.1.1 - problem is
the same.
Also, I've started running debug, to find out how exactly auth requests are
processed. And I've figured out that failing requests differs on following:
After all authorization staff ends:
6(1678) DEBUG: auth [api.c:246]: authorization is OK
6(1678) DEBUG: auth [api.c:194]: nonce index= 9
6(1678) DEBUG: auth [index.c:187]: nonce already used
6(1678) DEBUG: auth [api.c:198]: nonce index not valid
After that, core is freeing resources and I receive "Detected INVITE before
authorization" message, which means that proxy_authorize returned false. So
this is not ACK routing problem. Why this error occur and how I can deal
with it?
Also I've made investigation with packet dumps and they are correct. If you
like, I can put them here, but it senseless, cause UA is replying in same
way every time:
1. -> INVITE
2. <- 407 from K
3. -> ACK
4. -> DIGEST
Hope this will help.
On Fri, 03 Dec 2010 11:20:38 +0100, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Hello,
On 12/2/10 1:42 PM, Spinov Evgeniy wrote:
Hello.
I have Kamailio ( K in further ) and 2x Asterisk boxes ( A1 and A2 in
further ) configured, so UAC registers at K and when it sends a call,
it's routed to A1 or A2, balanced.
The problem is, that I cannot find how to authorize INVITE requests, so
unregistered UAC could not send INVITE requests. Simply cannot find
anything.
I'm making registration, using www_authorize() and checking all INVITES
with proxy_authorize(). Just after kamailio is started - everything
works fine and as planned: registered UAC can call and not registered -
cannot. But after aproximately 40 seconds everything is stopped. Not
calls passed and everybody receives 407 Proxy Authorization is required.
So, the question: how it is correctly to verify that incoming INVITE on
K is authorized? It seems to me that I'm doing that in wrong way.
you have to
do proxy_authorize() for each invite you want to authorize
(if you look at default config file for v3.1.x and search for WITH_AUTH,
you will see the config actions for authentication). The asterisks must
accept SIP traffic based on source ip filtering, allowing only calls
coming from kamailio.
If you mean that the calls are interrupted after 40 seconds, then it is
very likely ACK is not routed properly. If you mean something else,
capture the SIP traffic via ngrep/wireshark, run kamailio in higher
debug lever (debug=3 in config) and send the SIP trace and the syslog
messages. Also, try to describe in more details what actually seems to
go wrong. All these will help people here on mailing list to give you
proper hints how to solve.
Cheers,
Daniel
--
Daniel-Constantin Mierla
Kamailio (OpenSER) Advanced Training
Jan 24-26, 2011, Irvine, CA, USA
http://www.asipto.com
4:30 p.m.
Problem was solved and the issue was in the script causing double proxy_authorize check.
Due to one nonce index on authorization, kamailio failed authorization with wrong index in
debug.
Still cannot get why it worked for 40 seconds.
On Fri, 03 Dec 2010 11:20:38 +0100, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Hello,
On 12/2/10 1:42 PM, Spinov Evgeniy wrote:
Hello.
I have Kamailio ( K in further ) and 2x Asterisk boxes ( A1 and A2 in
further ) configured, so UAC registers at K and when it sends a call,
it's routed to A1 or A2, balanced.
The problem is, that I cannot find how to authorize INVITE requests, so
unregistered UAC could not send INVITE requests. Simply cannot find
anything.
I'm making registration, using www_authorize() and checking all INVITES
with proxy_authorize(). Just after kamailio is started - everything
works fine and as planned: registered UAC can call and not registered -
cannot. But after aproximately 40 seconds everything is stopped. Not
calls passed and everybody receives 407 Proxy Authorization is required.
So, the question: how it is correctly to verify that incoming INVITE on
K is authorized? It seems to me that I'm doing that in wrong way.
you have to
do proxy_authorize() for each invite you want to authorize
(if you look at default config file for v3.1.x and search for WITH_AUTH,
you will see the config actions for authentication). The asterisks must
accept SIP traffic based on source ip filtering, allowing only calls
coming from kamailio.
If you mean that the calls are interrupted after 40 seconds, then it is
very likely ACK is not routed properly. If you mean something else,
capture the SIP traffic via ngrep/wireshark, run kamailio in higher
debug lever (debug=3 in config) and send the SIP trace and the syslog
messages. Also, try to describe in more details what actually seems to
go wrong. All these will help people here on mailing list to give you
proper hints how to solve.
Cheers,
Daniel
--
Daniel-Constantin Mierla
Kamailio (OpenSER) Advanced Training
Jan 24-26, 2011, Irvine, CA, USA
http://www.asipto.com
5107
days inactive
5108
days old
3 comments
2 participants
participants (2)
-
Daniel-Constantin Mierla -
Spinov Evgeniy