Hi Allen!
Again on-list, please do not use private emails unless you have to provide sensitive data.
On 28.06.2013 01:17, Allen Zhang wrote:
Hi Klaus,
I dived into it and found the problem:
When UA2 sends a REGISTER to the load balancer, fix_nated_register() is called and the source IP of the UA is stored in the connection hash by tcpconn_new(), instead of the port from the contact header field. But when the proxy tries to send the INVITE to UA2 via the load balancer, the load balancer calls tcpconn_find() with the port from the contact header field. Hence it can't match the connection stored in the hash.
I do not understand that.
fix_nated_register stores both info: the original contact + src-ip:port:transport.
After lookup(), the Request-URI is filled with the original contact, but $du (destination URI, internally used by Kamailio for routing) is populated with src-ip:port:transport. Thus, Kamailio should use the $du to find the TCP connection.
Anyway, TLS debugging is always difficult. I suggest trying to get it running with TCP. If TCP works, TLS will work too.
regards Klaus
I need to use fix_nated_register() because the UA will be behind NAT in the future. How do I let the LB use the aliased port instead of the port from the contact header field?
Regards,
Allen
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: Thursday, 27 June 2013 10:54 p.m.
To: Kamailio (SER) - Users Mailing List
Cc: Allen Zhang; Shane Harrison
Subject: Re: [SR-Users] kamailio loadbalancer with TLS problem forwarding INVITE back to UA
make sure to also use handle_ruri_alias() http://kamailio.org/docs/modules/4.0.x/modules/nathelper.html#idp16851488 for requests from the proxy->lb->client
see the default kamailio config for proper usage of handle_ruri_alias() and add_contact_alias()
regards klaus
On 27.06.2013 02:34, Allen Zhang wrote:
Hi,
Our set up:
UA1 -----                                    ------ Proxy1
         \                                  /
          Loadbalancer (dispatcher module)
         /                                  \
UA2 -----                                    ------ Proxy2
Both proxies have registrar module loaded and share the same database.
REGISTERs work fine.
The problem is this:
            TLS                        TCP
UA1 ----------------------> LB --------------------> Proxy
       INVITE(to UA2)             INVITE(to UA2)

         TLS                TCP
UA1 <------------- LB <------------- Proxy
               100 Trying

              TLS                         TCP
UA1 <------------- LB <----------------------- Proxy
               INVITE(to UA2)

              TLS                         TCP
UA1 <----------------------- LB <----------------------- Proxy
               100 Trying
All above worked fine. Below is what's expected but never happened:
              TLS                         TCP
UA2 <----------------------- LB <----------------------- Proxy
               INVITE(to UA2)
We'd like the LB to reuse the TLS connection initiated by UA2. But LB can't find an open connection and tries to start a new TLS connection. The new connection fails.
UAs are not behind NAT at the moment but will be in the future.
Tried this approach on LB:

    route(ADD_CONTACT_ALIAS);
    If (not from proxy)
        t_relay();
    else
        do load balancing
No luck.
Any help is appreciated.
Regards,
Allen
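A simplified model of the lookup behaviour discussed in this thread, added here as an illustration (it is not part of the original messages and is not Kamailio's code): a connection table keyed by the peer's real source endpoint, and a location record that holds the Contact address plus, optionally, the observed source. All names and addresses are hypothetical and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, str, int]  # (transport, ip, port)

@dataclass
class Binding:
    contact: Endpoint             # address the UA wrote in its Contact header
    received: Optional[Endpoint]  # observed source of the REGISTER, if saved

class ConnTable:
    """Open inbound connections, keyed by the peer's real source endpoint."""
    def __init__(self):
        self._conns = {}
    def accept(self, peer: Endpoint) -> int:
        self._conns[peer] = len(self._conns) + 1
        return self._conns[peer]
    def find(self, peer: Endpoint) -> Optional[int]:
        return self._conns.get(peer)

def register(usrloc, aor, contact, source, save_received):
    # save_received=True models storing src-ip:port:transport with the contact
    usrloc[aor] = Binding(contact, source if save_received else None)

def lookup(usrloc, aor):
    """Return (request_uri, du); du is set only if a received address was saved."""
    b = usrloc[aor]
    return b.contact, b.received

def route_invite(conns, usrloc, aor):
    ruri, du = lookup(usrloc, aor)
    target = du if du is not None else ruri  # destination URI wins over R-URI
    conn = conns.find(target)
    return ("reuse", conn) if conn is not None else ("new-connection", target)

# Constructed sample: UA2 advertises port 5061 in Contact, but its TLS
# connection actually originates from ephemeral port 49152.
UA2_CONTACT = ("tls", "192.0.2.20", 5061)
UA2_SOURCE = ("tls", "192.0.2.20", 49152)

def demo(save_received):
    conns, usrloc = ConnTable(), {}
    conns.accept(UA2_SOURCE)  # connection opened by UA2 when it registered
    register(usrloc, "sip:ua2@example.test", UA2_CONTACT, UA2_SOURCE, save_received)
    return route_invite(conns, usrloc, "sip:ua2@example.test")

if __name__ == "__main__":
    print(demo(True))   # destination taken from the saved source endpoint
    print(demo(False))  # destination taken from the Contact address
```

When a trace shows a new outbound connection being attempted, comparing the destination actually used against the source endpoint of the registered connection shows which of the two cases applies.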