[Serusers] RE: STUN and SER problem - sr-users

2 Mar 2004

I did not have a problem with STUN and SER when I was
using the latest dev code checked out of CVS. I have
recently downgraded to the stable SER 0.8.12-tcp_nonb
checked out of CVS and started seeing issues for
X-lite clients behind NAT (non-symmetric) in SIP
registration where SER is saving the private IP of the
client rather than the "req_src_ip". X-lite log and
SER config provided below. Is this a known limitation
in 0.8.12 or is it a configuration issue?
Please provide guidance.

******ser.cfg***************
# $Id: ser.cfg,v 1.21.4.1 2003/11/10 15:35:15 andrei
Exp $
#
# simple quick-start config script
#

# ----------- global configuration parameters
------------------------

#debug=3         # debug level (cmd line: -dddddddddd)
#fork=yes
#log_stderror=no        # (cmd line: -E)

/* Uncomment these lines to enter debugging mode
debug=7
fork=no
log_stderror=yes
*/

check_via=no    # (cmd. line: -v)
dns=no           # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
#port=5060
#children=4
fifo="/tmp/ser_fifo"
fifo_mode=0666
# ------------------ module loading
----------------------------------

# Uncomment this if you want to use SQL database
loadmodule "/usr/local/lib/ser/modules/mysql.so"

loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
loadmodule "/usr/local/lib/ser/modules/auth.so"
loadmodule "/usr/local/lib/ser/modules/auth_db.so"

# ----------------- setting module-specific parameters
---------------

# -- usrloc params --

#modparam("usrloc", "db_mode",   0)

# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 2)

# -- auth params --
# Uncomment if you are using auth module
#
modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which
true in this config),
# uncomment also the following parameter)
#
modparam("auth_db", "password_column", "password")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# -------------------------  request routing logic
-------------------

# main routing logic
alias=sip01.mydomain.net

route{
        # initial sanity checks -- messages with
        # max_forwards==0, or excessively long
requests
        if (!mf_process_maxfwd_header("10")) {
                sl_send_reply("483","Too Many Hops");
                break;
        };
        if ( msg:len > max_len ) {
                sl_send_reply("513", "Message too
big");
                break;
        };

        # we record-route all messages -- to make sure
that
        # subsequent messages will go through our
proxy; that's
        # particularly good if upstream and downstream
entities
        # use different transport protocol
        record_route();
        # loose-route processing
        if (loose_route()) {
                t_relay();
                break;
        };

        # if the request is for other domain use
UsrLoc
        # (in case, it does not work, use the
following command
        # with proper names and addresses in it)
        if (uri==myself) {
                if (method=="REGISTER") {

# Uncomment this if you want to use digest
authentication
                        if
(!www_authorize("mydomain.net", "subscriber")) {

www_challenge("mydomain.net", "0");
                                break;
                        };
                        save("location");
                        break;
                };
                lookup("aliases");

                # native SIP destinations are handled
using our USRLOC DB
                if (!lookup("location")) {
                        sl_send_reply("404", "Not
Found");
                        break;
                };
        };
        # forward to current uri now; use stateful
forwarding; that
        # works reliably even if we forward from TCP
to UDP
        if (!t_relay()) {
                sl_reply_error();
        };

}
****************************

******X-lite log***************
(c)2003 Xten Networks Inc. All rights reserved.
Private build: 1101
License key: 3AF6626C2FDE4D299EF7D63AC35AAD70

Established SIP protocol listen on: 192.168.0.5:5060

Discovered Port Restricted Cone NAT Firewall

SIP: 192.168.0.5:5060
RTP: 192.168.0.5:8000
NAT: 2xx.9x.1x.2x

PROXY#0: 6x.1xx.2x.2xx:5060

OUTBOUND-PROXY#0: 6x.1xx.2x.2xx:5060

SEND >> 6x.1xx.2x.2xx:5060
REGISTER sip:sip01.mydomain.net SIP/2.0
Via: SIP/2.0/UDP
192.168.0.5:5060;rport;branch=z9hG4bK2471A18BED4E42C9BB13A280DD7DF278
From: User 1 <sip:8444@sip01.mydomain.net>
To: User 1 <sip:8444@sip01.mydomain.net>
Contact: "User 1" <sip:8444@192.168.0.5:5060>
Call-ID:
3876234D9BC344B28AF7F67942511C61(a)sip01.mydomain.net
CSeq: 36317 REGISTER
Expires: 1800
Max-Forwards: 70
User-Agent: X-Lite build 1101
Content-Length: 0

RECEIVE << 6x.1xx.2x.2xx:5060
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP
2xx.9x.1x.2x:42418;rport=5060;branch=z9hG4bK2471A18BED4E42C9BB13A280DD7DF278
From: User 1 <sip:8444@sip01.mydomain.net>
To: User 1
<sip:8444@sip01.mydomain.net>;tag=b27e1a1d33761e85846fc98f5f3a7e58.ceb7
Call-ID:
3876234D9BC344B28AF7F67942511C61(a)sip01.mydomain.net
CSeq: 36317 REGISTER
WWW-Authenticate: Digest realm="mydomain.net",
nonce="40444a547dbb3567146e616e74096f4d56465461"
Server: Sip EXpress router (0.8.12-tcp_nonb
(i386/linux))
Content-Length: 0
Warning: 392 6x.1xx.2x.2xx:5060 "Noisy feedback tells:
 pid=30339 req_src_ip=2xx.9x.1x.2x req_src_port=5060
in_uri=

sip:sip01.mydomain.net out_uri=sip:sip01.mydomain.net
via_cnt==1"

SEND >> 6x.1xx.2x.2xx:5060
REGISTER sip:sip01.mydomain.net SIP/2.0
Via: SIP/2.0/UDP
192.168.0.5:5060;rport;branch=z9hG4bKB3D25AC35E8449E1A33A5210805F0BF2
From: User 1 <sip:8444@sip01.mydomain.net>
To: User 1 <sip:8444@sip01.mydomain.net>
Contact: "User 1" <sip:8444@192.168.0.5:5060>
Call-ID:
3876234D9BC344B28AF7F67942511C61(a)sip01.mydomain.net
CSeq: 36318 REGISTER
Expires: 1800
Authorization: Digest
username="8444",realm="mydomain.net",nonce="40444a547dbb3567146e616e74096f4d56465461",response

="d5314f1a24e2759a5e2efbb5a283c03a",uri="sip:sip01.mydomain.net"
Max-Forwards: 70
User-Agent: X-Lite build 1101
Content-Length: 0

RECEIVE << 6x.1xx.2x.2xx:5060
SIP/2.0 200 OK
Via: SIP/2.0/UDP
2xx.9x.1x.2x:42418;rport=5060;branch=z9hG4bKB3D25AC35E8449E1A33A5210805F0BF2
From: User 1 <sip:8444@sip01.mydomain.net>
To: User 1
<sip:8444@sip01.mydomain.net>;tag=b27e1a1d33761e85846fc98f5f3a7e58.79a6
Call-ID:
3876234D9BC344B28AF7F67942511C61(a)sip01.mydomain.net
CSeq: 36318 REGISTER
Contact:
<sip:8444@192.168.0.5:5060>;q=0.00;expires=1800
Server: Sip EXpress router (0.8.12-tcp_nonb
(i386/linux))
Content-Length: 0
Warning: 392 6x.1xx.2x.2xx:5060 "Noisy feedback tells:
 pid=30321 req_src_ip=2xx.9x.1x.2x req_src_port=5060
in_uri=

sip:sip01.mydomain.net out_uri=sip:sip01.mydomain.net
via_cnt==1"
*************************

__________________________________
Do you Yahoo!?
Yahoo! Search - Find what you�re looking for faster
http://search.yahoo.com