New subject: [Serusers] Re: NAT problem

23 Jun 2005


      Dear list,
I have some wired problem between users behind the same NAT connected to
a multihomed ser server (public&private IP). Ser is listening only on
the public interface (ser.ip.address). The NATed clients have
official.ip.address as their official IP address and 192.168.10.1 and
192.168.10.2 are their IP addresses behind NAT.
Now after a register I get for the NATed clients the following entries
into the location table:
UA1:
contact: sip:test@192.168.10.1:2050;transport=tcp;line=1hzwxw3z 
received: sip:official.ip.address:2050;transport=TCP
flags: 1
UA2:
contact: sip:test2@192.168.10.2:2050;transport=tcp;line=1hzwxw3z 
received: sip:official.ip.address:2050;transport=TCP
flags: 1
which looks quite good (why is the flag 1 and not 6?), but then on
INVITE/SUBSCRIBE/ (everthing which issues a t_relay) my logs get full
of:
ser[27588]: ERROR: tcp_blocking_connect: SO_ERROR (111) Connection
refused
ser[27588]: ERROR: tcpconn_connect: tcp_blocking_connect failed
ser[27588]: ERROR: tcp_send: connect failed
ser[27588]: msg_send: ERROR: tcp_send failed
ser[27588]: ERROR: t_forward_nonack: sending request failed
and the UA which issued the command receives a: 477 Unfortunately error
on sending to next hop occurred message.
I think it has something to do with the lookup of the target UA - at
least I always get the uri back which contains the private IP.
(debugging output:
befor lookup 80.123.216.181 - - sip:test@domain.com
after lookup 80.123.216.181 - -
sip:test@192.168.10.1:2050;transport=tcp;line=lhzwxw3z
)
Also I guess that the commented part which is uncommented in the default
cfg shouldn't prevent all NAT calls, but only calls to real private IPs.
( found in route[1] beginning, the nat route)
    
    #if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && !
search("^Route:"))
    #{
    #	sl_send_reply("479", "forward request to private ip address denied");
    #	break;
    #};
)
But to due the lookup returning me a private IP uri this would result in
a 479 error.
My current test config is basically the one found in cvs/etc/ser.cfg.m4
with inserted values. I already tried other cfgs - even the example in
modules/nathelper -- no success. Yes rtpproxy is running, I can even
call the other UA and audio is working full duplex, but only at the very
beginning. After a few minutes idleing or a server restart, without
clearing the sql location table a call results always in the 477 error.
Please help me - what am I missing here?
Thanks in advance,
 Bernd
-----
Here my cfg and some SIP messages during REGISTER and INVITE
(I have removed IPs and unnecessary parts, Asterisk gw is
192.168.xx.xx):
#
# ----------- global configuration parameters ------------------------
[...]
check_via=no	# (cmd. line: -v)
dns=yes           # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
mhomed=1
[...]
# ------------------ module loading ----------------------------------
[...]
# ----------------- setting module-specific parameters ---------------
[...]
modparam("nathelper", "natping_interval", 15)
modparam("nathelper", "ping_nated_only", 1)
modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")
modparam("registrar", "nat_flag", 6)
modparam("registrar", "use_domain", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "log_level", 1)
#if BYE fails (telephone is dead, record-routing broken, etc.), generate
#a report nevertheless -- otherwise we would have no STOP event; => 1
modparam("acc", "failed_transactions", 1)
modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)
modparam("acc", "log_missed_flag", 3)
modparam("acc", "db_missed_flag", 3)
modparam("usrloc", "db_mode",   0)
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "use_domain", 1)
modparam("usrloc", "timer_interval", 10)
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth", "nonce_expire", 300)
modparam("rr", "enable_full_lr", 1)
modparam("tm", "fr_timer", 20)
modparam("tm", "fr_inv_timer", 90)
modparam("tm", "wt_timer", 20)
#modparam("enum", "domain_suffix", "e164.arpa.")
modparam("msilo", "registrar", "sip:registrar@xxxxxxxx")
alias=domain1.com
alias=domain2.com
/* 
flags:
1 ... ACCOUNT
3 ... MISSED CALLS
4 ... VOICEMAIL
6 ... NAT
*/
# -------------------------  request routing logic -------------------
# main routing logic
route
{
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) 
    {
    	sl_send_reply("483","too many hops (loop?)");
    	break;
    };
    if (msg:len >=  2048 ) 
    {
    	sl_send_reply("513", "message too large");
    	break;
    };
if (nat_uac_test("3"))
    {
    	if (method=="REGISTER" || !search("^Record-Route:"))
    	{
    		if (method=="REGISTER")
    		{
    			fix_nated_register();
    		} else
    		{
    			fix_nated_contact();
    		};
    		if (method=="INVITE")
    		{
    			log(1,"natted caller sent invite!\n");
    			fix_nated_sdp("1");
    		};
    		force_rport();
    		setflag(6);
    		log(1, "natted caller detected\n");
    		append_to_reply("P-NATed-Caller: Yes\r\n");
    	} else 
    	{
    		log(1, "something wrong here..\n");
    	};
    };
#antispam
if ( search("(From|F):.*@(domain1.com)|(domain2.com)|(192.168.xx
.xx)") )
    {
    	if ( (method=="INVITE" || method=="SUBSCRIBE") && !(src_ip == SER_IP
|| src_ip == 192.168.xx.xx) )
    	{
    		if (!(proxy_authorize("","subscriber")))
    		{
    			proxy_challenge("","0");
    			break;
    		};
    		if (!check_from())
    		{
    			log("LOG: From Cheating attempt in INVITE!\n");
    			sl_send_reply("403", "use From=id");
    			break;
    		};
    		#consume_credentials();
    	}; #non-REGISTER from other domain
    } else if ((method=="INVITE" || method=="SUBSCRIBE" ||
method=="REGISTER") && !(uri==myself || uri=~"(@(192.168.xx
.xx)([;:].*)*)") )
    {
    	sl_send_reply("403", "no relaying");
    	break;
    };
if (!(method=="REGISTER"))
    {
    	record_route();
    };
#if (method=="BYE" || method=="CANCEL") 
    #{
    #	unforce_rtp_proxy();
    #};
# subsequent messages withing a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
    	if ((method=="INVITE" || method=="ACK" || method=="CANCEL") &&
uri=~"(@(192.168.xx.xx)([;:].*)*)")
    	{
    		route(4); # to asterisk
    	} 
    	else 
    	{
    		append_hf("P-hint: rr-enforced\r\n"); 
    		if (method=="BYE")
    		{
    			setflag(1);
    		};
    		log(1, "and directly to nat..\n");
    		route(1); # to nat
    	};
    	break;
    };
if (!(uri==myself || uri=~"(@(192.168.xx.xx)([;:].*)*)")) 
    {
    	# mark routing logic in request
    	append_hf("P-hint: outbound\r\n"); 
    	log(1, "outbound\n");
    	route(1); # to nat
    	break;
    };
# ---->request is for our domains!<---- #
if (method=="REGISTER")
    {
    	if (!www_authorize("","subscriber"))
    	{
    		www_challenge("","0");
    		break;
    	};
    	if (!check_to())
    	{
    		log("LOG: To Cheating attempt\n");
    		sl_send_reply("403", "use From=id");
    		break;
    	};
    	log(1, "(un)register successful\n");	
    	if (!save("location"))
    	{
    		sl_reply_error();
    	};
    	m_dump();
    	break;
    };
if (uri=~"sip:daemon@")
    {
    	sl_send_reply("410", "daemon is gone");
    	break;
    };
lookup("aliases");
if (!(uri==myself || uri=~"(@(192.168.xx.xx)([;:].*)*)"))
    {
    	append_hf("P-hint: ALIASED-OUTBOUND\r\n");
    	route(1); #to nat
    	break;
    };
if (uri=~"^[a-zA-Z]+:+[0-9]+@")
    {
    	strip(1);
    	prefix("00");
    };
if (!does_uri_exist())
    {
    	if(uri=~"^[a-zA-Z]+:[0-9]+@") 
    	{
    		route(4); #to pstn
    	}
    	else
    	{
    		sl_send_reply("604", "does not exist anywhere");
    	};
    	break;
    };
if (is_user_in("Request-URI", "voicemail"))
    {
    	setflag(4);
    };
exec_msg("echo befor lookup $SIP_SRCIP - $SIP_ORURI  -  $SIP_RURI
...
...
/tmp/ser.log");
if (!lookup("location"))
    {
    	log(1, "lookup failed\n");
    	route(6);
    	break;
    } else 
    {
    	log(1, "lookup successful\n");
    };
    exec_msg("echo after lookup $SIP_SRCIP - $SIP_ORURI  -  $SIP_RURI
...
...
/tmp/ser.log");
if (uri=~"(@(192.168.xx.xx)([;:].*)*)")
    {
    	log(1, "LOG: Gateway address in UsrLoc!\n");
    	route(4); # to PSTN
    	break;
    };
if (method=="INVITE" && isflagset(4))
    {
    	t_on_failure("1");
    };
setflag(3);
    
    append_hf("P-hint: USRLOC\r\n");
    log(1, "nearly at end and going to nat..\n");
    exec_msg("echo $SIP_SRCIP - $SIP_ORURI  -  $SIP_RURI >> /tmp/ser.log");
    route(1); # to nat
}
route[1] 
{
    
    #if (uri=~"[@:](192.168.|10.|172.(1[6-9]|2[0-9]|3[0-1]).)" && !
search("^Route:"))
    #{
    #	sl_send_reply("479", "forward request to private ip address denied");
    #	break;
    #};
if (isflagset(6))
    {
    	if(!is_present_hf("P-RTP-Proxy"))
    	{
    		force_rtp_proxy();
    		append_hf("P-RTP-Proxy: Yes\r\n");
    		log(1, "rtp proxied\n");
    	};
    	log(1,"natted calee\n");
    	append_hf("P=NATed-Calee: Yes\r\n");
    };
    exec_msg("echo :: $SIP_SRCIP - $SIP_ORURI  -  $SIP_RURI
...
...
/tmp/ser.log");
log(1, "1\n");
    t_on_reply("1");
    log(1, "2\n");
    if (!t_relay()) {
    	sl_reply_error();
    	break;
    };
    log(1, "3\n");
}
route[4]
{
[...]	
}
onreply_route[1]
{
    log(1, "taking onreply route\n");
    if(isflagset(6) && status=~"(183)|2[0-9][0-9]" && 
    	!search("^Content-Length:\ +0")) 
    	{
    		log(1,"onreply fixing nat\n");
    		fix_nated_contact();
    		force_rtp_proxy();
    } else if (nat_uac_test("1")) 
    {
    	log (1, "onreply fixing nat alternate\n");
    	fix_nated_contact();
    };
}
route[4]
{
[...]
}
route[6]
{
[...]
}
-----------
REGISTER
-----------
T official.ip.address:2062 -> ser.ip.address:5060 [A]
  REGISTER sip:domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.1:2062;br
  anch=z9hG4bK-wekq229vr3vn;rport..From: "Test"
sip:test@domain.com;tag=3q2blh64wf..To: "Test"
sip:test@domain.com..Call-ID: 3c26818830d4-ugwagbaz5vkz@snom360..CSeq:
22 REGISTER..Max-
  Forwards: 70..Contact: <sip:test@192.168.10.1:2062;transport=tcp;line=
  lhzwxw3z>;q=1.0;
+sip.instance="urn:uuid:0c541696-09aa-4d0c-b8ca-fb9889cc61ad"
;audio;mobility="fixed";duplex="full";description="snom360";actor="principal";
events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY
  ,SUBSCRIBE,PRACK,MESSAGE,INFO"..User-Agent: snom360/3.60k..Supported:
gruu.
  .Allow-Events: dialog..X-Real-IP: 192.168.0.191..WWW-Contact:
http://192.168.10.1:80..WWW-Contact:
https://192.168.10.1:443..Expires: 3600..Content-Length: 0
T ser.ip.address:5060 -> official.ip.address:2062 [AP]
  SIP/2.0 401 Unauthorized..Via: SIP/2.0/TCP
192.168.10.1:2062;branch=z9hG4b
  K-wekq229vr3vn;rport=2062;received=official.ip.address..From: "Test"
   sip:test@domain.com;tag=3q2blh64wf..To: "Test" <sip:
  test@domain.com>;tag=5431d75005d8ed216f7c100a44746400.19d5..Call-ID
  : 3c26818830d4-ugwagbaz5vkz@snom360..CSeq: 22
REGISTER..P-NATed-Caller: Yes
  ..WWW-Authenticate: Digest realm="domain.com",
nonce="42baac51779c17ebe
  ec20a5ee2f9492821bd723e"..Server: Sip EXpress router (0.9.3
(i386/linux))..
  Content-Length: 0..Warning: ser.ip.address:5060 "Noisy feedback tells:
p
  id=27776 req_src_ip=official.ip.address req_src_port=2062
in_uri=sip:domain.com out_uri=sip:domain.com via_cnt==1"
T official.ip.address:2062 -> ser.ip.address:5060 [A]
  REGISTER sip:domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.1:2062;br
  anch=z9hG4bK-6s4mq8dda681;rport..From: "Test"
sip:test@domain.com;tag=3q2blh64wf..To: "Test"
sip:test@domain.com..Call-ID: 3c26818830d4-ugwagbaz5vkz@snom360..CSeq:
23 REGISTER..Max-
  Forwards: 70..Contact: <sip:test@domain.com:2062;transport=tcp;line=
  lhzwxw3z>;q=1.0;
+sip.instance="<urn:uuid:0c541696-09aa-4d0c-b8ca-fb9889cc61
  ad>";audio;mobility="fixed";duplex="full";description="snom360";
actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY
  ,SUBSCRIBE,PRACK,MESSAGE,INFO"..User-Agent: snom360/3.60k..Supported:
gruu.
  .Allow-Events: dialog..X-Real-IP: 192.168.10.1..WWW-Contact:
<http://192.1
  68.10.1:80>..WWW-Contact: https://192.168.10.1:443..Authorization:
Digestusername="test",realm="domain.com",nonce="42baac51779c17ebeec20a
5ee2f9492821bd723e",uri="sip:domain.com",response="d2415424805014aac504
  b643ea489795",algorithm=md5..Expires: 3600..Content-Length: 0....
T ser.ip.address:5060 -> official.ip.address:2062 [AP]
  SIP/2.0 200 OK..Via: SIP/2.0/TCP
192.168.10.1:2062;branch=z9hG4bK-6s4mq8dd
  a681;rport=2062;received=official.ip.address..From: "Test"
sip:test@domain.com;tag=3q2blh64wf..To: "Test"
sip:test@domain.com;tag=5431d75005d8ed216f7c100a44746400.d02e..Call-ID: 3c268188
  30d4-ugwagbaz5vkz@snom360..CSeq: 23 REGISTER..P-NATed-Caller:
Yes..Contact:
sip:test@192.168.10.1:2056;transport=tcp;line=lhzwxw3z;q=1;expires=
  2204;received="sip:official.ip.address:2056;transport=TCP",
sip:test@192.168.10.1:2055;transport=tcp;line=lhzwxw3z;q=1;expires=1551;
received="sip:official.ip.address:2055;transport=TCP",
sip:test@192.168.10.1:2062;transport=tcp;line=lhzwxw3z;q=1;expires=3600;
received="sip:official.ip.address:2062;transport=TCP"..Server: Sip
EXpress router (0.9.3 (i386/linux))..Content-Length: 0..
Warning: 392 ser.ip.address:5060 "Noisy feedback tells:  pid=27776 req_
  src_ip=official.ip.address req_src_port=2062 in_uri=sip:domain.com
out_uri=sip:domain.com via_cnt==1"
-----------
INVITE
-----------
T official.ip.address:33255 -> ser.ip.address:5060 [AP]
  INVITE sip:test@domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;
  branch=z9hG4bK3AA2CBD1;alias..CSeq: 2681 INVITE..To: <sip:test@domain
  .com>..Content-Type: application/sdp..From: "test2"
<sip:test2@domain.com
...
;tag=67807379..Call-ID: 1766830276@192.168.10.2..Subject: sip:test
@domain.com..Content-Length: 230..User-Agent: kphone/4.1.1..Contac
  t: "test" sip:test@192.168.10.2;transport=tcp....v=0..o=username 0 0
IN
  IP4 192.168.10.2..s=The Funky Flow..c=IN IP4 192.168.10.2..t=0
0..m=audio
   32874 RTP/AVP 0 97 8 3..a=rtpmap:0 PCMU/8000..a=rtpmap:3
GSM/8000..a=rtpma
  p:8 PCMA/8000..a=rtpmap:97 iLBC/8000..a=fmtp:97 mode=30..
##
T ser.ip.address:5060 -> official.ip.address:33255 [AP]
  SIP/2.0 407 Proxy Authentication Required..Via: SIP/2.0/TCP
192.168.10.2;b
ranch=z9hG4bK3AA2CBD1;alias;rport=33255;received=official.ip.address..CSeq: 2681
   INVITE..To: sip:test@domain.com;tag=5431d75005d8ed216f7c100a4474
  6400.5110..From: "test" sip:test2@domain.com;tag=67807379..Call-I
  D: 1766830276@192.168.10.2..P-NATed-Caller: Yes..Proxy-Authenticate:
Diges
  t realm="domain.com", nonce="42baaf784cd57486fa11fe10929ade10b8fc4
  3ec"..Server: Sip EXpress router (0.9.3 (i386/linux))..Content-Length:
0..W
  arning: 392 ser.ip.address:5060 "Noisy feedback tells:  pid=27776
req_src_ip=
  official.ip.address req_src_port=33255 in_uri=sip:test@domain.com
out_ur
  i=sip:test@domain.com via_cnt==1"....
##
T official.ip.address:33255 -> ser.ip.address:5060 [AP]
  ACK sip:test@domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;bra
  nch=z9hG4bK3AA2CBD1;alias..CSeq: 2681 ACK..To: <sip:test@domain.com
...
;tag=5431d75005d8ed216f7c100a44746400.5110..From: "test2" <sip:test2@
domain.com>;tag=67807379..Call-ID:
1766830276@192.168.10.2..Content-Leng
  th: 0..User-Agent: kphone/4.1.1..Contact: "test"
<sip:test@192.168.10.2;tr
  ansport=tcp>....
##
T official.ip.address:33255 -> ser.ip.address:5060 [AP]
  INVITE sip:test@domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;
  branch=z9hG4bK36EBCF00;alias..CSeq: 2682 INVITE..To:
<sip:test@domain.com
...
..Proxy-Authorization: Digest username="test2@domain.com", r
ealm="domain.com", nonce="42baaf784cd57486fa11fe10929ade10b8fc43ec
  ", uri="sip:test@domain.com", cnonce="abcdefghi", nc=00000001, resp
  onse="2c088d59cb24c70c61d890245fe0f5ca", opaque="",
algorithm="MD5"..Conten
  t-Type: application/sdp..From: "test2" sip:test2@domain.com;tag=67
  807379..Call-ID: 1766830276@192.168.10.2..Subject:
sip:test2@domain.com
 ..Content-Length: 230..User-Agent: kphone/4.1.1..Contact: "test" <sip:
  test@192.168.10.2;transport=tcp>....v=0..o=username 0 0 IN IP4
192.168.0.1
  03..s=The Funky Flow..c=IN IP4 192.168.10.2..t=0 0..m=audio 32874
RTP/AVP
  0 97 8 3..a=rtpmap:0 PCMU/8000..a=rtpmap:3 GSM/8000..a=rtpmap:8
PCMA/8000..
  a=rtpmap:97 iLBC/8000..a=fmtp:97 mode=30..
##
T ser.ip.address:5060 -> official.ip.address:33255 [AP]
  SIP/2.0 100 trying -- your call is important to us..Via: SIP/2.0/TCP
192.16
8.10.2;branch=z9hG4bK36EBCF00;alias;rport=33255;received=official.ip.address..C
  Seq: 2682 INVITE..To: sip:test@domain.com..From: "test" <sip:test
  @domain.com>;tag=67807379..Call-ID: 1766830276@192.168.10.2..P-NA
  Ted-Caller: Yes..Server: Sip EXpress router (0.9.3
(i386/linux))..Content-L
  ength: 0..Warning: 392 ser.ip.address:5060 "Noisy feedback tells:
pid=27776
  req_src_ip=official.ip.address req_src_port=33255
in_uri=sip:test@domain.com
  out_uri=sip:test@192.168.10.1:2056;transport=tcp;line=lhzwxw3z vi
  a_cnt==1"....
##
T ser.ip.address:5060 -> official.ip.address:33255 [AP]
  SIP/2.0 477 Unfortunately error on sending to next hop occurred
(477/TM)..V
  ia: SIP/2.0/TCP
192.168.10.2;branch=z9hG4bK36EBCF00;alias;rport=33255;rece
  ived=official.ip.address..CSeq: 2682 INVITE..To:
sip:test@domain.com;t
  ag=a0de3507a8823f96a254cc0a187acbf0-2573..From: "test2"
<sip:test2@domain.com
...
;tag=67807379..Call-ID: 1766830276@192.168.10.2..P-NATed-Caller:
Yes..Server: Sip EXpress router (0.9.3 (i386/linux))..Content-Length:
0..W
  arning: 392 ser.ip.address:5060 "Noisy feedback tells:  pid=27776
req_src_ip=
  official.ip.address req_src_port=33255 in_uri=sip:test@domain.com
out_ur
  i=sip:test@192.168.10.1:2056;transport=tcp;line=lhzwxw3z via_cnt==1"..
  ..
##
T official.ip.address:33255 -> ser.ip.address:5060 [AP]
  ACK sip:test@domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;bra
  nch=z9hG4bK36EBCF00;alias..CSeq: 2682 ACK..To: <sip:test@domain.com
...
;tag=a0de3507a8823f96a254cc0a187acbf0-2573..From: "test2"
<sip:test2@domain
  .com>;tag=67807379..Call-ID: 1766830276@192.168.10.2..Content-Leng
  th: 0..User-Agent: kphone/4.1.1..Contact: "test"
<sip:test@192.168.10.2;tr
  ansport=tcp>....
#

[Serusers] NAT problem

REGISTER

INVITE

REGISTER

INVITE

REGISTER

INVITE

# ----------- global configuration parameters

# ------------------ module loading

# ----------------- setting module-specific parameters

# ------------------------- request routing logic

REGISTER

INVITE

# ----------- global configuration parameters

# ------------------ module loading

# ----------------- setting module-specific parameters

# ------------------------- request routing logic

REGISTER

INVITE

# ----------- global configuration parameters

# ------------------ module loading

# ----------------- setting module-specific parameters

# ------------------------- request routing logic

REGISTER

INVITE