Hi,
I have a problem using SER. I have a client behind a CheckPoint FW. When the client tries to register, SER receives the SIP REGISTER message and replies to the source IP and source port, but because the client is behind the CheckPoint FW, if the source port is not 5060 the FW blocks it. So I need SER to reply not to the source port of the client but to port 5060.
I'll attach ngrep output from the SER server:
Client sends REGISTER to the SER server at 192.168.0.161:5060.
U 2008/06/12 21:36:01.654005 10.6.67.10:31472 -> 192.168.0.161:5060 REGISTER sip:213.8.57.218 SIP/2.0..Via: SIP/2.0/UDP 10.6.67.10:31472;branch=z9hG4bK-d87543-de5ac063e9293020-1--d87543-;rport..Max-Forwards: 70..Contact: sip:200@10.6.67.10:31472;rinstance=82602d40693d48a6;expires=0..To: "test1"sip:200@213.8.57.218..From: "test1"sip:200@213.8.57.218;tag=5c6b793a..Call-ID: NmI4MTUyMWY5MTEwYTI3ZjY2ZTE2ZTMzNzk5ZGFmZWI...CSeq: 5 REGISTER..Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO..User-Agent: X-Lite release 1011s stamp 41150..Authorization: Digest username="200",realm="localhost",nonce="48516daafb5a34060786219a55fdb49089064386",uri="sip:213.8.57.218",response="b8501a2d0c096b934320be23363dee32",algorithm=MD5..Content-Length: 0....
#
The SER server responds to the source IP and source port:
U 2008/06/12 21:36:01.654992 192.168.0.161:5060 -> 10.6.67.10:31472 SIP/2.0 200 OK..Via: SIP/2.0/UDP 10.6.67.10:31472;branch=z9hG4bK-d87543-de5ac063e9293020-1--d87543-;rport=31472..To: "test1"sip:200@213.8.57.218;tag=40c9dbfbe83fe4e1cec231af33432933.321f..From: "test1"sip:200@213.8.57.218;tag=5c6b793a..Call-ID: NmI4MTUyMWY5MTEwYTI3ZjY2ZTE2ZTMzNzk5ZGFmZWI...CSeq: 5 REGISTER..Server: OpenSER (1.3.2-notls (i386/linux))..Content-Length: 0....
But I need to respond to port 5060 and not the source port. I'm not using rport. I also talked to CheckPoint service, and they claim that they are working according to RFC 3261 and that my SER server should reply to port 5060.
Any suggestions?
Thanks In Advance,
David Lubarski,
On Tue, Jun 17, 2008 at 05:31:46PM +0300, David Lubarski wrote:
> But I need to respond to port 5060 and not the source port. I'm not using rport. I also talked to CheckPoint service, and they claim that they are working according to RFC 3261 and that my SER server should reply to port 5060.
SER replies to the address and port found in the topmost Via header of the request. This is exactly what is required by RFC 3261. As there is no NAT involved in this case, this is definitely the correct behaviour.
If SER just sent the reply to port 5060 the client wouldn't know what to do with it as it is expecting a reply on the port from which it sent its request. (It _is_ possible to configure it this way, but as said this wouldn't buy you much.)
Maybe Checkpoint service is trying to tell you that you should configure your _client_ to use 5060 as its source port. This, too, is in no way required by RFC 3261 but maybe it is required by Checkpoint's interpretation of it. I'm not a Checkpoint expert.
Just my $0.02...
Regards, Jan
As I understand from Checkpoint, they have some kind of SIP table that saves the client's call ID, source IP, source port, destination IP and port.
They check to see if it's a SIP message from the client and save it in the table.
And in order to answer the client I have to reply only to port 5060, because they are not allowing any other ports through the FW.
David.
On Tue, Jun 17, 2008 at 09:46:39PM +0300, David Lubarski wrote:
> And in order to answer the client I have to reply only to port 5060, because they are not allowing any other ports through the FW.
While I don't quite understand the purpose of this restriction, it may well be that Checkpoint does have it. As I said I don't know Checkpoint...
If so, anyway, you should configure your client to send its requests _from_ port 5060 then. Then SER will of course reply to port 5060, too. I don't see any other solution that could work, if Checkpoint really works the way you describe.
Besides, I should have checked in depth before stating that it's possible in SER to override the port for the reply. It's not. You can override the port for requests, but not for replies. (And I guess this is so for a good reason. :-)
Regards, Jan
David,
You might have in your SER cfg the "force_rport()" directive, since, as you see, the Via in the reply contains the "rport" param. Once you comment that out (or don't run it for this particular client), you should get your desired behavior.
Bogdan.
_______________________________________________
Serusers mailing list
Serusers@lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
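
The reply-routing rule discussed in this thread, as an added example (not code from SER or from any poster): a Python version of RFC 3261 §18.2.2 with the RFC 3581 rport extension, applied to the Via header and packet source from the ngrep capture above. `parse_top_via`, `reply_target` and the `force_rport` flag (which models the effect of SER's `force_rport()` directive) are names chosen for this illustration; IPv6 literals are not handled.

```python
DEFAULT_SIP_PORT = 5060

def parse_top_via(via_value):
    """Split a Via header value into (host, port or None, params dict)."""
    sent, *raw_params = via_value.split(";")
    sent_by = sent.split()[-1]                 # drop the "SIP/2.0/UDP" token
    host, _, port = sent_by.partition(":")     # assumption: IPv4 or hostname only
    params = {}
    for p in raw_params:
        name, _, value = p.strip().partition("=")
        if name:
            params[name.lower()] = value
    return host, int(port) if port else None, params

def reply_target(via_value, src_ip, src_port, force_rport=False):
    """Return (ip, port, via_additions) for the response to a UDP request.

    src_ip/src_port are the packet's source as seen by the server.
    """
    host, port, params = parse_top_via(via_value)
    # RFC 3581: an empty rport from the client (or a server-side force)
    # makes the server record and reply to the packet's source ip:port.
    if "rport" in params or force_rport:
        return src_ip, src_port, f"received={src_ip};rport={src_port}"
    # RFC 3261 18.2.2: sent-by host differs from the source -> add received,
    # reply to the source IP but still to the sent-by port (default 5060).
    if host != src_ip:
        return src_ip, port or DEFAULT_SIP_PORT, f"received={src_ip}"
    # Otherwise reply to the sent-by address and port as written in the Via.
    return host, port or DEFAULT_SIP_PORT, ""

# Via and source address taken from the REGISTER in the capture above.
CAPTURED_VIA = ("SIP/2.0/UDP 10.6.67.10:31472;"
                "branch=z9hG4bK-d87543-de5ac063e9293020-1--d87543-;rport")
# Constructed variants: same Via without rport, and a Via with no port at all.
NO_RPORT_VIA = CAPTURED_VIA.rsplit(";", 1)[0]
NO_PORT_VIA = "SIP/2.0/UDP 10.6.67.10;branch=z9hG4bK-constructed"

if __name__ == "__main__":
    for via in (CAPTURED_VIA, NO_RPORT_VIA, NO_PORT_VIA):
        print(reply_target(via, "10.6.67.10", 31472))
```

For the captured request the target is port 31472 with or without rport, because the client wrote 31472 into the Via sent-by itself; only a Via that names no port (or names 5060) yields a reply to 5060.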