On Tue, 2009-08-25 at 21:07 -0400, John A. Sullivan III wrote:
> Hello, all. Since implementing an iptables firewall between the
> Asterisk PBX and several SIP phones, the Asterisk PBX's ability to
> "reinvite" has been broken even when the phones are on the same network
> (i.e., no firewall between the phones). We've been beating our heads
> against the wall thinking it was the complex rule set but it appears the
> issue is ip_conntrack_sip.
>
> Before I drop another day into verifying this, may I ask if anyone else
> has had a similar problem and found a solution? It appears conntrack is
> rewriting the SDP so that the address is reverted to the PBX address.
>
> Here is the relevant SDP portion of a reinvite captured on the PBX
> using tcpdump and displayed in Wireshark. The PBX is at 172.x.x.8 and
> the phone is at 10.x.x.193:
>
> Owner/Creator, Session Id (o): root 1417450700 1417450701 IN IP4
> 10.x.x.183
> Owner Address: 10.x.x.183
> Connection Information (c): IN IP4 10.x.x.183
> Connection Address: 10.x.x.183
>
> Here is a similar sequence but captured from the phone itself:
> Owner/Creator, Session Id (o): root 595629021 595629022 IN IP4 172.x.x.8
> Owner Address: 172.x.x.8
> Connection Information (c): IN IP4 172.x.x.8
> Connection Address: 172.x.x.8
>
> It would appear conntrack has incorrectly "fixed" the packet.
>
> I noticed newer kernels have sip_direct_media and sip_direct_signalling
> options. I don't know if those apply but they do not seem to be present
> in our CentOS 5.3 kernel.
>
> I'll probably spend most of tomorrow confirming this hypothesis and
> investigating solutions so I'd be deeply appreciative for any
> time-saving advice. Thanks - John
>

The ip_nat_sip conntrack module was indeed the culprit. Apparently this
can be fixed in newer kernels by setting the sip_direct_media=0 option
for ip_conntrack_sip in modprobe.conf.

However, since our CentOS 5.3 version of the kernel does not support
this, we disabled ip_nat_sip and returned responsibility for managing
NAT to sip.conf. Hope this helps someone else - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
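
Added example, not part of the original post: a small Python check for the symptom described above. It compares the o= and c= addresses of the same SDP body as captured on the sending host and on the receiving phone, and reports any field that was rewritten in the path (for instance by a NAT helper). The function names and the two sample messages with their addresses are constructed for illustration.

```python
"""Report SDP address fields that differ between two captures of one message."""

def sdp_addresses(message):
    """Return (field, address) pairs for each o= and c= line, in order.

    Accepts a full SIP message or a bare SDP body; SIP headers are skipped
    because SDP lines always have the form <letter>=<value>.
    """
    found, scope, media_count = [], "session", 0
    for raw in message.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        kind, parts = line[0], line[2:].split()
        if kind == "m" and parts:
            media_count += 1
            scope = f"media{media_count}({parts[0]})"
        elif kind == "o" and len(parts) == 6:
            found.append((f"{scope} o=", parts[5]))
        elif kind == "c" and len(parts) == 3:
            # Drop an optional /ttl suffix on the connection address.
            found.append((f"{scope} c=", parts[2].split("/")[0]))
    return found

def rewritten_fields(sent, received):
    """List (field, sent_address, received_address) for each changed field."""
    before, after = sdp_addresses(sent), sdp_addresses(received)
    if [f for f, _ in before] != [f for f, _ in after]:
        raise ValueError("captures do not describe the same SDP layout")
    return [(f, a, b) for (f, a), (_, b) in zip(before, after) if a != b]

# Constructed sample: a re-INVITE as it leaves the PBX, pointing media at a phone.
SENT = """INVITE sip:phone@10.0.0.193 SIP/2.0
Content-Type: application/sdp

v=0
o=root 1417450700 1417450701 IN IP4 10.0.0.183
s=session
c=IN IP4 10.0.0.183
t=0 0
m=audio 10000 RTP/AVP 0
"""
# Constructed sample: the same message as seen on the phone after the firewall.
RECEIVED = SENT.replace("IN IP4 10.0.0.183", "IN IP4 172.16.0.8")

if __name__ == "__main__":
    for field, was, now in rewritten_fields(SENT, RECEIVED):
        print(f"{field} rewritten in path: {was} -> {now}")
```

The message bodies can be pasted from a capture taken on each side; an empty result means the SDP addresses arrived unchanged.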