Thanks for the responses everyone! I'll explain a bit more. NAT shouldn't be involved for the internal phones, but I suspect that what Mark described (the DNS query goes to the router instead of Asterisk, returns the public IP, and the registration tries to hairpin) is what's happening here. The phones are auto provisioned with a template that puts Asterisk as the primary DNS and uses DHCP for the secondary. This allows someone to provision a phone, and then take it home without additional config.

The other option here is to have DNS pulled by DHCP for both the primary and secondary, and then fake the DNS record for the registration server to point to Asterisk's internal IP on the DNS server for the network where Asterisk resides. The problem here is that we don't own the network, just the VoIP appliance. So our config needs to be one that we know will work no matter where the phones are, and no matter what the rest of the network looks like.

We do have NAT keep alives enabled (thanks Doug!), but we really shouldn't need it for the internal phones. The traffic shouldn't be NAT'ed, it should never leave the switch (as John suggested).

We have one of the routers coming to our office for testing next week, so I'm going to see if I can verify that DNS queries are going to the secondary server instead of the primary at that point. I'm not sure what else it could be.

The issue reminded me a lot of a DNS cache poisoning attack. Everything looks fine, but then all of a sudden legitimate traffic is going places it shouldn't be.

--
Alex Robar
[email protected]
Google+: gplus.to/alexrobar
Facebook: facebook.com/alex.robar
Twitter: twitter.com/alex_robar

On Fri, Nov 2, 2012 at 11:05 AM, Mark Brown <[email protected]> wrote:

> On 11/2/2012 9:48 AM, Alex Robar wrote:
>
>> Configuration looked like this:
>>
>> Bell Modem -> Switch -> Phones & Asterisk
>>
>> DHCP leases came from the Bell modem. Phones were configured to use
>> Asterisk for primary DNS, Bell Modem as their secondary DNS. Phones are
>> Cisco SPA 303s.
>
> Seems like a strange network setup. You didn't state if NAT was
> involved here. Are you taking multiple addresses (modem configured in
> bridge mode)?
>
> Regardless - it seems odd to configure an external DNS on the phones. The
> external DNS will likely not have the internal address for the Asterisk
> server. The resolver lookups may round robin between the DNS entries on
> the phones, rather than a fall-through situation.
>
> Just a couple of ideas....
>
> /M
