Re: [SR-Users] Possible causes of calls being terminated (ACK packet never received)
El 26/05/14 11:05, Alex Villacís Lasso escribió:
My current working theory is that the Record-Route headers are incorrect in the
original trace. The trace, as captured in the firewall, looks like this:
SIP/2.0 200 OK
Via: SIP/2.0/UDP
38.126.208.41:5060;rport=5060;branch=b18bbcc394bb5dae43946b12f5d5fe0e
Record-Route:
sip:127.0.0.1;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes
Record-Route:
sip:192.168.10.10;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes
The first value is 127.0.0.1 and the second one is 192.168.10.10 . I believe
that when received by 38.126.208.41, this is interpreted as a request to send
the ACK to the remote server's idea of 192.168.10.10, which breaks routing back
to my server.
Now a bit of background. The firewall is a Linux (Zentyal) system that is rewriting the SIP traffic before routing it between the Kamailio (inside the LAN) and the carrier IP (38.126.208.41). This rewrite (kernel modules nf_conntrack_sip, nf_nat_sip)
affects the Via and To headers but leaves the Record-Route header unchanged, which causes the issue. I think I have to force a Record-Route header that shows my public IP where the 192.168.10.10 is currently shown. However, this is becoming difficult.
When I use record_route() (original situation), I get the following set of
headers:
SIP/2.0 200 OK
Via: SIP/2.0/UDP
38.126.208.41:5060;rport=5060;branch=b18bbcc394bb5dae43946b12f5d5fe0e
Record-Route:
sip:127.0.0.1;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes
Record-Route:
sip:192.168.10.10;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes
If I figure out that the SIP dialog is crossing the NAT firewall, and use
record_route_advertised_address(), I end up with the following headers at the
firewall:
SIP/2.0 200 OK
Via: SIP/2.0/UDP
38.126.208.41:5060;rport=5060;branch=a54dd5cb61364e93c84315902262fab8
Record-Route:
sip:201.234.196.171;ftag=3609873405-620577;lr=on;vsf=AGhZVFtaUHNUW1lMRAAAOjEwMzE-;nat=yes
Please note that record_route_advertised_address() is inserting just one value (not two, despite relying on the rr parameter enable_double_rr to remain at its default value of ON), with the value of my public IP. This results in the ACK packet being
sent from the carrier IP, and routed through the firewall and to the Kamailio server. However, once there, it is not further routed to the Asterisk instance at 127.0.0.1:5080, which results in the same situation as before.
If I try to call both record_route() and record_route_advertised_address() , in any
order, I get the behavior matching the first call, and the second call is ignored with a
message in the logs stating Double attempt to record-route.
If I try using record_route() along with set_advertised_address(), I get the
following set of headers:
SIP/2.0 200 OK
Via: SIP/2.0/UDP
38.126.208.41:5060;rport=5060;branch=d7bd9bac7e62d56026365e5aa7b257f7
Record-Route:
sip:201.234.196.171;r2=on;lr=on;ftag=3609874172-119227;vsf=AGhZVl9aUXtSUllBRQAAOjEwMzE-;nat=yes
Record-Route:
sip:192.168.10.10;r2=on;lr=on;ftag=3609874172-119227;vsf=AGhZVl9aUXtSUllBRQAAOjEwMzE-;nat=yes
That is, I get 127.0.0.1 replaced with the public IP, and the private IP
remains in place as the last value. This again results in ACK never reaching
the firewall, much less the Kamailio server.
What I think is needed is a way to *conditionally* make Kamailio emit, from
inside the LAN, a packet like this:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 38.126.208.41:5060;rport=5060;branch=blah
Record-Route: sip:127.0.0.1;r2=on;lr=on;blah...
Record-Route: sip:201.234.196.171;r2=on;lr=on;blah...
The way I am trying to build the Record-Route headers is with this block:
# Value of $var(rr_advertise_address) is set in route(MHOMED_ELASTIX)
route[MHOMED_RR] {
if ($var(rr_advertise_address) != 0) {
xlog(L_ALERT, MHOMED_RR using rr advertised address
$var(rr_advertise_address)\n);
record_route_advertised_address($var(rr_advertise_address));
} else {
record_route();
}
}
The idea is that, for calls that do not route to internal addresses in the LAN, I have to set $var(rr_advertise_address), otherwise it remains as $null. If I do this, I get the single Record-Route with the advertised address instead of two values (one
with the advertised address, the other with 127.0.0.1) as I would like it to run. However, if I invoke record_route() unconditionally, I get the two header values.
Why the difference in behavior?
Is there any additional information I might provide to solve this?
___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Re: [SR-Users] Possible causes of calls being terminated (ACK packet never received)
My current working theory is that the Record-Route headers are incorrect in the
original trace. The trace, as captured in the firewall, looks like this:
SIP/2.0 200 OK
Via: SIP/2.0/UDP
38.126.208.41:5060;rport=5060;branch=b18bbcc394bb5dae43946b12f5d5fe0e
Record-Route:
sip:127.0.0.1;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes
Record-Route:
sip:192.168.10.10;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes
The first value is 127.0.0.1 and the second one is 192.168.10.10 . I believe
that when received by 38.126.208.41, this is interpreted as a request to send
the ACK to the remote server's idea of 192.168.10.10, which breaks routing back
to my server.
Now a bit of background. The firewall is a Linux (Zentyal) system that is rewriting the SIP traffic before routing it between the Kamailio (inside the LAN) and the carrier IP (38.126.208.41). This rewrite (kernel modules nf_conntrack_sip, nf_nat_sip)
affects the Via and To headers but leaves the Record-Route header unchanged, which causes the issue. I think I have to force a Record-Route header that shows my public IP where the 192.168.10.10 is currently shown. However, this is becoming difficult.
When I use record_route() (original situation), I get the following set of
headers:
SIP/2.0 200 OK
Via: SIP/2.0/UDP
38.126.208.41:5060;rport=5060;branch=b18bbcc394bb5dae43946b12f5d5fe0e
Record-Route:
sip:127.0.0.1;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes
Record-Route:
sip:192.168.10.10;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes
If I figure out that the SIP dialog is crossing the NAT firewall, and use
record_route_advertised_address(), I end up with the following headers at the
firewall:
SIP/2.0 200 OK
Via: SIP/2.0/UDP
38.126.208.41:5060;rport=5060;branch=a54dd5cb61364e93c84315902262fab8
Record-Route:
sip:201.234.196.171;ftag=3609873405-620577;lr=on;vsf=AGhZVFtaUHNUW1lMRAAAOjEwMzE-;nat=yes
Please note that record_route_advertised_address() is inserting just one value (not two, despite relying on the rr parameter enable_double_rr to remain at its default value of ON), with the value of my public IP. This results in the ACK packet being sent
from the carrier IP, and routed through the firewall and to the Kamailio server. However, once there, it is not further routed to the Asterisk instance at 127.0.0.1:5080, which results in the same situation as before.
If I try to call both record_route() and record_route_advertised_address() , in any
order, I get the behavior matching the first call, and the second call is ignored with a
message in the logs stating Double attempt to record-route.
If I try using record_route() along with set_advertised_address(), I get the
following set of headers:
SIP/2.0 200 OK
Via: SIP/2.0/UDP
38.126.208.41:5060;rport=5060;branch=d7bd9bac7e62d56026365e5aa7b257f7
Record-Route:
sip:201.234.196.171;r2=on;lr=on;ftag=3609874172-119227;vsf=AGhZVl9aUXtSUllBRQAAOjEwMzE-;nat=yes
Record-Route:
sip:192.168.10.10;r2=on;lr=on;ftag=3609874172-119227;vsf=AGhZVl9aUXtSUllBRQAAOjEwMzE-;nat=yes
That is, I get 127.0.0.1 replaced with the public IP, and the private IP
remains in place as the last value. This again results in ACK never reaching
the firewall, much less the Kamailio server.
What I think is needed is a way to *conditionally* make Kamailio emit, from
inside the LAN, a packet like this:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 38.126.208.41:5060;rport=5060;branch=blah
Record-Route: sip:127.0.0.1;r2=on;lr=on;blah...
Record-Route: sip:201.234.196.171;r2=on;lr=on;blah...
The way I am trying to build the Record-Route headers is with this block:
# Value of $var(rr_advertise_address) is set in route(MHOMED_ELASTIX)
route[MHOMED_RR] {
if ($var(rr_advertise_address) != 0) {
xlog(L_ALERT, MHOMED_RR using rr advertised address
$var(rr_advertise_address)\n);
record_route_advertised_address($var(rr_advertise_address));
} else {
record_route();
}
}
The idea is that, for calls that do not route to internal addresses in the LAN, I have to set $var(rr_advertise_address), otherwise it remains as $null. If I do this, I get the single Record-Route with the advertised address instead of two values (one with
the advertised address, the other with 127.0.0.1) as I would like it to run. However, if I invoke record_route() unconditionally, I get the two header values.
Why the difference in behavior?
___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Re: [SR-Users] Possible causes of calls being terminated (ACK packet never received)
El 21/05/14 11:41, Alex Villacís Lasso escribió: El 21/05/14 10:28, Alex Villacís Lasso escribió: El 21/05/14 00:52, Juha Heinanen escribió: Alex Villacís Lasso writes: I am trying to explain the situation to our carrier, but I want to rule out possible misconfigurations on our side. Are there common misconfigurations that produce the symptoms described here? Are there any issues evident from the attached traffic? 200 ok matches invite if from tag matches, call id matches and cseq is the same as in invite. All of these look like a match from my side, between the received INVITE and the 200 OK. Are there any other issues that could be picked up from the sample traffic? For more information, the carrier has said that the remote device is a Nextone. My current working theory is that the Record-Route headers are incorrect in the original trace. The trace, as captured in the firewall, looks like this: SIP/2.0 200 OK Via: SIP/2.0/UDP 38.126.208.41:5060;rport=5060;branch=b18bbcc394bb5dae43946b12f5d5fe0e Record-Route: sip:127.0.0.1;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes Record-Route: sip:192.168.10.10;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes The first value is 127.0.0.1 and the second one is 192.168.10.10 . I believe that when received by 38.126.208.41, this is interpreted as a request to send the ACK to the remote server's idea of 192.168.10.10, which breaks routing back to my server. Now a bit of background. The firewall is a Linux (Zentyal) system that is rewriting the SIP traffic before routing it between the Kamailio (inside the LAN) and the carrier IP (38.126.208.41). This rewrite (kernel modules nf_conntrack_sip, nf_nat_sip) affects the Via and To headers but leaves the Record-Route header unchanged, which causes the issue. I think I have to force a Record-Route header that shows my public IP where the 192.168.10.10 is currently shown. However, this is becoming difficult. When I use record_route() (original situation), I get the following set of headers: SIP/2.0 200 OK Via: SIP/2.0/UDP 38.126.208.41:5060;rport=5060;branch=b18bbcc394bb5dae43946b12f5d5fe0e Record-Route: sip:127.0.0.1;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes Record-Route: sip:192.168.10.10;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes If I figure out that the SIP dialog is crossing the NAT firewall, and use record_route_advertised_address(), I end up with the following headers at the firewall: SIP/2.0 200 OK Via: SIP/2.0/UDP 38.126.208.41:5060;rport=5060;branch=a54dd5cb61364e93c84315902262fab8 Record-Route: sip:201.234.196.171;ftag=3609873405-620577;lr=on;vsf=AGhZVFtaUHNUW1lMRAAAOjEwMzE-;nat=yes Please note that record_route_advertised_address() is inserting just one value (not two, despite relying on the rr parameter enable_double_rr to remain at its default value of ON), with the value of my public IP. This results in the ACK packet being sent from the carrier IP, and routed through the firewall and to the Kamailio server. However, once there, it is not further routed to the Asterisk instance at 127.0.0.1:5080, which results in the same situation as before. If I try to call both record_route() and record_route_advertised_address() , in any order, I get the behavior matching the first call, and the second call is ignored with a message in the logs stating Double attempt to record-route. If I try using record_route() along with set_advertised_address(), I get the following set of headers: SIP/2.0 200 OK Via: SIP/2.0/UDP 38.126.208.41:5060;rport=5060;branch=d7bd9bac7e62d56026365e5aa7b257f7 Record-Route: sip:201.234.196.171;r2=on;lr=on;ftag=3609874172-119227;vsf=AGhZVl9aUXtSUllBRQAAOjEwMzE-;nat=yes Record-Route: sip:192.168.10.10;r2=on;lr=on;ftag=3609874172-119227;vsf=AGhZVl9aUXtSUllBRQAAOjEwMzE-;nat=yes That is, I get 127.0.0.1 replaced with the public IP, and the private IP remains in place as the last value. This again results in ACK never reaching the firewall, much less the Kamailio server. What I think is needed is a way to *conditionally* make Kamailio emit, from inside the LAN, a packet like this: SIP/2.0 200 OK Via: SIP/2.0/UDP 38.126.208.41:5060;rport=5060;branch=blah Record-Route: sip:127.0.0.1;r2=on;lr=on;blah... Record-Route: sip:201.234.196.171;r2=on;lr=on;blah... The network administrator is reluctant to expose the Kamailio server directly to the internet, but that setup does work for the short time it was tried. That setup resulted in a 200 OK packet exactly like what I show above. Is this analysis sensible? If so, is there a way to do what I want? If not, could this work if the kernel SIP modules at the firewall are blacklisted and Kamailio is made to do all the heavy lifting itself? Is there an
Re: [SR-Users] Possible causes of calls being terminated (ACK packet never received)
El 21/05/14 00:52, Juha Heinanen escribió: Alex Villacís Lasso writes: I am trying to explain the situation to our carrier, but I want to rule out possible misconfigurations on our side. Are there common misconfigurations that produce the symptoms described here? Are there any issues evident from the attached traffic? 200 ok matches invite if from tag matches, call id matches and cseq is the same as in invite. All of these look like a match from my side, between the received INVITE and the 200 OK. Are there any other issues that could be picked up from the sample traffic? ___ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Re: [SR-Users] Possible causes of calls being terminated (ACK packet never received)
El 21/05/14 10:28, Alex Villacís Lasso escribió: El 21/05/14 00:52, Juha Heinanen escribió: Alex Villacís Lasso writes: I am trying to explain the situation to our carrier, but I want to rule out possible misconfigurations on our side. Are there common misconfigurations that produce the symptoms described here? Are there any issues evident from the attached traffic? 200 ok matches invite if from tag matches, call id matches and cseq is the same as in invite. All of these look like a match from my side, between the received INVITE and the 200 OK. Are there any other issues that could be picked up from the sample traffic? For more information, the carrier has said that the remote device is a Nextone. ___ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
[SR-Users] Possible causes of calls being terminated (ACK packet never received)
I am trying to diagnose a SIP issue between our carrier and our network. The carrier has a CARRIER_IP and a different CARRIER_MEDIA_IP, and it submits an INVITE packet to MY_PUBLIC_IP using MY_DID. The firewall at our public IP (where the attached traffic sample was taken) redirects it to a particular Kamailio server at 192.168.10.10 inside the LAN, and it in turn routes it to the Asterisk instance in localhost. The issue is that the INVITE is received, then the SIP/2.0 100 Trying and then SIP/2.0 200 OK are routed back (or so I think), and then the expected ACK from is never received, even though the caller already hears the media from the Asterisk IVR. After a timeout, our Asterisk closes the call, in the middle of the conversation. I am trying to explain the situation to our carrier, but I want to rule out possible misconfigurations on our side. Are there common misconfigurations that produce the symptoms described here? Are there any issues evident from the attached traffic? 10:55:02.721271 IP CARRIER_IP.5060 MY_PUBLIC_IP.5060: SIP, length: 870 EH@.~.).n..INVITE sip:MY_DID@MY_PUBLIC_IP:5060 SIP/2.0 Max-Forwards: 69 Session-Expires: 3600;Refresher=uac Supported: timer To: unknown sip:MY_DID@MY_PUBLIC_IP:5060 From: WIRELESS CALLER sip:CALLER_ID@CARRIER_IP;tag=3609590102-643763 P-Asserted-Identity:WIRELESS CALLERsip:CALLER_ID@CALLER_SOURCE_IP:5060 Call-ID: 90553-3609590102-643720@msw1 CSeq: 1 INVITE Via: SIP/2.0/UDP CARRIER_IP:5060;branch=b18bbcc394bb5dae43946b12f5d5fe0e Contact: sip:CALLER_ID@CARRIER_IP:5060 Content-Type: application/sdp Content-Length: 303 v=0 o=carrierhostname 1234 0 IN IP4 CARRIER_MEDIA_IP s=sip call c=IN IP4 CARRIER_MEDIA_IP t=0 0 m=audio 27630 RTP/AVP 18 0 8 101 a=rtpmap:18 G729/8000 a=fmtp:18 annexb=no a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-15 a=sendrecv a=maxptime:20 10:55:02.749669 IP MY_PUBLIC_IP.5060 CARRIER_IP.5060: SIP, length: 396 E]..?...~.)SIP/2.0 100 trying -- your call is important to us To: unknown sip:MY_DID@MY_PUBLIC_IP:5060 From: WIRELESS CALLER sip:CALLER_ID@CARRIER_IP:5060;tag=3609590102-643763 Call-ID: 90553-3609590102-643720@msw1 CSeq: 1 INVITE Via: SIP/2.0/UDP CARRIER_IP:5060;branch=b18bbcc394bb5dae43946b12f5d5fe0e;rport=5060 Server: kamailio (4.1.3 (x86_64/linux)) Content-Length: 0 10:55:03.757740 IP MY_PUBLIC_IP.5060 CARRIER_IP.5060: SIP, length: 1171 E^..?...~.)SIP/2.0 200 OK Via: SIP/2.0/UDP CARRIER_IP:5060;rport=5060;branch=b18bbcc394bb5dae43946b12f5d5fe0e Record-Route: sip:127.0.0.1;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes Record-Route: sip:192.168.10.10;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes From: WIRELESS CALLER sip:CALLER_ID@CARRIER_IP:5060;tag=3609590102-643763 To: unknown sip:MY_DID@MY_PUBLIC_IP:5060;tag=as0d5ffe67 Call-ID: 90553-3609590102-643720@msw1 CSeq: 1 INVITE Server: Asterisk PBX 11.8.1 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH Supported: replaces, timer Session-Expires: 1800;refresher=uac Contact: sip:MY_DID@MY_PUBLIC_IP:5080;alias=127.0.0.1~5080~1 Content-Type: application/sdp Require: timer Content-Length: 281 v=0 o=root 607970891 607970891 IN IP4 MY_PUBLIC_IP s=Asterisk PBX 11.8.1 c=IN IP4 MY_PUBLIC_IP t=0 0 m=audio 17780 RTP/AVP 0 8 101 a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=ptime:20 a=sendrecv a=nortpproxy:yes 10:55:04.257451 IP MY_PUBLIC_IP.5060 CARRIER_IP.5060: SIP, length: 1171 E_..?...~.)SIP/2.0 200 OK Via: SIP/2.0/UDP CARRIER_IP:5060;rport=5060;branch=b18bbcc394bb5dae43946b12f5d5fe0e Record-Route: sip:127.0.0.1;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes Record-Route: sip:192.168.10.10;r2=on;lr=on;ftag=3609590102-643763;vsf=AGhZVlxTUnJZUllGSQAAOjEzNTI-;nat=yes From: WIRELESS CALLER sip:CALLER_ID@CARRIER_IP:5060;tag=3609590102-643763 To: unknown sip:MY_DID@MY_PUBLIC_IP:5060;tag=as0d5ffe67 Call-ID: 90553-3609590102-643720@msw1 CSeq: 1 INVITE Server: Asterisk PBX 11.8.1 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH Supported: replaces, timer Session-Expires: 1800;refresher=uac Contact: sip:MY_DID@MY_PUBLIC_IP:5080;alias=127.0.0.1~5080~1 Content-Type: application/sdp Require: timer Content-Length: 281 v=0 o=root 607970891 607970891 IN IP4 MY_PUBLIC_IP s=Asterisk PBX 11.8.1 c=IN IP4 MY_PUBLIC_IP t=0 0 m=audio 17780 RTP/AVP 0 8 101 a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=ptime:20 a=sendrecv a=nortpproxy:yes 10:55:05.258278 IP MY_PUBLIC_IP.5060 CARRIER_IP.5060: SIP, length: 1171 E`..?...~.)SIP/2.0 200 OK Via: SIP/2.0/UDP CARRIER_IP:5060;rport=5060;branch=b18bbcc394bb5dae43946b12f5d5fe0e Record-Route:
[SR-Users] Possible causes of calls being terminated (ACK packet never received)
Alex Villacís Lasso writes: I am trying to explain the situation to our carrier, but I want to rule out possible misconfigurations on our side. Are there common misconfigurations that produce the symptoms described here? Are there any issues evident from the attached traffic? 200 ok matches invite if from tag matches, call id matches and cseq is the same as in invite. -- juha ___ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
