Hi,
I'm not 100% sure, but I didn't want to leave it uncommented.
It sounds very similar to basic cases with SST. Since I don't want to
write it down I will quote one article from the web.
SOURCE:
http://biztechstore.com/blog/?p=176=26
QUOTE:
VOIP Calls Dropping After 30 Minutes
We have had an ongoing complaint from one of our customers about their
VOIP calls dropping after 30 minutes. I admit to some scepticism at
first, but after checking their activity logs, I discovered that any
long calls they placed would disconnect after exactly 30 minutes.
I did some research, and found that others with various providers had
reported similar issues. Most people were accusing the carriers of
dropping the calls intentionally to save money, but nobody offered any
evidence to back this claim up. I then contacted both the VOIP vendor
and TalkSwitch. Both were helpful, but neither could figure out the
issue. The customer agreed to run a trace on the next call they
expected to be long, but they understandably could never seem to start a
trace on a call that turned out to be long. As such, the issue just
sat.
Last week, a second customer began reporting the same issue. I spoke to
both service providers again. While we were all searching for a way to
identify the issue, I had the "fortune" to experience the problem myself
on a conference call. Since I have a full firewall with extensive
logging capabilities, I was able to compare my log with the VOIP
vendor's log, and we had the answer.
It seems that nexVortex, the VOIP carrier in this case, sends a SIP
re-invite after 30 minutes just to make sure the call is really still
active. They understandably do not want to tie up resources on a call
that had already ended. nexVortex was always sending the re-invite on
the port from which it was seeing the initial connection. After 30
minutes, my firewall no longer was associating that port with my initial
connection, and dropped the packet. As such, the TalkSwitch never saw
the re-invite and thus never responded. When nexVortex never got a
response, it figured the call was dead and dropped it. The fix for me
was relatively easy. On my SonicWall TZ-210, there is an option to
"Enable Consistent NAT", which makes sure the firewall always sends
outbound traffic on consistent port and IP address pairs. Since I route
inbound traffic for the standard VOIP ports to my TalkSwitch, it should
cease to be an issue.
In your case I would try this:
Asterisk provides support for SIP Session Timers (RFC 4028) through
parameters in sip.conf. It provides a keep-alive mechanism. However,
they quite often don't work properly and cause calls to drop. The
simplest fix is to disable them with "session-timers=refuse".
As always in those cases a tcpdump would be helpful. I doubt shorewall
does anything to or with this traffic in that manner.
Regards,
Martin
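
An added example (not part of the original message or the quoted article) for reading the tcpdump suggested above: it takes timestamped SIP messages of one call, pulls the negotiated Session-Expires interval, and checks whether an in-dialog refresh was ever answered before the BYE. The sample messages, the Call-ID and the pbx.invalid host are constructed; the timing rules are taken from RFC 4028, and any in-dialog INVITE or UPDATE is assumed to be a refresh.

```python
import re
CRLF = "\r\n"

def msg(start, cseq, extra=""):  # builds the constructed sample messages below
    return f"{start}{CRLF}Call-ID: demo-1{CRLF}CSeq: {cseq}{CRLF}{extra}{CRLF}"

# Constructed capture, one dialog: (seconds since call start, raw SIP message).
SAMPLE = [
    (0.0, msg("INVITE sip:100@pbx.invalid SIP/2.0", "1 INVITE")),
    (2.0, msg("SIP/2.0 200 OK", "1 INVITE", "Session-Expires: 1800;refresher=uas" + CRLF)),
    (902.0, msg("INVITE sip:100@pbx.invalid SIP/2.0", "2 INVITE")),  # refresh
    (902.5, msg("INVITE sip:100@pbx.invalid SIP/2.0", "2 INVITE")),  # retransmission
    (1770.0, msg("BYE sip:100@pbx.invalid SIP/2.0", "3 BYE")),
]

def parse(raw):
    head, *lines = raw.split(CRLF)
    hdrs = {k.strip().lower(): v.strip()
            for k, _, v in (ln.partition(":") for ln in lines) if v}
    hdrs.setdefault("session-expires", hdrs.get("x", ""))  # "x" is the compact form
    status = int(head.split()[1]) if head.startswith("SIP/2.0") else None
    return (None if status else head.split()[0]), status, hdrs

def analyze(capture):
    interval = answered_at = bye_at = None
    pending, refreshed = {}, []  # unanswered refresh CSeq -> first seen; answered ones
    for t, raw in capture:
        method, status, h = parse(raw)
        cseq = h.get("cseq", "")
        if status and 200 <= status < 300 and cseq.endswith(("INVITE", "UPDATE")):
            if answered_at is None:            # 2xx to the initial INVITE
                answered_at = t
                m = re.match(r"\d+", h["session-expires"])
                interval = int(m.group()) if m else None
            elif cseq in pending:              # 2xx to an in-dialog refresh
                refreshed.append(pending.pop(cseq))
        elif method in ("INVITE", "UPDATE") and answered_at is not None:
            pending.setdefault(cseq, t)        # retransmissions keep the first time
        elif method == "BYE":
            bye_at = t
    if interval is None:
        return {"verdict": "no session timer negotiated"}
    # RFC 4028: refresh is recommended at half the interval; with no refresh the
    # BYE goes out min(32, interval/3) seconds before the session expires.
    teardown = answered_at + interval - min(32, interval / 3)
    timed_out = bye_at is not None and bye_at >= teardown and not refreshed
    return {"interval": interval, "refresh_due": answered_at + interval / 2,
            "teardown": teardown, "unanswered": sorted(pending.values()),
            "session_timer_drop": timed_out}
```

If `session_timer_drop` is true and `unanswered` is empty, no refresh reached the capture point at all, which is the pattern the quoted article describes for a packet dropped by the firewall in front of the PBX.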
From: Victor Galino [mailto:[email protected]]
Sent: Monday, 19 May 2014 11:22
To: [email protected]
Subject: [Shorewall-users] Shorewall Asterisk SIP Calls Stop at 30 minutes
Hello
I configured Shorewall for an Asterisk server.
I needed to add this to /etc/shorewall/start:
rmmod nf_nat_sip &> /dev/null
rmmod nf_conntrack_sip &> /dev/null
And it works fine.
The only problem I detect is when I have a call established: at the 30
minute mark the call goes down, and I need to make another call.
The configuration is on CentOS 6.5 Final with kernel 2.6.32-431.17.1 and
Shorewall 4.5.4.
I am sending the parts of the shorewall dump related to the modules and
nf_conntrack; I understand it is something generic with TCP connections or
nf_conntrack (netfilter).
Thanks in advance
Regards
Victor
/proc
/proc/version = Linux version 2.6.32-431.17.1.el6.x86_64 ([email protected]) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Wed May 7 23:32:49 UTC 2014
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
/proc/sys/net/ipv4/conf/tun3/proxy_arp = 0
/proc/sys/net/ipv4/conf/tun3/arp_filter = 0
/proc/sys/net/ipv4/conf/tun3/arp_ignore = 0
/proc/sys/net/ipv4/conf/tun3/rp_filter = 0
/proc/sys/net/ipv4/conf/tun3/log_martians = 1
Modules
ip_set 30977 1 xt_set
iptable_filter 2793 1
iptable_mangle 3349 1
iptable_nat 6158 0
iptable_raw 2264 0
ip_tables 17831 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype 2153 5
ipt_ah 1247 0
ipt_CLUSTERIP 6796 0
ipt_ecn 1507 0
ipt_ECN 1955 0
ipt_LOG 5845 9
ipt_MASQUERADE 2466 0
ipt_NETMAP 1832 0
ipt_REDIRECT 1840 0
ipt_REJECT 2351 4
ipt_ULOG 10765 0
nf_conntrack 79758 32 xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_conntrack_snmp,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_proto_udplite,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_broadcast,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda 2979 1 nf_nat_amanda
nf_conntrack_broadcast 1471 2 nf_conntrack_snmp,nf_conntrack_netbios_ns
nf_conntrack_ftp 12913 1 nf_nat_ftp
nf_conntrack_h323 67696 1 nf_nat_h323
nf_conntrack_ipv4 9506 16 iptable_nat,nf_nat
nf_conntrack_irc 5530 1 nf_nat_irc
nf_conntrack_netbios_ns 1323 0
nf_conntrack_netlink 17392 0
nf_conntrack_pptp 12166 1 nf_nat_pptp
nf_conntrack_proto_gre 7003 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 12482 0
nf_conntrack_proto_udplite 3348 0
nf_conntrack_sane 5716 0
nf_conntrack_snmp 1651 1 nf_nat_snmp_basic
nf_conntrack_tftp 4878 1 nf_nat_tftp
nf_defrag_ipv4 1483 2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6 11156 1 xt_TPROXY
nf_nat 22759 11 ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat
nf_nat_amanda 1277 0
nf_nat_ftp 3507 0
nf_nat_h323 8830 0
nf_nat_irc 1883 0
nf_nat_pptp 4653 0
nf_nat_proto_gre 3028 1 nf_nat_pptp
nf_nat_snmp_basic 8553 0
nf_nat_tftp 987 0
nf_tproxy_core 1332 1 xt_TPROXY,[permanent]
xt_AUDIT 3064 0
xt_CLASSIFY 1069 0
xt_comment 1034 9
xt_connlimit 3238 0
xt_connmark 1347 0
xt_CONNMARK 1507 0
xt_conntrack 2776 13
xt_dccp 2215 0
xt_dscp 1831 0
xt_DSCP 2279 0
xt_hashlimit 9685 0
xt_helper 1497 0
xt_iprange 2312 0
xt_length 1322 0
xt_limit 2118 0
xt_mac 1118 0
xt_mark 1057 0
xt_MARK 1057 1
xt_multiport 2700 2
xt_NFLOG 1195 0
xt_NFQUEUE 2213 0
xt_owner 1252 0
xt_physdev 1741 0
xt_pkttype 1194 0
xt_policy 2616 0
xt_realm 1060 0
xt_recent 7932 0
xt_set 4032 0
xt_state 1492 0
xt_statistic 1524 0
xt_tcpmss 1607 0
xt_time 2183 0
xt_TPROXY 9249 0
Shorewall has detected the following iptables/netfilter capabilities:
NAT (NAT_ENABLED): Available
Packet Mangling (MANGLE_ENABLED): Available
Multi-port Match (MULTIPORT): Available
Extended Multi-port Match (XMULIPORT): Available
Connection Tracking Match (CONNTRACK_MATCH): Available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Packet Type Match (USEPKTTYPE): Available
Policy Match (POLICY_MATCH): Available
Physdev Match (PHYSDEV_MATCH): Available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
Packet length Match (LENGTH_MATCH): Available
IP range Match(IPRANGE_MATCH): Available
Recent Match (RECENT_MATCH): Available
Owner Match (OWNER_MATCH): Available
Owner Name Match (OWNER_NAME_MATCH): Available
CONNMARK Target (CONNMARK): Available
Extended CONNMARK Target (XCONNMARK): Available
Connmark Match (CONNMARK_MATCH): Available
Extended Connmark Match (XCONNMARK_MATCH): Available
Raw Table (RAW_TABLE): Available
Rawpost Table (RAWPOST_TABLE): Not available
IPP2P Match (IPP2P_MATCH): Not available
CLASSIFY Target (CLASSIFY_TARGET): Available
Extended REJECT (ENHANCED_REJECT): Available
Repeat match (KLUDGEFREE): Available
MARK Target (MARK): Available
Extended MARK Target (XMARK): Available
Extended MARK Target 2 (EXMARK): Available
Mangle FORWARD Chain (MANGLE_FORWARD): Available
Comments (COMMENTS): Available
Address Type Match (ADDRTYPE): Available
TCPMSS Match (TCPMSS_MATCH): Available
Hashlimit Match (HASHLIMIT_MATCH): Available
NFQUEUE Target (NFQUEUE_TARGET): Available
Realm Match (REALM_MATCH): Available
Helper Match (HELPER_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Available
Time Match (TIME_MATCH): Available
Goto Support (GOTO_TARGET): Available
LOGMARK Target (LOGMARK_TARGET): Not available
IPMARK Target (IPMARK_TARGET): Not available
LOG Target (LOG_TARGET): Available
ULOG Target (ULOG_TARGET): Available
NFLOG Target (NFLOG_TARGET): Available
Persistent SNAT (PERSISTENT_SNAT): Available
TPROXY Target (TPROXY_TARGET): Available
FLOW Classifier (FLOW_FILTER): Available
fwmark route mask (FWMARK_RT_MASK): Available
Mark in any table (MARK_ANYWHERE): Available
Header Match (HEADER_MATCH): Not available
ACCOUNT Target (ACCOUNT_TARGET): Not available
AUDIT Target (AUDIT_TARGET): Available
ipset V5 (IPSET_V5): Not available
Condition Match (CONDITION_MATCH): Not available
Statistic Match (STATISTIC_MATCH): Available
IMQ Target (IMQ_TARGET): Not available
DSCP Match (DSCP_MATCH): Available
DSCP Target (DSCP_TARGET): Available
Geo IP match: Not available
iptables -S (IPTABLES_S): Available
Basic Filter (BASIC_FILTER): Available
CT Target (CT_TARGET): Not available
Traffic Control
Device eth0:
qdisc mq 0: root
Sent 1346296381 bytes 11623838 pkt (dropped 0, overlimits 0 requeues 7)
rate 0bit 0pps backlog 0b 0p requeues 7
class mq :1 root
Sent 842127610 bytes 5697988 pkt (dropped 0, overlimits 0 requeues 1)
backlog 0b 0p requeues 1
class mq :2 root
Sent 504168771 bytes 5925850 pkt (dropped 0, overlimits 0 requeues 6)
backlog 0b 0p requeues 6
Device tun3:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 38445759 bytes 443154 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
TC Filters
Device eth0:
Device tun3:
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users