On 20/06/2017 at 02:26, Tom Eastep wrote:
On 06/19/2017 04:48 PM, Ryan Joiner wrote:

On 6/19/2017 1:57 PM, Ian Jones wrote:
I am becoming more convinced that this is a nat issue, since I have
installed Asterisk on the firewall itself, and it seems to run
normally with no issues when restarting. The feedback from the
Asterisk peer support site was that: Asterisk is sending OPTIONs, but
the peer is not replying, or the request or replies are getting lost,
in the network. Possibly an automatic NAT or firewall rule has timed
out. There is no evidence of anything wrong with Asterisk.

Is there any way to specify the UDP connection timeout?

Regards

Ian


Ian,
I should have looked at your dump first. I see the helpers are still
loaded despite you telling them to not load. That could be because
something other than shorewall loaded them.

I know on CentOS it is rmmod "module", so rmmod nf_conntrack_sip. I'm
not so sure for Debian. Maybe it is:

modprobe -r nf_conntrack_sip
modprobe -r nf_nat_sip

Then see if the remote extensions magically reconnect.

Here are the problem requests:

udp      17 3596 src=192.168.71.8 dst=109.176.95.130 sport=5060
dport=5060 [UNREPLIED] src=109.176.95.130 dst=xx.xx.xx.xx sport=5060
dport=5060 mark=0 use=2

(that is a Masqueraded request from the local server to 109.176.95.130)

udp      17 2522 src=94.23.212.19 dst=xx.xx.xx.xx sport=5229 dport=5060
[UNREPLIED] src=192.168.71.8 dst=94.23.212.19 sport=5060 dport=5229
mark=0 use=2

(that is a DNATed request from 94.23.212.19 that is redirected to the
local server)

udp      17 1228 src=195.154.185.103 dst=xx.xx.xx.xx sport=5105
dport=5060 [UNREPLIED] src=192.168.71.8 dst=195.154.185.103 sport=5060
dport=5105 mark=0 use=2

(another DNATed request)

All that I can say is that these entries are consistent with the ruleset.

-Tom


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Curiouser and curiouser... There is no way to change the timeout values then?

Regards
Ian
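
Tom's reading of the three entries (one masqueraded, two DNATed, all unreplied) can be reproduced mechanically. The following is an added example, not part of the original thread: a small Python parser for conntrack lines in the format quoted above that compares the original and reply tuples to label each flow. The sample input is the thread's three entries re-joined onto single lines; the function and field names are this example's own.

```python
import re

# The three entries quoted in the thread, re-joined onto single lines.
SAMPLE = """\
udp      17 3596 src=192.168.71.8 dst=109.176.95.130 sport=5060 dport=5060 [UNREPLIED] src=109.176.95.130 dst=xx.xx.xx.xx sport=5060 dport=5060 mark=0 use=2
udp      17 2522 src=94.23.212.19 dst=xx.xx.xx.xx sport=5229 dport=5060 [UNREPLIED] src=192.168.71.8 dst=94.23.212.19 sport=5060 dport=5229 mark=0 use=2
udp      17 1228 src=195.154.185.103 dst=xx.xx.xx.xx sport=5105 dport=5060 [UNREPLIED] src=192.168.71.8 dst=195.154.185.103 sport=5060 dport=5105 mark=0 use=2
"""

# One address/port tuple; every entry carries two (original, then expected reply).
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
NAT_LABEL = {(False, False): "none", (True, False): "SNAT",
             (False, True): "DNAT", (True, True): "SNAT+DNAT"}


def parse_entry(line):
    """Parse one conntrack line; return None if it is not in the expected format."""
    head = line.split()
    tuples = TUPLE.findall(line)
    if len(head) < 3 or not head[2].isdigit() or len(tuples) != 2:
        return None
    orig, reply = tuples
    # Without NAT the reply tuple is the original tuple with both ends swapped.
    # Reply addressed to something other than the original source: source NAT
    # (masquerade is a form of SNAT).
    snat = (reply[1], reply[3]) != (orig[0], orig[2])
    # Reply expected from something other than the original destination: DNAT.
    dnat = (reply[0], reply[2]) != (orig[1], orig[3])
    return {"proto": head[0], "expires": int(head[2]),  # seconds until expiry
            "orig": orig, "reply": reply, "nat": NAT_LABEL[(snat, dnat)],
            "unreplied": "[UNREPLIED]" in line}


def parse_table(text):
    """Parse every recognisable line of a conntrack listing."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


if __name__ == "__main__":
    for e in parse_table(SAMPLE):
        o = e["orig"]
        state = "UNREPLIED" if e["unreplied"] else "replied"
        print(f'{e["proto"]} {o[0]}:{o[2]} -> {o[1]}:{o[3]} '
              f'nat={e["nat"]} {state} expires_in={e["expires"]}s')
```
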