I'll cross check the IP route between sites. Btw, do we need to disable
iptables (selinux disabled by default)? With 4.01 troubleshooting I'm
rather confused if it's required to be on or off in 3.10.3.
Do you think/foresee any issues with my DNS configuration, i.e. listing
SRV and NAPTR records for all sites in each server:
quoting from earlier e-mail:
---------------------------
- In each site's Sipx DNS, the /var/named/company.com zone file
configured to contain each Site's A, SRV and NAPTR after local site;
This zone configuration approach followed in each site's DNS server.
After connecting all sites (2-way) via VPN, I can confirm the SRV
resolution as well as verify the A record and node with tracert

[r...@site1]# tracert site1.company.com
traceroute to site1.company.com (192.168.5.2), 30 hops max, 40 byte packets
 1 192.168.5.2 (192.168.5.2) 82.247 ms 84.355 ms 85.791 ms   <-- (1 hop connectivity to other sites with VPN)

[r...@site1]# nslookup -type=SRV _sip._udp.site2.company.com
Server: 127.0.0.1
Address: 127.0.0.1#53
_sip._udp.site2.company.com service = 1 0 5060 site2.company.com.   <-- (SRV resolves OK alongside A record)

As for the DNS configuration, following gives an idea of current config
which I've been using since day 1 of the installation;

Site1: /var/named/company.com.zone

$TTL 1D
@ IN SOA ns1.company.com. root.company.com. (
        200602132 ; serial#
        3600 ; refresh, seconds
        3600 ; retry, seconds
        3600 ; expire, seconds
        3600 ) ; minimum TTL, seconds
        NS ns1.company.com. ; Inet Address of nameserver
company.com. MX 10 mail ; Primary Mail Exchanger
ns1 CNAME site1

; SITE1 A, SRV, NAPTR records:
site1.company.com. IN A 192.168.1.2
; site1.company.com. IN A 203.0.0.1 ; Public IP commented for VPN tests.
site1.company.com. IN NAPTR 2 0 "s" "SIP+D2T" "" _sip._tcp.site1.company.com.
site1.company.com. IN NAPTR 2 0 "s" "SIP+D2U" "" _sip._udp.site1.company.com.
_sip._tcp.site1.company.com. IN SRV 1 0 5060 site1.company.com.
_sip._udp.site1.company.com. IN SRV 1 0 5060 site1.company.com.

; SITE2 A, SRV, NAPTR records:
site2.company.com. IN A 192.168.2.2 ; using its LAN IP as all SITEs are connected with VPN(PPTP)
; site2.company.com. IN A 203.0.0.2 ; Public IP commented for VPN tests.
site2.company.com. IN NAPTR 2 0 "s" "SIP+D2T" "" _sip._tcp.site2.company.com.
site2.company.com. IN NAPTR 2 0 "s" "SIP+D2U" "" _sip._udp.site2.company.com.
_sip._tcp.site2.company.com. IN SRV 1 0 5060 site2.company.com.
_sip._udp.site2.company.com. IN SRV 1 0 5060 site2.company.com.

; SITE3 A, SRV, NAPTR records:
site3.company.com. IN A 192.168.3.2 ; using its LAN IP as all SITEs are connected with VPN(PPTP)
; site3.company.com. IN A 203.0.0.3 ; Public IP commented for VPN tests.
site3.company.com. IN NAPTR 2 0 "s" "SIP+D2T" "" _sip._tcp.site3.company.com.
site3.company.com. IN NAPTR 2 0 "s" "SIP+D2U" "" _sip._udp.site3.company.com.
_sip._tcp.site3.company.com. IN SRV 1 0 5060 site3.company.com.
_sip._udp.site3.company.com. IN SRV 1 0 5060 site3.company.com.

Tony Graziano wrote:
Then I would check my routing between two of the servers (both
directions) to ensure it is taking a private path.
After that set a proxy to debug, and tail the proxy log
(tail -f /var/log/sipxpbx/sipXproxy.log)
to see what it is complaining about. I don't think there should be any
permissions necessary or set on the dialplan though.
>>> Cuneyt M 07/09/09 5:07 PM >>>
Hi Tony,
Thank you for the super fast response. It seems I've ignored that
section assuming it's all about SBC config.
I have now updated all servers' intranet domain to be *.company.com
so site1,2,3,4 should be included (?)
and also added each LAN IP to intranet subnets in all systems;
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
and then submit successfully, went through the dial plan activation
screen and restarted.
However, when I try to dial from one site (192.168.4.2 sipx to
192.168.1.2 sipx) to another with the valid dialplan, I still get
Proxy Authentication Failed response.
Did check permissions, dialplan, gateways and subnets one more time
but all looks in order.
Any idea what might be standing in the way?
Thank you in advance!
Tony Graziano wrote:
In 3.10.3 after adding the gateway and dial plan you must add the
remote subnet via "System>Internet Calling>Intranet Subnets" of all
sites interconnected (at each system). Authentication issues will
ensue if you do not do this.
>>> "Tony Graziano" <[email protected]> 07/09/09 4:22 PM >>>
You must add each site to the intranet list of every connected site
or calls will fail.
-----Original Message-----
From: Cuneyt M <[email protected]>
To: <[email protected]>
To: <[email protected]>
Sent: 7/9/2009 4:18:39 PM
Subject: [sipx-users] Connecting Multiple SipX PBX Sites on 3.10.3
Dear All,
I am still using 3.10.3, as my previous attempts to upgrade to 4.01
failed and had to leave that aside as I didn't have more down time to
try updated Wiki page for 3.10.x to 4.0.1 yum update - yet.
The current issue on 3.10.3 briefly(!) when all sites are VPNed and I
-create a gateway for of the other- in each site, along with the
dial-plan and publish (checked user's permission etc.), I receive Call
Failed: Proxy Authentication Required in Xlite 3.0 (with latest updates)
when I register with Xlite at any of the site (or outside with STUN) and
use its dial-plan to call the other. It fails with Proxy Authentication
Required.
As far as I know, there is no setting to loosen sipx 3.10.3 proxy
authentication rule from webconfig and I assumed configuring each site
as gateway of other should work but it doesn't for some reason. (I
followed the wiki page on connecting 2 sites with sipx and custom dial
plan page)
I am not really good with the log parsing and using sipViewer (no X
installed on boxes and wanna keep it that way for now) and I believe the
issue is not a bug but rather a configuration issue as I read people
with success stories on same build.
I do hope the following info. would give you the required background on
the configuration:
There is one aspect of the installation/configuration which I am not
quite safe about; (which gets screwed further in my attempts to upgrade
4.01 but that's another story):
- There are 4 different Sipx sites, all behind the router/NAT, running
on CentOS 5 (installed from ISO 3.8 and yum updated all the way to
3.10.3) and these machines also function as internal DNS, DHCP to the
site's LAN. I have installed PPTPD and PPTP for Windows VPN users as
well as to connect all 4 sites between themselves to overcome NAT issues
while connecting each site's PBX to each other (didn't have budget for
SBC or external box).
- Each site's domain name were given as sub-domains of the main
company.com domain;
  site1.company.com - PublicStaticIP<-ROUTER(NAT) with ports 5060,5061 forwarded to <- SipX IP 192.168.1.2
    Extension Pool 200-499
  site2.company.com - PublicStaticIP<-ROUTER(NAT) with ports 5060,5061 forwarded to <- SipX IP 192.168.2.2
    Extension Pool 500-599
  site3.company.com - PublicStaticIP<-ROUTER(NAT) with ports 5060,5061 forwarded to <- SipX IP 192.168.3.2
    Extension Pool 600-699
  site4.company.com - PublicStaticIP<-ROUTER(NAT) with ports 5060,5061 forwarded to <- SipX IP 192.168.4.2
    Extension Pool 700-799
- In each site's Sipx DNS, the /var/named/company.com zone file
configured to contain each Site's A, SRV and NAPTR after local site;
This zone configuration approach followed in each site's DNS server.
After connecting all sites (2-way) via VPN, I can confirm the SRV
resolution as well as verify the A record and node with tracert

[r...@site1]# tracert site1.company.com
traceroute to site1.company.com (192.168.5.2), 30 hops max, 40 byte packets
 1 192.168.5.2 (192.168.5.2) 82.247 ms 84.355 ms 85.791 ms   <-- (1 hop connectivity to other sites with VPN)

[r...@site1]# nslookup -type=SRV _sip._udp.site2.company.com
Server: 127.0.0.1
Address: 127.0.0.1#53
_sip._udp.site2.company.com service = 1 0 5060 site2.company.com.   <-- (SRV resolves OK alongside A record)

As for the DNS configuration, following gives an idea of current config
which I've been using since day 1 of the installation;

Site1: /var/named/company.com.zone

$TTL 1D
@ IN SOA ns1.company.com. root.company.com. (
        200602132 ; serial#
        3600 ; refresh, seconds
        3600 ; retry, seconds
        3600 ; expire, seconds
        3600 ) ; minimum TTL, seconds
        NS ns1.company.com. ; Inet Address of nameserver
company.com. MX 10 mail ; Primary Mail Exchanger
ns1 CNAME site1

; SITE1 A, SRV, NAPTR records:
site1.company.com. IN A 192.168.1.2
; site1.company.com. IN A 203.0.0.1 ; Public IP commented for VPN tests.
site1.company.com. IN NAPTR 2 0 "s" "SIP+D2T" "" _sip._tcp.site1.company.com.
site1.company.com. IN NAPTR 2 0 "s" "SIP+D2U" "" _sip._udp.site1.company.com.
_sip._tcp.site1.company.com. IN SRV 1 0 5060 site1.company.com.
_sip._udp.site1.company.com. IN SRV 1 0 5060 site1.company.com.

; SITE2 A, SRV, NAPTR records:
site2.company.com. IN A 192.168.2.2 ; using its LAN IP as all SITEs are connected with VPN(PPTP)
; site2.company.com. IN A 203.0.0.2 ; Public IP commented for VPN tests.
site2.company.com. IN NAPTR 2 0 "s" "SIP+D2T" "" _sip._tcp.site2.company.com.
site2.company.com. IN NAPTR 2 0 "s" "SIP+D2U" "" _sip._udp.site2.company.com.
_sip._tcp.site2.company.com. IN SRV 1 0 5060 site2.company.com.
_sip._udp.site2.company.com. IN SRV 1 0 5060 site2.company.com.

; SITE3 A, SRV, NAPTR records:
site3.company.com. IN A 192.168.3.2 ; using its LAN IP as all SITEs are connected with VPN(PPTP)
; site3.company.com. IN A 203.0.0.3 ; Public IP commented for VPN tests.
site3.company.com. IN NAPTR 2 0 "s" "SIP+D2T" "" _sip._tcp.site3.company.com.
site3.company.com. IN NAPTR 2 0 "s" "SIP+D2U" "" _sip._udp.site3.company.com.
_sip._tcp.site3.company.com. IN SRV 1 0 5060 site3.company.com.
_sip._udp.site3.company.com. IN SRV 1 0 5060 site3.company.com.

It would be highly appreciated if anyone can shed some light on the
issue, interconnecting multiple sites - where all sites VPNed with PPTP
- with above configuration and gateways,dialplans in place as per the
wiki pages - what might be causing Proxy Authentication Failure and
whether there is any solution by optimizing the config accordingly.
All the best!
_______________________________________________
sipx-users mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
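
An added example, not part of the original thread and not sipXecs code: a Python check that walks the NAPTR -> SRV -> A chain for each site in a zone like the one posted above and flags any resolved address that falls outside the Intranet Subnets list described in the replies. The sample zone is constructed (site1 as posted, site2 with the commented-out public address, site3 with its SRV missing) and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in one-line form. site1 is as posted in the thread; site2 uses
# the public address the thread comments out; site3 lacks its SRV (failure cases).
ZONE = """\
site1.company.com. IN A 192.168.1.2
site1.company.com. IN NAPTR 2 0 "s" "SIP+D2T" "" _sip._tcp.site1.company.com.
site1.company.com. IN NAPTR 2 0 "s" "SIP+D2U" "" _sip._udp.site1.company.com.
_sip._tcp.site1.company.com. IN SRV 1 0 5060 site1.company.com.
_sip._udp.site1.company.com. IN SRV 1 0 5060 site1.company.com.
site2.company.com. IN A 203.0.0.2
site2.company.com. IN NAPTR 2 0 "s" "SIP+D2U" "" _sip._udp.site2.company.com.
_sip._udp.site2.company.com. IN SRV 1 0 5060 site2.company.com.
site3.company.com. IN NAPTR 2 0 "s" "SIP+D2T" "" _sip._tcp.site3.company.com.
"""
INTRANET = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]

def parse_zone(text):
    """Index fully-qualified one-line records as {(owner, type): [rdata fields]}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        m = re.match(r"(\S+)\s+IN\s+(A|SRV|NAPTR)\s+(.+)", line)
        if m:
            owner, rtype, rdata = m.groups()
            records.setdefault((owner.lower(), rtype), []).append(rdata.split())
    return records

def check_site(records, site, intranet):
    """Follow NAPTR -> SRV -> A for one site and return a list of problems."""
    nets = [ipaddress.ip_network(n) for n in intranet]
    problems = []
    naptrs = records.get((site, "NAPTR"), [])
    if not naptrs:
        problems.append(f"{site}: no NAPTR record")
    for rdata in naptrs:
        srv_name = rdata[-1].lower()  # NAPTR replacement field
        srvs = records.get((srv_name, "SRV"), [])
        if not srvs:
            problems.append(f"{srv_name}: NAPTR target has no SRV record")
        for _prio, _weight, _port, target in srvs:
            addrs = records.get((target.lower(), "A"), [])
            if not addrs:
                problems.append(f"{target}: SRV target has no A record")
            for (addr,) in addrs:
                if not any(ipaddress.ip_address(addr) in n for n in nets):
                    problems.append(f"{target} -> {addr}: outside intranet subnets")
    return problems
```

Call `check_site(parse_zone(ZONE), "site2.company.com.", INTRANET)` for each site name, with the trailing dot; an empty list means the chain resolves to an address inside the listed subnets.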