At last! I know what the problem is!!! Turns out many firewalls are beginning to add source port randomization as a security measure... helps prevent host OS fingerprinting and other miscellaneous issues. I don't know how many of you heard about the DNS vulnerabilities discovered in the not so distant past, but one of the issues was the source port randomization of vulnerable DNS servers.
Anyhow, some firewalls (in my case pfsense and m0n0wall) randomize outbound ports which can screw with SIP. That is; if the source port for the REGISTER does not match the source port for the INVITE you may get an error 403. The solution in pfsense is here: http://doc.pfsense.org/index.php/Static_Port Basically you configure manual outbound NAT and specify the static port option. I had been looking in the wrong place (between my ears) and in the sipx configuration settings. Turns out it was just one level deeper in the packets... I hope I haven't annoyed all of you with my seemingly nonsensical rants, but I seriously hope this helps the next person that comes along to configure sipx behind some of these great open source firewalls. And for others, I'm sure source port randomization will visit you at some point so consider this a friendly reminder. Once I configured static ports and reset all my "troubleshooting" settings back to the settings outlined in the SIP trunking wiki page: http://sipx-wiki.calivia.com/index.php/SIP_Trunking_with_sipXecs:_Overview_a nd_Configuration outbound calls worked fine! Yay! Jonathan Ontra LLC www.ontraonline.com -----Original Message----- From: M. Ranganathan [mailto:[email protected]] Sent: Thursday, August 06, 2009 6:40 PM To: Jonathan Petersen Cc: [email protected]; [email protected] Subject: Re: [sipx-users] SIP Trunking woes... On Thu, Aug 6, 2009 at 8:17 PM, Jonathan Petersen<[email protected]> wrote: > Todd, > > > > I appreciate your response, and so quickly too. ;) > > > > I have successfully configured x-lite to work with the providers all of > them actually albeit I cannot test call transfers (maybe I should kick for > the full version). > > > > I have followed explicitly, over and over again for a week or more pretty > much non stop (changed firewalls, reinstalled, checked dns, etc) the SIP > Trunking wiki page not to mention scouring the internet for information, > engaging various people on the list (Thanks Ranga, Tony and others) > http://list.sipfoundry.org/archive/sipx-users/msg15966.html > > > > I see Voxitas is on the list but callcentric is too. Here is what their > support has to say about it. > > > > We have reviewed our logs, and from our side, while we are seeing outgoing > calls place under your account; it seems that the calls are failing due to a > Network Failure. Are you using your Sipx behind a NAT? We have had trouble > with this particular IP PBX, when used behind a NAT however on a public IP > it seems to be more reliable. > > > > Ill admit that Voxitas is the provider that I have spent the least amount > of time with but believe me that is a decent amount of time perhaps I am > really dense perhaps I am missing something really obvious perhaps I > cannot figure out how to transfer the settings that work in x-lite into the > sipx configuration??? But something is definitely not clicking and after > all the time Ive invested Im starting to think Im crazy Id be happy > to rebuild the entire test network up from scratch, provide all of the > configs, whatever it takes; but there has to be some very low level detail > that is screwing with me here??? > > > > Thanks, > > > > Jonathan > > > > Ontra LLC > > www.ontraonline.com > Not much can be concluded without a sipx-snapshot. Try the outbound call and send me a sipx-snapshot after making the settings in the "problem reporting" section of the "overview and configuration" Wiki page. I hope you applied the patch pointed to from that page. My _suspicion_ would be that you are bypassing sipxbridge altogether when making the outbound call ; however, I cannot be sure until you send me a trace with the oubound call that gives you trouble. Regards Ranga > ________________________________ _______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users sipXecs IP PBX -- http://www.sipfoundry.org/
