Hello,
We see an intermittent issue in our on-premises deployments with Kamailio behind
HAProxy. After several hours of idle time, some mobile clients cannot receive
inbound calls, although they remain registered and can place outbound calls.
Topology:
Mobile Client → Internet → Customer Firewall → HAProxy → Kamailio
Transport is SIP over TLS. HAProxy works in TCP mode and terminates nothing. It
forwards TLS to Kamailio.
Client behavior
• REGISTER with Expires 600 seconds
• Re-register every 7 minutes
• TLS connection from client to HAProxy stays up
• Outbound calls from client work
• During the failure window, client continues to send REGISTER and receives 200 OK
Failure scenario
• Several devices placed idle overnight
• In the morning, some cannot receive inbound calls
• Kamailio tries to send INVITE to the contact
• Kamailio opens a new TCP connection to HAProxy IP and an ephemeral port
• HAProxy responds with RST
Example log from Kamailio:
    INFO: request_route: method [INVITE] from [sip:[email protected]] to [sip:[email protected]]
    ERROR: tcpconn_1st_send(): connect 10.233.124.50:40398 failed (RST) Connection refused
    ERROR: tcpconn_1st_send(): 10.233.124.50:40398: connect & send failed
    WARNING: t_send_branch(): sending request on branch 0 failed
PCAP confirms:
• Kamailio sends SYN to 10.233.124.50:40398
• HAProxy replies RST, ACK
Important observations
1. usrloc contact host and port match the peer address seen in tls.list (src_ip + src_port).
2. At the time of failure, the client is still able to send REGISTER and get 200 OK.
3. If the same client initiates a call, the call is established successfully.
It looks like Kamailio sometimes fails to match the stored contact to an
existing TLS connection and attempts to open a new TCP connection to the
Contact host:port.
In our case, Contact host resolves to HAProxy IP and port.
Questions
1. Under which conditions does Kamailio decide to open a new TCP connection to the Contact instead of reusing an existing TLS connection?
2. If connection ID lookup fails, is fallback to active connect the expected behavior?
Environment
• Kamailio versions: 5.8.5, 6.0.5 (reproduced on both)
• HAProxy: TCP mode, no TLS termination
• Clients use TLS only, no UDP
Kamailio relevant configuration:
    tcp_connection_lifetime=605
    modparam("registrar", "max_expires", 600)
    modparam("registrar", "use_path", 1)
    modparam("usrloc", "handle_lost_tcp", 1)
    modparam("usrloc", "close_expired_tcp", 1)
HAProxy configuration:
    frontend client-kamailio-sip
        mode tcp
        option tcpka
        timeout client 600
        default_backend server-kamailio-sip
    backend server-kamailio-sip from haproxytech
        mode tcp
        option tcpka
        timeout connect 30s
        timeout server 600s
        timeout tunnel 600s
Any guidance on correct architectural pattern or configuration for SIP TLS
behind HAProxy would be appreciated.
Thank you.
Joey.
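
Added example (not part of the original post and not Kamailio project code): a Python script that counts the tcpconn_1st_send connect failures quoted above per destination and checks each destination against the peers reported by tls.list, to separate "a TLS connection to that peer exists but was not reused" from "the contact points at a connection that is gone". The extra log lines, the peer set, the label names and the ephemeral port range (Linux default 32768-60999) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the connect-failure line format quoted in the post.
CONNECT_FAIL = re.compile(
    r"tcpconn_1st_send\(\): connect (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"failed \((?P<reason>[^)]+)\)"
)
# Assumption: Linux default net.ipv4.ip_local_port_range on the HAProxy host.
EPHEMERAL = range(32768, 61000)

# Constructed sample: the first two lines follow the post, the rest are invented.
SAMPLE_LOG = [
    "ERROR: tcpconn_1st_send(): connect 10.233.124.50:40398 failed (RST) Connection refused",
    "ERROR: tcpconn_1st_send(): 10.233.124.50:40398: connect & send failed",
    "ERROR: tcpconn_1st_send(): connect 10.233.124.50:40398 failed (RST) Connection refused",
    "ERROR: tcpconn_1st_send(): connect 10.233.124.50:51022 failed (RST) Connection refused",
    "ERROR: tcpconn_1st_send(): connect 192.0.2.10:5061 failed (RST) Connection refused",
]
# Constructed: (src_ip, src_port) pairs as read from tls.list at failure time.
SAMPLE_PEERS = {("10.233.124.50", 40398)}

def failed_connects(lines):
    """Count failed active connects per (ip, port, reason)."""
    hits = Counter()
    for line in lines:
        m = CONNECT_FAIL.search(line)
        if m:
            hits[(m["ip"], int(m["port"]), m["reason"])] += 1
    return hits

def classify(hits, live_peers):
    """Label each failed destination against the live TLS peer set."""
    report = []
    for (ip, port, reason), count in sorted(hits.items()):
        if (ip, port) in live_peers:
            label = "live-connection-not-reused"   # the case described in the post
        elif port in EPHEMERAL:
            label = "stale-ephemeral-contact"      # no matching connection any more
        else:
            label = "listener-unreachable"         # well-known port refused
        report.append({"dst": f"{ip}:{port}", "reason": reason,
                       "count": count, "label": label})
    return report

if __name__ == "__main__":
    for row in classify(failed_connects(SAMPLE_LOG), SAMPLE_PEERS):
        print(row)
```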