Here is a good INVITE I have from being behind a firewall The firewall has an IP of 75.X.X.158 The internal network the IP phone is on is 192.168.33.X The OpenSIPS server is 173.X.X.88
U 2010/12/07 16:12:14.459659 75.X.X.158:2048 -> 173.X.X.88:5060 INVITE sip:[email protected] <sip%[email protected]>;user=phone SIP/2.0. Via: SIP/2.0/UDP 192.168.33.23:2048;branch=z9hG4bK-9se1atq58cbk;rport. From: "Moo " <sip:[email protected] <sip%[email protected]>>;tag=tq7cj9lj3c. To: <sip:[email protected] <sip%[email protected]>;user=phone>. Call-ID: 3c28c61f517f-au6e4a6vh38t. CSeq: 1 INVITE. Max-Forwards: 70. Contact: <sip:[email protected]:2048;line=qtgpvpl1>;reg-id=1. X-Serialnumber: 0004132902C9. P-Key-Flags: resolution="31x13", keys="4". User-Agent: snom360/8.4.18. Accept: application/sdp. Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO, UPDATE. Allow-Events: talk, hold, refer, call-info. Supported: timer, 100rel, replaces, from-change. Session-Expires: 3600;refresher=uas. Min-SE: 90. Content-Type: application/sdp. Content-Length: 475. . v=0. o=root 217266021 217266021 IN IP4 192.168.33.23. s=call. c=IN IP4 192.168.33.23. t=0 0. m=audio 60836 RTP/AVP 0 8 9 99 3 18 4 101. a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:KDdT1DXlQP7n5ulSDPGv9aOWWmKQzMwlqqpUI8Zc. a=rtpmap:0 pcmu/8000. a=rtpmap:8 pcma/8000. a=rtpmap:9 g722/8000. a=rtpmap:99 g726-32/8000. a=rtpmap:3 gsm/8000. a=rtpmap:18 g729/8000. a=fmtp:18 annexb=no. a=rtpmap:4 g723/8000. a=rtpmap:101 telephone-event/8000. a=fmtp:101 0-16. a=ptime:20. a=sendrecv. # U 2010/12/07 16:12:14.459991 173.X.X.88:5060 -> 75.X.X.158:2048 SIP/2.0 407 Proxy Authentication Required. Via: SIP/2.0/UDP 192.168.33.23:2048 ;branch=z9hG4bK-9se1atq58cbk;rport=2048;received=75.X.X.158. From: "Moo " <sip:[email protected] <sip%[email protected]> >;tag=tq7cj9lj3c. To: <sip:[email protected] <sip%[email protected]> ;user=phone>;tag=c97b4d1cb1f3d0da549e06a8d482ef63.9234. Call-ID: 3c28c61f517f-au6e4a6vh38t. CSeq: 1 INVITE. Proxy-Authenticate: Digest realm="irock.com", nonce="4cfeb15c93b5eb253383911370bef215dfed2212", qop="auth". Server: OpenSIPS (1.6.3-notls (x86_64/linux)). Content-Length: 0. When you don't have NAT enabled on the phone are you still seeing the "407 Authentication Required" message being sent to the firewall and getting blocked? Just trying to see if the 407 message is not actually being sent to a private IP which won't work. I am only guessing it is getting sent to the Firewall when NAT is disabled on the phone because you show "nat.ip:2260" in your output. On Tue, Dec 7, 2010 at 3:14 PM, James Lamanna <[email protected]> wrote: > On Tue, Dec 7, 2010 at 11:42 AM, Duane Larson <[email protected]> > wrote: > > From your original post before you set up nat enable on the Cisco phone > > OpenSIPS was replying back on the 2260 port > > > > U nat.ip:2260 -> opensips.ip:5060 > > REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP > > > > # > > U opensips.ip:5060 -> nat.ip:2260 > > SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP > > > > So right there without configuring NatEnable on the Cisco phone OpenSIPS > is > > sending back to the original port that the Cisco phone used correct? > > Yes, that is correct. > That is with nat_enable : 0. > > -- James > > > > > > > On Tue, Dec 7, 2010 at 1:34 PM, James Lamanna <[email protected]> > wrote: > >> > >> On Tue, Dec 7, 2010 at 9:32 AM, Duane Larson <[email protected]> > >> wrote: > >> > From your SIP message > >> > > >> > U nat.ip:2370 -> opensips.ip:5060 REGISTER sip:opensips.ip > >> > SIP/2.0..Via: SIP/2.0/UDP nat.ip:8427;branch=z9hG4bK79682dfb.. > >> > From: <sip:[email protected];user=phone>..To: > >> > <sip:[email protected];user=phone>..Call-ID: > >> > [email protected]: Mon, 06 Dec 2010 > >> > 21:28:11 GMT..CSeq: 200 REGISTER..User-Agent > >> > : CSCO/7..Contact: <sip:[email protected]:8427>..Content-Length: > >> > 0..Expires: 45.... > >> > > >> > In the VIA header I believe your phone is saying "Talk to me over > >> > nat.ip:8427" > >> > > >> > You might want to set up logging on your PIX/ASA firewall to see whats > >> > getting blocked, but from the way you've explained the issue it > doesn't > >> > sound like an OpenSIPS issue. Sounds like a firewall issue or Cisco > >> > phone > >> > issue. > >> > >> Logging on the PIX definitely sees packets coming back 8427, which > >> since they aren't part of an established connection get dropped. > >> Maybe going to opensips these phones need sip fixup on, though going > >> directly to Asterisk, they have been working with sip fixup off... > >> > >> -- James > >> > >> > >> > > >> > On Tue, Dec 7, 2010 at 10:22 AM, James Lamanna <[email protected]> > >> > wrote: > >> >> > >> >> Hi Bogdan, > >> >> I guess I'm confused as to why you say its being transmitted back to > >> >> the same IP:Port: > >> >> > >> >> U nat.ip:2370 -> opensips.ip:5060 > >> >> U opensips.ip:5060 -> nat.ip:8427 > >> >> > >> >> Shouldn't it be going back to port 2370? And not 8427? > >> >> > >> >> -- James > >> >> > >> >> On Tue, Dec 7, 2010 at 2:43 AM, Bogdan-Andrei Iancu > >> >> <[email protected]> wrote: > >> >> > Hi James, > >> >> > > >> >> > From proxy point of view, everything looks ok - I see the reply > sent > >> >> > back to > >> >> > the exact IP:port where the request came from....So the reply > should > >> >> > make it > >> >> > through the NAT...But it seams it doesn't as the phone keeps > >> >> > retransmitting > >> >> > the REGISTER.. > >> >> > > >> >> > Again, from NAT pov, opensips is doing the right stuff (doing > >> >> > symmetric > >> >> > signalling) - there is nothing more you can do here for > >> >> > opensips..Maybe > >> >> > it > >> >> > is something specific to the NAT device - any possibility to > >> >> > debug/trace > >> >> > on > >> >> > it ? > >> >> > > >> >> > Regards, > >> >> > Bogdan > >> >> > > >> >> > James Lamanna wrote: > >> >> >> > >> >> >> Hi, > >> >> >> I was wondering if anyone had any experience getting a Cisco 7960 > >> >> >> phone to register to opensips when the phone is behind a PIX > >> >> >> firewall. > >> >> >> I'm having a hell of a time getting it to register. > >> >> >> I see these messages: > >> >> >> > >> >> >> U nat.ip:2260 -> opensips.ip:5060 > >> >> >> REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP > >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: < > >> >> >> sip:[email protected];user=phone>..To: > >> >> >> <sip:[email protected];user=phone>..Call-ID: 0003 > >> >> >> [email protected]: Mon, 06 Dec > 2010 > >> >> >> 18:10:49 GMT..CSeq: 107 REGISTER > >> >> >> ..User-Agent: CSCO/7..Contact: > >> >> >> <sip:[email protected]:5060>..Content-Length: 0..Expires: > 45.... > >> >> >> # > >> >> >> U opensips.ip:5060 -> nat.ip:2260 > >> >> >> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP > >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv > >> >> >> ed=208.90.184.123..From: > >> >> >> <sip:[email protected];user=phone>..To: > >> >> >> <sip:[email protected]; > >> >> >> user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID: > >> >> >> 00036be7-b0aa0007-46220771-115f4fcc@ > >> >> >> 10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest > >> >> >> realm="asterisk", nonce="4cfd27fe0000780d7 > >> >> >> 1826527370e7c8b97f663425df75489"..Server: OpenSIPS (1.6.3-notls > >> >> >> (x86_64/linux))..Content-Length: 0.. > >> >> >> .. > >> >> >> # > >> >> >> U nat.ip:2260 -> opensips.ip:5060 > >> >> >> REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP > >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: < > >> >> >> sip:[email protected];user=phone>..To: > >> >> >> <sip:[email protected];user=phone>..Call-ID: 0003 > >> >> >> [email protected]: Mon, 06 Dec > 2010 > >> >> >> 18:10:49 GMT..CSeq: 107 REGISTER > >> >> >> ..User-Agent: CSCO/7..Contact: > >> >> >> <sip:[email protected]:5060>..Content-Length: 0..Expires: > 45.... > >> >> >> # > >> >> >> U opensips.ip:5060 -> nat.ip:2260 > >> >> >> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP > >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv > >> >> >> ed=208.90.184.123..From: <sip:[email protected] > ;user=phone>..To: > >> >> >> <sip:[email protected]; > >> >> >> user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID: > >> >> >> 00036be7-b0aa0007-46220771-115f4fcc@ > >> >> >> 10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest > >> >> >> realm="asterisk", nonce="4cfd28000000780e5 > >> >> >> c3381d838a044479357aa6c660df432"..Server: OpenSIPS (1.6.3-notls > >> >> >> (x86_64/linux))..Content-Length: 0.. > >> >> >> > >> >> >> This suggests the 401 response is not making it back to the > >> >> >> phone....but I'm not sure why the PIX would be blocking it. > >> >> >> All sip fixup is off. > >> >> >> > >> >> >> Any configuration suggestions would be much appreciated. > >> >> >> The phone has: > >> >> >> nat_enable: 0 > >> >> >> nat_received_processing: 0 > >> >> >> > >> >> >> That was the only way I could get opensips to send the responses > >> >> >> back > >> >> >> to the correct port. > >> >> >> > >> >> >> Thanks. > >> >> >> > >> >> >> -- James > >> >> >> > >> >> >> _______________________________________________ > >> >> >> Users mailing list > >> >> >> [email protected] > >> >> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users > >> >> >> > >> >> >> > >> >> > > >> >> > > >> >> > -- > >> >> > Bogdan-Andrei Iancu > >> >> > OpenSIPS Bootcamp > >> >> > 15 - 19 November 2010, Edison, New Jersey, USA > >> >> > www.voice-system.ro > >> >> > > >> >> > > >> >> > _______________________________________________ > >> >> > Users mailing list > >> >> > [email protected] > >> >> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > >> >> > > >> >> > >> >> _______________________________________________ > >> >> Users mailing list > >> >> [email protected] > >> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users > >> > > >> > > >> > > >> > -- > >> > -- > >> > *--*--*--*--*--* > >> > Duane > >> > *--*--*--*--*--* > >> > -- > >> > > >> > _______________________________________________ > >> > Users mailing list > >> > [email protected] > >> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > >> > > >> > > >> > >> _______________________________________________ > >> Users mailing list > >> [email protected] > >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > > > > > > -- > > -- > > *--*--*--*--*--* > > Duane > > *--*--*--*--*--* > > -- > > > > _______________________________________________ > > Users mailing list > > [email protected] > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > > > > _______________________________________________ > Users mailing list > [email protected] > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > -- -- *--*--*--*--*--* Duane *--*--*--*--*--* --
_______________________________________________ Users mailing list [email protected] http://lists.opensips.org/cgi-bin/mailman/listinfo/users
