[VoIP] SIP/firewall problem - the saga
Greg Blakely
greg at vyger.net
Fri Nov 10 21:20:48 CST 2006
I hate SIP.
I don't know if this will help, but, when I do a "sip show peers," I get
some really odd ports for Dennis and for Jim:
voipgw*CLI> sip show peers
Name/username              Host            Dyn Nat ACL Port   Status
10/10                      (Unspecified)    D   N      0      Unmonitored
952.949.6767/952.949.6767  (Unspecified)    D   N      0      Unmonitored
2697/2697                  (Unspecified)    D          0      UNKNOWN
gblakely2/gblakely2        172.26.0.3       D   N      5060   OK (56 ms)
gblakely/gblakely          172.26.0.3       D   N      5060   OK (57 ms)
jday/jday                  69.37.44.178     D   N      60010  OK (109 ms)
dhock/dhock                68.61.110.28     D   N      61152  OK (75 ms)
iconnect/12345678          213.137.73.140       N      5060   Unmonitored
guest                      (Unspecified)        N      5060   Unmonitored
9 sip peers [8 online , 1 offline]
The first five entries above are for my own soft phones and for a Cisco
7940 telephone.
You can see that Jim is using port 60010, and Dennis' old connection
(which is still live) uses port 61152.
I'm not sure whether those odd numbers are on their end or on mine, but
(knock on wood) they appear to be working.
My asterisk box is NATted behind an IP-COP linux firewall. I have port
5060 forwarded to my asterisk box, but the RTP ports are just opened up
-- not forwarded anywhere.
And I'm starting to lose my mind, too. But that's a different story.
> -----Original Message-----
> From: voip-bounces at ckts.info [mailto:voip-bounces at ckts.info]
> On Behalf Of Chad Perkins
> Sent: Friday, November 10, 2006 8:59 PM
> To: Voice Over IP Tandem for Analog Switches
> Subject: [VoIP] SIP/firewall problem - the saga
>
> I hope someone can shed some light on a problem I'm having. I
> recently deployed a couple two line SIP ATAs (Sipura SPA-2002 &
> Linksys PAP2). They are en route to a couple Telephone Museum members
> (to whom I have assigned individual CNET numbers off the tandem here
> on Line 2 of the ATA). The ATAs went on the road with me Monday and
> were installed at a test site across town. They tested perfectly.
> Home free. Wrong.
>
> The test site (my work) has three broadband drops with three
> different firewall routers. After testing on one I relocated to my
> workbench, which has its own drop, verified basic connectivity, then
> I had to leave. After getting home Monday I find errors on the
> Asterisk console.
>
> NOTICE[98310]: chan_sip.c:7641 handle_request: Registration from
> '<sip:ATA2L2 at agstmexx700.homeip.net>' failed for '76.179.29.137'
>
> some time later (much longer than 30 seconds though, however
> Register_Expires: is set to 30 seconds in the ATAs):
> -- Registered SIP 'ATA2L2' at 76.179.29.137 port 5061 expires 30
>
> I have confirmed that registration is failing on the CNET lines from
> time to time (as far as Asterisk is concerned).
> AGSTMESEPS0*CLI> sip show peers
> ATA3L2         (Unspecified)  D N  255.255.255.255  0      Unmonitored
> ATA2L2/ATA2L2  (Unspecified)  D N  255.255.255.255  0      Unmonitored
> ATA1L2/ATA1L2  198.182.163.2  D N  255.255.255.255  32845  Unmonitored
>
> Line 1 is subscribed to Stanaphone on one and BroadVoice on the
> other; they appear to be fine. I didn't know but having two units
> connecting back to the same ip (for Asterisk) on the same port (5060)
> might be causing a conflict on the nat/router/firewall; so I moved
> one ATA to the third drop Tuesday (the first drop is not mine to play
> with).
>
> Tuesday night I get home and find the errors continue. I am starting
> to wonder if I am having port 5060 conflicts between the Line 1 and
> Line 2, so I set the port to 5061 in sip.conf and change Line 2
> (back) to 5061 in the ATAs Wednesday. Sip show peers as of Wednesday
> night follows.
>
> AGSTMESEPS0*CLI> sip show peers
> ATA3L2         (Unspecified)  D N  255.255.255.255  0      Unmonitored
> ATA2L2/ATA2L2  76.179.29.137  D N  255.255.255.255  5061   Unmonitored
> ATA1L2/ATA1L2  198.182.163.2  D N  255.255.255.255  32845  Unmonitored
> [snip]
>
> Problem continues. Thursday I discover things are broken in the
> audio path and calls are NOT connecting properly (even when
> registered)! I continue to think about NAT, etc. so I enable STUN.
> No dice; this had worked for my Grandstream a year or so ago.
>
> Today I routed one of the ATAs through a test ethernet switch in the
> lab that has 6 LEDs per port so I could see what was going on a
> little better. What I found out is that the audio path is one way
> (transmitting); it confirms that I hear nothing because there is
> nothing in the way of RTP making it to the ATA.
>
> Okay so I'm starting to lose my mind. I break down the test network
> and recable the ATA via the test switch to the Linksys router on
> Broadband 1. Presto bingo, switch lights up and I have two-way audio!
> I can't leave it there so I don't know whether the registration
> problem returns.
>
> So I know this is a Firewall/NAT problem of sorts. I am a little
> puzzled as to why I have this problem and how to fix it; the VoIP
> provider on Line 1 is always fine. One obvious difference is I am
> also NATed; they are not. I have UDP 5060-5063 and 10000-20000 port
> forwarded to Asterisk, but that doesn't totally eliminate the effects
> of NAT on SIP. I am confused.
>
> I am at a loss why it works on the Linksys but not on the Netgear (or
> the Smoothwall). I am really not looking forward to SIP debug and
> packet captures, though I am equipped. This end is Asterisk 1.0 via
> standard 3Mb Verizon ADSL and the Westell VersaLink 327W
> firewall/router/four port switch/wireless access point.
>
> Chad
> +1 955-9924
> (US EST)
>
>
> [ATA3L2]
> type=friend
> secret=PAP2
> callerid="Unassigned - L2" < 17007272>
> host=dynamic
> port=5061 ; Line 2 port 11-9-2006
> nat=yes ; behind a NAT router, 11-7-2006
> canreinvite=no
> disallow=all
> allow=alaw
> allow=ulaw
> context=cnet
> outgoinglimit=1
> ;incominglimit=1
> mailbox=7007272
>
>
>
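
Added example, not part of either message above: with nat=yes, Asterisk records the source address it saw the REGISTER arrive from instead of the address the phone wrote into Via and Contact, and high ports like 60010 or 32845 in a peer table are consistent with a far-end router's NAT port mapping. The Python sketch below makes that comparison on a constructed REGISTER; the function names, the peer name and every address in it are assumptions for illustration.

```python
import ipaddress
import re

# Constructed REGISTER as an ATA behind a NAT router might send it.
# Every address, name and tag below is made up for illustration.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5061;branch=z9hG4bK-constructed\r\n"
    "From: <sip:ATA-demo@pbx.example.net>;tag=1\r\n"
    "To: <sip:ATA-demo@pbx.example.net>\r\n"
    "Call-ID: constructed-1@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:ATA-demo@192.168.1.50:5061>;expires=30\r\n"
    "Content-Length: 0\r\n\r\n"
)

def _header(msg, name):
    """Return the first value of a header (case-insensitive), or None."""
    m = re.search(rf"^{name}\s*:\s*(.+?)\r?$", msg, re.I | re.M)
    return m.group(1) if m else None

def _hostport(text, default_port=5060):
    """Extract (host, port) from a Via sent-by or a Contact SIP URI."""
    pat = r"(?:sip:(?:[^@>]+@)?|SIP/2\.0/UDP\s+)([\w.\-]+)(?::(\d+))?"
    m = re.search(pat, text or "")
    if not m:
        raise ValueError("no host found in header")
    return m.group(1), int(m.group(2) or default_port)

def nat_report(msg, src_ip, src_port):
    """Compare what the phone says about itself with what the server saw."""
    via = _hostport(_header(msg, "Via"))
    contact = _hostport(_header(msg, "Contact"))
    seen = (src_ip, src_port)
    try:
        private = ipaddress.ip_address(contact[0]).is_private
    except ValueError:          # Contact holds a hostname, not an IP literal
        private = False
    return {
        "via": via,
        "contact": contact,
        "seen": seen,
        "behind_nat": via != seen or contact != seen,
        "contact_unroutable": private,
        # With nat=yes the server keeps the observed address, so the
        # peer table shows the router's mapped port, not the phone's.
        "reply_to": seen,
    }
```

The same mismatch applies to the RTP address in the SDP body, which is why forwarding the signalling port alone does not guarantee two-way audio.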