[VoIP] SIP/firewall problem - the saga
Chad Perkins
chad at maine.maine.edu
Sat Nov 11 11:33:58 CST 2006
> I hate SIP.
> I don't know if this will help, but, when I do a "sip show peers," I
> get some really odd ports for Dennis and for Jim:
>
> voipgw*CLI> sip show peers
> Name/username              Host            Dyn Nat ACL Port   Status
> 10/10                      (Unspecified)   D   N       0      Unmonitored
> 952.949.6767/952.949.6767  (Unspecified)   D   N       0      Unmonitored
> 2697/2697                  (Unspecified)   D           0      UNKNOWN
> gblakely2/gblakely2        172.26.0.3      D   N       5060   OK (56 ms)
> gblakely/gblakely          172.26.0.3      D   N       5060   OK (57 ms)
> jday/jday                  69.37.44.178    D   N       60010  OK (109 ms)
> dhock/dhock                68.61.110.28    D   N       61152  OK (75 ms)
> iconnect/12345678          213.137.73.140      N       5060   Unmonitored
> guest                      (Unspecified)       N       5060   Unmonitored
> 9 sip peers [8 online , 1 offline]
>
> The first five entries above are for my own soft phones and for a
> Cisco 7940 telephone.
> You can see that Jim is using port 60010, and Dennis' old connection
> (which is still live) uses port 61152.
> I'm not sure whether those odd numbers are on their end or on mine,
> but (knock on wood) they appear to be working.
From what I can tell, those port numbers are the NA(P)T port numbers assigned to
the connection by their router/firewall on egress during "registration"; so that is the
port number Asterisk sees them coming FROM (in other words their src port - dst
port should still be 5060).
69.37.44.178:60010 ---> 209.98.47.194:5060
This behavior varies by vendor/model as there are 4 "types" of NAT. High/odd port
numbers *do* signify NAT; however, the absence of a high port number does *not*
signify the absence of NAT (as some types of NAT don't play that game).
This totally raises hell with SIP, H.323, RTP, etc. This is where the STUN protocol
comes in handy, as STUN can figure out if, and which type of, NAT is present and
pass that information to a UDP application (i.e. SIP/RTP).
> My asterisk box is NATted behind an IP-COP linux firewall. I have
> port 5060 forwarded to my asterisk box, but the RTP ports are just
> opened up -- not forwarded anywhere.
I'm confused as to how the RTP knows where to go if not forwarded. Is Asterisk on
an "Orange" DMZ port? At least IP-Cop should have some logs that help with this
sort of thing. Too many COTS firewall/routers have zippo. :(
> And I'm starting to lose my mind, too. But that's a different story.
Ah, as one gets older there are so many good reasons!
> > -----Original Message-----
> > From: voip-bounces at ckts.info [mailto:voip-bounces at ckts.info] On Behalf Of
> > Chad Perkins
> > Sent: Friday, November 10, 2006 8:59 PM
> > To: Voice Over IP Tandem for Analog Switches
> > Subject: [VoIP] SIP/firewall problem - the saga
> >
> > I hope someone can shed some light on a problem I'm having. I recently
> > deployed a couple two-line SIP ATAs (Sipura SPA-2002 & Linksys PAP2). They are
> > en route to a couple Telephone Museum members (to whom I have assigned
> > individual CNET numbers off the tandem here on Line 2 of the ATA). The ATAs
> > went on the road with me Monday and installed at a test site across town. They
> > tested perfectly. Home free. Wrong.
> >
> > The test site (my work) has three broadband drops with three different
> > firewall routers. After testing on one I relocated to my workbench, which has
> > its own drop, verified basic connectivity, then I had to leave. After getting
> > home Monday I find errors on the Asterisk console.
> >
> > NOTICE[98310]: chan_sip.c:7641 handle_request: Registration from
> > '<sip:ATA2L2 at agstmexx700.homeip.net>' failed for '76.179.29.137'
> >
> > some time later (much longer than 30 seconds though, however
> > Register_Expires: is set to 30 seconds in the ATAs):
> > -- Registered SIP 'ATA2L2' at 76.179.29.137 port 5061 expires 30
> >
> > I have confirmed that registration is failing on the CNET lines from time
> > to time (as far as Asterisk is concerned).
> > AGSTMESEPS0*CLI> sip show peers
> > ATA3L2           (Unspecified)   D N 255.255.255.255  0      Unmonitored
> > ATA2L2/ATA2L2    (Unspecified)   D N 255.255.255.255  0      Unmonitored
> > ATA1L2/ATA1L2    198.182.163.2   D N 255.255.255.255  32845  Unmonitored
> >
> > Line 1 is subscribed to Stanaphone on one and BroadVoice on the other; they
> > appear to be fine. I didn't know, but having two units connecting back to the
> > same IP (for Asterisk) on the same port (5060) might be causing a conflict on
> > the nat/router/firewall; so I moved one ATA to the third drop Tuesday (the
> > first drop is not mine to play with).
> >
> > Tuesday night I get home and find the errors continue. I am starting to
> > wonder if I am having port 5060 conflicts between the Line 1 and Line 2, so I
> > set the port to 5061 in sip.conf and change Line 2 (back) to 5061 in the ATAs
> > Wednesday. Sip show peers as of Wednesday night follows.
> >
> > AGSTMESEPS0*CLI> sip show peers
> > ATA3L2           (Unspecified)   D N 255.255.255.255  0      Unmonitored
> > ATA2L2/ATA2L2    76.179.29.137   D N 255.255.255.255  5061   Unmonitored
> > ATA1L2/ATA1L2    198.182.163.2   D N 255.255.255.255  32845  Unmonitored
> > [snip]
> >
> > Problem continues. Thursday I discover things are broken in the audio path
> > and calls are NOT connecting properly (even when registered)! I continue to
> > think about NAT, etc. so I enable STUN. No dice; this had worked for my
> > Grandstream a year or so ago.
> >
> > Today I routed one of the ATAs through a test ethernet switch in the lab
> > that has 6 LEDs per port so I could see what was going on a little better.
> > What I found out is that the audio path is one way (transmitting); it confirms
> > that I hear nothing because there is nothing in the way of RTP making it to
> > the ATA.
> >
> > Okay so I'm starting to lose my mind. I break down the test network and
> > recable the ATA via the test switch to the Linksys router on Broadband 1.
> > Presto bingo, switch lights up and I have two-way audio! I can't leave it
> > there so I don't know whether the registration problem returns.
> >
> > So I know this is a Firewall/NAT problem of sorts. I am a little puzzled as
> > to why I have this problem and how to fix it; the VoIP provider on Line 1 is
> > always fine. One obvious difference is I am also NATed; they are not. I have
> > UDP 5060-5063 and 10000-20000 port forwarded to Asterisk, but that doesn't
> > totally eliminate the effects of NAT on SIP. I am confused.
> >
> > I am at a loss why it works on the Linksys but not on the Netgear (or the
> > Smoothwall). I am really not looking forward to SIP debug and packet
> > captures, though I am equipped. This end is Asterisk 1.0 via standard 3Mb
> > Verizon ADSL and the Westell VersaLink 327W firewall/router/four port
> > switch/wireless access point.
> >
> > Chad
> > +1 955-9924
> > (US EST)
> >
> >
> > [ATA3L2]
> > type=friend
> > secret=PAP2
> > callerid="Unassigned - L2" <17007272>
> > host=dynamic
> > port=5061        ; Line 2 port 11-9-2006
> > nat=yes          ; behind a NAT router, 11-7-2006
> > canreinvite=no
> > disallow=all
> > allow=alaw
> > allow=ulaw
> > context=cnet
> > outgoinglimit=1
> > ;incominglimit=1
> > mailbox=7007272
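As an added example (not from this thread, nor Asterisk code), here is the check described above turned into a small triage script: it parses a captured `sip show peers` listing and flags registered peers whose observed source port is not 5060 as NA(P)T-translated, while reporting port-5060 peers as undetermined, since a normal source port does not rule NAT out. The sample listing is constructed from the one quoted in the mail, and the column layout assumed is the classic chan_sip one (Name/username, Host, Dyn, Nat, ACL, Port, Status).

```python
import re

# Constructed from the listing quoted in the thread (chan_sip layout:
# Name/username  Host  Dyn Nat ACL  Port  Status).
SAMPLE_LISTING = """\
Name/username Host Dyn Nat ACL Port Status
10/10 (Unspecified) D N 0 Unmonitored
2697/2697 (Unspecified) D 0 UNKNOWN
gblakely/gblakely 172.26.0.3 D N 5060 OK (57 ms)
jday/jday 69.37.44.178 D N 60010 OK (109 ms)
dhock/dhock 68.61.110.28 D N 61152 OK (75 ms)
iconnect/12345678 213.137.73.140 N 5060 Unmonitored
9 sip peers [8 online , 1 offline]
"""

# name, host, zero or more one-letter flags (D=dynamic, N=nat, A=acl),
# a numeric port, then the free-form status column.
PEER_RE = re.compile(r"^(\S+)\s+(\S+)\s+((?:[DNA]\s+)*)(\d+)\s+(.*)$")

SIP_PORT = 5060  # the dst port the peers register to; src port is what varies


def parse_peers(listing):
    """Return one dict per peer row; the header and summary lines never match."""
    peers = []
    for line in listing.splitlines():
        m = PEER_RE.match(line.strip())
        if not m:
            continue
        name, host, flags, port, status = m.groups()
        peers.append({"name": name, "host": host, "flags": flags.split(),
                      "port": int(port), "status": status.strip()})
    return peers


def nat_assessment(peer):
    """Classify a peer by the source port Asterisk saw its REGISTER come from."""
    if peer["host"] == "(Unspecified)" or peer["port"] == 0:
        return "not registered"
    if peer["port"] != SIP_PORT:
        # Egress NA(P)T rewrote the source port: the peer is behind NAT.
        return "translated source port %d: behind NAT" % peer["port"]
    # Some NAT types preserve the source port, so 5060 proves nothing.
    return "source port 5060: NAT not ruled out"


def summarize(listing):
    """Map peer name -> assessment for a whole 'sip show peers' capture."""
    return {p["name"]: nat_assessment(p) for p in parse_peers(listing)}
```

Feed it the real CLI output (for example `asterisk -rx "sip show peers"`) to get a per-peer verdict; peers flagged as translated are the ones that need `nat=yes` and a forwarded RTP range on the Asterisk side.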