[VoIP] SIP/firewall problem - the saga
Jayson Smith
ratguy at bellsouth.net
Sat Nov 11 12:33:05 CST 2006
Hi,
HMMM, sound familiar? Of course, in my situation, I'm appearing to be
accepting IAX2 connections on a random high port rather than 4569 (is that
the right port or am I losing my mind too?). Yeah, some NAT systems do
really strange things!
Jayson.
----- Original Message -----
From: "Chad Perkins" <chad at maine.maine.edu>
To: "Voice Over IP Tandem for Analog Switches" <voip at ckts.info>
Sent: Saturday, November 11, 2006 12:33 PM
Subject: Re: [VoIP] SIP/firewall problem - the saga
> > I hate SIP.
> > I don't know if this will help, but, when I do a "sip show peers," I
> > get some really odd ports for Dennis and for Jim:
> >
> > voipgw*CLI> sip show peers
> > Name/username Host Dyn Nat ACL Port Status
> > 10/10 (Unspecified) D N 0 Unmonitored
> > 952.949.6767/952.949.6767 (Unspecified) D N 0 Unmonitored
> > 2697/2697 (Unspecified) D 0 UNKNOWN
> > gblakely2/gblakely2 172.26.0.3 D N 5060 OK (56 ms)
> > gblakely/gblakely 172.26.0.3 D N 5060 OK (57 ms)
> > jday/jday 69.37.44.178 D N 60010 OK (109 ms)
> > dhock/dhock 68.61.110.28 D N 61152 OK (75 ms)
> > iconnect/12345678 213.137.73.140 N 5060 Unmonitored
> > guest (Unspecified) N 5060 Unmonitored
> > 9 sip peers [8 online , 1 offline]
> >
> > The first five entries above are for my own soft phones and for a
> > Cisco 7940 telephone.
> > You can see that Jim is using port 60010, and Dennis' old connection
> > (which is still live) uses port 61152.
> > I'm not sure whether those odd numbers are on their end or on mine,
> > but (knock on wood) they appear to be working.
>
> From what I can tell, those port numbers are the NA(P)T port numbers
> assigned to the connection by their router/firewall on egress during
> "registration"; so that is the port number Asterisk sees them coming FROM
> (in other words their src port - dst port should still be 5060).
>
> 69.37.44.178:60010 ---> 209.98.47.194:5060
>
> This behavior varies by vendor/model as there are 4 "types" of NAT.
> High/odd port numbers *do* signify NAT, however the absence of high port
> numbers does *not* signify the absence of NAT (as some types of NAT don't
> play that game).
>
> This totally raises hell with SIP, H.323, RTP, etc. This is where the
> STUN protocol comes in handy as STUN can figure out if, and which type of,
> NAT is present and pass that information to a UDP application (i.e.
> SIP/RTP).
>
> > My asterisk box is NATted behind an IP-COP linux firewall. I have
> > port 5060 forwarded to my asterisk box, but the RTP ports are just
> > opened up -- not forwarded anywhere.
>
> I'm confused as to how the RTP knows where to go if not forwarded. Is
> Asterisk on an "Orange" DMZ port? At least IP-Cop should have some logs
> that help with this sort of thing. Too many COTS firewall/routers have
> zippo. :(
>
> > And I'm starting to lose my mind, too. But that's a different story.
> Ah, as one gets older there are so many good reasons!
> > > -----Original Message-----
> > > From: voip-bounces at ckts.info [mailto:voip-bounces at ckts.info] On
> > > Behalf Of Chad Perkins
> > > Sent: Friday, November 10, 2006 8:59 PM
> > > To: Voice Over IP Tandem for Analog Switches
> > > Subject: [VoIP] SIP/firewall problem - the saga
> > >
> > > I hope someone can shed some light on a problem I'm having. I
> > > recently deployed a couple two-line SIP ATAs (Sipura SPA-2002 &
> > > Linksys PAP2). They are en route to a couple Telephone Museum members
> > > (to whom I have assigned individual CNET numbers off the tandem here
> > > on Line 2 of the ATA). The ATAs went on the road with me Monday and
> > > installed at a test site across town. They tested perfectly. Home
> > > free. Wrong.
> > >
> > > The test site (my work) has three broadband drops with three
> > > different firewall routers. After testing on one I relocated to my
> > > workbench which has its own drop, verified basic connectivity, then
> > > I had to leave. After getting home Monday I find errors on the
> > > Asterisk console.
> > >
> > > NOTICE[98310]: chan_sip.c:7641 handle_request: Registration from
> > > '<sip:ATA2L2 at agstmexx700.homeip.net>' failed for '76.179.29.137'
> > >
> > > some time later (much longer than 30 seconds though, however
> > > Register_Expires: is
> > > set to 30 seconds in the ATAs):
> > > -- Registered SIP 'ATA2L2' at 76.179.29.137 port 5061 expires 30
> > >
> > > I have confirmed that registration is failing on the CNET lines from
> > > time to time (as far as Asterisk is concerned).
> > > AGSTMESEPS0*CLI> sip show peers
> > > ATA3L2 (Unspecified) D N 255.255.255.255 0 Unmonitored
> > > ATA2L2/ATA2L2 (Unspecified) D N 255.255.255.255 0 Unmonitored
> > > ATA1L2/ATA1L2 198.182.163.2 D N 255.255.255.255 32845 Unmonitored
> > >
> > > Line 1 is subscribed to Stanaphone on one and BroadVoice on the
> > > other; they appear to be fine. I didn't know but having two units
> > > connecting back to the same ip (for Asterisk) on the same port (5060)
> > > might be causing a conflict on the nat/router/firewall; so I moved
> > > one ATA to the third drop Tuesday (the first drop is not mine to
> > > play with).
> > >
> > > Tuesday night I get home and find the errors continue. I am
> > > starting to wonder if I am having port 5060 conflicts between the
> > > Line 1 and Line 2, so I set the port to 5061 in sip.conf and change
> > > Line 2 (back) to 5061 in the ATAs Wednesday. Sip show peers as of
> > > Wednesday night follows.
> > >
> > > AGSTMESEPS0*CLI> sip show peers
> > > ATA3L2 (Unspecified) D N 255.255.255.255 0 Unmonitored
> > > ATA2L2/ATA2L2 76.179.29.137 D N 255.255.255.255 5061 Unmonitored
> > > ATA1L2/ATA1L2 198.182.163.2 D N 255.255.255.255 32845 Unmonitored
> > > [snip]
> > >
> > > Problem continues. Thursday I discover things are broken in the
> > > audio path and calls are NOT connecting properly (even when
> > > registered)! I continue to think about NAT, etc. so I enable STUN.
> > > No dice; this had worked for my Grandstream a year or so ago.
> > >
> > > Today I routed one of the ATAs through a test ethernet switch in the
> > > lab that has 6 LEDs per port so I could see what was going on a
> > > little better. What I found out is that the audio path is one way
> > > (transmitting); it confirms that I hear nothing because there is
> > > nothing in the way of RTP making it to the ATA.
> > >
> > > Okay so I'm starting to lose my mind. I break down the test network
> > > and recable the ATA via the test switch to the Linksys router on
> > > Broadband 1. Presto bingo, switch lights up and I have two-way
> > > audio! I can't leave it there so I don't know whether the
> > > registration problem returns.
> > >
> > > So I know this is a Firewall/NAT problem of sorts. I am a little
> > > puzzled as to why I have this problem and how to fix it; the VoIP
> > > provider on Line 1 is always fine. One obvious difference is I am
> > > also NATed; they are not. I have UDP 5060-5063 and 10000-20000 port
> > > forwarded to Asterisk, but that doesn't totally eliminate the
> > > effects of NAT on SIP. I am confused.
> > >
> > > I am at a loss why it works on the Linksys but not on the Netgear
> > > (or the Smoothwall). I am really not looking forward to SIP debug
> > > and packet captures, though I am equipped. This end is Asterisk 1.0
> > > via standard 3Mb Verizon ADSL and the Westell VersaLink 327W
> > > firewall/router/four port switch/wireless access point.
> > >
> > > Chad
> > > +1 955-9924
> > > (US EST)
> > >
> > >
> > > [ATA3L2]
> > > type=friend
> > > secret=PAP2
> > > callerid="Unassigned - L2" <17007272>
> > > host=dynamic
> > > port=5061 ; Line 2 port 11-9-2006
> > > nat=yes ; behind a NAT router, 11-7-2006
> > > canreinvite=no
> > > disallow=all
> > > allow=alaw
> > > allow=ulaw
> > > context=cnet
> > > outgoinglimit=1
> > > ;incominglimit=1
> > > mailbox=7007272
> >
>
>
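As an added example that is not from this thread or from Asterisk, the following Python applies the rule of thumb discussed above to "sip show peers" output (a source port other than 5060 points to NAPT, while 5060 does not rule NAT out) and counts the "Registration ... failed" notices from the console; the peer listing and log lines are constructed to match the formats quoted in the thread, and pbx.example.invalid is a placeholder hostname.

```python
import re
from collections import Counter

# Constructed "sip show peers" sample modelled on this thread's listings (not a real capture).
PEERS_OUTPUT = """\
Name/username      Host           Dyn Nat ACL Port   Status
10/10              (Unspecified)  D   N       0      Unmonitored
gblakely/gblakely  172.26.0.3     D   N       5060   OK (57 ms)
jday/jday          69.37.44.178   D   N       60010  OK (109 ms)
"""

# Constructed console lines in the format of the NOTICE quoted in the thread.
CONSOLE_LOG = [
    "NOTICE[98310]: chan_sip.c:7641 handle_request: Registration from "
    "'<sip:ATA2L2@pbx.example.invalid>' failed for '76.179.29.137'",
    "-- Registered SIP 'ATA2L2' at 76.179.29.137 port 5061 expires 30",
    "NOTICE[98310]: chan_sip.c:7641 handle_request: Registration from "
    "'<sip:ATA2L2@pbx.example.invalid>' failed for '76.179.29.137'",
]

def parse_peers(text):
    """Parse 'sip show peers' rows (header skipped) into dicts."""
    peers = []
    for line in text.splitlines()[1:]:
        tokens = line.split()
        # Flags (D, N, A) sit between the host and the first all-digit token, the
        # port; whatever follows the port is the status text.
        port_idx = next(i for i in range(2, len(tokens)) if tokens[i].isdigit())
        peers.append({"name": tokens[0], "host": tokens[1],
                      "nat_flag": "N" in tokens[2:port_idx],
                      "port": int(tokens[port_idx]),
                      "status": " ".join(tokens[port_idx + 1:])})
    return peers

def nat_assessment(peer):
    """The thread's rule of thumb: a source port other than 5060 means the
    peer's NAPT rewrote it on egress, but 5060 is not proof of no NAT."""
    if peer["host"] == "(Unspecified)":
        return "unregistered"
    return "napt-likely" if peer["port"] != 5060 else "no-napt-evidence"

REG_FAIL = re.compile(r"Registration from '<sip:([^@>]+)@[^>]*>' failed for '([\d.]+)'")

def failed_registrations(lines):
    """Count failed REGISTER attempts per (user, source IP) in console lines."""
    counts = Counter()
    for m in filter(None, map(REG_FAIL.search, lines)):
        counts[(m.group(1), m.group(2))] += 1
    return counts
```

A peer that keeps failing from one address while others register cleanly is the pattern to look at first; the same counter also surfaces a stranger hammering REGISTER against a box that has 5060 forwarded to it.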