Some (but not all) NAT devices have a UDP timeout
of 60s. So, if nothing
comes through the port mapping within that 60s, the association will be
deleted from the NAT device memory. After that, any packet from the
WAN side
with this association will be dropped.
I notice that your nat ping interval is exactly 60s. Maybe you can try
something smaller than that, say 55s. I have a good result with 50s
for most
residential ADSL routers.
Like Andres said, the best way to deal with NAT is to turn on
keep-live on
the UA.
Zeus
-----Original Message-----
From: serusers-bounces(a)iptel.org [mailto:serusers-bounces@lists.iptel.org]
On Behalf Of Jev
Sent: Friday, 25 June 2004 4:12 AM
To: serusers(a)lists.iptel.org
Subject: [Serusers] nat_ping problems
Hi all,
Following up on my post a couple days ago;
http://lists.iptel.org/pipermail/serusers/2004-June/008936.html
I have now tested with rtpproxy/nathelper and mediaproxy and I seem
to be having the same results.
As of now my test environment is as follows;
I have two networks,
192.168.123.0/24 SER server
192.168.100.0/24 UAC (Grandstream HardPhone)
Currently I have a D-Link NAT router separating both networks. I have
SER (CVS checkout from HEAD as of ~22nd June) running on FreeBSD 5.2.1-R
I have had the same issue with both Maxims nathelper/rtproxy and
Adrians mediaproxy. The below traces are from mediaproxy, as my most
recent testing has been done here. I would like to have done the same
analysis with nathelper/rtpproxy but I live under time constraints...
09:48:06 Register From UAC through NAT to ser Completed 09:48:44 UDP
Ping Ser -> Nat Firewall -> UAC 09:49:44 UDP Ping Ser -> Nat Firewall
-> UAC 09:50:45 UDP Ping Ser -> Nat Firewall -> UAC 09:51:45 UDP Ping
Ser -> Nat Firewall -> XXXXX 09:52:46 UDP Ping Ser -> Nat Firewall ->
XXXXX 09:53:47 UDP Ping Ser -> Nat Firewall -> XXXXX 09:54:47 UDP
Ping Ser -> Nat Firewall -> XXXXX . . . . . 10:12:58 UDP Ping Ser ->
Nat Firewall -> XXXXX
Example of two UDP packet from SER to Nat Firewall:
09:48:44.151998 bottom.example.com.5060 > dlinknat.example.com.60408:
udp 4 [tos 0x10]
0x0000 4510 0020 7c7d 0000 4011 8627 c0a8 7b65 E...|}..@..'..{e
0x0010 c0a8 7b62 13c4 ebf8 000c 8800 0000 0000 ..{b............
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
09:49:44.752972 bottom.example.com.5060 > dlinknat.example.com.60408:
udp 4 [tos 0x10]
0x0000 4510 0020 7c83 0000 4011 8621 c0a8 7b65 E...|...@..!..{e
0x0010 c0a8 7b62 13c4 ebf8 000c 8800 0000 0000 ..{b............
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
Example of the two corresponding UDP packets inside
the NAT Firewall from NAT Firewall to the UAC
09:48:44.199818 bottom.example.com.5060 > 192.168.0.101.5060: udp 4
[tos 0x10]
0x0000 4510 0020 7c7d 0000 3f11 0225 c0a8 7b65 E...|}..?..%..{e
0x0010 c0a8 0065 13c4 13c4 000c db32 0000 0000 ...e.......2....
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
09:49:44.807148 bottom.example.com.5060 > 192.168.0.101.5060: udp 4
[tos 0x10]
0x0000 4510 0020 7c83 0000 3f11 021f c0a8 7b65 E...|...?.....{e
0x0010 c0a8 0065 13c4 13c4 000c db32 0000 0000 ...e.......2....
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
Here is an example of two packets that get sent from
SER to the NAT Firewall but never get past the NAT firewall.
10:18:01.579051 bottom.example.com.5060 > dlinknat.example.com.60408:
udp 4 [tos 0x10]
0x0000 4510 0020 8193 0000 4011 8111 c0a8 7b65 E.......@.....{e
0x0010 c0a8 7b62 13c4 ebf8 000c 8800 0000 0000 ..{b............
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
10:19:02.179829 bottom.example.com.5060 > dlinknat.example.com.60408:
udp 4 [tos 0x10]
0x0000 4510 0020 8198 0000 4011 810c c0a8 7b65 E.......@.....{e
0x0010 c0a8 7b62 13c4 ebf8 000c 8800 0000 0000 ..{b............
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
It appears that the NAT firewall stops transmitting the packets, nor
does it reject them, they just silently get dropped, and ser just
continues to send them with no idea if they are getting through or
not. If I set the phone to a very low register time then everything
works fine, as it keeps the nat mapping current, and I can make calls
from outside the nat to the UAC on the inside.
I have attached my current config (mediaproxy) file.
Finally, I have had the same problems while Cisco IOS, and a cheap
U.S. Robotics (Lucent based I think) for natting, which makes me
assume that this is not a nat router specific issue.
Is there something basic I'm missing here? How have people made this
configuration work? Is there anyone actual using nathelper/rtpproxy
or mediaproxy in production?
If anyone wants more specific debug information then just let me
know! :)
Thanks for your help,
-Jev
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers