Dear Group,
A few years ago I successfully configured SER. My UAs were both sitting behind Firewall FVS318 and I was able to use X-Ten lite and a public STUN server and hold conversations with various people across the NET.
I have tried to recreate the same environment and I'm running into difficulties. I have provided as much information as possible so that someone may be able to add some ideas to help me resolve this problem.
My SER server
-------------
192.168.0.1 || LINUX FIREWALL NAT || 65.X.Y.64 (public IP Address)

I have mapped UDP/TCP 5060 from 65.X.Y.64 to 192.168.0.1

UA1
---
192.168.0.10 || FVS318 FIREWALL || 84.X.Y.Z (Public IP Address)

UA2
---
192.168.1.12 || Nortel 221 Firewall || 84.X.Y.A
My first test is always to try and call myself!
I have placed a packet sniffer outside of my FVS318, one on the UA LAN, and I'm running an ethereal capture on the SER server.
Here is what I see:
UA1             FVS318           LINUX FIREWALL   SER
------------------------------------------------------------
INVITE-->
SRC Port 5060   SRC Port 18564   SRC Port 18564   SRC Port 5060
DST Port 5060   DST Port 5060    DST Port 5060    DST Port 5060

<--TRYING
SRC Port 5060   SRC 5060         SRC port 5060    SRC Port 5060
DST Port 5060   DST Port 5060    DST Port 5060    DST Port 5060

<--INVITE
SRC Port 5060 SRC Port 5060 DENY DST Port 5060 SRC Port 5060
<--INVITE
SRC Port 5060 SRC Port 5060 DENY DST Port 5060 SRC Port 5060
<--INVITE
SRC Port 5060 SRC Port 5060 DENY DST Port 5060 SRC Port 5060
etc... until we time out.
Here is the sip digest (email continues after the digest :);
SIP MESSAGE 1 84.X.Y.Z:18425() -> 192.168.0.1:5060()
UDP Frame 538 24/Mar/06 10:26:48.2393 TimeFromPreviousSipFrame=20.2531 TimeFromStart=20.2531
INVITE sip:shad@65.X.Y.642 SIP/2.0
Via: SIP/2.0/UDP 84.X.Y.Z:5060;rport;branch=z9hG4bKAC3E8656BB4A11DAAE75000393A75010
From: Shad sip:Shad@65.X.Y.642;tag=2118835080
To: sip:shad@65.X.Y.642
Contact: sip:Shad@84.X.Y.Z:5060
Call-ID: AB162664-BB4A-11DA-AE75-000393A75010@192.168.0.3
CSeq: 40569 INVITE
Max-Forwards: 70
Content-Type: application/sdp
User-Agent: X-Lite release 1105x
Content-Length: 282

v=0
o=Shad 194756629 194756693 IN IP4 84.X.Y.Z
s=X-Lite
c=IN IP4 84.X.Y.Z
t=0 0
m=audio 8000 RTP/AVP 0 8 98 97 101
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:98 iLBC/8000
a=rtpmap:97 speex/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
============================================================================
SIP MESSAGE 2 192.168.0.1:5060() -> 84.X.Y.Z:18425()
UDP Frame 539 24/Mar/06 10:26:48.2514 TimeFromPreviousSipFrame=0.0121 TimeFromStart=20.2652
SIP/2.0 100 trying -- your call is important to us
Via: SIP/2.0/UDP 84.X.Y.Z:5060;rport=18425;branch=z9hG4bKAC3E8656BB4A11DAAE75000393A75010
From: Shad sip:Shad@65.X.Y.642;tag=2118835080
To: sip:shad@65.X.Y.642
Call-ID: AB162664-BB4A-11DA-AE75-000393A75010@192.168.0.3
CSeq: 40569 INVITE
Server: Sip EXpress router (0.8.12 (i386/linux))
Content-Length: 0
Warning: 392 192.168.0.1:5060 "Noisy feedback tells: pid=30110 req_src_ip=84.X.Y.Z req_src_port=18425 in_uri=sip:shad@65.X.Y.642 out_uri=sip:Shad@84.X.Y.Z:5060 via_cnt==1"
============================================================================
SIP MESSAGE 3 192.168.0.1:5060() -> 84.X.Y.Z:5060()
UDP Frame 540 24/Mar/06 10:26:48.2592 TimeFromPreviousSipFrame=0.0078 TimeFromStart=20.2730
INVITE sip:Shad@84.X.Y.Z:5060 SIP/2.0
Record-Route: sip:shad@192.168.0.1;ftag=2118835080;lr=on
Via: SIP/2.0/UDP 192.168.0.1;branch=z9hG4bK00fc.855877d1.0
Via: SIP/2.0/UDP 84.X.Y.Z:5060;rport=18425;branch=z9hG4bKAC3E8656BB4A11DAAE75000393A75010
From: Shad sip:Shad@65.X.Y.642;tag=2118835080
To: sip:shad@65.X.Y.642
Contact: sip:Shad@84.X.Y.Z:5060
Call-ID: AB162664-BB4A-11DA-AE75-000393A75010@192.168.0.3
CSeq: 40569 INVITE
Max-Forwards: 69
Content-Type: application/sdp
User-Agent: X-Lite release 1105x
Content-Length: 282

v=0
o=Shad 194756629 194756693 IN IP4 84.X.Y.Z
s=X-Lite
c=IN IP4 84.X.Y.Z
t=0 0
m=audio 8000 RTP/AVP 0 8 98 97 101
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:98 iLBC/8000
a=rtpmap:97 speex/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
============================================================================
SIP MESSAGE 4 192.168.0.1:5060() -> 84.X.Y.Z:5060()
UDP Frame 596 24/Mar/06 10:26:49.1709 TimeFromPreviousSipFrame=0.9117 TimeFromStart=21.1847
INVITE sip:Shad@84.X.Y.Z:5060 SIP/2.0
Record-Route: sip:shad@192.168.0.1;ftag=2118835080;lr=on
Via: SIP/2.0/UDP 192.168.0.1;branch=z9hG4bK00fc.855877d1.0
Via: SIP/2.0/UDP 84.X.Y.Z:5060;rport=18425;branch=z9hG4bKAC3E8656BB4A11DAAE75000393A75010
From: Shad sip:Shad@65.X.Y.642;tag=2118835080
To: sip:shad@65.X.Y.642
Contact: sip:Shad@84.X.Y.Z:5060
Call-ID: AB162664-BB4A-11DA-AE75-000393A75010@192.168.0.3
CSeq: 40569 INVITE
Max-Forwards: 69
Content-Type: application/sdp
User-Agent: X-Lite release 1105x
Content-Length: 282

v=0
o=Shad 194756629 194756693 IN IP4 84.X.Y.Z
s=X-Lite
c=IN IP4 84.X.Y.Z
t=0 0
m=audio 8000 RTP/AVP 0 8 98 97 101
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:98 iLBC/8000
a=rtpmap:97 speex/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
============================================================================
Obviously if the INVITE from the SER Server goes through on Port 5060 this is going to break!
I see the same thing if I try and call from UA2 to UA1 (More Email after the digest :))
============================================================================
SIP MESSAGE 1 84.X.Y.A:24575() -> 192.168.0.1:5060()
UDP Frame 103 24/Mar/06 11:40:14.4074 TimeFromPreviousSipFrame=1.7003 TimeFromStart=1.7003
OPTIONS sip:65.X.Y.64:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.6.50;rport;branch=z9hG4bKc0a8063200000010442420ee0000369900000f1b
Content-Length: 0
Call-ID: CE4F0254-4004-4129-9E4B-51CE8AAEE198@192.168.6.50
CSeq: 61 OPTIONS
From: sip:bart@65.X.Y.64:5060;tag=2925878122169
Max-Forwards: 70
To: sip:65.X.Y.64:5060
============================================================================
SIP MESSAGE 2 192.168.0.1:5060() -> 84.X.Y.A:24575()
UDP Frame 104 24/Mar/06 11:40:14.4078 TimeFromPreviousSipFrame=0.0004 TimeFromStart=1.7007
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 192.168.6.50;rport=24575;branch=z9hG4bKc0a8063200000010442420ee0000369900000f1b;received=84.X.Y.A
Call-ID: CE4F0254-4004-4129-9E4B-51CE8AAEE198@192.168.6.50
CSeq: 61 OPTIONS
From: sip:bart@65.X.Y.64:5060;tag=2925878122169
To: sip:65.X.Y.64:5060;tag=b27e1a1d33761e85846fc98f5f3a7e58.c661
Server: Sip EXpress router (0.8.12 (i386/linux))
Content-Length: 0
Warning: 392 192.168.0.1:5060 "Noisy feedback tells: pid=30107 req_src_ip=84.X.Y.A req_src_port=24575 in_uri=sip:65.X.Y.64:5060 out_uri=sip:65.X.Y.64:5060 via_cnt==1"
============================================================================
SIP MESSAGE 3 84.X.Y.A:24575() -> 192.168.0.1:5060()
UDP Frame 699 24/Mar/06 11:40:29.5842 TimeFromPreviousSipFrame=15.1763 TimeFromStart=16.8771
INVITE sip:shad@65.X.Y.64:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.6.50;rport;branch=z9hG4bKc0a8063200000225442420fd0000740600000f1d
Content-Length: 264
Contact: sip:bart@84.X.Y.A:5060
Call-ID: 27CA29B7-302C-4FA1-BD57-AA2C4ADD5C69@192.168.6.50
Content-Type: application/sdp
CSeq: 1 INVITE
From: "unknown"sip:bart@65.X.Y.64:5060;tag=292738906749
Max-Forwards: 70
To: sip:shad@65.X.Y.64:5060
User-Agent: SJphone/1.60.289a (SJ Labs)

v=0
o=- 3352207229 3352207229 IN IP4 84.X.Y.A
s=SJphone
c=IN IP4 84.X.Y.A
t=0 0
a=direction:active
m=audio 49180 RTP/AVP 3 0 8 101
a=rtpmap:3 GSM/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11,16
============================================================================
SIP MESSAGE 4 192.168.0.1:5060() -> 84.X.Y.A:24575()
UDP Frame 701 24/Mar/06 11:40:29.6111 TimeFromPreviousSipFrame=0.0270 TimeFromStart=16.9040
SIP/2.0 100 trying -- your call is important to us
Via: SIP/2.0/UDP 192.168.6.50;rport=24575;branch=z9hG4bKc0a8063200000225442420fd0000740600000f1d;received=84.X.Y.A
Call-ID: 27CA29B7-302C-4FA1-BD57-AA2C4ADD5C69@192.168.6.50
CSeq: 1 INVITE
From: "unknown"sip:bart@65.X.Y.64:5060;tag=292738906749
To: sip:shad@65.X.Y.64:5060
Server: Sip EXpress router (0.8.12 (i386/linux))
Content-Length: 0
Warning: 392 192.168.0.1:5060 "Noisy feedback tells: pid=30097 req_src_ip=84.X.Y.A req_src_port=24575 in_uri=sip:shad@65.X.Y.64:5060 out_uri=sip:Shad@84.X.Y.Z:5060 via_cnt==1"
============================================================================
SIP MESSAGE 5 192.168.0.1:5060() -> 84.X.Y.Z:5060()
UDP Frame 702 24/Mar/06 11:40:29.6114 TimeFromPreviousSipFrame=0.0003 TimeFromStart=16.9043
INVITE sip:Shad@84.X.Y.Z:5060 SIP/2.0
Record-Route: sip:shad@192.168.0.1;ftag=292738906749;lr=on
Via: SIP/2.0/UDP 192.168.0.1;branch=z9hG4bK779f.4d153ff7.0
Via: SIP/2.0/UDP 192.168.6.50;received=84.X.Y.A;rport=24575;branch=z9hG4bKc0a8063200000225442420fd0000740600000f1d
Content-Length: 264
Contact: sip:bart@84.X.Y.A:5060
Call-ID: 27CA29B7-302C-4FA1-BD57-AA2C4ADD5C69@192.168.6.50
Content-Type: application/sdp
CSeq: 1 INVITE
From: "unknown"sip:bart@65.X.Y.64:5060;tag=292738906749
Max-Forwards: 69
To: sip:shad@65.X.Y.64:5060
User-Agent: SJphone/1.60.289a (SJ Labs)

v=0
o=- 3352207229 3352207229 IN IP4 84.X.Y.A
s=SJphone
c=IN IP4 84.X.Y.A
t=0 0
a=direction:active
m=audio 49180 RTP/AVP 3 0 8 101
a=rtpmap:3 GSM/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11,16
============================================================================
I see STUN packets being sent to the public STUN server, and I see UDP packets keeping the firewall ports open. The problem is that unless the INVITE from the SER server is initiated on an open port, this is never going to work!
As a final test, if I R-NAT UDP 5060 on the FVS318 it obviously works. This is great if I have only one user that needs to use the service; however, what happens when I want to have 2 or 3?
I would appreciate some help.
Thanks and Regards
Shad Mortazavi
------------------------------------------------------
Nexus Group Technical Manager
n|m Nexus Management Inc
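
Added example, not part of the original post and not SER code: a Python sketch of the comparison a SIP proxy can make to notice that a UA sits behind NAT, run on header values taken from the capture above. The two sample messages are constructed from that capture and trimmed to the relevant headers; the function and finding names are made up for illustration.

```python
import ipaddress
import re

# Constructed from the capture in the post, trimmed to the headers that matter.
UA1_INVITE = "\n".join([
    "INVITE sip:shad@65.X.Y.64 SIP/2.0",
    "Via: SIP/2.0/UDP 84.X.Y.Z:5060;rport;branch=z9hG4bKAC3E8656BB4A11DAAE75000393A75010",
    "Contact: sip:Shad@84.X.Y.Z:5060",
])
UA2_INVITE = "\n".join([
    "INVITE sip:shad@65.X.Y.64:5060 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.6.50;rport;branch=z9hG4bKc0a8063200000225442420fd0000740600000f1d",
    "Contact: sip:bart@84.X.Y.A:5060",
])

def header(msg, name):
    """Return the first (topmost) value of a header, or None."""
    m = re.search(rf"^{name}:\s*(.+)$", msg, re.M | re.I)
    return m.group(1).strip() if m else None

def parse_hostport(value, default_port=5060):
    """Split 'host[:port]'; SIP defaults to 5060 when no port is given."""
    host, _, port = value.partition(":")
    return host, (int(port) if port else default_port)

def is_private(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:          # anonymised (84.X.Y.Z) or non-literal host
        return False

def nat_report(msg, src_ip, src_port):
    """Compare what the UA advertises with where the packet really came from."""
    sent_by = header(msg, "Via").split()[1].split(";")[0]
    via_host, via_port = parse_hostport(sent_by)
    uri = re.search(r"sip:(?:[^@>;]+@)?([^;>\s]+)", header(msg, "Contact"))
    contact = parse_hostport(uri.group(1))
    findings = []
    if is_private(via_host):
        findings.append("via-private")          # RFC 1918 address leaked in Via
    if via_host != src_ip:
        findings.append("via-ip-mismatch")
    if via_port != src_port:
        findings.append("via-port-mismatch")    # NAT rewrote the source port
    if contact != (src_ip, src_port):
        findings.append("contact-unreachable")  # no NAT mapping exists for it
    return {"findings": findings, "contact": contact,
            "reachable": (src_ip, src_port)}

if __name__ == "__main__":
    print(nat_report(UA1_INVITE, "84.X.Y.Z", 18425))
    print(nat_report(UA2_INVITE, "84.X.Y.A", 24575))
```

For both callers the Contact points at port 5060, while the only mapping the remote firewall holds open is the one on the observed source port (18425 and 24575 in the capture).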