The ACK was indeed broken. The problem was at the SBC, where I did not expect it. Everything works as it should. Thank you very much for your help. Martin ______________________________________________________________
Od: "Klaus Darilion" Komu: Dátum: 28.08.2012 09:36 Predmet: Re: [SR-Users] Possible bug in authentication
CC: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List", miconda@gmail.com
On 24.08.2012 14:41, martian@centrum.sk wrote:
The Route and Record-route headers are identical.
From debug (when alias=domain.ch:5060):
----authentication of INVITE:
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: : ---------------------- In route(AUTH), just before from_uri==myself ----------------------
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == []
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==9 && [domain.ch] == [127.0.0.1]
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:583]: grep_sock_info - checking if host==us: 10==15 && [domain.ch] == []
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: DEBUG: [socket_info.c:587]: grep_sock_info - checking if port 5060 (advertise 0) matches port 5060
Aug 24 14:22:44 server /usr/sbin/kamailio[8588]: NOTICE: : ---------------------- from_uri==myself evaluated as TRUE!! ----------------------
Is this really a complete log? According to the log uri==myself should return FALSE as the compared strings are never the same.
When I set alias=server.domain.ch:5060, from_uri==myself returns false (when determining if INVITE should be authenticated,resulting in replying 100 trying instead of 407 Proxy Auth Req) and loose_route() starts returning true and relays the ACK correctly.
I can post more debug from this case also, but I didn't want to spam so much in one message.
If you would like to see it, please let me know.
So .. Shall I consider the loose_route() part fixed and assume that there MUST be a full name (hostname.domain:port) in the alias, when Kamailio is not used as a primary proxy for the domain?
No. It is rather simple: domain.ch is not identical to domain.ch:5060 (as the first URI results in NAPTR+SRV lookups and my use another port than 5060).
Thus, if you want that Kamailio detects domain.ch as local domain, add "alias=domain.ch". If you want that Kamailio detects domain.ch:5060 as local domain add alias=domain.ch:5060 (not sure if quotes are needed here).
If you want that Kamailio accepts both domains as local domains, then add both alias.
Regardind loose_route: As Daniel mentioned, the ACK is broken.
regards Klaus
What about the from_uri==myself part?
Martin
> Od: "Klaus Darilion" > Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List" > Dátum: 23.08.2012 15:04 > Predmet: Re: [SR-Users] Possible bug in authentication >
> CC: miconda@gmail.com
The Route URI (sent by SBC) must be identical to the Record-Route URI (inserted by Kamailio).
To find out why loose_route returns FALSE increase log-level. loose_route uses the "ismyself" function to evaluate if the Route header addresses this Kamailio server. And the "ismyself" is very verbose when doing this check.
regards Klaus
On 23.08.2012 13:51, martian@centrum.sk wrote: > Ok, so .. I have a session border controller device that is a contact > point for my SIP domain (SRV record in DNS set to its IP). All the > trafic goes through it and it does things like topology hiding etc.. The > device forwards the INVITE messages to Kamailio, because of the routing. > > The loose_route was working strangely, because it did not behave as > described in the documentation. > > Here is the sip message that it was suppose to pass: > > ACK sip:acc1@domain.ch:5060 SIP/2.0 > > Via: SIP/2.0/UDP domain.ch;branch=z9hG4bKac386033013 > > Max-Forwards: 70 > > From: "acc2" ;tag=1c1749458918 > > To: ;tag=1c1892801634 > > Call-ID: 17494024742382012111116@ > > CSeq: 2 ACK > > Contact: > > Route: > > Supported: em,timer,replaces,path,resource-priority > > Allow: > REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE > > User-Agent: SBC_DEVICE > > Content-Length: 0 > > As you can see, there is a Route header and a To_tag .. so the > loose_route function should return true. But instead, it returned false, > then t_check_trans() also returned false and the routing logic exited > (exit;). > > This happens when the value of alias is not enclosed in double quotes. > > PS.: There is a "-" symbol in the domain name. Can't that be a problem > causing the need for the double quotes? > > PS2: Should there be only a domain name in the alias? or also the > hostname part? ... for example: domain.ch:5060 or server.domain.ch:5060 > > Martin > > ______________________________________________________________ > > Od: "Daniel-Constantin Mierla" > > Komu: "SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - > Users Mailing List" > > Dátum: 23.08.2012 12:21 > > Predmet: Re: [SR-Users] Possible bug in authentication > > > > Hello, > > On 8/23/12 11:54 AM, martian@centrum.sk wrote: > > Hello to everybody. > > I am currently working with Kamailio 3.3.1 on RedHat. > > The "loose_route" function was not working correctly and I observed > some very strange behaviour (not as one described in the > documentation of the function). > > I have found that there needs to be a port included in the "alias" > variable for the loose_route function to work correctly. > > However, upon adding the port to alias, the INVITE messages were no > longer authenticated (Kamailio just accepted them and didn't send > proxy-auth header in 407 message). > > My alias: > > alias="domain.ch:5060" > > Examining default routing logic, I found the problem here: > > if (is_method("REGISTER") || from_uri==myself) > > { > > # authenticate requests > > ... > > } > > The "from_uri==myself" was no longer evaluated as true, because > there was a port at the end of the alias. > > The FROM Header of the INVITE messages looks like: > > From: "acc1" ;tag=12345 > > ..so .. no port number there. > > Btw, I have fixed this with replacing the "myself" list with my own > defined variable MY_DOMAIN. > > #!define MY_DOMAIN ".*@domain.ch" > > So now the condition looks like this: > > if (is_method("REGISTER") || from_uri=~MY_DOMAIN) > > { > > ... > > } > > I am not sure if this is a bug that needs to be fixed or not. I am > just pointing my finger at it and I hope it will contribute to the > development. > > Also, a valid description of this behavior (when using port in > alias) would be appreciated. > > > if you enclose the value of the alias parameter in double quotes, then > it is taken as string value. If you want to set it to a host:port, then > remove the double quotes: > > alias=domain.ch:5060 > > > Why do you say the loose_route() was working strangely? Do you add the > hostname as record-route, not the IP address? Detail more about what you > think is wrong with record routing/loose routing. > > > Cheers, > Daniel > > -- Daniel-Constantin Mierla -http://www.asipto.comhttp://twitter.com/# !/miconda -http://www.linkedin.com/in/micondaKamailio Advanced Training, Berlin, Nov 5-8, 2012 -http://asipto.com/u/kat > > > > _______________________________________________ > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list > sr-users@lists.sip-router.org > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users >