Hi all,
I have a problem when using two UACs behind same NAT on Linksys WRT54GL router. Registrations, Invites, ... are handled correctly, but after 30sec in the call UACs hangs up the call (RTP goes directly between clients). This happens because UAC#1 (which answerd the call with OK) didn't recive ACK from UAC#2. This isn't happening when I have this same clinets behind NAT on PIX525 and everything is working fine. Everithing is also fine when UAC#1 calls someone on PSTN (RTP is handled by RTPProxy) or someone behind other NAT.
Strange thing is that UAC#1 sends Ringing response and OK message with this information in Contact header: Contact: sip:bob@public_ip_address:31479;rinstance=e0f8548cf68b5b6e
but proxy forwards this Ringing response and OK message to UAC#2 with this information in Contact header: Contact: sip:bob@public_ip_address:0;rinstance=b18efeaa8a0e3f0f
so port is "0" and with ngrep on proxy I saw that this port is replaced with port "5060" and ACK is sent to the UAC#1 with this parameters public_ip_address:5060 which isn't correct because UAC#1 is using 31478-31488 port range and expects traffic on these ports.
Some of debug messages that i see on proxy are: 1. sl_filter_ACK: to late to be a local ACK!, 2. e2e proxy ACK found building branch for end2end ACK totag for e2e ACK found: 1
I'm using Kamailio 1.5.0 with standard kamailio.cfg and newest XLite (with STUN and ICE options turn on).
I would be greatfull if someone can give me any guidelines what to look next in order to solve this issue.
Best regards
Dubravko
2009/5/4 dubravko caric dubravko_caric@yahoo.com:
Hi all,
Please, don't use rich text (HTML formated) for creating your mails. I can't read your mail since the text is really small (using plain text would allow my mail client using my pre-configured text size).
Strange thing is that UAC#1 sends Ringing response and OK message with this information in Contact header: Contact: sip:bob@public_ip_address:31479;rinstance=e0f8548cf68b5b6e
Questions: - Does this router use the painful SIP ALG? http://www.voip-info.org/wiki/view/Routers+SIP+ALG
but proxy forwards this Ringing response and OK message to UAC#2 with this information in Contact header: Contact: sip:bob@public_ip_address:0;rinstance=b18efeaa8a0e3f0f
How is possible that the proxy replaces 31479 with 0 ??? You must be doing something wrong with the Contact header.
-- Iñaki Baz Castillo ibc@aliax.net
Hi,
________________________________ From: Iñaki Baz Castillo ibc@aliax.net Cc: users@lists.kamailio.org Sent: Monday, May 4, 2009 3:32:59 PM Subject: Re: [Kamailio-Users] two UACs behind same NAT
2009/5/4 dubravko caric dubravko_caric@yahoo.com:
Strange thing is that UAC#1 sends Ringing response and OK message with this information in Contact header: Contact: sip:bob@public_ip_address:31479;rinstance=e0f8548cf68b5b6e
Questions:
- Does this router use the painful SIP ALG? http://www.voip-info.org/wiki/view/Routers+SIP+ALG
didn't find anything regarding SIP and ALG in the device specification but I did find this http://www.easyofficephone.com/support/router-compatibility#linksys_wrt54g:
"This router is not recommended for use with voice over ip services using the stock firmware from Linksys. This model router is known to damage and modify SIP packets in such a way that it prevents voice over ip packets from being formatted correctly and can cause a multitude of problems."
i'll check everything once more...
but proxy forwards this Ringing response and OK message to UAC#2 with this information in Contact header: Contact: sip:bob@public_ip_address:0;rinstance=b18efeaa8a0e3f0f
How is possible that the proxy replaces 31479 with 0 ??? You must be doing something wrong with the Contact header.
i'm not doing any manipulation with Contact header, all other scenarios are working fine as long as I don't use two clients behind this specific router.
Thank you very much for your reply
Dubravko
-- Iñaki Baz Castillo ibc@aliax.net
_______________________________________________ Kamailio (OpenSER) - Users mailing list Users@lists.kamailio.org http://lists.kamailio.org/cgi-bin/mailman/listinfo/users http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
2009/5/4 Dubravko Caric dubravko_caric@yahoo.com:
Questions:
- Does this router use the painful SIP ALG?
didn't find anything regarding SIP and ALG in the device specification but I did find this http://www.easyofficephone.com/support/router-compatibility#linksys_wrt54g:
"This router is not recommended for use with voice over ip services using the stock firmware from Linksys. This model router is known to damage and modify SIP packets in such a way that it prevents voice over ip packets from being formatted correctly and can cause a multitude of problems."
i'll check everything once more...
There is a really easy way to detect if a router is performing SIP ALG: - Configure you UA in the LAN with *no* STUN/ICE, just private IP. - Capture a INVITE/REGISTER from that UA in the proxy (in the public network). - Check if "Via" and/or "Contact" headers contain the router public IP instead of the UA private IP. - If so, you are behind a *fucking* router with SIP ALG enabled.
If you can dissable it (by web, telnet...) please add that information to the wiki page: http://www.voip-info.org/wiki/view/Routers+SIP+ALG (or sent it to me directly and I'll add it).
How is possible that the proxy replaces 31479 with 0 ??? You must be doing something wrong with the Contact header.
i'm not doing any manipulation with Contact header, all other scenarios are working fine as long as I don't use two clients behind this specific router.
Let me understand:
- UA1 sends "200 OK" and when you capture it in the proxy it has port 31479 in Contact header, is it? - When this "200 OK" leaves the proxy it has 0 in Contact header, is it?
Hi,
----- Original Message ---- From: Iñaki Baz Castillo ibc@aliax.net Cc: users@lists.kamailio.org Sent: Monday, May 4, 2009 5:07:38 PM Subject: Re: [Kamailio-Users] two UACs behind same NAT
There is a really easy way to detect if a router is performing SIP ALG:
- Configure you UA in the LAN with *no* STUN/ICE, just private IP.
- Capture a INVITE/REGISTER from that UA in the proxy (in the public network).
- Check if "Via" and/or "Contact" headers contain the router public IP
instead of the UA private IP.
- If so, you are behind a *fucking* router with SIP ALG enabled.
I did everything as you described and I can confirm that this router has SIP ALG enabled.
If you can dissable it (by web, telnet...) please add that information to the wiki page: http://www.voip-info.org/wiki/view/Routers+SIP+ALG (or sent it to me directly and I'll add it).
there is no way to change this (turn ON/OFF) because there is no such option in the web interface of the router. what i will try to do (over this weekend) is to load DD-WRT firmware (which isn't Linksys firmware) and if this goes well I'll put this solution on wiki.
How is possible that the proxy replaces 31479 with 0 ??? You must be doing something wrong with the Contact header.
i'm not doing any manipulation with Contact header, all other scenarios are working fine as long as I don't use two clients behind this specific router.
Let me understand:
- UA1 sends "200 OK" and when you capture it in the proxy it has port
31479 in Contact header, is it?
- When this "200 OK" leaves the proxy it has 0 in Contact header, is it?
I checked this closely once more and I was wrong (I had too much traces open) :( what really happens is that UAC sends "OK" with right port in Contact header towards the router but the router is the one that changes this port to "0" and sends this malformed message to the proxy.
Thanks once more
Dubravko
El Lunes, 4 de Mayo de 2009, Dubravko Caric escribió:
There is a really easy way to detect if a router is performing SIP ALG:
- Configure you UA in the LAN with *no* STUN/ICE, just private IP.
- Capture a INVITE/REGISTER from that UA in the proxy (in the public
network). - Check if "Via" and/or "Contact" headers contain the router public IP instead of the UA private IP.
- If so, you are behind a *fucking* router with SIP ALG enabled.
I did everything as you described and I can confirm that this router has SIP ALG enabled.
Bad luck then... :( SIP ALG is the worst enemy for SIP.
If you can dissable it (by web, telnet...) please add that information to the wiki page: http://www.voip-info.org/wiki/view/Routers+SIP+ALG (or sent it to me directly and I'll add it).
there is no way to change this (turn ON/OFF) because there is no such option in the web interface of the router.
Have you tryed via telnet? Most of the commercial routers don't show the SIP ALG option in the web interface, but via telnet.
what i will try to do (over this weekend) is to load DD-WRT firmware (which isn't Linksys firmware) and if this goes well I'll put this solution on wiki.
I checked this closely once more and I was wrong (I had too much traces open) :( what really happens is that UAC sends "OK" with right port in Contact header towards the router but the router is the one that changes this port to "0" and sends this malformed message to the proxy.
Yes, setting a "cool" port (as 0) is a common "feature" in SIP ALG enabled routers. It's also very common to see ports like 12333453 (yes, greater than 2^16).
Thanks once more
Please, add any information you get to dissable SIP ALG in this router to the Wiki I suggested. Also, you can add information about the issues you had due to this SIP ALG router. Really thanks for it. :)
On 05/04/2009 11:43 PM, Iñaki Baz Castillo wrote:
El Lunes, 4 de Mayo de 2009, Dubravko Caric escribió:
There is a really easy way to detect if a router is performing SIP ALG:
- Configure you UA in the LAN with *no* STUN/ICE, just private IP.
- Capture a INVITE/REGISTER from that UA in the proxy (in the public
network). - Check if "Via" and/or "Contact" headers contain the router public IP instead of the UA private IP.
- If so, you are behind a *fucking* router with SIP ALG enabled.
I did everything as you described and I can confirm that this router has SIP ALG enabled.
Bad luck then... :( SIP ALG is the worst enemy for SIP.
workarounds could be: - run sip server also on a different port than 5060 (say 5070) - kamailio is just fine doing it. Point the users behind such ALGs to this port. Still alg can detect it, but most of them do the detection by port 5060 - use TCP if the phone supports it - most of algs do not touch TCP connections, but ... - use TLS if the phone supports it - safest - the alg cannot touch it - recommended - send back the router and ask for money return
Cheers, Daniel
If you can dissable it (by web, telnet...) please add that information to the wiki page: http://www.voip-info.org/wiki/view/Routers+SIP+ALG (or sent it to me directly and I'll add it).
there is no way to change this (turn ON/OFF) because there is no such option in the web interface of the router.
Have you tryed via telnet? Most of the commercial routers don't show the SIP ALG option in the web interface, but via telnet.
what i will try to do (over this weekend) is to load DD-WRT firmware (which isn't Linksys firmware) and if this goes well I'll put this solution on wiki.
I checked this closely once more and I was wrong (I had too much traces open) :( what really happens is that UAC sends "OK" with right port in Contact header towards the router but the router is the one that changes this port to "0" and sends this malformed message to the proxy.
Yes, setting a "cool" port (as 0) is a common "feature" in SIP ALG enabled routers. It's also very common to see ports like 12333453 (yes, greater than 2^16).
Thanks once more
Please, add any information you get to dissable SIP ALG in this router to the Wiki I suggested. Also, you can add information about the issues you had due to this SIP ALG router. Really thanks for it. :)
-
Daniel-Constantin Mierla -
dubravko caric -
Iñaki Baz Castillo