4 May
2009
4 May
'09
4:16 p.m.
Hi all,
I have a problem when using two UACs
behind same NAT on Linksys WRT54GL router. Registrations, Invites, ...
are handled correctly, but after 30sec in the call UACs hangs up the
call (RTP goes directly between clients). This happens because UAC#1
(which answerd the call with OK) didn't recive ACK from UAC#2. This isn't
happening when I have this same clinets behind NAT on PIX525 and everything is working
fine. Everithing is also fine when UAC#1 calls someone on PSTN (RTP is handled by
RTPProxy) or someone behind other NAT.
Strange thing is that UAC#1 sends Ringing response and OK message with this information in
Contact header:
Contact: <sip:bob@public_ip_address:31479;rinstance=e0f8548cf68b5b6e>
but proxy forwards this Ringing response and OK message to UAC#2 with this information in
Contact header:
Contact: <sip:bob@public_ip_address:0;rinstance=b18efeaa8a0e3f0f>
so port is "0" and with ngrep on proxy I saw that this port is replaced
with port "5060" and ACK is sent to the UAC#1 with this parameters
public_ip_address:5060 which isn't correct because UAC#1 is using
31478-31488 port range and expects traffic on these ports.
Some of debug messages that i see on proxy are:
1. sl_filter_ACK: to late to be a local ACK!,
2. e2e proxy ACK found
building branch for end2end ACK
totag for e2e ACK found: 1
I'm using Kamailio 1.5.0 with standard kamailio.cfg and newest XLite (with STUN and
ICE options turn on).
I would be greatfull if someone can give me any guidelines what to look next in order to
solve this issue.
Best regards
Dubravko
4 May
4 May
4:32 p.m.
2009/5/4 dubravko caric <dubravko_caric(a)yahoo.com>om>:
Hi all,
Please, don't use rich text (HTML formated) for creating your mails. I
can't read your mail since the text is really small (using plain text
would allow my mail client using my pre-configured text size).
Strange thing is that UAC#1 sends Ringing response and
OK message with this
information in Contact header:
Contact: <sip:bob@public_ip_address:31479;rinstance=e0f8548cf68b5b6e>
Questions:
- Does this router use the painful SIP ALG?
http://www.voip-info.org/wiki/view/Routers+SIP+ALG
but proxy forwards this Ringing response and OK
message to UAC#2 with this
information in Contact header:
Contact: <sip:bob@public_ip_address:0;rinstance=b18efeaa8a0e3f0f>
How is possible that the proxy replaces 31479 with 0 ???
You must be doing something wrong with the Contact header.
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
5:59 p.m.
Hi,
________________________________
From: Iñaki Baz Castillo <ibc(a)aliax.net>
Cc: users(a)lists.kamailio.org
Sent: Monday, May 4, 2009 3:32:59 PM
Subject: Re: [Kamailio-Users] two UACs behind same NAT
2009/5/4 dubravko caric <dubravko_caric(a)yahoo.com>om>:
> Strange thing is that UAC#1 sends Ringing response
and OK message with this
> information in Contact header:
> Contact: <sip:bob@public_ip_address:31479;rinstance=e0f8548cf68b5b6e>
Questions:
- Does this router use the painful SIP ALG?
http://www.voip-info.org/wiki/view/Routers+SIP+ALG
didn't find anything regarding SIP and ALG in the device specification but I did find
this http://www.easyofficephone.com/support/router-compatibility#linksys_wrt54g:
"This router is not recommended for use with voice over ip services
using the stock firmware from Linksys. This model router is known to
damage and modify SIP packets in such a way that it prevents voice over
ip packets from being formatted correctly and can cause a multitude of
problems."
i'll check everything once more...
> but proxy forwards this Ringing response and OK
message to UAC#2 with this
> information in Contact header:
> Contact: <sip:bob@public_ip_address:0;rinstance=b18efeaa8a0e3f0f>
How is possible that the proxy replaces 31479 with 0
???
You must be doing something wrong with the Contact header.
i'm
not doing any manipulation with Contact header, all other scenarios are
working fine as long as I don't use two clients behind this specific
router.
Thank you very much for your reply
Dubravko
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
6:07 p.m.
2009/5/4 Dubravko Caric <dubravko_caric(a)yahoo.com>om>:
There is a really easy way to detect if a router is performing SIP ALG:
- Configure you UA in the LAN with *no* STUN/ICE, just private IP.
- Capture a INVITE/REGISTER from that UA in the proxy (in the public network).
- Check if "Via" and/or "Contact" headers contain the router public
IP
instead of the UA private IP.
- If so, you are behind a *fucking* router with SIP ALG enabled.
If you can dissable it (by web, telnet...) please add that information
to the wiki page:
http://www.voip-info.org/wiki/view/Routers+SIP+ALG
(or sent it to me directly and I'll add it).
Let me understand:
- UA1 sends "200 OK" and when you capture it in the proxy it has port
31479 in Contact header, is it?
- When this "200 OK" leaves the proxy it has 0 in Contact header, is it?
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
Questions:
- Does this router use the painful SIP ALG?
http://www.voip-info.org/wiki/view/Routers+SIP+ALG
didn't find anything regarding SIP and ALG in the device specification but I did find
this http://www.easyofficephone.com/support/router-compatibility#linksys_wrt54g:
"This router is not recommended for use with voice over ip services
using the stock firmware from Linksys. This model router is known to
damage and modify SIP packets in such a way that it prevents voice over
ip packets from being formatted correctly and can cause a multitude of
problems."
i'll check everything once more... How is possible
that the proxy replaces 31479 with 0 ???
You must be doing something wrong with the Contact header.
i'm
not doing any manipulation with Contact header, all other scenarios are
working fine as long as I don't use two clients behind this specific
router.
11:20 p.m.
Hi,
----- Original Message ----
From: Iñaki Baz Castillo <ibc(a)aliax.net>
Cc: users(a)lists.kamailio.org
Sent: Monday, May 4, 2009 5:07:38 PM
Subject: Re: [Kamailio-Users] two UACs behind same NAT
There is a really easy way to detect if a router is
performing SIP ALG:
- Configure you UA in the LAN with *no* STUN/ICE, just private IP.
- Capture a INVITE/REGISTER from that UA in the proxy (in the public network).
- Check if "Via" and/or "Contact" headers contain the router public
IP
instead of the UA private IP.
- If so, you are behind a *fucking* router with SIP ALG enabled.
I did everything as you described and I can confirm that this router has SIP ALG enabled.
If you can dissable it (by web, telnet...) please add
that information
to the wiki page:
http://www.voip-info.org/wiki/view/Routers+SIP+ALG
(or sent it to me directly and I'll add it).
there is no way to change this (turn ON/OFF) because there is no such option in the web
interface of the router. what i will try to do (over this weekend) is to load DD-WRT
firmware (which isn't Linksys firmware) and if this goes well I'll put this
solution on wiki.
>>How is possible that the proxy replaces 31479
with 0 ???
>>You must be doing something wrong with the Contact header.
>
> i'm
> not doing any manipulation with Contact header, all other scenarios are
> working fine as long as I don't use two clients behind this specific
> router.
Let me understand:
- UA1 sends "200 OK" and when you capture it in the proxy it has port
31479 in Contact header, is it?
- When this "200 OK" leaves the proxy it has 0 in Contact header, is it?
I checked this closely once more and I was wrong (I had too much traces open) :( what
really happens is that UAC sends "OK" with right port in Contact header towards
the router but the router is the one that changes this port to "0" and sends
this malformed message to the proxy.
Thanks once more
Dubravko
11:43 p.m.
El Lunes, 4 de Mayo de 2009, Dubravko Caric escribió:
Bad luck then... :(
SIP ALG is the worst enemy for SIP.
Have you tryed via telnet? Most of the commercial routers don't show the SIP
ALG option in the web interface, but via telnet.
There is a
really easy way to detect if a router is performing SIP ALG:
- Configure you UA in the LAN with *no* STUN/ICE, just private IP.
- Capture a INVITE/REGISTER from that UA in the proxy (in the public
network). - Check if "Via" and/or "Contact" headers contain the
router
public IP instead of the UA private IP.
- If so, you are behind a *fucking* router with SIP ALG enabled.
I did everything as you described and I can confirm that this router has
SIP ALG enabled. If you can
dissable it (by web, telnet...) please add that information
to the wiki page:
http://www.voip-info.org/wiki/view/Routers+SIP+ALG
(or sent it to me directly and I'll add it).
there is no way to change this (turn ON/OFF) because there is no such
option in the web interface of the router. what i will try to do (over this
weekend) is to load DD-WRT firmware (which isn't Linksys firmware) and if
this goes well I'll put this solution on wiki.
I checked this closely once more and I was wrong (I
had too much traces
open) :( what really happens is that UAC sends "OK" with right port in
Contact header towards the router but the router is the one that changes
this port to "0" and sends this malformed message to the proxy.
Yes, setting a "cool" port (as 0) is a common "feature" in SIP ALG
enabled
routers. It's also very common to see ports like 12333453 (yes, greater than
2^16).
Thanks once more
Please, add any information you get to dissable SIP ALG in this router to the
Wiki I suggested. Also, you can add information about the issues you had due
to this SIP ALG router. Really thanks for it. :)
--
Iñaki Baz Castillo <ibc(a)aliax.net>
11 May
11 May
11:04 a.m.
On 05/04/2009 11:43 PM, Iñaki Baz Castillo wrote:
Have you tryed via telnet? Most of the commercial routers don't show the SIP
ALG option in the web interface, but via telnet.
--
Daniel-Constantin Mierla
http://www.asipto.com/
El Lunes, 4 de Mayo de 2009, Dubravko Caric escribió:
Bad luck then... :(
SIP ALG is the worst enemy for SIP.
workarounds could be:
- run sip server also on a different port than 5060 (say 5070) -
kamailio is just fine doing it. Point the users behind such ALGs to this
port. Still alg can detect it, but most of them do the detection by port
5060
- use TCP if the phone supports it - most of algs do not touch TCP
connections, but ...
- use TLS if the phone supports it - safest - the alg cannot touch it
- recommended - send back the router and ask for money return
Cheers,
Daniel
There is
a really easy way to detect if a router is performing SIP ALG:
- Configure you UA in the LAN with *no* STUN/ICE, just private IP.
- Capture a INVITE/REGISTER from that UA in the proxy (in the public
network). - Check if "Via" and/or "Contact" headers contain the
router
public IP instead of the UA private IP.
- If so, you are behind a *fucking* router with SIP ALG enabled.
I did everything as you described and I can confirm that this router has
SIP ALG enabled.
If you
can dissable it (by web, telnet...) please add that information
to the wiki page:
http://www.voip-info.org/wiki/view/Routers+SIP+ALG
(or sent it to me directly and I'll add it).
there is no way to change this (turn ON/OFF) because there is no such
option in the web interface of the router.
what i will try to do (over this
weekend) is to load DD-WRT firmware (which isn't Linksys firmware) and if
this goes well I'll put this solution on wiki.
I checked this closely once more and I was wrong
(I had too much traces
open) :( what really happens is that UAC sends "OK" with right port in
Contact header towards the router but the router is the one that changes
this port to "0" and sends this malformed message to the proxy.
Yes, setting a "cool" port (as 0) is a common "feature" in SIP ALG
enabled
routers. It's also very common to see ports like 12333453 (yes, greater than
2^16).
Thanks once more
Please, add any information you get to dissable SIP ALG in this router to the
Wiki I suggested. Also, you can add information about the issues you had due
to this SIP ALG router. Really thanks for it. :)
5680
days inactive
5687
days old
6 comments
3 participants
participants (3)
-
Daniel-Constantin Mierla -
dubravko caric -
Iñaki Baz Castillo