Re: [SR-Users] kamailio loadbalancer with TLS problem forwarding INVITE back to UA - sr-users

28 Jun 2013

Hi Allen!

Again on-list, please do not use private emails unless you have to 
provide sensitive data.

On 28.06.2013 01:17, Allen Zhang wrote:
...
  Hi Klaus,

 I dived into it and found the problem:

 When UA2 send a REGISTER to the load balancer, fix_nated_register() is called and source
ip of the UA is stored in the connection hash by tcpconn_new(), instead of the port from
the contact header field.
 But when proxy tries to send the INVITE to UA2 via the load balancer, the load balancer
calls tcpconn_find() with the port from the contact header field.
 Hence can't match the connection stored in hash. 
I do not understand that.

fix_nated_register stores both info: the original contact + 
src-ip:port:transport.

After lookup(), the Request-URI is filled with the original contact, but 
$du (destination URI, internally used by Kamailio for routing) is 
populated with src-ip:port:transport. Thus, Kamailio should use the $du 
to find the TCP connection.

Anyway, TLS debugging is always difficult. I suggest to try to make it 
running with TCP. If TCP works, TLS will work too.

regards
Klaus

...

 I need to use fix_nated_register() because the UA will be behind NAT in the future. How
do I let the LB use aliased port instead of the port from the contact header field?

 Regards,

 Allen

 -----Original Message-----
 From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
 Sent: Thursday, 27 June 2013 10:54 p.m.
 To: Kamailio (SER) - Users Mailing List
 Cc: Allen Zhang; Shane Harrison
 Subject: Re: [SR-Users] kamailio loadbalancer with TLS problem forwarding INVITE back to
UA

 make sure to also use 	handle_ruri_alias()
 http://kamailio.org/docs/modules/4.0.x/modules/nathelper.html#idp16851488
 for requests from the proxy->lb->client

 see the default kamailio config for proper usage of handle_ruri_alias() and
add_contact_alias()

 regards
 klaus

 On 27.06.2013 02:34, Allen Zhang wrote:
  Hi,

 Our set up:

 UA1 -----

 ------  Proxy1

          \
                /

                          Loadbalancer (dispatcher module)

                      /                                                                   
    \

 UA2-----

 ------  Proxy2

 Both proxies have registrar module loaded and share the same database.

 REGISTERs work fine.

 The problem is this:

                       TLS                                        TCP

 UA1  ----------------------> LB --------------------> Proxy

               INVITE(to UA2)                  INVITE(to UA2)

                     TLS                       TCP

 UA1  <------------- LB <------------- Proxy

                                             100 Trying

                     TLS                               TCP

 UA1  <------------- LB <----------------------- Proxy

                                                INVITE(to UA2)

                         TLS
                             TCP

 UA1  <----------------------- LB <----------------------- Proxy

                   100 Trying

 All above worked fine. Below is what's expected but never happened:

                         TLS
                             TCP

 UA2  <----------------------- LB <----------------------- Proxy

                   INVITE(to UA2)

 We'd like the LB to reuse the TLS connection initiated by UA2. But LB
 can't find an open connection and tries to start a new TLS connection.
 The new connection fails.

 UAs are not behind NAT at the moment but will be in the future.

 Tried this approaches on LB:

 route(ADD_CONTACT_ALIAS);

 If (not from proxy)

                   t_relay();

 else

                   do load balancing

 No luck.

 Any help is appreciated.

 Regards,

 Allen

 _______________________________________________
 SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing
 list sr-users(a)lists.sip-router.org
 http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users