Hello,
Thank you for your help
The REGISTER request is getting to kamailio. I attach my tcpdump output: http://pastebin.com/3RV9wG5G
Regards,
Kostas
On Jan 15, 2014, at 11:09 AM, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
what do you mean by "register fails"?
Is the REGISTER request getting to kamailio? Is there a reply for it?
A ngrep output taken on kamailio server for such registration would help to figure out where is the issue.
Cheers, Daniel
On 13/01/14 18:08, meres wrote:
I have kamailio 4.1.0 running on a server on a real ip and behind a firewall. NAT detection is enabled on kamailio because many remote clients are behind NAT, so NAT is working fine along with rtpproxy. Everything else (incoming, outgoing) is working fine except the following:
Users who are connected to our openvpn server (bridged mode) which is on the same subnet with kamailio, fail to register. I suspect that kamailio detects NAT on these clients as all of them are behind NAT, but they also have obtained a real ip from our openvpn server on their tap interface and as a result, REGISTER fails.
One solution, but not the best is to exclude kamailio from our openvpn routes but I would not prefer this because I wil not be able to manage the server remotely
My config: http://pastebin.com/JSxzgmKH
Any suggestions?
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-- Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda _______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On Jan 15, 2014, at 5:35 AM, meres meresgr@gmail.com wrote:
Hello,
Thank you for your help
The REGISTER request is getting to kamailio. I attach my tcpdump output: http://pastebin.com/3RV9wG5G
Your client is never responding to the authentication challenge returned by Kamailio in the WWW-Authenticate header. Your client should be attempting a second REGISTER with an Authorization header containing a response to Kamailio's challenge. Do the clients have authentication enabled?
andrew
On Jan 15, 2014, at 11:09 AM, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
what do you mean by "register fails"?
Is the REGISTER request getting to kamailio? Is there a reply for it?
A ngrep output taken on kamailio server for such registration would help to figure out where is the issue.
Cheers, Daniel
On 13/01/14 18:08, meres wrote:
I have kamailio 4.1.0 running on a server on a real ip and behind a firewall. NAT detection is enabled on kamailio because many remote clients are behind NAT, so NAT is working fine along with rtpproxy. Everything else (incoming, outgoing) is working fine except the following:
Users who are connected to our openvpn server (bridged mode) which is on the same subnet with kamailio, fail to register. I suspect that kamailio detects NAT on these clients as all of them are behind NAT, but they also have obtained a real ip from our openvpn server on their tap interface and as a result, REGISTER fails.
One solution, but not the best is to exclude kamailio from our openvpn routes but I would not prefer this because I wil not be able to manage the server remotely
My config: http://pastebin.com/JSxzgmKH
Any suggestions?
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-- Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda _______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
The clients manage to authenticate successfully from remote subnets or from our local subnet but NOT while connected to our openvpn server, so it is not an authentication issue.
On Jan 15, 2014, at 4:16 PM, Andrew Mortensen admorten@isc.upenn.edu wrote:
On Jan 15, 2014, at 5:35 AM, meres meresgr@gmail.com wrote:
Hello,
Thank you for your help
The REGISTER request is getting to kamailio. I attach my tcpdump output: http://pastebin.com/3RV9wG5G
Your client is never responding to the authentication challenge returned by Kamailio in the WWW-Authenticate header. Your client should be attempting a second REGISTER with an Authorization header containing a response to Kamailio's challenge. Do the clients have authentication enabled?
andrew
On Jan 15, 2014, at 11:09 AM, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
what do you mean by "register fails"?
Is the REGISTER request getting to kamailio? Is there a reply for it?
A ngrep output taken on kamailio server for such registration would help to figure out where is the issue.
Cheers, Daniel
On 13/01/14 18:08, meres wrote:
I have kamailio 4.1.0 running on a server on a real ip and behind a firewall. NAT detection is enabled on kamailio because many remote clients are behind NAT, so NAT is working fine along with rtpproxy. Everything else (incoming, outgoing) is working fine except the following:
Users who are connected to our openvpn server (bridged mode) which is on the same subnet with kamailio, fail to register. I suspect that kamailio detects NAT on these clients as all of them are behind NAT, but they also have obtained a real ip from our openvpn server on their tap interface and as a result, REGISTER fails.
One solution, but not the best is to exclude kamailio from our openvpn routes but I would not prefer this because I wil not be able to manage the server remotely
My config: http://pastebin.com/JSxzgmKH
Any suggestions?
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-- Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda _______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On Jan 15, 2014, at 10:41 AM, meres meresgr@gmail.com wrote:
The clients manage to authenticate successfully from remote subnets or from our local subnet but NOT while connected to our openvpn server, so it is not an authentication issue.
The clients aren't responding to the authentication challenge. How OpenVPN is contributing to that I can't say. Are the clients actually seeing the responses from Kamailio?
andrew
On Jan 15, 2014, at 4:16 PM, Andrew Mortensen admorten@isc.upenn.edu wrote:
On Jan 15, 2014, at 5:35 AM, meres meresgr@gmail.com wrote:
Hello,
Thank you for your help
The REGISTER request is getting to kamailio. I attach my tcpdump output: http://pastebin.com/3RV9wG5G
Your client is never responding to the authentication challenge returned by Kamailio in the WWW-Authenticate header. Your client should be attempting a second REGISTER with an Authorization header containing a response to Kamailio's challenge. Do the clients have authentication enabled?
andrew
On Jan 15, 2014, at 11:09 AM, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
what do you mean by "register fails"?
Is the REGISTER request getting to kamailio? Is there a reply for it?
A ngrep output taken on kamailio server for such registration would help to figure out where is the issue.
Cheers, Daniel
On 13/01/14 18:08, meres wrote:
I have kamailio 4.1.0 running on a server on a real ip and behind a firewall. NAT detection is enabled on kamailio because many remote clients are behind NAT, so NAT is working fine along with rtpproxy. Everything else (incoming, outgoing) is working fine except the following:
Users who are connected to our openvpn server (bridged mode) which is on the same subnet with kamailio, fail to register. I suspect that kamailio detects NAT on these clients as all of them are behind NAT, but they also have obtained a real ip from our openvpn server on their tap interface and as a result, REGISTER fails.
One solution, but not the best is to exclude kamailio from our openvpn routes but I would not prefer this because I wil not be able to manage the server remotely
My config: http://pastebin.com/JSxzgmKH
Any suggestions?
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-- Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda _______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Are you sure this isn't an issue of responses taking a different route (i.e. down the tunnel) than the requests, or vice versa?
Tcpdump shows that responses are sent from kamailio to the clients, but clients don’t seem to receive them while connected to openvpn.
Packets are sent from the server (165.231.27.134) to my client (165.231.27.107): 20:30:30.668831 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568 20:30:30.669155 IP 165.231.27.134.5060 > 165.231.27.107.55482: SIP, length: 551 20:30:31.181348 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568 20:30:31.181554 IP 165.231.27.134.5060 > 165.231.27.107.55482: SIP, length: 551 20:30:32.167106 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568 20:30:32.167355 IP 165.231.27.134.5060 > 165.231.27.107.55482: SIP, length: 551 20:30:34.164427 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568 20:30:34.164626 IP 165.231.27.134.5060 > 165.231.27.107.55482: SIP, length: 551
but clients receive nothing:
20:30:30.669199 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568 20:30:31.168801 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568 20:30:32.169467 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568 20:30:34.170137 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568
I suspect that the problems occurs because of the via header:
20:59:46.104703 IP (tos 0x10, ttl 64, id 25843, offset 0, flags [none], proto UDP (17), length 579) 165.231.27.134.5060 > 165.231.27.107.54497: SIP, length: 551 SIP/2.0 401 Unauthorized Via: SIP/2.0/UDP 212.194.26.254:54497;rport=54497;branch=z9hG4bKPjP5IK8W3I7iRqE1hlDxhFqSubJFadI9L3;received=165.231.27.107 From: "meresmac-ser" sip:6278@165.231.27.134;tag=UhBz6N0PU.HrNRpL7oJeIjjW4Bw4ORvg To: "meresmac-ser" sip:6278@165.231.27.134;tag=b27e1a1d33761e85846fc98f5f3a7e58.b8c8 Call-ID: 6UCLEfPOYP8iXs8zRKeohVQk2vnlR0CG CSeq: 19234 REGISTER WWW-Authenticate: Digest realm="165.231.27.134", nonce="UtbbzlLW2qKmzbnwe7FyKhQl+Tzk6gPT", qop="auth" Server: kamailio (4.1.0 (i386/linux)) Content-Length: 0
Via: SIP/2.0/UDP 212.194.26.254: this is the ip address of my internet gateway
but when disabling openvpn everything is fine, this is the first packet sent from kamailio and received by my client:
21:07:55.597158 IP (tos 0x10, ttl 64, id 56684, offset 0, flags [none], proto UDP (17), length 560) 165.231.27.134.5060 > 212.194.26.254.4216: SIP, length: 532 SIP/2.0 401 Unauthorized Via: SIP/2.0/UDP 192.168.1.209:4216;branch=z9hG4bKoL3qdL2fa2GCOGeG;rport=4216;received=212.194.26.254 From: "meres-ser" sip:6278@165.231.27.134;tag=433AE961A89F2A8DE811E8397EDBAB0C To: "meres-ser" sip:6278@165.231.27.134;tag=b27e1a1d33761e85846fc98f5f3a7e58.a2a3 Call-ID: B5C301517F108CDA7A860BE1A469F2A7F718E61B CSeq: 14578 REGISTER WWW-Authenticate: Digest realm="165.231.27.134", nonce="Utbdt1LW3IsugLC5WPoop28GYXb7rwuy", qop="auth" Server: kamailio (4.1.0 (i386/linux)) Content-Length: 0
client sends REGISTER again, and server responds:
21:07:55.797353 IP (tos 0x10, ttl 64, id 56685, offset 0, flags [none], proto UDP (17), length 534) 165.231.27.134.5060 > 212.194.26.254.4216: SIP, length: 506 SIP/2.0 200 OK Via: SIP/2.0/UDP 192.168.1.209:4216;branch=z9hG4bKeyaFfDUzfUzDzmxg;rport=4216;received=212.194.26.254 From: "meres-ser" sip:6278@165.231.27.134;tag=433AE961A89F2A8DE811E8397EDBAB0C To: "meres-ser" sip:6278@165.231.27.134;tag=b27e1a1d33761e85846fc98f5f3a7e58.0fd3 Call-ID: B5C301517F108CDA7A860BE1A469F2A7F718E61B CSeq: 14579 REGISTER Contact: sip:6278@192.168.1.209:4216;expires=600;received="sip:212.194.26.254:4216" Server: kamailio (4.1.0 (i386/linux)) Content-Length: 0
So here the Via header has the client’s NAT ip (192.168.1.209) Maybe the first packet (over openvpn) is not properly inspected by our Cisco firewall, and/or the via header is totally incorrect
Regards,
Kostas
On Jan 15, 2014, at 6:02 PM, Alex Balashov abalashov@evaristesys.com wrote:
Are you sure this isn't an issue of responses taking a different route (i.e. down the tunnel) than the requests, or vice versa?
-- Alex Balashov - Principal Evariste Systems LLC 235 E Ponce de Leon Ave Suite 106 Decatur, GA 30030 United States Tel: +1-678-954-0670 Web: http://www.evaristesys.com/, http://www.alexbalashov.com/
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-
Alex Balashov -
Andrew Mortensen -
meres