[Serusers] nat test based on rfc1918 address in call-id field
Greger V. Teigre
greger at teigre.com
Wed Dec 8 13:24:26 CET 2004
>>> One thing though: For example Grandstream will use stun to keep nat
>>> open on all but symmetric NAT. If incoming keepalives (from the SIP
>>> server) are discarded, the NAT port assignment will time out. GS
>>> must be configured with NAT Yes and empty STUN server and it will
>>> send keepalives to the SIP server. I'm not sure why this is not
>>> done automatically when SNAT is detected...
>> Incoming keepalives would not refresh the conntrack timer, only an
>> outbound packet can. For this reason, we already disable the
>> nat-ping in ser. We rely on the UA to send out keepalive.
>
> Are you sure? The initial REGISTER is the outbound packet and the nat
> pings are "replies" from the conntrack point of view. The
> corresponding conntrack entry should be in the ESTABLISHED or ASSURED
> state, if the timeouts are low enough (or the nat pings are sent
> often enough, <<30s).
>
> (see udp_packet() in ip_conntrack_proto_udp.c and ip_conntrack_in() in
> ip_conntrack_core.c)
Our experience is that for most symmetric NATs the SIP server NAT pings work
ok, however, we have had problems with LinkSys where inbound pings every
20 s do not seem to be able to keep the connection open.
g-)
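
The disagreement in this thread, as an added example that is not part of the original message: a small C model of a UDP NAT mapping under two refresh policies, one where packets in either direction reset the timer (the behaviour the quoted reply attributes to udp_packet() and ip_conntrack_in()) and one where only outbound packets do. The timeout values, the policy names and the constructed packet trace are assumptions of this model, not values taken from the thread or from any particular device.

```c
#include <stdio.h>

/* Simplified model; timeouts are assumed values (seconds). */
enum { UDP_TIMEOUT = 30, UDP_TIMEOUT_STREAM = 180, MAX_PKTS = 64 };
enum dir { OUT, IN };                       /* OUT: UA -> server, IN: server -> UA */
enum policy { REFRESH_ANY_DIR, REFRESH_OUT_ONLY };
struct pkt { int t; enum dir d; };

/* Time at which the mapping expired, or -1 if still alive at `end`. */
int mapping_expiry(enum policy p, const struct pkt *pk, int n, int end)
{
    int expires = -1, seen_reply = 0;
    for (int i = 0; i < n; i++) {
        if (expires < 0) {                  /* no mapping yet */
            if (pk[i].d == OUT)             /* only an outbound packet creates one */
                expires = pk[i].t + UDP_TIMEOUT;
            continue;
        }
        if (pk[i].t >= expires)
            return expires;                 /* entry gone before this packet arrived */
        if (p == REFRESH_ANY_DIR || pk[i].d == OUT)
            expires = pk[i].t + (seen_reply ? UDP_TIMEOUT_STREAM : UDP_TIMEOUT);
        if (pk[i].d == IN)
            seen_reply = 1;                 /* flag set after the refresh */
    }
    if (expires < 0) return 0;              /* mapping was never created */
    return end >= expires ? expires : -1;
}

/* Constructed trace: REGISTER at t=0, then server pings every `interval` s up to 600 s. */
int run_sample(enum policy p, int interval)
{
    struct pkt pk[MAX_PKTS] = { { 0, OUT } };
    int n = 1;
    for (int t = interval; t <= 600 && n < MAX_PKTS; t += interval)
        pk[n++] = (struct pkt){ t, IN };
    return mapping_expiry(p, pk, n, 600);
}

int main(void)
{
    printf("any-dir, 20 s pings:  %d\n", run_sample(REFRESH_ANY_DIR, 20));
    printf("out-only, 20 s pings: %d\n", run_sample(REFRESH_OUT_ONLY, 20));
    printf("any-dir, 40 s pings:  %d\n", run_sample(REFRESH_ANY_DIR, 40));
    return 0;
}
```

In this model a 20 s server ping keeps the mapping alive only under the either-direction policy, and a 40 s ping loses it under both because the first ping arrives after the initial timeout.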