[Serusers] nat_ping problems

Zeus Ng zeus.ng at isquare.com.au
Fri Jun 25 05:18:04 CEST 2004


Some (but not all) NAT devices have a UDP timeout of 60s. So, if nothing
comes through the port mapping within that 60s, the association will be
deleted from the NAT device memory. After that, any packet from the WAN side
with this association will be dropped.

I notice that your nat ping interval is exactly 60s. Maybe you can try
something smaller than that, say 55s. I have a good result with 50s for most
residential ADSL routers.

Like Andres said, the best way to deal with NAT is to turn on keep-alive on
the UA.


Zeus

> -----Original Message-----
> From: serusers-bounces at lists.iptel.org 
> [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Jev
> Sent: Friday, 25 June 2004 4:12 AM
> To: serusers at lists.iptel.org
> Subject: [Serusers] nat_ping problems
> 
> 
> Hi all,
> 
> Following up on my post a couple days ago; 
> http://lists.iptel.org/pipermail/serusers/2004-June/008936.html
> 
> I have now tested with rtpproxy/nathelper and mediaproxy and I seem to
> be having the same results.
> 
> As of now my test environment is as follows;
> 
> I have two networks,
> 192.168.123.0/24	SER server
> 192.168.100.0/24	UAC (Grandstream HardPhone)
> 
> Currently I have a D-Link NAT router separating both networks. I have
> SER (CVS checkout from HEAD as of ~22nd June) running on FreeBSD 5.2.1-R
> 
> I have had the same issue with both Maxim's nathelper/rtpproxy and
> Adrian's mediaproxy. The below traces are from mediaproxy, as my most
> recent testing has been done here. I would like to have done the same
> analysis with nathelper/rtpproxy but I live under time constraints...
> 
> 
> 09:48:06 Register From UAC through NAT to ser Completed
> 09:48:44 UDP Ping Ser -> Nat Firewall -> UAC
> 09:49:44 UDP Ping Ser -> Nat Firewall -> UAC
> 09:50:45 UDP Ping Ser -> Nat Firewall -> UAC
> 09:51:45 UDP Ping Ser -> Nat Firewall -> XXXXX
> 09:52:46 UDP Ping Ser -> Nat Firewall -> XXXXX
> 09:53:47 UDP Ping Ser -> Nat Firewall -> XXXXX
> 09:54:47 UDP Ping Ser -> Nat Firewall -> XXXXX
> . . . . .
> 10:12:58 UDP Ping Ser -> Nat Firewall -> XXXXX
> 
> 
> Example of two UDP packets from SER to Nat Firewall:
> 
> 
> 09:48:44.151998 bottom.example.com.5060 > dlinknat.example.com.60408: udp 4 [tos 0x10]
> 0x0000   4510 0020 7c7d 0000 4011 8627 c0a8 7b65        E...|}..@..'..{e
> 0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000        ..{b............
> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
> 09:49:44.752972 bottom.example.com.5060 > dlinknat.example.com.60408: udp 4 [tos 0x10]
> 0x0000   4510 0020 7c83 0000 4011 8621 c0a8 7b65        E...|...@..!..{e
> 0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000        ..{b............
> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
> 
> Example of the two corresponding UDP packets inside
> the NAT Firewall from NAT Firewall to the UAC
> 
> 09:48:44.199818 bottom.example.com.5060 > 192.168.0.101.5060: udp 4 [tos 0x10]
> 0x0000   4510 0020 7c7d 0000 3f11 0225 c0a8 7b65        E...|}..?..%..{e
> 0x0010   c0a8 0065 13c4 13c4 000c db32 0000 0000        ...e.......2....
> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
> 09:49:44.807148 bottom.example.com.5060 > 192.168.0.101.5060: udp 4 [tos 0x10]
> 0x0000   4510 0020 7c83 0000 3f11 021f c0a8 7b65        E...|...?.....{e
> 0x0010   c0a8 0065 13c4 13c4 000c db32 0000 0000        ...e.......2....
> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
> 
> 
> Here is an example of two packets that get sent from
> SER to the NAT Firewall but never get past the NAT firewall.
> 
> 10:18:01.579051 bottom.example.com.5060 > dlinknat.example.com.60408: udp 4 [tos 0x10]
> 0x0000   4510 0020 8193 0000 4011 8111 c0a8 7b65        E.......@.....{e
> 0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000        ..{b............
> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
> 10:19:02.179829 bottom.example.com.5060 > dlinknat.example.com.60408: udp 4 [tos 0x10]
> 0x0000   4510 0020 8198 0000 4011 810c c0a8 7b65        E.......@.....{e
> 0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000        ..{b............
> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
> 
> 
> It appears that the NAT firewall stops transmitting the packets, nor
> does it reject them, they just silently get dropped, and ser just
> continues to send them with no idea if they are getting through or not.
> If I set the phone to a very low register time then everything works
> fine, as it keeps the nat mapping current, and I can make calls from
> outside the nat to the UAC on the inside.
> 
> I have attached my current config (mediaproxy) file.
> 
> Finally, I have had the same problems with Cisco IOS, and a cheap U.S.
> Robotics (Lucent based I think) for natting, which makes me assume that
> this is not a nat router specific issue.
> 
> Is there something basic I'm missing here? How have people made this
> configuration work? Is there anyone actually using nathelper/rtpproxy or
> mediaproxy in production?
> 
> If anyone wants more specific debug information then just let me know! :)
> 
> Thanks for your help,
> -Jev
> 
> 
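
An added example, not part of either message: it replays the timestamps from the quoted trace against a minimal NAT binding model to see which idle timeouts would reproduce the observed drops. The two refresh policies, the candidate range and all function names are assumptions of this sketch, not measured behaviour of the D-Link router.

```python
# Added example: replay the quoted ping trace against a simple NAT binding model.
# TRACE is transcribed from the post (second resolution); True = reached the UAC.
REGISTER = "09:48:06"
TRACE = [
    ("09:48:44", True), ("09:49:44", True), ("09:50:45", True),
    ("09:51:45", False), ("09:52:46", False), ("09:53:47", False),
    ("09:54:47", False), ("10:12:58", False),
]


def secs(hms):
    """Convert HH:MM:SS to seconds since midnight."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def replay(timeout, inbound_refreshes, ua_keepalive=None):
    """Predict, per ping, whether the binding still exists when it arrives.

    timeout           -- assumed idle lifetime of the UDP binding, in seconds
    inbound_refreshes -- assumption: True if WAN-side packets reset the idle
                         timer, False if only LAN-side (outbound) packets do
    ua_keepalive      -- optional interval of outbound packets from the UA;
                         the model is only meaningful when it is < timeout
    """
    start = secs(REGISTER)   # the outbound REGISTER creates the binding
    last = start             # time the idle timer was last reset
    delivered = []
    for ts, _ in TRACE:
        t = secs(ts)
        if ua_keepalive:
            # most recent outbound keep-alive sent before this ping
            last = max(last, start + (t - start) // ua_keepalive * ua_keepalive)
        alive = (t - last) < timeout
        delivered.append(alive)
        if alive and inbound_refreshes:
            last = t
    return delivered


def consistent_timeouts(inbound_refreshes, candidates=range(30, 301)):
    """Timeouts (seconds) for which the model reproduces the observed trace."""
    observed = [ok for _, ok in TRACE]
    return [T for T in candidates if replay(T, inbound_refreshes) == observed]


if __name__ == "__main__":
    for policy in (True, False):
        fits = consistent_timeouts(policy)
        print("inbound refreshes:", policy, "->", (fits[0], fits[-1]) if fits else None)
    print("UA keep-alive 50s, timeout 180s:", replay(180, False, ua_keepalive=50))
```

With these second-resolution timestamps, only the outbound-refresh policy yields any fitting timeout (160 to 219 s); that is a property of the model, not a measurement of the router.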



