[Serusers] nat_ping problems

Jev jev at ecad.org
Fri Jun 25 18:15:54 CEST 2004 

I just verified this again at work just to be sure, I ran with 
natping_interval set to 5 seconds, and I see the udp packets every five 
seconds on both sides, 3 minutes and 8 seconds after the register and 
the nat router starts dropping packets. :(

Thanks for your help!
-Jev

Jev wrote:
> Hi Zeus,
> 
> I'm afraid I have even tested with the nat ping interval set at 5 
> seconds, and I have had the same results.
> 
> Do you have this, or a similar set up implemented and working?
> 
> Thanks,
> -Jev
> 
> Zeus Ng wrote:
> 
>> Some (but not all) NAT devices have a UDP timeout of 60s. So, if nothing
>> comes through the port mapping within that 60s, the association will be
>> deleted from the NAT device memory. After that, any packet from the 
>> WAN side
>> with this association will be dropped.
>>
>> I notice that your nat ping interval is exactly 60s. Maybe you can try
>> something smaller than that, say 55s. I have a good result with 50s 
>> for most
>> residential ADSL routers.
>>
>> Like Andres said, the best way to deal with NAT is to turn on 
>> keep-live on
>> the UA.
>>
>> Zeus
>>
>>
>>> -----Original Message-----
>>> From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org] 
>>> On Behalf Of Jev
>>> Sent: Friday, 25 June 2004 4:12 AM
>>> To: serusers at lists.iptel.org
>>> Subject: [Serusers] nat_ping problems
>>>
>>>
>>> Hi all,
>>>
>>> Following up on my post a couple days ago; 
>>> http://lists.iptel.org/pipermail/serusers/2004-June/008936.html
>>>
>>> I have now tested with rtpproxy/nathelper and mediaproxy and I seem 
>>> to be having the same results.
>>>
>>> As of now my test environment is as follows;
>>>
>>> I have two networks,
>>> 192.168.123.0/24    SER server
>>> 192.168.100.0/24    UAC (Grandstream HardPhone)
>>>
>>> Currently I have a D-Link NAT router separating both networks. I have 
>>> SER (CVS checkout from HEAD as of ~22nd June) running on FreeBSD 5.2.1-R
>>>
>>> I have had the same issue with both Maxims nathelper/rtproxy and 
>>> Adrians mediaproxy. The below traces are from mediaproxy, as my most 
>>> recent testing has been done here. I would like to have done the same 
>>> analysis with nathelper/rtpproxy but I live under time constraints...
>>>
>>>
>>> 09:48:06 Register From UAC through NAT to ser Completed 09:48:44 UDP 
>>> Ping Ser -> Nat Firewall -> UAC 09:49:44 UDP Ping Ser -> Nat Firewall 
>>> -> UAC 09:50:45 UDP Ping Ser -> Nat Firewall -> UAC 09:51:45 UDP Ping 
>>> Ser -> Nat Firewall -> XXXXX 09:52:46 UDP Ping Ser -> Nat Firewall -> 
>>> XXXXX 09:53:47 UDP Ping Ser -> Nat Firewall -> XXXXX 09:54:47 UDP 
>>> Ping Ser -> Nat Firewall -> XXXXX . . . . . 10:12:58 UDP Ping Ser -> 
>>> Nat Firewall -> XXXXX
>>>
>>>
>>> Example of two UDP packet from SER to Nat Firewall:
>>>
>>>
>>> 09:48:44.151998 bottom.example.com.5060 > dlinknat.example.com.60408: 
>>> udp 4 [tos 0x10]
>>> 0x0000   4510 0020 7c7d 0000 4011 8627 c0a8 7b65        E...|}.. at ..'..{e
>>> 0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000        ..{b............
>>> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
>>> 09:49:44.752972 bottom.example.com.5060 > dlinknat.example.com.60408: 
>>> udp 4 [tos 0x10]
>>> 0x0000   4510 0020 7c83 0000 4011 8621 c0a8 7b65        E...|... at ..!..{e
>>> 0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000        ..{b............
>>> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
>>>
>>> Example of the two corresponding UDP packets inside
>>> the NAT Firewall from NAT Firewall to the UAC
>>>
>>> 09:48:44.199818 bottom.example.com.5060 > 192.168.0.101.5060: udp 4 
>>> [tos 0x10]
>>> 0x0000   4510 0020 7c7d 0000 3f11 0225 c0a8 7b65        E...|}..?..%..{e
>>> 0x0010   c0a8 0065 13c4 13c4 000c db32 0000 0000        ...e.......2....
>>> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
>>> 09:49:44.807148 bottom.example.com.5060 > 192.168.0.101.5060: udp 4 
>>> [tos 0x10]
>>> 0x0000   4510 0020 7c83 0000 3f11 021f c0a8 7b65        E...|...?.....{e
>>> 0x0010   c0a8 0065 13c4 13c4 000c db32 0000 0000        ...e.......2....
>>> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
>>>
>>>
>>> Here is an example of two packets that get sent from
>>> SER to the NAT Firewall but never get past the NAT firewall.
>>>
>>> 10:18:01.579051 bottom.example.com.5060 > dlinknat.example.com.60408: 
>>> udp 4 [tos 0x10]
>>> 0x0000   4510 0020 8193 0000 4011 8111 c0a8 7b65        E....... at .....{e
>>> 0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000        ..{b............
>>> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
>>> 10:19:02.179829 bottom.example.com.5060 > dlinknat.example.com.60408: 
>>> udp 4 [tos 0x10]
>>> 0x0000   4510 0020 8198 0000 4011 810c c0a8 7b65        E....... at .....{e
>>> 0x0010   c0a8 7b62 13c4 ebf8 000c 8800 0000 0000        ..{b............
>>> 0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
>>>
>>>
>>> It appears that the NAT firewall stops transmitting the packets, nor 
>>> does it reject them, they just silently get dropped, and ser just 
>>> continues to send them with no idea if they are getting through or 
>>> not. If I set the phone to a very low register time then everything 
>>> works fine, as it keeps the nat mapping current, and I can make calls 
>>> from outside the nat to the UAC on the inside.
>>>
>>> I have attached my current config (mediaproxy) file.
>>>
>>> Finally, I have had the same problems while Cisco IOS, and a cheap 
>>> U.S. Robotics (Lucent based I think) for natting, which makes me 
>>> assume that this is not a nat router specific issue.
>>>
>>> Is there something basic I'm missing here? How have people made this 
>>> configuration work? Is there anyone actual using nathelper/rtpproxy 
>>> or mediaproxy in production?
>>>
>>> If anyone wants more specific debug information then just let me 
>>> know! :)
>>>
>>> Thanks for your help,
>>> -Jev
>>>
>>> _______________________________________________
>>> Serusers mailing list
>>> serusers at lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
>>>
>>
>>
>>
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers

More information about the sr-users mailing list