[Serusers] Can't solve the problem. Need help.
Greger V. Teigre
greger at teigre.com
Sat Apr 16 21:53:42 CEST 2005
Good observation! Grandstream (at least) firmware 10.5.16 has an error in
symmetric NAT handling with STUN. GS should NOT try to replace IP:port with
the public one, because it will be wrong.
nat_uac_test("16") will catch this through checking the Contact port with
the received port.
g-)
Atle Samuelsen wrote:
> I think the reason why this is happening is a broken ADSL router or
> simular, that has a ALG that thinks it supports SIP.
>
> try to turn off SIP_ALG or what it is called on your router. or change
> the port on your sipserver to 5062 or something simular.. if you do
> that I bet it will work.
>
> -Atle
>
> * Alex Vishnev <avishnev at optonline.net> [050416 19:41]:
>> Alex,
>>
>> I found this interesting and don't know if this is what is causing
>> your problem. Normally, when register is issued the Via header
>> indicates where UAS/proxy should respond. In your first packet, here
>> is what's happening:
>>
>> U sourceip:26012 -> xxx.xxx.xxx.xxx:5060
>> REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..
>> Via: SIP/2.0/UDP sourceip:22115;
>>
>> It looks like UA wants to receive the response back on port 22115.
>> Now, SER sends the response to that port, but it does not look like
>> UA is listening there, as UA just re-originates REGISTER. The
>> question I have is why do you have a strange port number, instead of
>> 5060? So it looks to me the reason why you never getting another
>> REGISTER with credentials is because 401 Unauthorized never makes it
>> to your Grandstream UA.
>>
>>
>> So I would do the following:
>>
>> 1. Check with Grandstream to see if your firmware is the
>> latest/stable version. I use Grandstream Bt100 and have not
>> problems. I know grandstream is pretty good in resolving problems.
>>
>> 2. If UA is behind NAT, please make sure that grandstream is
>> configured for NAT traversal.
>>
>> Hope this helps
>>
>> Alex Vishnev
>>
>> -----Original Message-----
>> From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org]
>> On Behalf Of Alex
>> Sent: Saturday, April 16, 2005 12:13 PM
>> To: aland at ox.org; freeradius-users at lists.freeradius.org;
>> serusers at lists.iptel.org; amack at fhm.edu; daniel at voice-system.ro
>> Subject: [Serusers] Can't solve the problem. Need help.
>>
>> This is the answer i got on the list :
>> The second REGISTER (the block 3) must contains the response to the
>> authentication challenge carried by 401 reply (block 2). That means
>> that the block 3 must contain an Authorization header with
>> authentication credentials computed according to HTTP-Digest
>> authentication mechanism (RFC2617).
>>
>> U sourceip:26012 -> xxx.xxx.xxx.xxx:5060
>> REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>> sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
>> <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=94a44507e03df901..To:
>> <sip:phonenumber at xxx.xxx.xxx.xxx>..Contact:
>> <sip:phonenumber at sourceip:22115>..Call-ID:
>> c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..Expires:
>> 3600..User-Agent: Grandstream HT286 1.0.5.11..Max-F
>> orwards: 70..Allow:
>> INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Length:
>> 0....
>> #
>> U xxx.xxx.xxx.xxx:5060 -> sourceip:22115
>> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>> sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
>> <sip:phonenumber at xxx.xxx.xxx.xxx>;
>> tag=94a44507e03df901..To:
>> <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=b27e1a1d33761e85846fc98f5f3a7e58.eb04.
>> .Call-I
>> D: c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..WWW-Authenticate:
>> Digest realm="xxx.xxx.xxx.xxx", nonce="42612dd595b3558cfdd4
>> 46b83b081d1e2d3cc480"..Server: Sip EXpress router (0.8.14
>> (i386/linux))..Content-Length: 0..Warning: 392 xxx.xxx.xxx.xxx:5060 "
>> Noisy feedback tells: pid=21363 req_src_ip=sourceip
>> req_src_port=26012 in_uri=sip:xxx.xxx.xxx.xxx
>> out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>>
>> #
>> U sourceip:26012 -> xxx.xxx.xxx.xxx:5060
>> REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
>> sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
>> <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=94a44507e03df901..To:
>> <sip:phonenumber at xxx.xxx.xxx.xxx>..Contact:
>> <sip:phonenumber at sourceip:22115>..Call-ID:
>> c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..Expires:
>> 3600..User-Agent: Grandstream HT286 1.0.5.11..Max-F
>> orwards: 70..Allow:
>> INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Length:
>> 0....
>> #
>> U xxx.xxx.xxx.xxx:5060 -> sourceip:22115
>> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>> sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
>> <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=94a44507e03df901..To:
>> <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=b27e1a1d33761e85846fc98f5f3a7e58.eb04.
>> .Call-I
>> D: c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..WWW-Authenticate:
>> Digest realm="xxx.xxx.xxx.xxx", nonce="42612dd63c17bd54baef
>> 0f620d6b9b066c23c8ce"..Server: Sip EXpress router (0.8.14
>> (i386/linux))..Content-Length: 0..Warning: 392 xxx.xxx.xxx.xxx:5060 "
>> Noisy feedback tells: pid=21360 req_src_ip=sourceip
>> req_src_port=26012 in_uri=sip:xxx.xxx.xxx.xxx
>> out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
>>
>>
>> here is my ser debug:
>> -------------------------------------
>>
>> 12(21360) SIP Request:
>> 12(21360) method: <REGISTER>
>> 12(21360) uri: <sip:xxx.xxx.xxx.xxx>
>> 12(21360) version: <SIP/2.0>
>> 12(21360) parse_headers: flags=1
>> 12(21360) Found param type 232, <branch> = <z9hG4bKf776a5d04027adc6>;
>> state=16
>> 12(21360) end of header reached, state=5
>> 12(21360) parse_headers: Via found, flags=1
>> 12(21360) parse_headers: this is the first via
>> 12(21360) After parse_msg...
>> 12(21360) preparing to run routing scripts...
>> 12(21360) REGISTER message received
>> 12(21360) REGISTER: Authenticating user
>> 12(21360) parse_headers: flags=4
>> 12(21360) end of header reached, state=9
>> 12(21360) DEBUG: get_hdr_field: <To> [34];
>> uri=[sip:phonenumber at xxx.xxx.xxx.xxx]
>> 12(21360) DEBUG: to body [<sip:phonenumber at xxx.xxx.xxx.xxx>
>> ]
>> 12(21360) parse_headers: flags=4096
>> 12(21360) get_hdr_field: cseq <CSeq>: <100> <REGISTER>
>> 12(21360) DEBUG: get_hdr_body : content_length=0
>> 12(21360) found end of header
>> 12(21360) pre_auth(): Credentials with given realm not found
>> 12(21360) REGISTER: challenging user
>> 12(21360) build_auth_hf(): 'WWW-Authenticate: Digest
>> realm="xxx.xxx.xxx.xxx",
>> nonce="42613540bb4462c045f7f3fe7714c3a1d6c0bca9"
>> '
>> 12(21360) parse_headers: flags=-1
>> 12(21360) check_via_address(62.219.160.40, 62.219.160.40, 1)
>> 12(21360) DEBUG:destroy_avp_list: destroing list (nil)
>> 12(21360) receive_msg: cleaning up
>>
>> For some reason that i can not figure out i don't receive anything on
>> the radius logs.
>> it's looks like my granstream ATA286 not going through authectication
>> process.
>> when i change the ip of the sip server to different one (2-server)
>> it's working perfect.
>> The grandstream ATA286 sending same packets, on the 2 server it's
>> working, on 1- one nothing happens.
>> on the problematic server i have clean installation of
>> freeradius-1.02 radiusclient-4.8 ser-8.14
>>
>> I tested the installation of the freeradius with the :
>> radclient -f digest localhost auth testing123
>> Received response ID 134, code 2, length = 45
>> Reply-Message = "Hello, test with digest"
>>
>> radius logs:
>> ----------------------------------------------
>> rad_recv: Access-Request packet from host 127.0.0.1:32844, id=134,
>> length=140
>> User-Name = "test"
>> Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
>> Digest-Attributes = "\001\013testrealm"
>> Digest-Attributes = "\002\n1234abcd"
>> Digest-Attributes = "\003\010INVITE"
>> Digest-Attributes = "\004\034sip:5555551212 at example.com"
>> Digest-Attributes = "\006\005MD5"
>> Digest-Attributes = "\n\006test"
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 0
>> modcall[authorize]: module "preprocess" returns ok for request 0
>> modcall[authorize]: module "chap" returns noop for request 0
>> modcall[authorize]: module "mschap" returns noop for request 0
>> rlm_digest: Converting Digest-Attributes to something sane...
>> Digest-Realm = "testrealm"
>> Digest-Nonce = "1234abcd"
>> Digest-Method = "INVITE"
>> Digest-URI = "sip:5555551212 at example.com"
>> Digest-Algorithm = "MD5"
>> Digest-User-Name = "test"
>> rlm_digest: Adding Auth-Type = DIGEST
>> modcall[authorize]: module "digest" returns ok for request 0
>> rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>> rlm_realm: No such realm "NULL"
>> modcall[authorize]: module "suffix" returns noop for request 0
>> rlm_eap: No EAP-Message, not doing EAP
>> modcall[authorize]: module "eap" returns noop for request 0
>> users: Matched entry DEFAULT at line 152
>> users: Matched entry test at line 215
>> modcall[authorize]: module "files" returns ok for request 0
>> modcall: group authorize returns ok for request 0
>> rad_check_password: Found Auth-Type Digest
>> auth: type "digest"
>> Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 0
>> A1 = test:testrealm:test
>> A2 = INVITE:sip:5555551212 at example.com
>> KD =
>> 1e00d6dbd30441265df6064b9d9b7da9:1234abcd:675b8c827b388805aa252ea38bfb6804
>> modcall[authenticate]: module "digest" returns ok for request 0
>> modcall: group authenticate returns ok for request 0
>> radius_xlat: 'Hello, test with digest'
>> Sending Access-Accept of id 134 to 127.0.0.1:32844
>> Reply-Message = "Hello, test with digest"
>> Finished request 0
>>
>> I need some help to figure out that's the problem with this server.
>> And what can be a reason what i don't see any authentication process
>> in the radius , when the packets coming from ATA286
>> to authenticate the the user.
>>
>>
>> Thanks for any help.
>>
>> _______________________________________________
>> Serusers mailing list
>> serusers at lists.iptel.org
>> http://lists.iptel.org/mailman/listinfo/serusers
>>
>>
>> _______________________________________________
>> Serusers mailing list
>> serusers at lists.iptel.org
>> http://lists.iptel.org/mailman/listinfo/serusers
>>
>
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
More information about the sr-users
mailing list