[Serusers] NAT problem

Bernd Froemel bernd at nc6.net
Thu Jun 23 13:15:04 CEST 2005


Dear list,

I have some weird problem between users behind the same NAT connected to
a multihomed ser server (public&private IP). Ser is listening only on
the public interface (ser.ip.address). The NATed clients have
official.ip.address as their official IP address and 192.168.10.1 and
192.168.10.2 are their IP addresses behind NAT.

Now after a register I get for the NATed clients the following entries
into the location table:

UA1:
contact: sip:test@192.168.10.1:2050;transport=tcp;line=1hzwxw3z
received: sip:official.ip.address:2050;transport=TCP
flags: 1

UA2:
contact: sip:test2@192.168.10.2:2050;transport=tcp;line=1hzwxw3z
received: sip:official.ip.address:2050;transport=TCP
flags: 1

which looks quite good (why is the flag 1 and not 6?), but then on
INVITE/SUBSCRIBE/ (everything which issues a t_relay) my logs get full
of:

ser[27588]: ERROR: tcp_blocking_connect: SO_ERROR (111) Connection refused
ser[27588]: ERROR: tcpconn_connect: tcp_blocking_connect failed
ser[27588]: ERROR: tcp_send: connect failed
ser[27588]: msg_send: ERROR: tcp_send failed
ser[27588]: ERROR: t_forward_nonack: sending request failed

and the UA which issued the command receives a: 477 Unfortunately error
on sending to next hop occurred message.

I think it has something to do with the lookup of the target UA - at
least I always get the uri back which contains the private IP.
(debugging output:

befor lookup 80.123.216.181 - - sip:test@domain.com
after lookup 80.123.216.181 - - sip:test@192.168.10.1:2050;transport=tcp;line=lhzwxw3z
)

Also I guess that the commented part which is uncommented in the default
cfg shouldn't prevent all NAT calls, but only calls to real private IPs.

( found in route[1] beginning, the nat route)
	
	#if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:"))
	#{
	#	sl_send_reply("479", "forward request to private ip address denied");
	#	break;
	#};
)

But due to the lookup returning me a private IP URI this would result in
a 479 error.

My current test config is basically the one found in cvs/etc/ser.cfg.m4
with inserted values. I already tried other cfgs - even the example in
modules/nathelper -- no success. Yes rtpproxy is running, I can even
call the other UA and audio is working full duplex, but only at the very
beginning. After a few minutes idling or a server restart, without
clearing the sql location table a call results always in the 477 error.


Please help me - what am I missing here?

Thanks in advance,
 Bernd

-----
Here is my cfg and some SIP messages during REGISTER and INVITE
(I have removed IPs and unnecessary parts, Asterisk gw is
192.168.xx.xx):

#
# ----------- global configuration parameters ------------------------

[...]

check_via=no	# (cmd. line: -v)
dns=yes           # (cmd. line: -r)
rev_dns=no      # (cmd. line: -R)
mhomed=1

[...]


# ------------------ module loading ----------------------------------

[...]

# ----------------- setting module-specific parameters ---------------

[...]


modparam("nathelper", "natping_interval", 15)
modparam("nathelper", "ping_nated_only", 1)
modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")

modparam("registrar", "nat_flag", 6)
modparam("registrar", "use_domain", 1)

modparam("acc", "report_ack", 1)
modparam("acc", "log_level", 1)
#if BYE fails (telephone is dead, record-routing broken, etc.), generate
#a report nevertheless -- otherwise we would have no STOP event; => 1
modparam("acc", "failed_transactions", 1)

modparam("acc", "log_flag", 1)
modparam("acc", "db_flag", 1)
modparam("acc", "log_missed_flag", 3)
modparam("acc", "db_missed_flag", 3)



modparam("usrloc", "db_mode",   0)
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "use_domain", 1)
modparam("usrloc", "timer_interval", 10)

modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth", "nonce_expire", 300)

modparam("rr", "enable_full_lr", 1)

modparam("tm", "fr_timer", 20)
modparam("tm", "fr_inv_timer", 90)
modparam("tm", "wt_timer", 20)

#modparam("enum", "domain_suffix", "e164.arpa.")

modparam("msilo", "registrar", "sip:registrar@xxxxxxxx")

alias=domain1.com
alias=domain2.com

/* 
flags:
1 ... ACCOUNT
3 ... MISSED CALLS
4 ... VOICEMAIL
6 ... NAT
*/

# -------------------------  request routing logic -------------------

# main routing logic

route
{
	# initial sanity checks -- messages with
	# max_forwards==0, or excessively long requests
	if (!mf_process_maxfwd_header("10")) 
	{
		sl_send_reply("483","too many hops (loop?)");
		break;
	};
	if (msg:len >=  2048 ) 
	{
		sl_send_reply("513", "message too large");
		break;
	};

	if (nat_uac_test("3"))
	{
		if (method=="REGISTER" || !search("^Record-Route:"))
		{
			if (method=="REGISTER")
			{
				fix_nated_register();
			} else
			{
				fix_nated_contact();
			};
			if (method=="INVITE")
			{
				log(1,"natted caller sent invite!\n");
				fix_nated_sdp("1");
			};
			force_rport();
			setflag(6);
			log(1, "natted caller detected\n");
			append_to_reply("P-NATed-Caller: Yes\r\n");
		} else 
		{
			log(1, "something wrong here..\n");
		};
	};


	#antispam

	if ( search("(From|F):.*@(domain1\.com)|(domain2\.com)|(192\.168\.xx\.xx)") )
	{
		if ( (method=="INVITE" || method=="SUBSCRIBE") && !(src_ip == SER_IP || src_ip == 192.168.xx.xx) )
		{
			if (!(proxy_authorize("","subscriber")))
			{
				proxy_challenge("","0");
				break;
			};
			if (!check_from())
			{
				log("LOG: From Cheating attempt in INVITE!\n");
				sl_send_reply("403", "use From=id");
				break;
			};
			#consume_credentials();
		}; #non-REGISTER from other domain
	} else if ((method=="INVITE" || method=="SUBSCRIBE" || method=="REGISTER") && !(uri==myself || uri=~"(@(192\.168\.xx\.xx)([;:].*)*)") )
	{
		sl_send_reply("403", "no relaying");
		break;
	};

	if (!(method=="REGISTER"))
	{
		record_route();
	};

	#if (method=="BYE" || method=="CANCEL") 
	#{
	#	unforce_rtp_proxy();
	#};

	

	# subsequent messages within a dialog should take the
	# path determined by record-routing
	if (loose_route()) {
		if ((method=="INVITE" || method=="ACK" || method=="CANCEL") && uri=~"(@(192\.168\.xx\.xx)([;:].*)*)")
		{
			route(4); # to asterisk
		} 
		else 
		{
			append_hf("P-hint: rr-enforced\r\n"); 
			if (method=="BYE")
			{
				setflag(1);
			};
			log(1, "and directly to nat..\n");
			route(1); # to nat
		};
		break;
	};

	if (!(uri==myself || uri=~"(@(192\.168\.xx\.xx)([;:].*)*)")) 
	{
		# mark routing logic in request
		append_hf("P-hint: outbound\r\n"); 
		log(1, "outbound\n");
		route(1); # to nat
		break;
	};

	# ---->request is for our domains!<---- #

	if (method=="REGISTER")
	{
		if (!www_authorize("","subscriber"))
		{
			www_challenge("","0");
			break;
		};
		if (!check_to())
		{
			log("LOG: To Cheating attempt\n");
			sl_send_reply("403", "use From=id");
			break;
		};
		log(1, "(un)register successful\n");	
		if (!save("location"))
		{
			sl_reply_error();
		};
		m_dump();
		break;
	};

	if (uri=~"sip:daemon@")
	{
		sl_send_reply("410", "daemon is gone");
		break;
	};

	lookup("aliases");

	if (!(uri==myself || uri=~"(@(192\.168\.xx\.xx)([;:].*)*)"))
	{
		append_hf("P-hint: ALIASED-OUTBOUND\r\n");
		route(1); #to nat
		break;
	};

	if (uri=~"^[a-zA-Z]+:\+[0-9]+@")
	{
		strip(1);
		prefix("00");
	};

	if (!does_uri_exist())
	{
		if(uri=~"^[a-zA-Z]+:[0-9]+@") 
		{
			route(4); #to pstn
		}
		else
		{
			sl_send_reply("604", "does not exist anywhere");
		};
		break;
	};

	if (is_user_in("Request-URI", "voicemail"))
	{
		setflag(4);
	};

	exec_msg("echo befor lookup $SIP_SRCIP - $SIP_ORURI  -  $SIP_RURI >> /tmp/ser.log");
	if (!lookup("location"))
	{
		log(1, "lookup failed\n");
		route(6);
		break;
	} else 
	{
		log(1, "lookup successful\n");
	};
	exec_msg("echo after lookup $SIP_SRCIP - $SIP_ORURI  -  $SIP_RURI >> /tmp/ser.log");

	if (uri=~"(@(192\.168\.xx\.xx)([;:].*)*)")
	{
		log(1, "LOG: Gateway address in UsrLoc!\n");
		route(4); # to PSTN
		break;
	};

	if (method=="INVITE" && isflagset(4))
	{
		t_on_failure("1");
	};

	setflag(3);
	
	append_hf("P-hint: USRLOC\r\n");
	log(1, "nearly at end and going to nat..\n");
	exec_msg("echo $SIP_SRCIP - $SIP_ORURI  -  $SIP_RURI >> /tmp/ser.log");
	route(1); # to nat
}

route[1] 
{
	
	#if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:"))
	#{
	#	sl_send_reply("479", "forward request to private ip address denied");
	#	break;
	#};

	if (isflagset(6))
	{
		if(!is_present_hf("P-RTP-Proxy"))
		{
			force_rtp_proxy();
			append_hf("P-RTP-Proxy: Yes\r\n");
			log(1, "rtp proxied\n");
		};
		log(1,"natted calee\n");
		append_hf("P-NATed-Calee: Yes\r\n");
	};
	exec_msg("echo :: $SIP_SRCIP - $SIP_ORURI  -  $SIP_RURI >> /tmp/ser.log");
	log(1, "1\n");
	t_on_reply("1");
	log(1, "2\n");
	if (!t_relay()) {
		sl_reply_error();
		break;
	};
	log(1, "3\n");
}


route[4]
{
[...]	
}

onreply_route[1]
{
	log(1, "taking onreply route\n");
	if(isflagset(6) && status=~"(183)|2[0-9][0-9]" && 
		!search("^Content-Length:\ +0")) 
		{
			log(1,"onreply fixing nat\n");
			fix_nated_contact();
			force_rtp_proxy();
	} else if (nat_uac_test("1")) 
	{
		log (1, "onreply fixing nat alternate\n");
		fix_nated_contact();
	};
}

route[4]
{
[...]
}

route[6]
{
[...]
}


-----------
REGISTER
-----------
T official.ip.address:2062 -> ser.ip.address:5060 [A]
  REGISTER sip:domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.1:2062;br
  anch=z9hG4bK-wekq229vr3vn;rport..From: "Test"
<sip:test at domain.com>;tag=3q2blh64wf..To: "Test"
<sip:test at domain.com>..Call-ID: 3c26818830d4-ugwagbaz5vkz at snom360..CSeq:
22 REGISTER..Max-
  Forwards: 70..Contact: <sip:test at 192.168.10.1:2062;transport=tcp;line=
  lhzwxw3z>;q=1.0;
+sip.instance="<urn:uuid:0c541696-09aa-4d0c-b8ca-fb9889cc61ad>"
;audio;mobility="fixed";duplex="full";description="snom360";actor="principal";
events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY
  ,SUBSCRIBE,PRACK,MESSAGE,INFO"..User-Agent: snom360/3.60k..Supported:
gruu.
  .Allow-Events: dialog..X-Real-IP: 192.168.0.191..WWW-Contact:
<http://192.168.10.1:80>..WWW-Contact:
<https://192.168.10.1:443>..Expires: 3600..Content-Length: 0

T ser.ip.address:5060 -> official.ip.address:2062 [AP]
  SIP/2.0 401 Unauthorized..Via: SIP/2.0/TCP
192.168.10.1:2062;branch=z9hG4b
  K-wekq229vr3vn;rport=2062;received=official.ip.address..From: "Test"
   <sip:test at domain.com>;tag=3q2blh64wf..To: "Test" <sip:
  test at domain.com>;tag=5431d75005d8ed216f7c100a44746400.19d5..Call-ID
  : 3c26818830d4-ugwagbaz5vkz at snom360..CSeq: 22
REGISTER..P-NATed-Caller: Yes
  ..WWW-Authenticate: Digest realm="domain.com",
nonce="42baac51779c17ebe
  ec20a5ee2f9492821bd723e"..Server: Sip EXpress router (0.9.3
(i386/linux))..
  Content-Length: 0..Warning: ser.ip.address:5060 "Noisy feedback tells:
p
  id=27776 req_src_ip=official.ip.address req_src_port=2062
in_uri=sip:domain.com out_uri=sip:domain.com via_cnt==1"


T official.ip.address:2062 -> ser.ip.address:5060 [A]
  REGISTER sip:domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.1:2062;br
  anch=z9hG4bK-6s4mq8dda681;rport..From: "Test"
<sip:test at domain.com>;tag=3q2blh64wf..To: "Test"
<sip:test at domain.com>..Call-ID: 3c26818830d4-ugwagbaz5vkz at snom360..CSeq:
23 REGISTER..Max-
  Forwards: 70..Contact: <sip:test at domain.com:2062;transport=tcp;line=
  lhzwxw3z>;q=1.0;
+sip.instance="<urn:uuid:0c541696-09aa-4d0c-b8ca-fb9889cc61
  ad>";audio;mobility="fixed";duplex="full";description="snom360";
actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY
  ,SUBSCRIBE,PRACK,MESSAGE,INFO"..User-Agent: snom360/3.60k..Supported:
gruu.
  .Allow-Events: dialog..X-Real-IP: 192.168.10.1..WWW-Contact:
<http://192.1
  68.10.1:80>..WWW-Contact: <https://192.168.10.1:443>..Authorization:
Digestusername="test",realm="domain.com",nonce="42baac51779c17ebeec20a

5ee2f9492821bd723e",uri="sip:domain.com",response="d2415424805014aac504
  b643ea489795",algorithm=md5..Expires: 3600..Content-Length: 0....

T ser.ip.address:5060 -> official.ip.address:2062 [AP]
  SIP/2.0 200 OK..Via: SIP/2.0/TCP
192.168.10.1:2062;branch=z9hG4bK-6s4mq8dd
  a681;rport=2062;received=official.ip.address..From: "Test"
<sip:test at domain.com>;tag=3q2blh64wf..To: "Test"
<sip:test at domain.com>;tag=5431d75005d8ed216f7c100a44746400.d02e..Call-ID: 3c268188
  30d4-ugwagbaz5vkz at snom360..CSeq: 23 REGISTER..P-NATed-Caller:
Yes..Contact:

<sip:test at 192.168.10.1:2056;transport=tcp;line=lhzwxw3z>;q=1;expires=
  2204;received="sip:official.ip.address:2056;transport=TCP",
<sip:test at 192.168.10.1:2055;transport=tcp;line=lhzwxw3z>;q=1;expires=1551;
received="sip:official.ip.address:2055;transport=TCP",
<sip:test at 192.168.10.1:2062;transport=tcp;line=lhzwxw3z>;q=1;expires=3600;
received="sip:official.ip.address:2062;transport=TCP"..Server: Sip
EXpress router (0.9.3 (i386/linux))..Content-Length: 0..
Warning: 392 ser.ip.address:5060 "Noisy feedback tells:  pid=27776 req_
  src_ip=official.ip.address req_src_port=2062 in_uri=sip:domain.com
out_uri=sip:domain.com via_cnt==1"

-----------
INVITE
-----------
T official.ip.address:33255 -> ser.ip.address:5060 [AP]
  INVITE sip:test at domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;
  branch=z9hG4bK3AA2CBD1;alias..CSeq: 2681 INVITE..To: <sip:test at domain
  .com>..Content-Type: application/sdp..From: "test2"
<sip:test2 at domain.com
  >;tag=67807379..Call-ID: 1766830276 at 192.168.10.2..Subject: sip:test
  @domain.com..Content-Length: 230..User-Agent: kphone/4.1.1..Contac
  t: "test" <sip:test at 192.168.10.2;transport=tcp>....v=0..o=username 0 0
IN
  IP4 192.168.10.2..s=The Funky Flow..c=IN IP4 192.168.10.2..t=0
0..m=audio
   32874 RTP/AVP 0 97 8 3..a=rtpmap:0 PCMU/8000..a=rtpmap:3
GSM/8000..a=rtpma
  p:8 PCMA/8000..a=rtpmap:97 iLBC/8000..a=fmtp:97 mode=30..
##
T ser.ip.address:5060 -> official.ip.address:33255 [AP]
  SIP/2.0 407 Proxy Authentication Required..Via: SIP/2.0/TCP
192.168.10.2;b

ranch=z9hG4bK3AA2CBD1;alias;rport=33255;received=official.ip.address..CSeq: 2681
   INVITE..To: <sip:test at domain.com>;tag=5431d75005d8ed216f7c100a4474
  6400.5110..From: "test" <sip:test2 at domain.com>;tag=67807379..Call-I
  D: 1766830276 at 192.168.10.2..P-NATed-Caller: Yes..Proxy-Authenticate:
Diges
  t realm="domain.com", nonce="42baaf784cd57486fa11fe10929ade10b8fc4
  3ec"..Server: Sip EXpress router (0.9.3 (i386/linux))..Content-Length:
0..W
  arning: 392 ser.ip.address:5060 "Noisy feedback tells:  pid=27776
req_src_ip=
  official.ip.address req_src_port=33255 in_uri=sip:test at domain.com
out_ur
  i=sip:test at domain.com via_cnt==1"....
##
T official.ip.address:33255 -> ser.ip.address:5060 [AP]
  ACK sip:test at domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;bra
  nch=z9hG4bK3AA2CBD1;alias..CSeq: 2681 ACK..To: <sip:test at domain.com
  >;tag=5431d75005d8ed216f7c100a44746400.5110..From: "test2" <sip:test2@
  domain.com>;tag=67807379..Call-ID:
1766830276 at 192.168.10.2..Content-Leng
  th: 0..User-Agent: kphone/4.1.1..Contact: "test"
<sip:test at 192.168.10.2;tr
  ansport=tcp>....
##
T official.ip.address:33255 -> ser.ip.address:5060 [AP]
  INVITE sip:test at domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;
  branch=z9hG4bK36EBCF00;alias..CSeq: 2682 INVITE..To:
<sip:test at domain.com
  >..Proxy-Authorization: Digest username="test2 at domain.com", r
  ealm="domain.com", nonce="42baaf784cd57486fa11fe10929ade10b8fc43ec
  ", uri="sip:test at domain.com", cnonce="abcdefghi", nc=00000001, resp
  onse="2c088d59cb24c70c61d890245fe0f5ca", opaque="",
algorithm="MD5"..Conten
  t-Type: application/sdp..From: "test2" <sip:test2 at domain.com>;tag=67
  807379..Call-ID: 1766830276 at 192.168.10.2..Subject:
sip:test2 at domain.com
 ..Content-Length: 230..User-Agent: kphone/4.1.1..Contact: "test" <sip:
  test at 192.168.10.2;transport=tcp>....v=0..o=username 0 0 IN IP4
192.168.0.1
  03..s=The Funky Flow..c=IN IP4 192.168.10.2..t=0 0..m=audio 32874
RTP/AVP
  0 97 8 3..a=rtpmap:0 PCMU/8000..a=rtpmap:3 GSM/8000..a=rtpmap:8
PCMA/8000..
  a=rtpmap:97 iLBC/8000..a=fmtp:97 mode=30..
##
T ser.ip.address:5060 -> official.ip.address:33255 [AP]
  SIP/2.0 100 trying -- your call is important to us..Via: SIP/2.0/TCP
192.16

8.10.2;branch=z9hG4bK36EBCF00;alias;rport=33255;received=official.ip.address..C
  Seq: 2682 INVITE..To: <sip:test at domain.com>..From: "test" <sip:test
  @domain.com>;tag=67807379..Call-ID: 1766830276 at 192.168.10.2..P-NA
  Ted-Caller: Yes..Server: Sip EXpress router (0.9.3
(i386/linux))..Content-L
  ength: 0..Warning: 392 ser.ip.address:5060 "Noisy feedback tells:
pid=27776
  req_src_ip=official.ip.address req_src_port=33255
in_uri=sip:test at domain.com
  out_uri=sip:test at 192.168.10.1:2056;transport=tcp;line=lhzwxw3z vi
  a_cnt==1"....
##
T ser.ip.address:5060 -> official.ip.address:33255 [AP]
  SIP/2.0 477 Unfortunately error on sending to next hop occurred
(477/TM)..V
  ia: SIP/2.0/TCP
192.168.10.2;branch=z9hG4bK36EBCF00;alias;rport=33255;rece
  ived=official.ip.address..CSeq: 2682 INVITE..To:
<sip:test at domain.com>;t
  ag=a0de3507a8823f96a254cc0a187acbf0-2573..From: "test2"
<sip:test2 at domain.com
  >;tag=67807379..Call-ID: 1766830276 at 192.168.10.2..P-NATed-Caller:
   Yes..Server: Sip EXpress router (0.9.3 (i386/linux))..Content-Length:
0..W
  arning: 392 ser.ip.address:5060 "Noisy feedback tells:  pid=27776
req_src_ip=
  official.ip.address req_src_port=33255 in_uri=sip:test at domain.com
out_ur
  i=sip:test at 192.168.10.1:2056;transport=tcp;line=lhzwxw3z via_cnt==1"..
  ..
##
T official.ip.address:33255 -> ser.ip.address:5060 [AP]
  ACK sip:test at domain.com SIP/2.0..Via: SIP/2.0/TCP 192.168.10.2;bra
  nch=z9hG4bK36EBCF00;alias..CSeq: 2682 ACK..To: <sip:test at domain.com
  >;tag=a0de3507a8823f96a254cc0a187acbf0-2573..From: "test2"
<sip:test2 at domain
  .com>;tag=67807379..Call-ID: 1766830276 at 192.168.10.2..Content-Leng
  th: 0..User-Agent: kphone/4.1.1..Contact: "test"
<sip:test at 192.168.10.2;tr
  ansport=tcp>....
#
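
Added example (not part of the original post, and not SER code): a Python sketch of the private-address filter that is commented out at the top of `route[1]`, run against the UA1 location entry quoted in the message. It assumes that a stored `received` URI, when present, is the next hop the proxy actually connects to; `relay_decision`, `is_rfc1918` and `uri_host` are hypothetical names, and the `10.example.org` URI is constructed.

```python
import ipaddress
import re

# Regex copied from the commented-out filter at the top of route[1] in the post.
PRIVATE_URI_RE = re.compile(r"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)")
# Host of a sip:/sips: URI: optional user part, then host up to :port or ;params.
SIP_HOST_RE = re.compile(r"^sips?:(?:[^@;]+@)?(\[[^\]]+\]|[^:;>]+)", re.I)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Location entry for UA1 as quoted in the post ("official.ip.address" is the
# poster's placeholder for the NAT's public address).
UA1_CONTACT = "sip:test@192.168.10.1:2050;transport=tcp;line=1hzwxw3z"
UA1_RECEIVED = "sip:official.ip.address:2050;transport=TCP"
# Constructed URI: a hostname that merely starts with "10.".
LOOKALIKE = "sip:alice@10.example.org"


def uri_host(uri):
    """Return the host part of a SIP URI, without user, port or parameters."""
    m = SIP_HOST_RE.match(uri)
    if not m:
        raise ValueError("not a SIP URI: %r" % uri)
    return m.group(1).strip("[]")


def is_rfc1918(uri):
    """True only when the URI host is an IP literal inside RFC 1918 space."""
    try:
        ip = ipaddress.ip_address(uri_host(uri))
    except ValueError:          # hostname or unparsable URI, not an IP literal
        return False
    return any(ip in net for net in RFC1918)


def relay_decision(ruri, received=None, has_route=False):
    """Compare the regex test on the Request-URI with a check of the next hop.

    Assumption: when a `received` URI is stored, it is the next hop.
    """
    hop = received or ruri
    return {
        "regex_denies": bool(PRIVATE_URI_RE.search(ruri)) and not has_route,
        "next_hop": hop,
        "next_hop_private": is_rfc1918(hop),
    }


if __name__ == "__main__":
    print(relay_decision(UA1_CONTACT, UA1_RECEIVED))
    print(relay_decision(UA1_CONTACT))
    print(relay_decision(LOOKALIKE))
```

The first call shows the case from the post: the regex denies the looked-up Request-URI even though the next hop is the public `received` address, while the last call shows the regex also matching a hostname that is not a private IP literal.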




