[Serusers] SER, STUN and NAT not playing together.

Shad Mortazavi Shad.Mortazavi at nexusmgmt.com
Fri Mar 24 18:00:16 CET 2006


Dear Group,

A few years ago I successfully configured SER. My UA's were both sitting
behind Firewall FVS318 and I was able to use X-Ten lite and a public
STUN server and hold conversations with various people across the NET.

I have tried to recreate the same environment and I'm running into
difficulties. I have provided as much information as possible so that
someone may be able to add some ideas to help me resolve this problem.


My SER server
-------------


192.168.0.1   || LINUX FIREWALL NAT || 65.X.Y.64 (public IP Address)

I have mapped UDP/TCP 5060 from 65.X.Y.64 to 192.168.0.1



UA1
---

192.168.0.10 || FVS318 FIREWALL ||84.X.Y.Z (Public IP Address)
	
UA2
---

192.168.1.12 || Nortel 221 Firewall || 84.X.Y.A


My first test is always to try and call myself! 

I have placed a packet sniffer outside of my FVS318, one on the UA LAN
and I'm running an ethereal capture on the SER server.


Here is what I see;

UA1             FVS318          LINUX FIREWALL  SER
------------------------------------------------------------
INVITE-->

SRC Port 5060   SRC Port 18564  SRC Port 18564  SRC Port 5060
DST Port 5060   DST Port 5060   DST Port 5060   DST Port 5060


<--TRYING

SRC Port 5060   SRC 5060        SRC port 5060   SRC Port 5060
DST Port 5060   DST Port 5060   DST Port 5060   DST Port 5060


<--INVITE
                                SRC Port 5060   SRC Port 5060
                DENY            DST Port 5060   SRC Port 5060


<--INVITE
                                SRC Port 5060   SRC Port 5060
                DENY            DST Port 5060   SRC Port 5060


<--INVITE
                                SRC Port 5060   SRC Port 5060
                DENY            DST Port 5060   SRC Port 5060

etc... until we time out.

Here is the sip digest (email continues after the digest :);


SIP MESSAGE 1        84.X.Y.Z:18425() -> 192.168.0.1:5060()
UDP Frame 538      24/Mar/06 10:26:48.2393
TimeFromPreviousSipFrame=20.2531 TimeFromStart=20.2531 
INVITE sip:shad at 65.X.Y.642 SIP/2.0 
Via: SIP/2.0/UDP 84.X.Y.Z:5060;rport;branch=z9hG4bKAC3E8656BB4A11DAAE75000393A75010
From: Shad <sip:Shad at 65.X.Y.642>;tag=2118835080 
To: <sip:shad at 65.X.Y.642> 
Contact: <sip:Shad at 84.X.Y.Z:5060> 
Call-ID: AB162664-BB4A-11DA-AE75-000393A75010 at 192.168.0.3 
CSeq: 40569 INVITE 
Max-Forwards: 70 
Content-Type: application/sdp 
User-Agent: X-Lite release 1105x 
Content-Length: 282 
 
v=0 
o=Shad 194756629 194756693 IN IP4 84.X.Y.Z 
s=X-Lite 
c=IN IP4 84.X.Y.Z 
t=0 0 
m=audio 8000 RTP/AVP 0 8 98 97 101 
a=rtpmap:0 pcmu/8000 
a=rtpmap:8 pcma/8000 
a=rtpmap:98 iLBC/8000 
a=rtpmap:97 speex/8000 
a=rtpmap:101 telephone-event/8000 
a=fmtp:101 0-15 
a=sendrecv 

============================================================================

SIP MESSAGE 2        192.168.0.1:5060() -> 84.X.Y.Z:18425()
UDP Frame 539      24/Mar/06 10:26:48.2514
TimeFromPreviousSipFrame=0.0121 TimeFromStart=20.2652 
SIP/2.0 100 trying -- your call is important to us 
Via: SIP/2.0/UDP 84.X.Y.Z:5060;rport=18425;branch=z9hG4bKAC3E8656BB4A11DAAE75000393A75010
From: Shad <sip:Shad at 65.X.Y.642>;tag=2118835080 
To: <sip:shad at 65.X.Y.642> 
Call-ID: AB162664-BB4A-11DA-AE75-000393A75010 at 192.168.0.3 
CSeq: 40569 INVITE 
Server: Sip EXpress router (0.8.12 (i386/linux)) 
Content-Length: 0 
Warning: 392 192.168.0.1:5060 "Noisy feedback tells:  pid=30110 req_src_ip=84.X.Y.Z req_src_port=18425 in_uri=sip:shad at 65.X.Y.642 out_uri=sip:Shad at 84.X.Y.Z:5060 via_cnt==1"
 

============================================================================

SIP MESSAGE 3        192.168.0.1:5060() -> 84.X.Y.Z:5060()
UDP Frame 540      24/Mar/06 10:26:48.2592
TimeFromPreviousSipFrame=0.0078 TimeFromStart=20.2730 
INVITE sip:Shad at 84.X.Y.Z:5060 SIP/2.0 
Record-Route: <sip:shad at 192.168.0.1;ftag=2118835080;lr=on> 
Via: SIP/2.0/UDP 192.168.0.1;branch=z9hG4bK00fc.855877d1.0 
Via: SIP/2.0/UDP 84.X.Y.Z:5060;rport=18425;branch=z9hG4bKAC3E8656BB4A11DAAE75000393A75010
From: Shad <sip:Shad at 65.X.Y.642>;tag=2118835080 
To: <sip:shad at 65.X.Y.642> 
Contact: <sip:Shad at 84.X.Y.Z:5060> 
Call-ID: AB162664-BB4A-11DA-AE75-000393A75010 at 192.168.0.3 
CSeq: 40569 INVITE 
Max-Forwards: 69 
Content-Type: application/sdp 
User-Agent: X-Lite release 1105x 
Content-Length: 282 
 
v=0 
o=Shad 194756629 194756693 IN IP4 84.X.Y.Z 
s=X-Lite 
c=IN IP4 84.X.Y.Z 
t=0 0 
m=audio 8000 RTP/AVP 0 8 98 97 101 
a=rtpmap:0 pcmu/8000 
a=rtpmap:8 pcma/8000 
a=rtpmap:98 iLBC/8000 
a=rtpmap:97 speex/8000 
a=rtpmap:101 telephone-event/8000 
a=fmtp:101 0-15 
a=sendrecv 

============================================================================

SIP MESSAGE 4        192.168.0.1:5060() -> 84.X.Y.Z:5060()
UDP Frame 596      24/Mar/06 10:26:49.1709
TimeFromPreviousSipFrame=0.9117 TimeFromStart=21.1847 
INVITE sip:Shad at 84.X.Y.Z:5060 SIP/2.0 
Record-Route: <sip:shad at 192.168.0.1;ftag=2118835080;lr=on> 
Via: SIP/2.0/UDP 192.168.0.1;branch=z9hG4bK00fc.855877d1.0 
Via: SIP/2.0/UDP 84.X.Y.Z:5060;rport=18425;branch=z9hG4bKAC3E8656BB4A11DAAE75000393A75010
From: Shad <sip:Shad at 65.X.Y.642>;tag=2118835080 
To: <sip:shad at 65.X.Y.642> 
Contact: <sip:Shad at 84.X.Y.Z:5060> 
Call-ID: AB162664-BB4A-11DA-AE75-000393A75010 at 192.168.0.3 
CSeq: 40569 INVITE 
Max-Forwards: 69 
Content-Type: application/sdp 
User-Agent: X-Lite release 1105x 
Content-Length: 282 
 
v=0 
o=Shad 194756629 194756693 IN IP4 84.X.Y.Z 
s=X-Lite 
c=IN IP4 84.X.Y.Z 
t=0 0 
m=audio 8000 RTP/AVP 0 8 98 97 101 
a=rtpmap:0 pcmu/8000 
a=rtpmap:8 pcma/8000 
a=rtpmap:98 iLBC/8000 
a=rtpmap:97 speex/8000 
a=rtpmap:101 telephone-event/8000 
a=fmtp:101 0-15 
a=sendrecv 

============================================================================

Obviously if the INVITE from the SER Server goes through on Port 5060
this is going to break!


I see the same thing if I try and call from UA2 to UA1 (More Email after
the digest :))


============================================================================
     SIP MESSAGE 1        84.X.Y.A:24575() -> 192.168.0.1:5060()
     UDP Frame 103      24/Mar/06 11:40:14.4074
TimeFromPreviousSipFrame=1.7003 TimeFromStart=1.7003 
OPTIONS sip:65.X.Y.64:5060 SIP/2.0 
Via: SIP/2.0/UDP 192.168.6.50;rport;branch=z9hG4bKc0a8063200000010442420ee0000369900000f1b
Content-Length: 0 
Call-ID: CE4F0254-4004-4129-9E4B-51CE8AAEE198 at 192.168.6.50 
CSeq: 61 OPTIONS 
From: <sip:bart at 65.X.Y.64:5060>;tag=2925878122169 
Max-Forwards: 70 
To: <sip:65.X.Y.64:5060> 
 

============================================================================
     SIP MESSAGE 2        192.168.0.1:5060() -> 84.X.Y.A:24575()
     UDP Frame 104      24/Mar/06 11:40:14.4078
TimeFromPreviousSipFrame=0.0004 TimeFromStart=1.7007 
SIP/2.0 404 Not Found 
Via: SIP/2.0/UDP 192.168.6.50;rport=24575;branch=z9hG4bKc0a8063200000010442420ee0000369900000f1b;received=84.X.Y.A
Call-ID: CE4F0254-4004-4129-9E4B-51CE8AAEE198 at 192.168.6.50 
CSeq: 61 OPTIONS 
From: <sip:bart at 65.X.Y.64:5060>;tag=2925878122169 
To: <sip:65.X.Y.64:5060>;tag=b27e1a1d33761e85846fc98f5f3a7e58.c661 
Server: Sip EXpress router (0.8.12 (i386/linux)) 
Content-Length: 0 
Warning: 392 192.168.0.1:5060 "Noisy feedback tells:  pid=30107 req_src_ip=84.X.Y.A req_src_port=24575 in_uri=sip:65.X.Y.64:5060 out_uri=sip:65.X.Y.64:5060 via_cnt==1"
 

============================================================================
     SIP MESSAGE 3        84.X.Y.A:24575() -> 192.168.0.1:5060()
     UDP Frame 699      24/Mar/06 11:40:29.5842
TimeFromPreviousSipFrame=15.1763 TimeFromStart=16.8771 
INVITE sip:shad at 65.X.Y.64:5060 SIP/2.0 
Via: SIP/2.0/UDP 192.168.6.50;rport;branch=z9hG4bKc0a8063200000225442420fd0000740600000f1d
Content-Length: 264 
Contact: <sip:bart at 84.X.Y.A:5060> 
Call-ID: 27CA29B7-302C-4FA1-BD57-AA2C4ADD5C69 at 192.168.6.50 
Content-Type: application/sdp 
CSeq: 1 INVITE 
From: "unknown"<sip:bart at 65.X.Y.64:5060>;tag=292738906749 
Max-Forwards: 70 
To: <sip:shad at 65.X.Y.64:5060> 
User-Agent: SJphone/1.60.289a (SJ Labs) 
 
v=0 
o=- 3352207229 3352207229 IN IP4 84.X.Y.A 
s=SJphone 
c=IN IP4 84.X.Y.A 
t=0 0 
a=direction:active 
m=audio 49180 RTP/AVP 3 0 8 101 
a=rtpmap:3 GSM/8000 
a=rtpmap:0 PCMU/8000 
a=rtpmap:8 PCMA/8000 
a=rtpmap:101 telephone-event/8000 
a=fmtp:101 0-11,16 

============================================================================

     SIP MESSAGE 4        192.168.0.1:5060() -> 84.X.Y.A:24575()
     UDP Frame 701      24/Mar/06 11:40:29.6111
TimeFromPreviousSipFrame=0.0270 TimeFromStart=16.9040 
SIP/2.0 100 trying -- your call is important to us 
Via: SIP/2.0/UDP 192.168.6.50;rport=24575;branch=z9hG4bKc0a8063200000225442420fd0000740600000f1d;received=84.X.Y.A
Call-ID: 27CA29B7-302C-4FA1-BD57-AA2C4ADD5C69 at 192.168.6.50 
CSeq: 1 INVITE 
From: "unknown"<sip:bart at 65.X.Y.64:5060>;tag=292738906749 
To: <sip:shad at 65.X.Y.64:5060> 
Server: Sip EXpress router (0.8.12 (i386/linux)) 
Content-Length: 0 
Warning: 392 192.168.0.1:5060 "Noisy feedback tells:  pid=30097 req_src_ip=84.X.Y.A req_src_port=24575 in_uri=sip:shad at 65.X.Y.64:5060 out_uri=sip:Shad at 84.X.Y.Z:5060 via_cnt==1"
 

============================================================================

     SIP MESSAGE 5        192.168.0.1:5060() -> 84.X.Y.Z:5060()
     UDP Frame 702      24/Mar/06 11:40:29.6114
TimeFromPreviousSipFrame=0.0003 TimeFromStart=16.9043 
INVITE sip:Shad at 84.X.Y.Z:5060 SIP/2.0 
Record-Route: <sip:shad at 192.168.0.1;ftag=292738906749;lr=on> 
Via: SIP/2.0/UDP 192.168.0.1;branch=z9hG4bK779f.4d153ff7.0 
Via: SIP/2.0/UDP 192.168.6.50;received=84.X.Y.A;rport=24575;branch=z9hG4bKc0a8063200000225442420fd0000740600000f1d
Content-Length: 264 
Contact: <sip:bart at 84.X.Y.A:5060> 
Call-ID: 27CA29B7-302C-4FA1-BD57-AA2C4ADD5C69 at 192.168.6.50 
Content-Type: application/sdp 
CSeq: 1 INVITE 
From: "unknown"<sip:bart at 65.X.Y.64:5060>;tag=292738906749 
Max-Forwards: 69 
To: <sip:shad at 65.X.Y.64:5060> 
User-Agent: SJphone/1.60.289a (SJ Labs) 
 
v=0 
o=- 3352207229 3352207229 IN IP4 84.X.Y.A 
s=SJphone 
c=IN IP4 84.X.Y.A 
t=0 0 
a=direction:active 
m=audio 49180 RTP/AVP 3 0 8 101 
a=rtpmap:3 GSM/8000 
a=rtpmap:0 PCMU/8000 
a=rtpmap:8 PCMA/8000 
a=rtpmap:101 telephone-event/8000 
a=fmtp:101 0-11,16 

============================================================================

I see STUN packets being sent to the public STUN server, and I see UDP
packets keeping the firewall ports open. The problem is that unless the
INVITE from the SER server is initiated on an open port, this is never
going to work!

As a final test, if I R-NAT UDP 5060 on the FVS318 it obviously works.
This is great if I have only one user that needs to use the service;
however, what happens when I want to have 2 or 3?

I would appreciate some help.

Thanks and Regards

Shad Mortazavi
------------------------------------------------------
Nexus Group Technical Manager
n|m Nexus Management Inc 
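
Added example, not part of the original post: a small Python check for the mismatch visible in the digest above, where the INVITE arrives from source port 18425 while its Via and Contact both advertise port 5060. The sample message and its 198.51.100.x / 203.0.113.x addresses are constructed placeholders, and `nat_findings` and its helpers are hypothetical names.

```python
import re

# Constructed sample modelled on SIP MESSAGE 1 of the post; the addresses are
# documentation-range placeholders, not values from the capture.
SAMPLE_SRC = ("198.51.100.7", 18425)   # source ip:port as seen by the proxy
SAMPLE_INVITE = (
    "INVITE sip:shad@203.0.113.64 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;rport;branch=z9hG4bKexample\r\n"
    "From: Shad <sip:Shad@203.0.113.64>;tag=1\r\n"
    "To: <sip:shad@203.0.113.64>\r\n"
    "Contact: <sip:Shad@198.51.100.7:5060>\r\n"
    "Call-ID: example@192.168.0.3\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

HOSTPORT = r"([0-9A-Za-z.\-]+)(?::(\d+))?"

def header(msg, name):
    """Return the first value of header `name` (case-insensitive), or None."""
    m = re.search(rf"^{name}\s*:\s*(.+?)\r?$", msg, re.I | re.M)
    return m.group(1) if m else None

def hostport(text, prefix):
    """Extract (host, port) following `prefix`; the port defaults to 5060."""
    m = re.search(prefix + HOSTPORT, text)
    return (m.group(1), int(m.group(2) or 5060)) if m else None

def nat_findings(msg, src):
    """Compare what the UA advertises with where the packet really came from."""
    via = hostport(header(msg, "Via") or "", r"SIP/2\.0/UDP\s+")
    contact = hostport(header(msg, "Contact") or "", r"sips?:(?:[^@>\s]+@)?")
    findings = []
    if via and via != src:
        findings.append(f"Via {via} != source {src}: "
                        "replies must follow rport/received, not the Via port")
    if contact and contact != src:
        findings.append(f"Contact {contact} != source {src}: requests sent to "
                        "the Contact target a port the NAT never opened")
    return findings

if __name__ == "__main__":
    for line in nat_findings(SAMPLE_INVITE, SAMPLE_SRC):
        print(line)
```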
