[SR-Users] kamailio restart and TLS ( relay_to_tls() )
Dominguez Jover, Ricardo
djover at umh.es
Tue Dec 21 14:13:13 CET 2010
Klaus, exactly what you said is happening: a duplicated TCP connection. Now I'll tell you what I've found and the timing variables. First of all, there is no NAT in this scenario.
About the timing variables: there is a re-register time in the client (by default 3600s) and a "minimum time" (20s). Every time I restart Kamailio, after the minimum time the client re-opens a session. The client is not sending any SIP keepalive (I've switched it OFF), and in Kamailio "tcp_connection_lifetime=120", so after this time the first TCP connection is closed.
But this happens only if I don't try to register again. If I do so, having the duplicated connection, then the first TCP connection only closes after the re-register timer finishes, and the second TCP connection closes every 120 seconds and then is re-opened after the 20s period.
In my config TCP ASYNC is set to NO and set_forward_no_connect() doesn't seem to do anything since there is no NAT.
I can reduce the re-register time on the client side for a faster expiry of the first TCP connection. But how could I close the "corrupted" TCP connection from the server side? As I said, since the second TCP connection is opened, "tcp_connection_lifetime" doesn't affect the first one.
Kind regards,
Ricardo Dominguez
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at]
Sent: Tuesday, December 21, 2010 10:47
To: Dominguez Jover, Ricardo
CC: sr-users at lists.sip-router.org
Subject: Re: [SR-Users] kamailio restart and TLS ( relay_to_tls() )
On 21.12.2010 08:30, Dominguez Jover, Ricardo wrote:
> Hi everybody,
>
> Since I implemented Kamailio 3.1 with TLS I've found a strange behavior.
> That is, with some clients (Bria and Blink) registered, if I restart
> Kamailio, then when the clients re-register the strange behaviour
> happens. This behavior consists of receiving calls: it took about 15
> seconds to receive the first tone since the call was made.
This sounds like some timeout.
Just think about what may happen: you restart Kamailio - thus the TCP
connection is terminated and probably the client will create a new
registration using a new TCP connection.
As the old registration was not deREGISTERed, you will have 2 entries in
your location table: one for the new registration (if the client already
registered) and one for the old one (pointing to a non-existing TCP
connection).
Now on incoming call, Kamailio will try to establish a TCP connection to
the old contact - which for sure will fail if the client is behind NAT
or a firewall.
There are several TCP parameters to tweak, e.g:
make sure TCP is non-blocking:
http://www.kamailio.org/dokuwiki/doku.php/core-cookbook:3.1.x#tcp_async
do not try to open TCP connections to SIP clients when they are known to
be behind NAT/FW.
http://www.kamailio.org/dokuwiki/doku.php/core-cookbook:3.1.x#set_forward_no_connect
There are also some more TCP functions which can be used to change the
behavior, just look around set_forward_no_connect() function in core
cookbook.
regards
klaus
regards
Klaus
>
> I made the following modification in the "route[Relay]" config. The
> reason is I wanted my gateway and Kamailio to make signaling by TLS.
> Without this modification the signaling was unencrypted (SIP):
>
> route[RELAY] {
> #!ifdef WITH_NAT
>     if (check_route_param("nat=yes")) {
>         setbflag(FLB_NATB);
>     }
>     if (isflagset(FLT_NATS) || isbflagset(FLB_NATB)) {
>         route(RTPPROXY);
>     }
> #!endif
>
>     /* example how to enable some additional event routes */
>     if (is_method("INVITE")) {
>         #t_on_branch("BRANCH_ONE");
>         t_on_reply("REPLY_ONE");
>         t_on_failure("FAIL_ONE");
>     }
>
>     # Communicates with the GW through TLS
>     # If I'm calling a PBX extension do the signaling by TLS with the gateway (Cisco 2811)
>     if (!(($od=~"mydomain.com") && (($rU=~"[a-z]{3,20}$") || ($rU=~"^xx[0-9][0-9]$")))) {
>         if (!t_relay_to_tls()) {
>             sl_reply_error();
>         }
>     } else {
>         if (!t_relay()) {
>             sl_reply_error();
>         }
>     }
>     exit;
> }
>
> The rest of functionalities are working really fine. Any idea about what
> is happening?
>
> Cheers!
>
> *Ricardo Domínguez*
>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
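
The TCP tuning suggested in the reply above, written out as a Kamailio configuration fragment. This is an added example, not configuration from either poster: the timeout values, the route name `LOCATION`, and the choice to keep idle connections slightly longer than the client's 3600 s re-register interval are assumptions.

```cfg
# Added example, not from the thread. All values are illustrative assumptions.

# --- core parameters (global section of kamailio.cfg) ---

# Non-blocking connect/send, so a contact that points to a dead
# connection does not stall a worker process.
tcp_async=yes

# Give up quickly on outbound connects and blocked sends (seconds).
tcp_connect_timeout=3
tcp_send_timeout=3

# Keep an idle connection alive a little longer than the client's
# re-register interval (3600 s in the thread) so that the connection
# the client registered over can be reused for incoming calls.
tcp_connection_lifetime=3610

# --- routing logic ---

# Hypothetical route for requests addressed to locally registered users.
route[LOCATION] {
    if (!lookup("location")) {
        sl_send_reply("404", "Not Found");
        exit;
    }

    # Forward only over a connection that already exists. A stale
    # contact left over from before the restart then fails at once
    # instead of waiting for a connect attempt to time out.
    set_forward_no_connect();

    route(RELAY);
}
```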