[SR-Users] kamailio loadbalancer with TLS problem forwarding INVITE back to UA
Klaus Darilion
klaus.mailinglists at pernau.at
Fri Jun 28 10:16:22 CEST 2013
Hi Allen!
Again on-list, please do not use private emails unless you have to
provide sensitive data.
On 28.06.2013 01:17, Allen Zhang wrote:
> Hi Klaus,
>
> I dived into it and found the problem:
>
> When UA2 sends a REGISTER to the load balancer, fix_nated_register() is called and source ip of the UA is stored in the connection hash by tcpconn_new(), instead of the port from the contact header field.
> But when proxy tries to send the INVITE to UA2 via the load balancer, the load balancer calls tcpconn_find() with the port from the contact header field.
> Hence can't match the connection stored in hash.
I do not understand that.
fix_nated_register stores both info: the original contact +
src-ip:port:transport.
After lookup(), the Request-URI is filled with the original contact, but
$du (destination URI, internally used by Kamailio for routing) is
populated with src-ip:port:transport. Thus, Kamailio should use the $du
to find the TCP connection.
Anyway, TLS debugging is always difficult. I suggest trying to get it
running with TCP. If TCP works, TLS will work too.
regards
Klaus
>
> I need to use fix_nated_register() because the UA will be behind NAT in the future. How do I let the LB use aliased port instead of the port from the contact header field?
>
> Regards,
>
> Allen
>
>
> -----Original Message-----
> From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at]
> Sent: Thursday, 27 June 2013 10:54 p.m.
> To: Kamailio (SER) - Users Mailing List
> Cc: Allen Zhang; Shane Harrison
> Subject: Re: [SR-Users] kamailio loadbalancer with TLS problem forwarding INVITE back to UA
>
> make sure to also use handle_ruri_alias()
> http://kamailio.org/docs/modules/4.0.x/modules/nathelper.html#idp16851488
> for requests from the proxy->lb->client
>
> see the default kamailio config for proper usage of handle_ruri_alias() and add_contact_alias()
>
> regards
> klaus
>
>
> On 27.06.2013 02:34, Allen Zhang wrote:
>> Hi,
>>
>> Our set up:
>>
>> UA1 -----                                  ------ Proxy1
>>          \                                /
>>           Loadbalancer (dispatcher module)
>>          /                                \
>> UA2 -----                                  ------ Proxy2
>>
>> Both proxies have registrar module loaded and share the same database.
>>
>> REGISTERs work fine.
>>
>> The problem is this:
>>
>>            TLS                       TCP
>> UA1 ----------------------> LB --------------------> Proxy
>>      INVITE(to UA2)              INVITE(to UA2)
>>
>>         TLS               TCP
>> UA1 <------------- LB <------------- Proxy
>>      100 Trying
>>
>>         TLS                    TCP
>> UA1 <------------- LB <----------------------- Proxy
>>      INVITE(to UA2)
>>
>>             TLS                         TCP
>> UA1 <----------------------- LB <----------------------- Proxy
>>      100 Trying
>>
>> All above worked fine. Below is what's expected but never happened:
>>
>>             TLS                         TCP
>> UA2 <----------------------- LB <----------------------- Proxy
>>      INVITE(to UA2)
>>
>> We'd like the LB to reuse the TLS connection initiated by UA2. But LB
>> can't find an open connection and tries to start a new TLS connection.
>> The new connection fails.
>>
>> UAs are not behind NAT at the moment but will be in the future.
>>
>> Tried this approach on LB:
>>
>>     route(ADD_CONTACT_ALIAS);
>>     If (not from proxy)
>>         t_relay();
>>     else
>>         do load balancing
>>
>> No luck.
>>
>> Any help is appreciated.
>>
>> Regards,
>>
>> Allen
>>
>>
>>
>
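The load-balancer routing discussed in this thread (add_contact_alias() for requests from the UA, handle_ruri_alias() for proxy->lb->client), as an added example; it is not taken from the thread or from the default Kamailio config. The proxy addresses, dispatcher set 1 and the loaded modules (tm, sl, xlog, nathelper, dispatcher) are assumptions.

```kamailio
# Added example: load-balancer routing fragment, not a complete kamailio.cfg.
# Assumed: tm, sl, xlog, nathelper and dispatcher are loaded; dispatcher
# set 1 lists Proxy1 and Proxy2; 192.0.2.11/.12 are constructed addresses.

request_route {
    if (src_ip == 192.0.2.11 || src_ip == 192.0.2.12) {
        route(FROM_PROXY);
    } else {
        route(FROM_UA);
    }
}

# proxy -> lb -> client
route[FROM_PROXY] {
    if (!isdsturiset()) {
        # Strips ";alias=ip~port~transport" from the R-URI and sets $du
        # from it. Returns 1 (alias used), 2 (no alias) or -1 (error).
        if (!handle_ruri_alias()) {
            xlog("L_ERR", "bad alias in R-URI $ru\n");
            sl_send_reply("400", "Bad Request");
            exit;
        }
    }
    # $du now names the UA's source ip:port:transport, so t_relay() can
    # match the connection the UA opened instead of dialing the Contact.
    xlog("L_INFO", "$rm to client: ru=$ru du=$du\n");
    t_relay();
    exit;
}

# client -> lb -> proxy
route[FROM_UA] {
    # Appends ";alias=ip~port~transport" to the Contact when it differs
    # from the source address the request arrived from.
    add_contact_alias();
    if (!ds_select_dst("1", "4")) {    # set 1, algorithm 4 = round-robin
        sl_send_reply("503", "Service Unavailable");
        exit;
    }
    t_relay();
    exit;
}
```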