[SR-Users] rtpengine - SRTP <> RTP missing a=crypto

Richard Fuchs rfuchs at sipwise.com
Thu Mar 3 15:11:34 CET 2022

On 03/03/2022 08.47, [EXT] Rhys Hanrahan wrote:
> Hi Richard,
> Yes, from what I’ve seen in the logs there are multiple branches 
> happening. One between Teams and Kamailio and one between Kamailio and 
> Asterisk.
> In terms of the rtpengine processing, I’ve tried lots of different 
> variations, but right now I’ve got:
>   * Rtpengine_manage() by itself for new branches and replies
>   * Rtpengine_manage(“RTP/AVP”) or rtpengine_manage(“RTP/SAVP”)
>     essentially in request_route for the initial invites to/from Teams
>   * I do also have the stock NATMANAGE using rtpengine but there’s no
>     NAT involved here so I don’t think it applies.
> So as far as I can tell, I shouldn’t be calling rtpengine_manage 
> multiple times. Is this bad to do? I did have previous configs where I 
> was doing this. E.g. during RELAY I would call it with general options 
> and then just modify AVP or SAVP in another section.
> Interestingly, I noticed that a new branch is created just as I answer 
> the call, and this is when it fails, so perhaps the issue is with how 
> I’m handling new branches then? Below is a bit of a log to try and 
> summarise what’s happening. Unfortunately it’s not logging the MS 
> Teams side of the call except for the initial invite.
What usually happens (and this is a common mistake that can be confirmed 
by looking at the logs produced by rtpengine) is that rtpengine is 
invoked multiple times for the same invite (once in each branch) with 
different options, but without telling rtpengine that these are 
branches. From rtpengine's POV these invites are all in the same branch 
then, and the options used in a later invocation are simply overriding 
the options used in previous invocations. So when the last invocation 
was using plain RTP and then the reply is using SRTP belonging to a 
different invocations, then rtpengine would not know about the SRTP 
attributes any more.

But without detailed logs this is just a speculation. You can see the 
actual signalling to rtpengine in the logs produced by rtpengine 
(especially with debug logging enabled). It's also possible that the 
signalling direction is reversed for example.

BTW we have a mailing list dedicated to rtpengine questions: 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20220303/0641b992/attachment.htm>

More information about the sr-users mailing list