[asterisk-bugs] [Asterisk 0018048]: Incorrect registrations and/or Check Authorization of NAT SIP devices
Asterisk Bug Tracker
noreply at bugs.digium.com
Tue Sep 28 10:55:15 CDT 2010
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=18048
======================================================================
Reported By: jlaguilar
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 18048
Category: Channels/chan_sip/Registration
Reproducibility: always
Severity: major
Priority: normal
Status: new
Asterisk Version: 1.6.2.13
JIRA:
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
======================================================================
Date Submitted: 2010-09-24 12:51 CDT
Last Modified: 2010-09-28 10:55 CDT
======================================================================
Summary: Incorrect registrations and/or Check Authorization
of NAT SIP devices
Description:
When realtime SIP devices behind NAT register, the following fields get
populated by asterisk in the database: fullcontact, ipaddr, port.
We are currently experiencing that the fullcontact field gets populated
with the internal port used by the device in the LAN and the port field
gets populated by the actual port used to contact asterisk in the public
internet. For example:
| name | fullcontact                  | ipaddr         | port |
| 1003 | sip:1003@74.211.XXX.XXX:1066 | 74.211.XXX.XXX | 1073 |
| 1004 | sip:1004@74.211.XXX.XXX:1073 | 74.211.XXX.XXX | 1077 |
SIP device 1003 is using UDP port 1066 in the local network, but the
router is mapping that port to the external UDP port 1073 (public network),
which is the port asterisk is getting the network connection from (This is
the correct behavior for NAT devices). Likewise SIP device 1004 is using
UDP port 1073 in the LAN, and the router maps to port 1077 in the public
network.
In this scenario, both devices are able to receive inbound calls, but SIP
device 1004 is not able to dial out. It gets the following error: username
mismatch, have <1003>, digest has <1004>. SIP configuration (insecure=no).
Inbound calls work because asterisk is routing correctly to the IP address
and port it got from the network connections (NAT devices). In this case it
sends the call to IP 74.211.XXX.XXX and port 1073 for device 1003 and port
1077 for device 1004. The router maps to the internal ports and the calls
work.
For outbound calls, asterisk is trying to check peer authorization based
on the SIP header information which advertises the internal port (In our
example sip:1004@74.211.XXX.XXX:1073) instead of using the port of the
received network connection, and then tries to match the peer in its table
to the peer registered in IP address 74.211.XXX.XXX and port 1073. As you
can see, the peer registered in the external port 1073 is SIP device 1003
(Not 1004), and the call fails with the error: username mismatch, have
<1003>, digest has <1004>.
This only happens when an internal port number being used by one device
matches an external port being used by another device from the same IP
address (NAT). It doesn't happen a lot, but it does happen. If there are no
matches, the SIP device is authenticated correctly.
======================================================================
----------------------------------------------------------------------
(0127465) lmadsen (administrator) - 2010-09-28 10:55
https://issues.asterisk.org/view.php?id=18048#c127465
----------------------------------------------------------------------
This sounds like you should be using: insecure=port
I think this is the exact scenario that option was designed for. Give it a
shot and report back.
Issue History
Date Modified Username Field Change
======================================================================
2010-09-28 10:55 lmadsen Note Added: 0127465
======================================================================
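
A check for the collision condition the report describes, as an added example that is not part of the original report or of Asterisk's code. It models the address lookup only as the reporter describes it; the row fields are named after the realtime columns in the report, 192.0.2.10 is a constructed stand-in for the masked public IP, and all function names are hypothetical.

```python
import re
from collections import namedtuple

# Field names follow the realtime columns named in the report.
Reg = namedtuple("Reg", "name fullcontact ipaddr port")

# Constructed rows mirroring the report's table; 192.0.2.10 is a
# documentation address standing in for the masked public IP.
ROWS = [
    Reg("1003", "sip:1003@192.0.2.10:1066", "192.0.2.10", 1073),
    Reg("1004", "sip:1004@192.0.2.10:1073", "192.0.2.10", 1077),
]

def contact_port(fullcontact):
    """Port advertised in a sip:/sips: contact URI (IPv4 or hostname only)."""
    m = re.match(r"(sips?):(?:[^@]+@)?([^:;>]+)(?::(\d+))?", fullcontact)
    if not m:
        raise ValueError("not a SIP URI: %r" % fullcontact)
    if m.group(3):
        return int(m.group(3))
    return 5061 if m.group(1) == "sips" else 5060

def peer_at(rows, ip, port):
    """Name of the peer registered at (ipaddr, port), or None."""
    for r in rows:
        if r.ipaddr == ip and r.port == port:
            return r.name
    return None

def check(rows, digest_user, ip, port):
    """Error string if the address lookup lands on another peer, else None."""
    have = peer_at(rows, ip, port)
    if have is not None and have != digest_user:
        return "username mismatch, have <%s>, digest has <%s>" % (have, digest_user)
    return None

def colliding_pairs(rows):
    """(a, b) where a's advertised port equals b's mapped port on the same IP."""
    return [(a.name, b.name) for a in rows for b in rows
            if a.name != b.name and a.ipaddr == b.ipaddr
            and contact_port(a.fullcontact) == b.port]

if __name__ == "__main__":
    dev = ROWS[1]  # device 1004
    print(check(ROWS, dev.name, dev.ipaddr, contact_port(dev.fullcontact)))
    print(check(ROWS, dev.name, dev.ipaddr, dev.port))
    print(colliding_pairs(ROWS))
```

Running `colliding_pairs` over an export of the registration rows lists the devices that can hit the mismatch before a user reports failed outbound calls.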