[asterisk-bugs] [JIRA] (ASTERISK-24149) Routing problems on firewall with chan_pjsip packets on port 5060 (chan_sip and/or other port working)

Thu Aug 14 10:41:30 CDT 2014

    [ https://issues.asterisk.org/jira/browse/ASTERISK-24149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=221672#comment-221672 ] 

Matt Jordan commented on ASTERISK-24149:
----------------------------------------

Yes, I looked at the pcap, hence why I commented that the only difference between the two packets is the {{Contact}} header.

Let's look at your issue description:
{quote}
Have a very weird bug on routing chan_pjsip on the firewall. I thought it is a firewall/router problem but other ports than 5060 work and chan_sip works also on 5060.

Short: My phone is behind a SNAT attached to a bridge to the servernet and registers well. When I try to call the phone, the SNAT is reverted correctly but the SIP/Invite packet is not routed to the correct interface. Exactly same constellation works with chan_sip and with other ports tzhan 5060 (e.g. 5061 or 5000). Firewall rules are the same for 5060 and 5061.
{quote}

>From that, you're telling us that:
# {{chan_pjsip}} works on all ports but 5060.
# {{chan_sip}} works on all ports.

So the only time things fail to work is when {{chan_pjsip}} sends to port 5060.

Looking at your pcap, there are no ICMP destination unreachable errors. When transmitting to port 5060, using both {{chan_sip}} and {{chan_pjsip}}, Asterisk sends to the same destination address. The request lines are effectively the same; the {{From}} and {{To}} headers appear to be effectively the same. The only difference is in the {{Contact}} header, where {{chan_sip}} uses a much shorter user identifier in the URI and {{chan_pjsip}} ... does not.

A firewall doesn't explain this issue. If there was a firewall involved, I'd expect to see a Destination unreachable ICMP packet when {{chan_pjsip}}'s request gets bounced off. A SIP ALG *does* explain this, as a SIP ALG may choose to kill a packet in the router when it inspects the headers.

Hence: do you have an ALG in your router? Is it turned on? Is it displaying anything?

Right now, I don't know why the ALG would kill the packet. It _may_ be because of the Contact header in the packet that {{chan_pjsip}} sent out; it may not. Without further information, however, this bug will be closed. We aren't going to change things randomly in Asterisk in the vain hopes that something works.

> Routing problems on firewall with chan_pjsip packets on port 5060 (chan_sip and/or other port working)
> ------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-24149
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24149
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_pjsip
>    Affects Versions: 12.4.0
>         Environment: CentOS 6.5
> FreePBX 12.0.1beta29
> Asterisk 12.4
> openVZ Container on Proxmox 3.1
>            Reporter: Martin
>            Assignee: Matt Jordan
>         Attachments: info_1.txt, issue_24149_1.cap, issue_24149_full_log_1
>
>
> Have a very weird bug on routing  chan_pjsip on the firewall. I thought it is a firewall/router problem but other ports than 5060 work and chan_sip works also on 5060.
> Short: My phone is behind a SNAT attached to a bridge to the servernet and registers well. When I try to call the phone, the SNAT is reverted correctly but the SIP/Invite packet is not routed to the correct interface. Exactly same constellation works with chan_sip and with other ports tzhan 5060 (e.g. 5061 or 5000). Firewall rules are the same for 5060 and 5061.
> Long: If it is okay, I would refer to this thread, it is explained there:
> http://community.freepbx.org/t/differences-in-nat-between-chan-sip-and-pjsip/23394
> If not, I will write one more summary.
> I know it sounds like a problem on the router/firewall, but there really is no special configuration. If there were a problem with port 5060 I think chan_sip would not work either.
> Are there any differences in packet construction between these sip stacks? I compared both invite packets in tcpdump/wireshark but I could not see a really offending problem.
> In pjsip the DF flag is set and the packet is larger than in sip, but is shorter than the MTU (1500). About 1120B length.

--
This message was sent by Atlassian JIRA
(v6.2#6252)