[asterisk-bugs] [JIRA] (ASTERISK-25007) Notify packet to private IP endpoint behind nat with pjsip tls transport

Fco Javier (JIRA) noreply at issues.asterisk.org
Fri Apr 24 04:47:33 CDT 2015 

Fco Javier created ASTERISK-25007:
-------------------------------------

             Summary: Notify packet to private IP endpoint behind nat with pjsip tls transport 
                 Key: ASTERISK-25007
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25007
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Resources/res_pjsip
    Affects Versions: 13.3.2
         Environment: Debian 7, Asterisk 13.3.2, Kernel 3.2, pjsip 2.3
            Reporter: Fco Javier


test scenario:
- two endpoints behind nat (yealink and jitsi)
- Asterisk 13.3.2 behind firewall
- pjsip 2.3 configured with tls transport

The endpoints register correctly and i can make calls. 
After register the phone, when asterisk sends a notify packet when the state change on another endpoint, this packet goes out with private ip of endpoint.

This is the transport configuration:

[transport-tls-nat]
type=transport
protocol=tls
bind=0.0.0.0:5071
local_net=192.168.1.0/24

external_media_address=222.222.222.222
external_signaling_address=222.222.222.222

;TLS
cert_file=/var/lib/asterisk/keys/asterisk.crt
priv_key_file=/var/lib/asterisk/keys/asterisk.key
ca_list_file=/var/lib/asterisk/keys/ca.crt
method=tlsv1
require_client_cert=yes
verify_client=yes
verify_server=yes


and this is the endpiont configuration:

[508]
type=endpoint
rtp_symmetric=yes
force_rport=yes
rewrite_contact=yes
device_state_busy_at=1
allow_subscribe=yes
sub_min_expiry=30
aggregate_mwi=yes
media_encryption=sdes
direct_media=no
disallow=all
allow=alaw
message_context=messages
context=pbx-incoming
language=es
call_group=1
pickup_group=1
callerid=EXT 508<508>
mailboxes=508 at default
mwi_from_user=508
aors=508
auth=508


This is the register for endpoint 508:

<--- Received SIP request (563 bytes) from TLS:79.168.115.36:17193 --->
REGISTER sip:222.222.222.222:5071 SIP/2.0
Via: SIP/2.0/TLS 10.0.0.24:17193;branch=z9hG4bK1569966680
From: "508" <sip:508 at 222.222.222.222:5071>;tag=1202817422
To: "508" <sip:508 at 222.222.222.222:5071>
Call-ID: 1904297113 at 10.0.0.24
CSeq: 1 REGISTER
Contact: <sip:508 at 10.0.0.24:17193;transport=TLS>
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T28P 2.72.0.80
Expires: 3600
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0


<--- Transmitting SIP response (476 bytes) to TLS:79.168.115.36:17193 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 10.0.0.24:17193;rport=17193;received=79.168.115.36;branch=z9hG4bK1569966680
Call-ID: 1904297113 at 10.0.0.24
From: "508" <sip:508 at 222.222.222.222>;tag=1202817422
To: "508" <sip:508 at 222.222.222.222>;tag=z9hG4bK1569966680
CSeq: 1 REGISTER
WWW-Authenticate: Digest  realm="asterisk",nonce="1429863879/3c64b644dddf290b142711576e38cb78",opaque="20ffa10f43871d4c",algorithm=md5,qop="auth"
Server: Asterisk PBX 13.3.2
Content-Length:  0


<--- Received SIP request (844 bytes) from TLS:79.168.115.36:17193 --->
REGISTER sip:222.222.222.222:5071 SIP/2.0
Via: SIP/2.0/TLS 10.0.0.24:17193;branch=z9hG4bK1919829619
From: "508" <sip:508 at 222.222.222.222:5071>;tag=1202817422
To: "508" <sip:508 at 222.222.222.222:5071>
Call-ID: 1904297113 at 10.0.0.24
CSeq: 2 REGISTER
Contact: <sip:508 at 10.0.0.24:17193;transport=TLS>
Authorization: Digest username="pepito", realm="asterisk", nonce="1429863879/3c64b644dddf290b142711576e38cb78", uri="sip:222.222.222.222:5071", response="abd906a13f910b1d9365a6dd6de9a7fe", algorithm=MD5, cnonce="0a4f113b", opaque="20ffa10f43871d4c", qop=auth, nc=00000001
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T28P 2.72.0.80
Expires: 3600
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0


    -- Added contact 'sip:508 at 79.168.115.36:17193;transport=TLS' to AOR '508' with expiration of 3600 seconds
<--- Transmitting SIP response (438 bytes) to TLS:79.168.115.36:17193 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.0.0.24:17193;rport=17193;received=79.168.115.36;branch=z9hG4bK1919829619
Call-ID: 1904297113 at 10.0.0.24
From: "508" <sip:508 at 222.222.222.222>;tag=1202817422
To: "508" <sip:508 at 222.222.222.222>;tag=z9hG4bK1919829619
CSeq: 2 REGISTER
Date: Fri, 24 Apr 2015 08:24:39 GMT
Contact: <sip:508 at 79.168.115.36:17193;transport=TLS>;expires=3599
Expires: 3600
Server: Asterisk PBX 13.3.2
Content-Length:  0


<--- Received SIP request (444 bytes) from TLS:79.168.115.36:17193 --->
SUBSCRIBE sip:503 at 222.222.222.222:5071 SIP/2.0
Via: SIP/2.0/TLS 10.0.0.24:17193;branch=z9hG4bK1940910600
From: "508" <sip:508 at 222.222.222.222:5071>;tag=744674526
To: <sip:503 at 222.222.222.222:5071>
Call-ID: 1232464291 at 10.0.0.24
CSeq: 1 SUBSCRIBE
Contact: <sip:508 at 10.0.0.24:17193;transport=TLS>
Accept: application/dialog-info+xml
Max-Forwards: 70
User-Agent: Yealink SIP-T28P 2.72.0.80
Expires: 1800
Event: dialog
Content-Length: 0


<--- Transmitting SIP response (470 bytes) to TLS:79.168.115.36:17193 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 10.0.0.24:17193;rport=17193;received=79.168.115.36;branch=z9hG4bK1940910600
Call-ID: 1232464291 at 10.0.0.24
From: "508" <sip:508 at 222.222.222.222>;tag=744674526
To: <sip:503 at 222.222.222.222>;tag=z9hG4bK1940910600
CSeq: 1 SUBSCRIBE
WWW-Authenticate: Digest  realm="asterisk",nonce="1429863879/3c64b644dddf290b142711576e38cb78",opaque="17d8f99064c34a01",algorithm=md5,qop="auth"
Server: Asterisk PBX 13.3.2
Content-Length:  0


<--- Received SIP request (465 bytes) from TLS:79.168.115.36:17193 --->
SUBSCRIBE sip:508 at 222.222.222.222:5071 SIP/2.0
Via: SIP/2.0/TLS 10.0.0.24:17193;branch=z9hG4bK925409121
From: "508" <sip:508 at 222.222.222.222:5071>;tag=521164520
To: "508" <sip:508 at 222.222.222.222:5071>
Call-ID: 1245340423 at 10.0.0.24
CSeq: 1 SUBSCRIBE
Contact: <sip:508 at 10.0.0.24:17193;transport=TLS>
Accept: application/simple-message-summary
Max-Forwards: 70
User-Agent: Yealink SIP-T28P 2.72.0.80
Expires: 3600
Event: message-summary
Content-Length: 0


<--- Transmitting SIP response (474 bytes) to TLS:79.168.115.36:17193 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 10.0.0.24:17193;rport=17193;received=79.168.115.36;branch=z9hG4bK925409121
Call-ID: 1245340423 at 10.0.0.24
From: "508" <sip:508 at 222.222.222.222>;tag=521164520
To: "508" <sip:508 at 222.222.222.222>;tag=z9hG4bK925409121
CSeq: 1 SUBSCRIBE
WWW-Authenticate: Digest  realm="asterisk",nonce="1429863879/3c64b644dddf290b142711576e38cb78",opaque="2271d35939c4549c",algorithm=md5,qop="auth"
Server: Asterisk PBX 13.3.2
Content-Length:  0


<--- Received SIP request (751 bytes) from TLS:79.168.115.36:17193 --->
SUBSCRIBE sip:508 at 222.222.222.222:5071 SIP/2.0
Via: SIP/2.0/TLS 10.0.0.24:17193;branch=z9hG4bK1689103066
From: "508" <sip:508 at 222.222.222.222:5071>;tag=521164520
To: "508" <sip:508 at 222.222.222.222:5071>
Call-ID: 1245340423 at 10.0.0.24
CSeq: 2 SUBSCRIBE
Contact: <sip:508 at 10.0.0.24:17193;transport=TLS>
Authorization: Digest username="pepito", realm="asterisk", nonce="1429863879/3c64b644dddf290b142711576e38cb78", uri="sip:508 at 222.222.222.222:5071", response="29e7d48d8f867288a8f7011c220c173b", algorithm=MD5, cnonce="0a4f113b", opaque="2271d35939c4549c", qop=auth, nc=00000001
Accept: application/simple-message-summary
Max-Forwards: 70
User-Agent: Yealink SIP-T28P 2.72.0.80
Expires: 3600
Event: message-summary
Content-Length: 0


<--- Transmitting SIP response (562 bytes) to TLS:79.168.115.36:17193 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.0.0.24:17193;rport=17193;received=79.168.115.36;branch=z9hG4bK1689103066
Call-ID: 1245340423 at 10.0.0.24
From: "508" <sip:508 at 222.222.222.222>;tag=521164520
To: "508" <sip:508 at 222.222.222.222>;tag=baa993ec-dc26-46fc-bd1a-6c2db441d988
CSeq: 2 SUBSCRIBE
Expires: 3600
Contact: <sip:222.222.222.222:5071;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REGISTER, REFER
Supported: 100rel, timer, replaces, norefersub
Server: Asterisk PBX 13.3.2
Content-Length:  0


<--- Transmitting SIP request (684 bytes) to TLS:79.168.115.36:17193 --->
NOTIFY sip:508 at 79.168.115.36:17193;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 222.222.222.222:5071;rport;branch=z9hG4bKPjfc2ca8c2-b94e-4dac-805c-060495d28633;alias
From: "508" <sip:508 at 222.222.222.222>;tag=baa993ec-dc26-46fc-bd1a-6c2db441d988
To: "508" <sip:508 at 222.222.222.222>;tag=521164520
Contact: <sip:222.222.222.222:5071;transport=TLS>
Call-ID: 1245340423 at 10.0.0.24
CSeq: 28883 NOTIFY
Event: message-summary
Subscription-State: active;expires=3599
Allow-Events: message-summary, presence, dialog, refer
Max-Forwards: 70
User-Agent: Asterisk PBX 13.3.2
Content-Type: application/simple-message-summary
Content-Length:    48

Messages-Waiting: no
Voice-Message: 0/0 (0/0)

<--- Received SIP request (728 bytes) from TLS:79.168.115.36:17193 --->
SUBSCRIBE sip:503 at 222.222.222.222:5071 SIP/2.0
Via: SIP/2.0/TLS 10.0.0.24:17193;branch=z9hG4bK766939248
From: "508" <sip:508 at 222.222.222.222:5071>;tag=744674526
To: <sip:503 at 222.222.222.222:5071>
Call-ID: 1232464291 at 10.0.0.24
CSeq: 2 SUBSCRIBE
Contact: <sip:508 at 10.0.0.24:17193;transport=TLS>
Authorization: Digest username="pepito", realm="asterisk", nonce="1429863879/3c64b644dddf290b142711576e38cb78", uri="sip:503 at 222.222.222.222:5071", response="01c1e7ab670f410eed0dc2a51a42279c", algorithm=MD5, cnonce="0a4f113b", opaque="17d8f99064c34a01", qop=auth, nc=00000001
Accept: application/dialog-info+xml
Max-Forwards: 70
User-Agent: Yealink SIP-T28P 2.72.0.80
Expires: 1800
Event: dialog
Content-Length: 0


<--- Transmitting SIP response (555 bytes) to TLS:79.168.115.36:17193 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.0.0.24:17193;rport=17193;received=79.168.115.36;branch=z9hG4bK766939248
Call-ID: 1232464291 at 10.0.0.24
From: "508" <sip:508 at 222.222.222.222>;tag=744674526
To: <sip:503 at 222.222.222.222>;tag=af671a2f-0001-42af-96cf-0f86e3d85c10
CSeq: 2 SUBSCRIBE
Expires: 1800
Contact: <sip:222.222.222.222:5071;transport=TLS>
Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REGISTER, REFER
Supported: 100rel, timer, replaces, norefersub
Server: Asterisk PBX 13.3.2
Content-Length:  0


<--- Transmitting SIP request (856 bytes) to TLS:79.168.115.36:17193 --->
NOTIFY sip:508 at 79.168.115.36:17193;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 222.222.222.222:5071;rport;branch=z9hG4bKPjb4b191b0-df38-41e9-bd93-11bf763f8106;alias
From: <sip:503 at 222.222.222.222>;tag=af671a2f-0001-42af-96cf-0f86e3d85c10
To: "508" <sip:508 at 222.222.222.222>;tag=744674526
Contact: <sip:222.222.222.222:5071;transport=TLS>
Call-ID: 1232464291 at 10.0.0.24
CSeq: 8461 NOTIFY
Event: dialog
Subscription-State: active;expires=1799
Allow-Events: message-summary, presence, dialog, refer
Max-Forwards: 70
User-Agent: Asterisk PBX 13.3.2
Content-Type: application/dialog-info+xml
Content-Length:   243

<?xml version="1.0" encoding="UTF-8"?>
<dialog-info xmlns="urn:ietf:params:xml:ns:dialog-info" version="0" state="full" entity="sip:503 at 192.168.1.6:5071;transport=TLS">
 <dialog id="503">
  <state>terminated</state>
 </dialog>
</dialog-info>

<--- Received SIP response (408 bytes) from TLS:79.168.115.36:17193 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 222.222.222.222:5071;rport;branch=z9hG4bKPjfc2ca8c2-b94e-4dac-805c-060495d28633;alias
From: "508" <sip:508 at 222.222.222.222>;tag=baa993ec-dc26-46fc-bd1a-6c2db441d988
To: "508" <sip:508 at 222.222.222.222>;tag=521164520
Call-ID: 1245340423 at 10.0.0.24
CSeq: 28883 NOTIFY
Contact: <sip:508 at 10.0.0.24:17193;transport=TLS>
User-Agent: Yealink SIP-T28P 2.72.0.80
Content-Length: 0


<--- Received SIP response (401 bytes) from TLS:79.168.115.36:17193 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 222.222.222.222:5071;rport;branch=z9hG4bKPjb4b191b0-df38-41e9-bd93-11bf763f8106;alias
From: <sip:503 at 222.222.222.222>;tag=af671a2f-0001-42af-96cf-0f86e3d85c10
To: "508" <sip:508 at 222.222.222.222>;tag=744674526
Call-ID: 1232464291 at 10.0.0.24
CSeq: 8461 NOTIFY
Contact: <sip:508 at 10.0.0.24:17193;transport=TLS>
User-Agent: Yealink SIP-T28P 2.72.0.80
Content-Length: 0


And this is the asterisk nofity packet sent to endpoint 508 when 503 is busy:

<--- Transmitting SIP request (848 bytes) to TLS:10.0.0.24:17193 --->
NOTIFY sip:508 at 10.0.0.24:17193;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 192.168.1.6:58575;rport;branch=z9hG4bKPjad44ff79-019d-45c5-8134-4c1b85385f8b;alias
From: <sip:503 at 222.222.222.222>;tag=af671a2f-0001-42af-96cf-0f86e3d85c10
To: "508" <sip:508 at 222.222.222.222>;tag=744674526
Contact: <sip:192.168.1.6:58575;transport=TLS>
Call-ID: 1232464291 at 10.0.0.24
CSeq: 8462 NOTIFY
Event: dialog
Subscription-State: active;expires=1603
Allow-Events: message-summary, presence, dialog, refer
Max-Forwards: 70
User-Agent: Asterisk PBX 13.3.2
Content-Type: application/dialog-info+xml
Content-Length:   243

<?xml version="1.0" encoding="UTF-8"?>
<dialog-info xmlns="urn:ietf:params:xml:ns:dialog-info" version="1" state="full" entity="sip:503 at 192.168.1.6:5071;transport=TLS">
 <dialog id="503">
  <state>terminated</state>
 </dialog>
</dialog-info>

[Apr 24 10:27:55] ERROR[10900]: pjsip:0 <?>: 	 tlsc0x38004b8 TLS connect() error: No route to host [code=120113]
[Apr 24 10:27:55] WARNING[10900]: pjsip:0 <?>: 	  tsx0x3b868d8 Failed to send Request msg NOTIFY/cseq=8462 (tdta0x3f70160)! err=120113 (No route to host)


Thanks for your help.

Regards



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list