[asterisk-dev] SIP Registration Failing randomly (analyzed)
Olle E. Johansson
oej at edvina.net
Thu Sep 30 09:12:30 CDT 2010
30 sep 2010 kl. 15.45 skrev Timo Teräs:
> Hi all,
>
> I have had for a while pretty strange SIP Registration related issue.
> The client seems to randomly fail registration and the registry entry
> goes to REG_STATE_NOAUTH. I'm currently using Asterisk 1.6.2.13.
>
> Key observation was that my link seems to have random latency variation
> (normally it's maybe 10ms to the SIP Server; sometimes over 100ms).
>
> So what seems to happen is:
> 1. Asterisk sends (re)REGISTER
> 2. Time passes (~50-60ms), we are having more latency than normal,
> retransmit triggers and Asterisk sends REGISTER again thinking the
> previous was lost (on the resent packet Cseq is increased and From tag
> is new too; so it's maybe new registration attempt and not resend?)
> 3. Server receives 1st register and does not like reused nonce thus
> challenging us again for new authorization with 401 Unauthorized
> 4. Server receives 2nd register and does not like the old nonce at all
> anymore: it replies with 403 Forbidden
> 5. Asterisk receives 401 and after that 403. Receiving 403 makes
> asterisk go the REG_STATE_NOAUTH mode for the server in registry thus
> making the number not work at all, and giving up on all reregistration
> attempts.
>
> So my guestions are:
> 1. Why the nonce is reused at all? The regular digest is vulnurable to
> replay if nonce was accepted after reuse.
It doesn't hurt to reuse it and many providers depend on it.
> 2. Any ideas why the reregistration gets triggered after the 50-60ms
> with new Cseq and From tag?
Depends on if you have qualify turned on and the number of registration
attempts you have in sip.conf.
> 3. Why do we not attempt anything after the 403? I remember seeing
> posts on sip-implementers that it would be acceptable try after extended
> period of time that.
403 means "never come back at all". You need to reconfigure if you
get this. 503 is different, in that case you often have a retry-after
setting so you can come back.
We should propably implement "registry restart <name>" so you don't
have to run "sip reload" to restart the registrations.
/O
>
> Any more ideas how to further debug this?
>
> Cheers,
> Timo
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-dev
---
* Olle E Johansson - oej at edvina.net
* Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
More information about the asterisk-dev
mailing list