[asterisk-dev] "Security denial" error in calls from H323 trunk (ooh323.c)

Alexander Anikin may at telecom-service.ru
Fri Oct 18 11:45:19 CDT 2013


Gabriele,

It would be better if you created an issue on the issues.asterisk.org tracker.
Unfortunately I don't know what "Polycom CMA" is, but I guess it's some
H.323 gateway or gatekeeper, not just an endpoint.
To solve the issue, some additional info and logs will be needed, which you
could attach to the issue on the tracker.

Comparing the socket and signalling IP does additional security checking for
ugly signalling, but it looks like the signalling and connection IP addresses
can differ in some cases for a normal connection.


> Dears,
>
> Environment: Asterisk 11.4
> Objective: attempting H.323 trunk integration with "Polycom CMA" using
> ooh323 module.
>
> When placing H323 calls from the Polycom CMA, the call goes through the
> trunk (as shown by tcpdump) but is rejected by Asterisk with the
> following error in /var/log/asterisk/h323_log
>
> ==================
> 10:40:28:564 ERROR: Security denial remote sig IP isn't a socket ip,
> 10.44.1.156 not 10.71.0.55 (incoming, ooh323c_1)
> 10:40:28:565 ERROR:Failed ooH2250Receive - Clearing call (incoming,
> ooh323c_1)
> ==================
>
> (In the log, 10.44.1.156 being IP address of H323 client registered to
> Polycom CMA, 10.71.0.55 being the address of Polycom CMA).
>
> tcpdump shows "disengageRequest" H.225 sent by Asterisk to Polycom CMA.
>
> I solved this problem by commenting these lines in ooh323.c and recompiling:
>
> =======================
> if (strncmp(remoteIP, call->remoteIP, strlen(remoteIP))) {
>     OOTRACEERR5("ERROR: Security denial remote sig IP isn't a socket ip, %s not %s "
>                 "(%s, %s)\n", remoteIP, call->remoteIP, call->callType,
>                 call->callToken);
>     return OO_FAILED;
> }
> =======================
>
> I am not sure if the above code is correct at all, how can the trunk
> work with it? I suppose there might be a way to disable the check, in a
> more clean way, but I found no option like that.
>
> Thanks
>
> Kind Regards
>
> Gabriele Odone
>
>
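
An added example, not part of the original thread and not code from Asterisk or ooh323: one way to keep the signalling-versus-socket address check while letting named gatekeepers or gateways carry signalling for other endpoints. The function name, the relay allow-list and its parameters are hypothetical; the addresses are the ones from the quoted log.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

struct ip_addr { int family; unsigned char bytes[16]; };

/* Parse textual IPv4/IPv6 into raw bytes; 0 on success, -1 on failure. */
static int parse_ip(const char *text, struct ip_addr *out)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, out->bytes) == 1) { out->family = AF_INET; return 0; }
    if (inet_pton(AF_INET6, text, out->bytes) == 1) { out->family = AF_INET6; return 0; }
    return -1;
}

static int same_ip(const struct ip_addr *a, const struct ip_addr *b)
{
    return a->family == b->family && memcmp(a->bytes, b->bytes, sizeof a->bytes) == 0;
}

/* Returns 1 if the call may proceed, 0 if it must be denied.
 * sig_ip:  address carried in the signalling; sock_ip: TCP peer address.
 * relays:  hypothetical allow-list of gatekeepers/gateways permitted to
 *          carry signalling on behalf of other endpoints (an assumption). */
int sig_ip_allowed(const char *sig_ip, const char *sock_ip,
                   const char *const *relays, size_t n_relays)
{
    struct ip_addr sig, sock, r;
    size_t i;

    if (parse_ip(sig_ip, &sig) != 0 || parse_ip(sock_ip, &sock) != 0)
        return 0;                      /* unparsable input: fail closed */
    if (same_ip(&sig, &sock))
        return 1;                      /* direct endpoint: addresses agree */
    for (i = 0; i < n_relays; i++)     /* mismatch: only a listed relay passes */
        if (parse_ip(relays[i], &r) == 0 && same_ip(&sock, &r))
            return 1;
    return 0;
}

int main(void)
{
    /* Addresses from the quoted log; listing the CMA as a relay is an assumption. */
    const char *const relays[] = { "10.71.0.55" };
    printf("no relay list: %d\n", sig_ip_allowed("10.44.1.156", "10.71.0.55", NULL, 0));
    printf("CMA listed:    %d\n", sig_ip_allowed("10.44.1.156", "10.71.0.55", relays, 1));
    return 0;
}
```

With an empty relay list the behaviour matches the strict check; the exemption applies only to socket peers that are explicitly listed, and the addresses are compared after parsing rather than as text.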



