[asterisk-dev] Asterisk / pjsip: Bug or feature? TCP/TLS connection is endless after unregistering the last trunk to the destination

Michael Maier m1278468 at mailbox.org
Sun Jan 10 14:09:46 CST 2021


On 10.01.21 at 19:56 Joshua C. Colp wrote:
> On Sun, Jan 10, 2021 at 2:46 PM Michael Maier <m1278468 at mailbox.org> wrote:
> 
>>
>> That's a pretty problematic behavior. ISPs (especially Deutsche Telekom
>> e.g.) want to tear down a tls connection if it isn't used any more (why
>> should a connection be hold active if
>> nobody uses it?). Therefore, after each unregister of a number, the
>> connection is teared down after 10s by ISP. Now, asterisk or probably
>> pjsip, reopens this connection again after
>> about 12s. Therefore, the ISP disconnects the connection automatically
>> after 30s again. And Asterisk reopens it again after 1 minute - and so on.
>> That's pretty broken.
>>
> 
> Without specific information or debug I can't really say why it would be
> doing that. The PJSIP layer should only open a new connection when a
> request is actually made. For example, if qualify is enabled then that
> would trigger a new connection as it establishes a connection to test
> viability. There is no ability to state "only ever attempt a connection
> when an outbound registration is being performed".

There is no other reason (the trunk was unregistered and the pcap trace
doesn't show any packet). And no asterisk log. The only log is from pjsip:

# netstat -n | grep 506
tcp        0      0 3.2.1.5:42961       217.0.20.195:5061       ESTABLISHED
tcp        0      0 3.2.1.5:54487       217.0.20.195:5061       ESTABLISHED
tcp        0      0 3.2.1.5:41067       217.0.20.195:5061       ESTABLISHED
tcp        0      0 3.2.1.5:60297       212.172.58.207:5061     ESTABLISHED


myfw*CLI> pjsip show registrations

 <Registration/ServerURI..............................>  <Auth..........>  <Status.......>
==========================================================================================

 easybellPJSIP/sip:secure.sip.easybell.de                easybellPJSIP     Registered
 telekomPJSIP-002/sip:tel.t-online.de                    telekomPJSIP-002  Registered
 telekomPJSIP-003/sip:tel.t-online.de                    telekomPJSIP-003  Registered
 telekomPJSIP-001/sip:tel.t-online.de                    telekomPJSIP-001  Registered

Objects found: 4

myfw*CLI> pjsip send unregister telekomPJSIP-003
[2021-01-10 12:06:46] DEBUG[26143]: pjproject: <?>:          sip_auth_client.c ...Unable to set auth for tdta0x3761e18: can not find credential for tel.t-online.de/Digest

-- Connection is dropped by ISP
[2021-01-10 12:06:56] DEBUG[26142]: pjproject: <?>:                        SSL 6 [SSL_ERROR_ZERO_RETURN] (Read) ret: 0 len: 65535
[2021-01-10 12:06:56] DEBUG[26142]: pjproject: <?>:              tlsc0x37d54e8 TLS connection closed
[2021-01-10 12:06:56] DEBUG[26142]: pjproject: <?>:            sip_transport.c Transport tlsc0x37d54e8 shutting down, force=0
myfw*CLI> quit

[root at myfw mnt]# netstat -n | grep 506
tcp        0      0 3.2.1.5:54487       217.0.20.195:5061       ESTABLISHED
tcp        0      0 3.2.1.5:41067       217.0.20.195:5061       ESTABLISHED
tcp        0      0 3.2.1.5:60297       212.172.58.207:5061     ESTABLISHED


# rasterisk
Asterisk 18.0.1, Copyright (C) 1999 - 2018, Digium, Inc. and others.
Created by Mark Spencer <markster at digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'core show license' for details.
=========================================================================
Connected to Asterisk 18.0.1 currently running on myfw (pid = 26097)

-> Connection is restarted by Asterisk or pjsip
[2021-01-10 12:07:08] DEBUG[26143]: pjproject: <?>:            tlsc0x3769578 TLS client transport created
[2021-01-10 12:07:08] DEBUG[26143]: pjproject: <?>:            tlsc0x3769578 TLS transport 3.2.1.5:52817 is connecting to tel.t-online.de:5061...
[2021-01-10 12:07:08] DEBUG[26142]: pjproject: <?>:            tlsc0x3769578 TLS transport 3.2.1.5:52817 is connected to tel.t-online.de:5061

-> Connection is dropped again by ISP
[2021-01-10 12:07:38] DEBUG[26142]: pjproject: <?>:                        SSL 6 [SSL_ERROR_ZERO_RETURN] (Read) ret: 0 len: 65535
[2021-01-10 12:07:38] DEBUG[26142]: pjproject: <?>:              tlsc0x3769578 TLS connection closed
[2021-01-10 12:07:38] DEBUG[26142]: pjproject: <?>:            sip_transport.c Transport tlsc0x3769578 shutting down, force=0
[2021-01-10 12:07:38] DEBUG[26142]: pjproject: <?>:              tlsc0x3769578 TLS transport destroyed with reason 470006: EVP lib
myfw*CLI> pjsip show registrations

 <Registration/ServerURI..............................>  <Auth..........>  <Status.......>
==========================================================================================

 easybellPJSIP/sip:secure.sip.easybell.de                easybellPJSIP     Registered
 telekomPJSIP-002/sip:tel.t-online.de                    telekomPJSIP-002  Registered
 telekomPJSIP-003/sip:tel.t-online.de                    telekomPJSIP-003  Unregistered
 telekomPJSIP-001/sip:tel.t-online.de                    telekomPJSIP-001  Registered

Objects found: 4

myfw*CLI> pjsip send register telekomPJSIP-003
[2021-01-10 12:08:38] DEBUG[26143]: pjproject: <?>:              tlsc0x3211b98 TLS client transport created
[2021-01-10 12:08:38] DEBUG[26143]: pjproject: <?>:              tlsc0x3211b98 TLS transport 3.2.1.5:43757 is connecting to tel.t-online.de:5061...
[2021-01-10 12:08:38] DEBUG[26142]: pjproject: <?>:              tlsc0x37d54e8 TLS transport destroyed with reason 470006: EVP lib
[2021-01-10 12:08:38] DEBUG[26142]: pjproject: <?>:              tlsc0x3211b98 TLS transport 3.2.1.5:43757 is connected to tel.t-online.de:5061
[2021-01-10 12:08:40] DEBUG[26143]: pjproject: <?>:          sip_auth_client.c ...Unable to set auth for tdta0x333c778: can not find credential for tel.t-online.de/Digest
myfw*CLI> pjsip show registrations

 <Registration/ServerURI..............................>  <Auth..........>  <Status.......>
==========================================================================================

 easybellPJSIP/sip:secure.sip.easybell.de                easybellPJSIP     Registered
 telekomPJSIP-002/sip:tel.t-online.de                    telekomPJSIP-002  Registered
 telekomPJSIP-003/sip:tel.t-online.de                    telekomPJSIP-003  Registered
 telekomPJSIP-001/sip:tel.t-online.de                    telekomPJSIP-001  Registered

Objects found: 4


>> Register multiple numbers to one destination (Asterisk 18.0.1)
>> --------------------------------------------------------------
>> If you register more than one number to the same destination, asterisk
>> handles all registers through the same connection. This doesn't work (well)
>> with all ISPs. Deutsche Telekom /
>> AllIP e.g. supports it partly - means, you can register more than one
>> number - but if you deregister one of it, the complete connection is
>> dropped (because normally, they want to
>> have for each register an own connection). Besides that, there are
>> problems during reRegistration, if they are reRegistered all at the same
>> time (if they are reRegistered serially,
>> it's working - maybe Asterisk can't properly handle mutliple Registers to
>> the same destination via same connection).
>>
> 
> Connection reuse itself is a low level PJSIP thing.

Is it possible to disable it?

>> There is one more point I don't understand at the moment. Each configured
>> transport opens a listener port (you can't configure a transport w/o a
>> listener), like 5061 e.g. Each
>> configured trunk needs a transport. For a trunk, which only registers to
>> an ISP, you never need this listener, because the complete signaling in
>> both directions (in- and outbound
>> calls) is handled through the existing connection from asterisk / random
>> local port -> ISP / 5061 (that's why it's working anyway though the
>> Via-entry is totally broken). Why isn't
>> it possible to create transports w/o any listener port?
>>
> 
> PJSIP doesn't currently support this.
> 
> A lot of your issues come down to it being the way PJSIP currently works,
> as we rely on it to do such things or to support such things. Any changes
> as such would likely need changes in PJSIP, and then in Asterisk to use
> them.

Ok, the transport without listener feature is currently not a big deal for me (as I'm not using them and iptables secure those useless open ports).


Thanks
Michael



More information about the asterisk-dev mailing list