[Asterisk-Users] Maximum retries exceeded w/SIP

Rich Adamson radamson at routers.com
Sat Sep 20 11:57:36 MST 2003


Brad,

I've played with XLite, but not with a firewall in this direction, so 
my comments might be off base.

> redirect_port udp 10.0.0.253:10000-20000 10000-20000
> redirect_port udp 10.0.0.253:5060 5060
> 
> * is set up with the demo/sandbox config.
> 
> I'm using XLite as my SIP client and have configured it on PC to work with *. 
> I'm able to do everything I've tried so far.  I should, though - I'm on the inside.
> 
> However, when trying to make a call from the outside (via Laptop), something's 
> breaking.  I've set up the SIP proxy in XLite to be the external interface on 
> the firewall, and am able to log into the proxy without difficulty.  And while I 
> can begin conversations, I can't keep them going for long.

I'd guess that udp/5060 is working fine, but the voice channel is being
dropped for a couple of possible reasons. The Xlite doc suggests the voice
channel will be using udp/8000-8006 where 8000 & 8001 are used for line #1,
etc. Based on the redirect_port statement above, I wonder if one-half of
the voice port is being blocked (and therefore times out), or, nat table
timeout might be an issue.

> Any ideas what could be going on?  My first guess is the firewall, but I can't 
> figure out why some of the packets would get through while others apparently are 
> not.  I'm at a loss.

I'd download ethereal (or whatever other sniffer you'd like) and watch the
flow of packets. It should give you a pretty good clue what's happening
for real.

I'm not so sure you're going to want to live with direction that you're
heading (asterisk on the inside) as the nat function is going to limit
what can be done.  Example, even if you get this to work, trying to make
any other call through nat while the first one is happening will be a
problem; the first call nails up udp/5060, but the second call will have
the udp/5060 nat'ed to some other port which will fail.

Reversing the role of * and the laptop will work, and many others have that
very implementation working for a single instance of Xlite.

Depending upon what your real objectives are for *, I'd suggest either
moving * to the outside, or add another NIC to * and placing it on the
outside. You should be able to lock down that external interface in such
a way as to only allow selected tcp/udp ports to be used.
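One way to check the port theory raised above, as an added example that is not from this thread or the list: parse the quoted redirect_port rules and the m= line of an SDP body, then list any RTP/RTCP ports the NAT never forwards. The rule text and SDP are constructed samples and the function names are assumptions.

```python
import re

# Constructed input, not from the thread: the natd redirect_port rules quoted
# above, and an SDP body like an X-Lite-style client puts in its INVITE/200 OK.
# Function names are hypothetical; this is an added diagnostic.
NATD_RULES = """
redirect_port udp 10.0.0.253:10000-20000 10000-20000
redirect_port udp 10.0.0.253:5060 5060
"""
SAMPLE_SDP = """v=0
c=IN IP4 10.0.0.50
m=audio 8000 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""
# natd syntax: redirect_port proto target:port[-port] aliasport[-aliasport]
RULE_RE = re.compile(
    r"^redirect_port\s+(?P<proto>tcp|udp)\s+(?P<host>[\d.]+):(?P<lo>\d+)"
    r"(?:-(?P<hi>\d+))?\s+(?P<alo>\d+)(?:-(?P<ahi>\d+))?\s*$"
)

def parse_redirects(text):
    """Return (proto, target_host, (first, last)) per rule, using the
    alias (external) port range, which is what inbound packets must hit."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            alo = int(m["alo"])
            ahi = int(m["ahi"]) if m["ahi"] else alo
            rules.append((m["proto"], m["host"], (alo, ahi)))
    return rules

def sdp_media_ports(sdp):
    """Extract (rtp, rtcp) pairs from each m= line; RTCP is RTP port + 1
    by convention unless an a=rtcp: attribute says otherwise (not parsed here)."""
    ports = []
    for line in sdp.splitlines():
        m = re.match(r"^m=\w+\s+(\d+)\s+", line)
        if m:
            rtp = int(m.group(1))
            ports.append((rtp, rtp + 1))
    return ports

def unforwarded_ports(rules, sdp, proto="udp"):
    """Media ports announced in the SDP that no redirect rule forwards;
    a non-empty result means inbound RTP/RTCP will die at the NAT."""
    missing = []
    for rtp, rtcp in sdp_media_ports(sdp):
        for port in (rtp, rtcp):
            if not any(p == proto and lo <= port <= hi for p, _, (lo, hi) in rules):
                missing.append(port)
    return missing
```

With the two rules quoted above, the sample call's 8000/8001 pair is reported as unforwarded, which matches the symptom of signalling working while audio dies.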
