[asterisk-users] iax2: two users can't authenticate from same ip address

Sean Darcy seandarcy2 at gmail.com
Tue Sep 10 11:08:38 CDT 2013


On 09/09/2013 07:48 PM, Eric Wieling wrote:
> Try this as an example of why it doesn't matter.
>
> 1) On Windows open a cmd prompt or on Linux open up a local terminal.
> 2) Open a web browser and connect to a web site like cnn.com
> 3) On Windows type "netstat -n" in the command prompt, in Linux type netstat -n --ip
>
> For example on my system, the local IP is 172.17.3.111. Notice below how the port on my local system is NOT 80, even though the port on the remote system is? This is simply how TCP and UDP work. When you are looking at your iax peers you are seeing the REMOTE IP and REMOTE port, which seldom matters. It is the port on the client you are connecting TO which matters, not the port which you are connecting FROM. TCP and UDP do not allow more than one connection using the same source IP/source port/destination IP/destination port (called a tuple). For most things the source port does not matter so the operating system assigns whatever source port it wants to. NAT routers will often change the source port when the connection is NAT'd. These are fundamental IP networking concepts which all people doing VoIP should know, but most don't. I'm sure there are many books on TCP/IP networking which explain it better than I have explained it.
>
> Active Connections
>
>   Proto  Local Address          Foreign Address        State
>   TCP    172.17.3.111:22020     157.166.226.25:80      ESTABLISHED
>   TCP    172.17.3.111:22021     157.166.249.10:80      ESTABLISHED
>   TCP    172.17.3.111:22022     23.63.227.185:80       ESTABLISHED
>   TCP    172.17.3.111:22023     23.63.227.185:80       ESTABLISHED
>   TCP    172.17.3.111:22024     23.63.227.185:80       ESTABLISHED
>   TCP    172.17.3.111:22025     23.63.227.185:80       ESTABLISHED
>   TCP    172.17.3.111:22026     23.63.227.185:80       ESTABLISHED
>   TCP    172.17.3.111:22027     23.203.4.211:80        ESTABLISHED
>   TCP    172.17.3.111:22028     23.63.227.185:80       ESTABLISHED
>   TCP    172.17.3.111:22029     4.27.18.126:80         ESTABLISHED
>   TCP    172.17.3.111:22030     4.27.18.126:80         ESTABLISHED
>   TCP    172.17.3.111:22031     4.27.18.126:80         ESTABLISHED
>   TCP    172.17.3.111:22032     4.27.18.126:80         ESTABLISHED
>   TCP    172.17.3.111:22033     4.27.18.126:80         ESTABLISHED
>   TCP    172.17.3.111:22034     4.27.18.126:80         ESTABLISHED
>   TCP    172.17.3.111:22035     74.217.240.83:80       ESTABLISHED
>   TCP    172.17.3.111:22036     23.63.227.123:80       ESTABLISHED
>   TCP    172.17.3.111:22037     12.130.81.225:80       ESTABLISHED
>   TCP    172.17.3.111:22038     4.26.252.126:80        ESTABLISHED
>   TCP    172.17.3.111:22039     4.26.252.126:80        ESTABLISHED
>   TCP    172.17.3.111:22040     4.26.252.126:80        ESTABLISHED
>   TCP    172.17.3.111:22041     4.26.252.126:80        ESTABLISHED
>   TCP    172.17.3.111:22042     4.26.252.126:80        ESTABLISHED
>   TCP    172.17.3.111:22043     4.26.252.126:80        ESTABLISHED
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Sean Darcy
> Sent: Monday, September 09, 2013 7:00 PM
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] iax2: two users can't authenticate from same ip address
>
> On 09/09/2013 03:37 PM, Eric Wieling wrote:
>> Again, that port is assigned by your NAT router. Asterisk cannot control the source port of the incoming packet. That is set by your NAT router and client and likely has nothing to do with your problem.
>>
>> -----Original Message-----
>> From: asterisk-users-bounces at lists.digium.com
>> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Sean
>> Darcy
>> Sent: Monday, September 09, 2013 3:30 PM
>> To: asterisk-users at lists.digium.com
>> Subject: Re: [asterisk-users] iax2: two users can't authenticate from
>> same ip address
>>
>> Dial("IAX2/home-14358", "IAX2/gn") in new stack
>>        -- Called IAX2/gn
>> CLI> iax2 show peers
>> Name/Username    Host                 Mask             Port          Status      Description
>> gn               <gnipaddr>      (D)  255.255.255.255  9007          OK (179 ms)
>> ............
>> [Sep  9 19:11:36] WARNING[530]: chan_iax2.c:3552 __attempt_transmit: Max retries exceeded to host <gnipaddr> on IAX2/gn-11311 (type = 6, subclass = 11, ts=10018, seqno=1)
>>        -- Hungup 'IAX2/gn-11311'
>>
>> Again, what's with this port 9007? Is asterisk assigning it? I thought all iax traffic went over 4569.
>>
>> Of course, this could be a zoiper problem.
>>
>> sean
>>
>
> But the problem is it's not MY nat router; it's amazon's. And if you only have one iax device registered, it's always 4569. So why does amazon assign a different port to the second iax device? How would it even "know"?
>
> sean
>

Well, I may be confused, but iax show peers is showing the remote port, 
the port it will connect TO, right?

netstat doesn't show the asterisk connections at all, just the STUN server:
netstat -nu  --ip
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 <myipaddr>:60766     66.228.45.110:3478      ESTABLISHED

If the server sends out packets to port 9007 the client won't see it. 
The client (zoiper) must send to 4569, and if it didn't the amazon 
Security Group would drop it. I get NAT port translation, but I don't 
see how that applies here.

Maybe a different question would be helpful. Let's assume no NAT; the 
server is directly connected with an FQDN. Two iax devices register. 
Does asterisk assign them different ports?

sean
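
An added illustration of the port behaviour discussed in this thread (not part of the original message and not Asterisk code): one UDP listener on a single port receives from two clients on the same IP address, and the only thing that distinguishes them on the server side is the source port each client's OS chose. The loopback address and the OS-chosen listener port are constructed stand-ins for the server and port 4569; `run_demo` and the client names are hypothetical.

```python
import socket

def run_demo(n_clients=2):
    """One UDP listener, n clients on the same IP; return what each side saw."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))   # constructed stand-in for the listener on 4569
    server.settimeout(2.0)
    server_addr = server.getsockname()

    clients = {}
    for i in range(n_clients):
        c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        c.settimeout(2.0)
        name = f"client{i}"
        # No bind(): the client's OS picks an ephemeral source port on first send.
        c.sendto(name.encode(), server_addr)
        clients[name] = c

    # Server side: every datagram arrives on the same local port; the peers
    # differ only in the source (remote) port recorded here.
    peers = {}
    for _ in range(n_clients):
        data, src = server.recvfrom(1024)
        peers[data.decode()] = src
        server.sendto(b"ACK", src)   # the reply goes to the source port we saw

    # Client side: the reply comes from the listener's single port.
    reply_from, local_port = {}, {}
    for name, c in clients.items():
        _, frm = c.recvfrom(1024)
        reply_from[name] = frm
        local_port[name] = c.getsockname()[1]
        c.close()
    server.close()
    return server_addr, peers, reply_from, local_port

if __name__ == "__main__":
    server_addr, peers, reply_from, local_port = run_demo()
    print("listener:", server_addr)
    for name, src in peers.items():
        print(f"{name}: server sees {src}, client local port {local_port[name]}")
```

With a NAT router in the path, the source port the server records is the one the router rewrote it to, as the quoted reply describes, so it need not match the client's local port as it does on loopback.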



