[asterisk-users] problems with natted phones

Duncan Turnbull duncan at e-simple.co.nz
Mon Sep 6 16:05:27 CDT 2021



> On 7/09/2021, at 8:30 AM, Marek Greško <mgresko8 at gmail.com> wrote:
> 
> Hello,
> 
> it is only local nftables with nf_conntrack_sip on the asterisk
> server. Probably a kernel bug? It did not trigger with previous
> providers since they had working SIP ALG. Now I hear no audio in both
> directions because outgoing rtp stream from asterisk goes to private
> address space and incoming stream is blocked. So the outgoing rtp
> could not be learnt to send to nat address.
> 
Maybe a bug but that’s less likely than a config error. Time to debug your nftables.

> Marek
> 
> 
> 2021-09-06 22:17 GMT+02:00, Duncan Turnbull <duncan at turnbull.co.nz>:
>> 
>> 
>>>> On 7/09/2021, at 3:08 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>>> 
>>> Hello,
>>> 
>>> so when debugging RTP in asterisk there was no rtp income from the
>>> remote site. I did check remote nat ip address and it was same as the
>>> one in the pjsip show aors. So it is not due to ip address change. It
>>> seems the local firewall sip module does not allow rtp stream to get
>>> into. It was working previously with the other provider because of
>>> working SIP ALG on their gateways. But now with this provider and
>>> disabled SIP ALG it is not allowed. As I remember in the past these
>>> setups did work. What are your experiences on this?
>>> 
>> You would need to provide a lot more explanation here. What is your
>> firewall? I am assuming you configure it so find the configuration that’s
>> blocking the ports and change it.
>> 
>> My experience as before was that something is blocking rtp, now you know
>> what that something is and it’s under your control so you need to check its
>> configuration and fix it. I don’t use a sip firewall. If I have external sip
>> clients I use a proxy.
>> 
>>> Thanks
>>> 
>>> Marek
>>> 
>>> 
>>> 2021-09-06 11:50 GMT+02:00, Marek Greško <mgresko8 at gmail.com>:
>>>> Sorry rtp set debug on showed something. So let's try for the problem to
>>>> arise again.
>>>> 
>>>> Marek
>>>> 
>>>> 
>>>> 2021-09-06 11:48 GMT+02:00, Marek Greško <mgresko8 at gmail.com>:
>>>>> Hello,
>>>>> 
>>>>>>> I would expect that when asterisk is aware of nat, it does not send
>>>>>>> the rtp until it receives rtp from other side to learn the port, but
>>>>>>> OK, no problem to accept the behavior.
>>>>>>> 
>>>>>> That’s not how things work. You should google how sip rtp and Nat work as it
>>>>>> will help you
>>>>> 
>>>>> no problem if it is intended.
>>>>> 
>>>>>>> 
>>>>>>>> The question is why your asterisk didn't learn the external address and
>>>>>>>> port from the received rtp packet
>>>>>>>> 
>>>>>>>> You can look at your logs with debug to see what decisions it's making. You
>>>>>>>> can see if different rtp ports have different results.
>>>>>>>> Your phone provider has rtp on 5010 unsuccessfully and 5016 successfully.
>>>>>>>> Your asterisk uses rtp 13786 successfully and fails when using 18892. Is it
>>>>>>>> possible your firewall is blocking port 18892 and so asterisk never sees
>>>>>>>> the returned packet and can't learn from it?
>>>>>>> 
>>>>>>> It is very improbable. I see no reason for blocking the port. The
>>>>>>> problem is asterisk never learns the correct port, so there is nothing
>>>>>>> to block.
>>>>>> It wasn’t what is probable, look at the asterisk logs and see what it’s
>>>>>> actually doing. If asterisk never sees the reply then you will know
>>>>>> something is blocking or stealing the port for some other service
>>>>> 
>>>>> If it is stolen port for rtp, the next call would solve it, since it
>>>>> will use different one, and it does not solve it.
>>>>> 
>>>>>>> 
>>>>>>>> 
>>>>>>>> In any event you should put your debug on and look at your logs in asterisk
>>>>>>>> to see what it sees and why it doesn't react to the rtp packet, if it gets
>>>>>>>> it
>>>>>>> 
>>>>>>> Could you point me how the debug should be conducted?
>>>>>> 
>>>>>> Using the asterisk cli turn on debug for the peer and rtp and see what
>>>>>> happens. Match it with the asterisk processes. You have to do this, you can
>>>>>> look at cli or the log files, follow it through to see the rtp packet being
>>>>>> received. Lots of debug advice on google.
>>>>> 
>>>>> Asterisk cli did not show anything interesting. I tried pjsip set
>>>>> logger verbose on, but no logs showed anywhere. What am I doing wrong?
>>>>> 
>>>>> Marek
>>>>> 
>>>>> 
>>>>>>> 
>>>>>>> Is my suspicion that the problem could be caused by nat ip address
>>>>>>> changing reasonable? How should asterisk handle the situation?
>>>>>> I can’t see anything to support that. Everything is looking normal except
>>>>>> asterisk doesn’t appear to be seeing the rtp packet
>>>>>>> 
>>>>>>> Thanks
>>>>>>> 
>>>>>>> Marek
>>>>>>> 
>>>>>>> 
>>>>>>>> 
>>>>>>>> Have fun, it's all good learning.
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> On Sun, Sep 5, 2021 at 6:27 PM Marek Greško <mgresko8 at gmail.com>
>>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>> Hello,
>>>>>>>>> 
>>>>>>>>> regarding the ipv6, you see nothing about that it should be some type
>>>>>>>>> of ipv6 tunnelling, because also MTU is lower than expected. You
>>>>>>>>> should not see any ipv6 related communication in the sniff. Phone is
>>>>>>>>> not aware of it.
>>>>>>>>> 
>>>>>>>>> The asterisk's static public ip address is 198.51.100.1.
>>>>>>>>> The remote provider's dynamic nat pool is 192.0.2.0/24. By provider we
>>>>>>>>> mean internet provider the remote phones are behind. We are not
>>>>>>>>> complaining about voip provider, we have no problem with that. Only
>>>>>>>>> communication between asterisk and remote phones behind some internet
>>>>>>>>> provider. This is the only conversation to look at.
>>>>>>>>> The phone private address is 192.168.100.235.
>>>>>>>>> 
>>>>>>>>> Thanks
>>>>>>>>> 
>>>>>>>>> Marek
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 2021-09-05 1:11 GMT+02:00, Duncan Turnbull <duncan at e-simple.co.nz>:
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>> On 5/09/2021, at 10:21 AM, Marek Greško <mgresko8 at gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hello,
>>>>>>>>>>> 
>>>>>>>>>>> could you please answer my previous question about anonymizing several
>>>>>>>>>>> parameters? I have the data ready, but will post after answer. I have
>>>>>>>>>>> no clue whether I could disclose some important data not deleting
>>>>>>>>>>> them.
>>>>>>>>>>> 
>>>>>>>>>>> Regarding sdp, the address will be the internal one, since the phone
>>>>>>>>>>> is behind nat and it is not aware of the nat. The provider's nat
>>>>>>>>>>> device is configured as dumb nat, no application tweaking is done. So
>>>>>>>>>>> the asterisk will see the lan address in the sip.
>>>>>>>>>>> 
>>>>>>>>>> There are two conversations to look at
>>>>>>>>>> Provider to Asterisk
>>>>>>>>>> Asterisk to Phone
>>>>>>>>>> You need the packet captures of both.
>>>>>>>>>> 
>>>>>>>>>> Your statements are mixing them up
>>>>>>>>>> 
>>>>>>>>>> I don’t know what you mean by LAN address, that’s an ambiguous term. The ip
>>>>>>>>>> your asterisk receives from the provider should be the providers external ip
>>>>>>>>>> or in the sdp the external address of the media server which may or may not
>>>>>>>>>> be the same device
>>>>>>>>>> 
>>>>>>>>>>> In the working scenario it is sending rtp packets to the internal
>>>>>>>>>>> address which is wrong, but after receiving cca 5 rtp packets from the
>>>>>>>>>>> phone it somehow discovers correct nat ip/port and switches to it. In
>>>>>>>>>>> non-working scenario it never switches and still sends to the lan
>>>>>>>>>>> address. Strange there is no audio, even one direction. Another
>>>>>>>>>>> strange thing is there are 2 phones (different vendors) behind the
>>>>>>>>>>> same nat and the problem appearance on them is independent, sometimes
>>>>>>>>>>> the first has problem, sometimes the second and sometimes both.
>>>>>>>>>>> 
>>>>>>>>>>> The tcpdumps are made on the asterisk side. I have currently no means
>>>>>>>>>>> of capturing on phone side.
>>>>>>>>>>> 
>>>>>>>>>>> Marek
>>>>>>>>>>> 
>>>>>>>>>>> 2021-09-04 23:56 GMT+02:00, Antony Stone
>>>>>>>>>>> <Antony.Stone at asterisk.open.source.it>:
>>>>>>>>>>>>>> On Saturday 04 September 2021 at 22:13:32, Marek Greško wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> I agree my knowledge of SIP itself is poor, but I have quite well
>>>>>>>>>>>>>> general tcp/ip understanding. What sip parameters should be
>>>>>>>>>>>>>> anonymized? How about tag, branch, call-id, cseq values?
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Show us your packet captures with meaningful addresses (not necessarily
>>>>>>>>>>>>> accurate ones, but at least unambiguous - see my previous suggestion re
>>>>>>>>>>>>> RFC5737) and we can help you to understand them and what they mean.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Antony.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Heisenberg, Gödel, and Chomsky walk in to a bar.
>>>>>>>>>>>>> Heisenberg says, "Clearly this is a joke, but how can we work out if it's
>>>>>>>>>>>>> funny or not?"
>>>>>>>>>>>>> Gödel replies, "We can't know that because we're inside the joke."
>>>>>>>>>>>>> Chomsky says, "Of course it's funny. You're just saying it wrong."
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Please reply to the list;
>>>>>>>>>>>>> please *don't* CC me.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> --
>>>>>>>>>>>>> _____________________________________________________________________
>>>>>>>>>>>>> -- Bandwidth and Colocation Provided by
>>>>>>>>>>>>> http://www.api-digital.com
>>>>>>>>>>>>> --
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Check out the new Asterisk community forum at:
>>>>>>>>>>>>> https://community.asterisk.org/
>>>>>>>>>>>>> 
>>>>>>>>>>>>> New to Asterisk? Start here:
>>>>>>>>>>>>>   https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>>>>>>>>>> 
>>>>>>>>>>>>> asterisk-users mailing list
>>>>>>>>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>>>>>>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 



More information about the asterisk-users mailing list
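
Added example (not part of the original thread, and not Asterisk's own code): a triage of one call from three views taken on the Asterisk host, namely the phone's SDP, the RTP sources tcpdump saw arriving, and RTP debug output, to tell a local filter drop apart from RTP that never arrived. The NAT source 192.0.2.10:40000, the debug lines (written in the style of Asterisk's RTP debug output) and the verdict names are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RTP_DEBUG = re.compile(r"(Got|Sent)\s+RTP packet (?:from|to)\s+([\d.]+):(\d+)")

# Constructed sample data: addresses follow the thread, but the NAT source
# 192.0.2.10:40000 and the debug lines are made up for illustration.
SDP = "v=0\r\nc=IN IP4 192.168.100.235\r\nm=audio 5010 RTP/AVP 0\r\n"
WIRE_IN = [("192.0.2.10", 40000)]  # RTP sources tcpdump saw arriving
DEBUG_BLOCKED = ["Sent RTP packet to      192.168.100.235:5010 (type 00)"]
DEBUG_LEARNED = DEBUG_BLOCKED + ["Got  RTP packet from    192.0.2.10:40000",
                                 "Sent RTP packet to      192.0.2.10:40000"]


def sdp_target(sdp):
    """Return the (ip, port) advertised by the c= and m=audio lines."""
    ip = port = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return ip, port


def diagnose(sdp, wire_inbound, debug_lines):
    """Classify one call from SDP, host-side capture and RTP debug lines."""
    adv = sdp_target(sdp)
    private = bool(adv[0]) and any(
        ipaddress.ip_address(adv[0]) in net for net in RFC1918)
    got, sent = set(), []
    for m in filter(None, map(RTP_DEBUG.search, debug_lines)):
        peer = (m.group(2), int(m.group(3)))
        if m.group(1) == "Got":
            got.add(peer)
        else:
            sent.append(peer)
    if not wire_inbound:
        return "no-inbound-on-wire"  # nothing reached this host: look upstream
    if not got:
        # tcpdump taps ingress before netfilter: arrived, then dropped locally.
        return "dropped-before-asterisk"
    if sent and sent[-1] in got:
        return "learned-nat-source"
    if private and sent and sent[-1] == adv:
        return "stuck-on-private-sdp-address"
    return "inconclusive"
```

A `dropped-before-asterisk` verdict points at the local packet filter (here nftables with nf_conntrack_sip) rather than at Asterisk's NAT handling.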