[Asterisk-Users] Working Xten, Asterisk, double-NAT configs out there?

Tim Pushor timp at crossthread.com
Sat May 21 15:19:31 MST 2005


Aaron O'Hara wrote:

>Tim,
>
>Aside from the firewall logs in /var/log/messages, what tools did u find
>most helpful for seeing SIP/RTP traffic?
>
>What are some of the key things to look for to see if there's a problem?


Oh, I generally use tcpdump to grab the packets and save them to a file, 
then load them with ethereal at a workstation to analyze them.

You can also use ngrep to watch SIP traffic.

Some things to watch for:

- make sure all SIP traffic on the outside interface of each firewall 
advertises its external IP to the other side
- make sure that the host and port in the SDP payload of the SIP packet 
looks sane (port within redirection range, host is external IP)

For example, here is a SIP problem I just troubleshot:

I have a friend with a d-link router and a sipura 2000 behind it, 
connecting to free world dialup. I have an * server behind a NAT and 
*thought* everything was working (I have a few SIP connections that all 
seem to work).

When he called me, everything was fine
When I called him, we had one way audio.

one way audio + NATs on both sides = 99% probability it is NAT related

I started by watching the traffic arrive on my external interface (using 
ngrep). I made sure the INVITE from him (actually from free world 
dialup) looked sane (contained his external IP address in the SDP 
payload, and the port was within the range programmed into his sipura 
2000 - so it would be forwarded properly by his redirection rules on the 
d-link).

Then I watched my response, and made sure again that the SDP payload in 
my response was advertising my IP address and a port within the range 
specified in my rtp.conf.

Everything seemed ok. Just to make sure, I grabbed a bunch of packets 
with tcpdump and loaded them up in ethereal. Everything looked like it 
should work.

So next, I watched my firewall log in realtime (the drop log) to see if 
I was dropping anything inadvertently on the firewall. Nothing. I open 
two sessions into the firewall, and watch all communication to either 
fwd or my friend (in just a one line summary per packet) on both the 
Internal and External interface. This shows a different picture. I can 
follow the SIP conversation coming from FWD and my response. It is when 
we begin trying to talk (using RTP) that I see that his RTP packets are 
in fact coming to me, but I don't see them cross the firewall (I see 
them on the outside, and not on the inside). I know that my firewall is 
not dropping them, so it must be something else.

I enabled debugging on my firewall (pfctl -x loud) and watched my system 
log. Sure enough, I am getting a state error on every inbound RTP packet 
from him. I have had this problem before, and it has to do with pf using 
the state table to handle redirects. I had established a state already 
for some reason (probably a keep-state rule somewhere) that is clashing 
with the inbound rdr.

I just found the problem; I haven't fixed it yet, but at least I know 
where it is. Interestingly it wasn't really a NAT problem, but more how 
I've decided to implement my firewall.

Sorry if this is long and maybe obvious to you, but this is basically 
the process that I follow whenever I have SIP or NAT problems.

Tim