[asterisk-users] Asterisk SIP/IAX peers can't connect after Firewall change?
Chris Brentano
chris at jivesoftware.com
Thu Jun 17 12:36:19 CDT 2010
I have a suspicion that it's the saved/cached SIP/IAX2 useragent info:
-- Registered SIP 'paloalto' at 10.XX.X.25 port 5060
> Saved useragent "Asterisk PBX 1.6.1.6" for peer paloalto
Is there a way to clear this saved info manually?
- Chris
On Jun 17, 2010, at 10:29 AM, Chris Brentano wrote:
> And slight update:
>
> With regards to Case 2, which happened last night. After I noticed that SIP registrations were failing between two of the offices, I commented out the register line in sip.conf on each box, reloaded SIP, and called it good for the night. After re-enabling it and reloading SIP this morning they successfully re-registered.
>
> Is there some sort of TTL, cache, saved salt value, or other time/session related tidbit saved that is expiring here?
>
> - Chris
>
>
> On Jun 17, 2010, at 10:21 AM, Chris Brentano wrote:
>
>> Hi all,
>>
>> I tried searching, so if this has already been discussed please point me in the right direction.
>>
>> On separate occasions I've seen cases where Asterisk boxes will be unable to register with each other via SIP or IAX2 when a Firewall is replaced. I'll describe two different cases. In both we have three offices connected via IPsec tunnels.
>>
>>
>> Case 1: High Availability firewall fail-over
>>
>> We have two Palo Alto Networks PA-4020 firewalls in one office set up in an active/passive pair. Sessions and traffic are automatically maintained and moved to the passive firewall in case the active one dies/loses power/etc. When I was doing routine maintenance and had to fail over to the passive firewall purposely, the SIP connections between offices broke, and failed to re-register. What I see is:
>>
>> [Jun 17 10:09:40] NOTICE[3311]: chan_sip.c:7783 sip_reg_timeout: -- Registration for 'portland at 10.XX.X.25' timed out, trying again (Attempt #2273)
>>
>> And similarly on the other side:
>>
>> [Jun 17 10:09:16] NOTICE[17102]: chan_sip.c:10169 sip_reg_timeout: -- Registration for 'paloalto at 10.XX.X.10' timed out, trying again (Attempt #1660)
>>
>> Restarting Asterisk and even both servers doesn't seem to change anything. The last time this happened, for some reason setting srvlookup=yes in the [general] section of sip.conf *seemed* to fix it. The previous time this occurred, the servers were trunked via IAX2 instead of SIP, but I switched to SIP trunks because it solved the problem (for the meantime anyway).
>>
>>
>> Case 2: Entire firewall replacement
>>
>> In one office I recently replaced a Cisco ASA 5505 with a Palo Alto Networks PA-2020. This completely broke SIP connections to the two other offices. Same errors as above. Again, restarting Asterisk and even the servers sees no change.
>>
>>
>> It seems as if somewhere there's something that is cached with regards to the old firewall (or perhaps IPsec/IKE session). I've been digging around but can't find anything obvious. Has anyone else seen this behavior and potentially found a fix? This happens with Asterisk 1.6.1.6 and Asterisk 1.4.26.2.
>>
>> Much thanks.
>>
>> - Chris
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>> http://www.asterisk.org/hello
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users