[asterisk-users] iax2: two users can't authenticate from same ip address
Sean Darcy
seandarcy2 at gmail.com
Tue Sep 10 11:08:38 CDT 2013
On 09/09/2013 07:48 PM, Eric Wieling wrote:
> Try this as an example of why it doesn't matter.
>
> 1) On windows open a cmd prompt or on linux open up a local terminal.
> 2) open a web browser and connect to a web site like cnn.com
> 3) on windows type "netstat -n" in the command prompt, in linux type netstat -n --ip
>
> For example on my system, the local IP is 172.17.3.111. Notice below how the port on my local system is NOT 80, even though the port on the remote system is? This is simply how TCP and UDP work. When you are looking at your iax peers you are seeing the REMOTE IP and REMOTE port, which seldom matters. It is the port on the client you are connecting TO which matters, not the port which you are connecting FROM. TCP and UDP do not allow more than one connection using the same source IP/source port/destination IP/destination port (called a tuple). For most things the source port does not matter so the operating system assigns whatever source port it wants to. NAT routers will often change the source port when the connection is NAT'd. These are fundamental IP networking concepts whi
> ch all people doing VoIP should know, but most don't. I'm sure there are many books on TCP/IP networking which explain it better than I have explained it.
>
> Active Connections
>
> Proto Local Address Foreign Address State
> TCP 172.17.3.111:22020 157.166.226.25:80 ESTABLISHED
> TCP 172.17.3.111:22021 157.166.249.10:80 ESTABLISHED
> TCP 172.17.3.111:22022 23.63.227.185:80 ESTABLISHED
> TCP 172.17.3.111:22023 23.63.227.185:80 ESTABLISHED
> TCP 172.17.3.111:22024 23.63.227.185:80 ESTABLISHED
> TCP 172.17.3.111:22025 23.63.227.185:80 ESTABLISHED
> TCP 172.17.3.111:22026 23.63.227.185:80 ESTABLISHED
> TCP 172.17.3.111:22027 23.203.4.211:80 ESTABLISHED
> TCP 172.17.3.111:22028 23.63.227.185:80 ESTABLISHED
> TCP 172.17.3.111:22029 4.27.18.126:80 ESTABLISHED
> TCP 172.17.3.111:22030 4.27.18.126:80 ESTABLISHED
> TCP 172.17.3.111:22031 4.27.18.126:80 ESTABLISHED
> TCP 172.17.3.111:22032 4.27.18.126:80 ESTABLISHED
> TCP 172.17.3.111:22033 4.27.18.126:80 ESTABLISHED
> TCP 172.17.3.111:22034 4.27.18.126:80 ESTABLISHED
> TCP 172.17.3.111:22035 74.217.240.83:80 ESTABLISHED
> TCP 172.17.3.111:22036 23.63.227.123:80 ESTABLISHED
> TCP 172.17.3.111:22037 12.130.81.225:80 ESTABLISHED
> TCP 172.17.3.111:22038 4.26.252.126:80 ESTABLISHED
> TCP 172.17.3.111:22039 4.26.252.126:80 ESTABLISHED
> TCP 172.17.3.111:22040 4.26.252.126:80 ESTABLISHED
> TCP 172.17.3.111:22041 4.26.252.126:80 ESTABLISHED
> TCP 172.17.3.111:22042 4.26.252.126:80 ESTABLISHED
> TCP 172.17.3.111:22043 4.26.252.126:80 ESTABLISHED
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Sean Darcy
> Sent: Monday, September 09, 2013 7:00 PM
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] iax2: two users can't authenticate from same ip address
>
> On 09/09/2013 03:37 PM, Eric Wieling wrote:
>> Again, that port is assigned by your NAT router. Asterisk cannot control the source port if the incoming packet. That is set by your NAT router and client and likely has nothing to do with your problem.
>>
>> -----Original Message-----
>> From: asterisk-users-bounces at lists.digium.com
>> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Sean
>> Darcy
>> Sent: Monday, September 09, 2013 3:30 PM
>> To: asterisk-users at lists.digium.com
>> Subject: Re: [asterisk-users] iax2: two users can't authenticate from
>> same ip address
>>
>> Dial("IAX2/home-14358", "IAX2/gn") in new stack
>> -- Called IAX2/gn
>> CLI> iax2 show peers
>> Name/Username Host Mask Port
>> Status Description
>> gn <gnipaddr> (D) 255.255.255.255 9007 OK
>> (179 ms)
>> ............
>> [Sep 9 19:11:36] WARNING[530]: chan_iax2.c:3552 __attempt_transmit: Max retries exceeded to host <gnipaddr> on IAX2/gn-11311 (type = 6, subclass = 11, ts=10018, seqno=1)
>> -- Hungup 'IAX2/gn-11311'
>>
>> Again, what's with this port 9007? Is asterisk assigning it? I thought all iax traffic went over 4569.
>>
>> Of course, this could be a zoiper problem.
>>
>> sean
>>
>
> But the problem is it's not MY nat router; it's amazon's. And if you only have only have one iax device registered, it's always 4569, So why does amazon assign a different port to the second iax device? How would it even "know"?
>
> sean
>
Well, I may be confused, but iax show peers is showing the remote port,
the port it will connect TO, right?
netstat doesn't show the asterisk connections at all, just the STUN server:
netstat -nu --ip
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address
State
udp 0 0 <myipaddr>:60766 66.228.45.110:3478 ESTABLISHED
If the server sends out packets to port 9007 the client won't see it.
The client (zoiper) must send to 4569, and if it didn't the amazon
Security Group would drop it. I get NAT port translation, but I don't
see how that applies here.
Maybe a different question would be helpful. Let's assume no NAT; the
server is directly connected with an FQDN. Two iax devices register.
Does asterisk assign them different ports?
sean
More information about the asterisk-users
mailing list