[asterisk-users] problems with natted phones
Duncan Turnbull
duncan at e-simple.co.nz
Mon Sep 6 16:05:27 CDT 2021
> On 7/09/2021, at 8:30 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>
> Hello,
>
> it is only local nftables with nf_conntrack_sip on the asterisk
> server. Probably a kernel bug? It did not trigger with previous
> providers since they had working SIP ALG. Now I hear no audio in both
> directions because outgoing rtp stream from asterisk goes to private
> address space and incoming stream is blocked. So the outgoing rtp
> could not be learnt to send to nat address.
>
Maybe a bug but that’s less likely than a config error. Time to debug your nftables.
> Marek
>
>
> 2021-09-06 22:17 GMT+02:00, Duncan Turnbull <duncan at turnbull.co.nz>:
>>
>>
>>>> On 7/09/2021, at 3:08 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> so when debugging RTP in asterisk there was no rtp income from the
>>> remote site. I did check remote nat ip address and it was same as the
>>> one in the pjsip show aors. So it is not due to ip address change. It
>>> seems the local firewall sip module does not allow rtp stream to get
>>> into. It was working previously with the other provider because of
>>> working SIP ALG on their gateways. But now with this provider and
>>> disabled SIP ALG it is not allowed. As I remember in the past these
>>> setups did work. What are your experiences on this?
>>>
>> You would need to provide a lot more explanation here. What is your
>> firewall? I am assuming you configure it so find the configuration that’s
>> blocking the ports and change it.
>>
>> My experience as before was that something is blocking rtp, now you know
>> what that something is and it’s under your control so you need to check its
>> configuration and fix it. I don’t use a sip firewall. If I have external sip
>> clients I use a proxy.
>>
>>> Thanks
>>>
>>> Marek
>>>
>>>
>>> 2021-09-06 11:50 GMT+02:00, Marek Greško <mgresko8 at gmail.com>:
>>>> Sorry rtp set debug on showed something. So let try for the problem to
>>>> arise again.
>>>>
>>>> Marek
>>>>
>>>>
>>>> 2021-09-06 11:48 GMT+02:00, Marek Greško <mgresko8 at gmail.com>:
>>>>> Hello,
>>>>>
>>>>>>> I would expect that when asterisk is aware of nat, it does not send
>>>>>>> the rtp until it receives rtp from other side to learn the port, but
>>>>>>> OK, no problem to accept the behavior.
>>>>>>>
>>>>>> That’s not how things work. You should google how sip rtp and Nat work as it
>>>>>> will help you
>>>>>
>>>>> no problem if it is intended.
>>>>>
>>>>>>>
>>>>>>>> The question is why your asterisk didn't learn the external address and
>>>>>>>> port from the received rtp packet
>>>>>>>>
>>>>>>>> You can look at your logs with debug to see what decisions it's making. You
>>>>>>>> can see if different rtp ports have different results.
>>>>>>>> Your phone provider has rtp on 5010 unsuccessfully and 5016 successfully.
>>>>>>>> Your asterisk uses rtp 13786 successfully and fails when using 18892. Is it
>>>>>>>> possible your firewall is blocking port 18892 and so asterisk never sees
>>>>>>>> the returned packet and can't learn from it?
>>>>>>>
>>>>>>> It is very improbable. I see no reason for blocking the port. The
>>>>>>> problem is asterisk never learns the correct port, so there is nothing
>>>>>>> to block.
>>>>>> It wasn’t what is probable, look at the asterisk logs and see what it’s
>>>>>> actually doing. If asterisk never sees the reply then you will know
>>>>>> something is blocking or stealing the port for some other service
>>>>>
>>>>> If it is stolen port for rtp, the next call would solve it, since it
>>>>> will use different one, and it does not solve it.
>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> In any event you should put your debug on and look at your logs in asterisk
>>>>>>>> to see what it sees and why it doesn't react to the rtp packet, if it gets
>>>>>>>> it
>>>>>>>
>>>>>>> Could you point me how the debug should be conducted?
>>>>>>
>>>>>> Using the asterisk cli turn on debug for the peer and rtp and see what
>>>>>> happens. Match it with the asterisk processes. You have to do this, you can
>>>>>> look at cli or the log files, follow it through to see the rtp packet being
>>>>>> received. Lots of debug advice on google.
>>>>>
>>>>> Asterisk cli did not show anything interesting. I tried pjsip set
>>>>> logger verbose on, but no logs showed anywhere. What am I doing wrong?
>>>>>
>>>>> Marek
>>>>>
>>>>>
>>>>>>>
>>>>>>> Is my suspicion that the problem could be caused by nat ip address
>>>>>>> changing reasonable? How should asterisk handle the situation?
>>>>>> I can’t see anything to support that. Everything is looking normal except
>>>>>> asterisk doesn’t appear to be seeing the rtp packet
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Marek
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Have fun, it's all good learning.
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Sun, Sep 5, 2021 at 6:27 PM Marek Greško <mgresko8 at gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> regarding the ipv6, you see nothing about that it should be some type
>>>>>>>>> of ipv6 tunnelling, because also MTU is lower than expected. You
>>>>>>>>> should not see any ipv6 related communication in the sniff. Phone is
>>>>>>>>> not aware of it.
>>>>>>>>>
>>>>>>>>> The asterisk's static public ip address is 198.51.100.1.
>>>>>>>>> The remote provider's dynamic nat pool is 192.0.2.0/24. By provider we
>>>>>>>>> mean internet provider the remote phones are behind. We are not
>>>>>>>>> complaining about voip provider, we have no problem with that. Only
>>>>>>>>> communication between asterisk and remote phones behind some internet
>>>>>>>>> provider. This is the only conversation to look at.
>>>>>>>>> The phone private address is 192.168.100.235.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> Marek
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2021-09-05 1:11 GMT+02:00, Duncan Turnbull <duncan at e-simple.co.nz>:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> On 5/09/2021, at 10:21 AM, Marek Greško <mgresko8 at gmail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> could you please answer my previous question about anonymizing several
>>>>>>>>>>> parameters? I have the data ready, but will post after answer. I have
>>>>>>>>>>> no clue whether I could disclose some important data not deleting
>>>>>>>>>>> them.
>>>>>>>>>>>
>>>>>>>>>>> Regarding sdp, the address will be the internal one, since the phone
>>>>>>>>>>> is behind nat and it is not aware of the nat. The provider's nat
>>>>>>>>>>> device is configured as dumb nat, no application tweaking is done. So
>>>>>>>>>>> the asterisk will see the lan address in the sip.
>>>>>>>>>>>
>>>>>>>>>> There are two conversations to look at
>>>>>>>>>> Provider to Asterisk
>>>>>>>>>> Asterisk to Phone
>>>>>>>>>> You need the packet captures of both.
>>>>>>>>>>
>>>>>>>>>> Your statements are mixing them up
>>>>>>>>>>
>>>>>>>>>> I don’t know what you mean by LAN address, that’s an ambiguous term. The ip
>>>>>>>>>> your asterisk receives from the provider should be the provider’s external ip
>>>>>>>>>> or in the sdp the external address of the media server which may or may not
>>>>>>>>>> be the same device
>>>>>>>>>>
>>>>>>>>>>> In the working scenario it is sending rtp packets to the internal
>>>>>>>>>>> address which is wrong, but after receiving cca 5 rtp packets from the
>>>>>>>>>>> phone it somehow discovers correct nat ip/port and switches to it. In
>>>>>>>>>>> non-working scenario it never switches and still sends to the lan
>>>>>>>>>>> address. Strange there is no audio, even one direction. Another
>>>>>>>>>>> strange thing is there are 2 phones (different vendors) behind the
>>>>>>>>>>> same nat and the problem appearance on them is independent, sometimes
>>>>>>>>>>> the first has problem, sometimes the second and sometimes both.
>>>>>>>>>>>
>>>>>>>>>>> The tcpdumps are made on the asterisk side. I have currently no means
>>>>>>>>>>> of capturing on phone side.
>>>>>>>>>>>
>>>>>>>>>>> Marek
>>>>>>>>>>>
>>>>>>>>>>> 2021-09-04 23:56 GMT+02:00, Antony Stone
>>>>>>>>>>> <Antony.Stone at asterisk.open.source.it>:
>>>>>>>>>>>>>> On Saturday 04 September 2021 at 22:13:32, Marek Greško wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I agree my knowledge of SIP itself is poor, but I have quite well
>>>>>>>>>>>>>> general tcp/ip understanding. What sip parameters should be
>>>>>>>>>>>>>> anonymized? How about tag, branch, call-id, cseq values?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Show us your packet captures with meaningful addresses (not necessarily
>>>>>>>>>>>>> accurate ones, but at least unambiguous - see my previous suggestion re
>>>>>>>>>>>>> RFC5737) and we can help you to understand them and what they mean.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Antony.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Heisenberg, Gödel, and Chomsky walk in to a bar.
>>>>>>>>>>>>> Heisenberg says, "Clearly this is a joke, but how can we work out if it's
>>>>>>>>>>>>> funny or not?"
>>>>>>>>>>>>> Gödel replies, "We can't know that because we're inside the joke."
>>>>>>>>>>>>> Chomsky says, "Of course it's funny. You're just saying it wrong."
>>>>>>>>>>>>>
>>>>>>>>>>>>> Please reply to the list; please *don't* CC me.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> _____________________________________________________________________
>>>>>>>>>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>>>>>>>>>>
>>>>>>>>>>>>> Check out the new Asterisk community forum at:
>>>>>>>>>>>>> https://community.asterisk.org/
>>>>>>>>>>>>>
>>>>>>>>>>>>> New to Asterisk? Start here:
>>>>>>>>>>>>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>>>>>>>>>>
>>>>>>>>>>>>> asterisk-users mailing list
>>>>>>>>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>>>>>>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
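
The failure pattern discussed in this thread, as an added Python example that is not part of the original messages: it compares the media address a phone advertises in SDP with the RTP the server itself reports seeing, for one working and one failing call. The flow tuples, the NAT-side address 192.0.2.10 and port 40000, and all function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges are listed explicitly: ipaddress.is_private would also flag
# the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24) used here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def sdp_media(sip_message):
    """Return (address, port) from the c= and m=audio lines of the SDP body."""
    addr = re.search(r"^c=IN IP4 (\S+)", sip_message, re.M)
    port = re.search(r"^m=audio (\d+) ", sip_message, re.M)
    if not addr or not port:
        raise ValueError("no audio media description found")
    return addr.group(1), int(port.group(1))

def diagnose(sip_message, signalling_src, local_ip, rtp_seen):
    """rtp_seen: (src_ip, src_port, dst_ip, dst_port) tuples as reported by the
    media server itself, i.e. after the local packet filter."""
    sdp_ip, sdp_port = sdp_media(sip_message)
    findings = []
    if is_rfc1918(sdp_ip) and sdp_ip != signalling_src:
        findings.append("sdp-private-address")           # endpoint behind NAT
    if not any(p[0] == signalling_src and p[2] == local_ip for p in rtp_seen):
        findings.append("no-inbound-rtp")                # nothing to learn from
    outbound = [p for p in rtp_seen if p[0] == local_ip]
    if outbound and all((p[2], p[3]) == (sdp_ip, sdp_port) for p in outbound):
        findings.append("rtp-sent-to-sdp-address-only")  # never switched to NAT
    return findings

# Constructed sample data using the addresses and ports quoted in the thread;
# the NAT-side address 192.0.2.10 and port 40000 are made up.
ASTERISK, NAT, PHONE = "198.51.100.1", "192.0.2.10", "192.168.100.235"

def sample_invite(rtp_port):
    return "\r\n".join(["INVITE sip:100@198.51.100.1 SIP/2.0",
                        "Content-Type: application/sdp", "", "v=0",
                        f"o=- 1 1 IN IP4 {PHONE}", "s=-", f"c=IN IP4 {PHONE}",
                        "t=0 0", f"m=audio {rtp_port} RTP/AVP 0 8"])
WORKING_CALL = [(ASTERISK, 13786, PHONE, 5016), (NAT, 40000, ASTERISK, 13786),
                (ASTERISK, 13786, NAT, 40000)]
FAILING_CALL = [(ASTERISK, 18892, PHONE, 5010), (ASTERISK, 18892, PHONE, 5010)]

if __name__ == "__main__":
    print(diagnose(sample_invite(5016), NAT, ASTERISK, WORKING_CALL))
    print(diagnose(sample_invite(5010), NAT, ASTERISK, FAILING_CALL))
```

Because tcpdump on the Asterisk host sees inbound packets before the netfilter input hook, inbound RTP that shows up in a capture but not in the `rtp set debug on` output points at the local ruleset.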