Re: [Asterisk-Users] Working Xten, Asterisk, double-NAT configs out there?

2005-05-22 Thread Wilson Pickett
 I have my * box NAT'd with all ports forwarded that are SIP related
 (based on Wiki).  I also have nat=yes, externalip=WAN address of
 firewall, internalip=LAN network of *.
 
 I have my Xten soft phone on a PC which is NAT'd behind firewall with
 ports forwarded.  I have also followed instructions on Wiki for Xten.

Take a look here:

http://willypick.mindsay.com/?entry=10

Your problem does not sound like NAT to me, but authentication on the
other end. Max retries refers to the phone you are trying to reach.
___
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [Asterisk-Users] Working Xten, Asterisk, double-NAT configs out there?

2005-05-21 Thread Tim Pushor
I have (had) a similar setup at one time. I'm running freebsd/pf on each 
nat box. Asterisk is behind one, an xten softphone behind the other.


I watched the SIP traffic on both the incoming and outgoing interfaces 
(pre/post nat) of each box. You can then generally see what's wrong, and 
as a huge plus, learn a lot more about how SIP/RTP actually works ..


That coupled with the firewall log (I deny/log all by default) and the 
firewall debug output (I have had, and am still having in a couple of 
weird cases, state clashes) you can usually identify the problem ..


Or you could post your details and let someone have a stab at helping, 
unless there are any psychics here :-)


Tim

Aaron O'Hara wrote:


All,

I have my * box NAT'd with all ports forwarded that are SIP related
(based on Wiki).  I also have nat=yes, externalip=WAN address of
firewall, internalip=LAN network of *.

I have my Xten soft phone on a PC which is NAT'd behind firewall with
ports forwarded.  I have also followed instructions on Wiki for Xten.

I can authenticate fine, and sip show peers shows my extension is OK,
but whenever I dial another SIP or zap channel, I get a max retries
exceeded on my * box.

Can somebody post a working config with * behind firewall w/ports
forwarded and xten behind firewall w/ports forwarded?

Thanks,

-- Aaron



Re: [Asterisk-Users] Working Xten, Asterisk, double-NAT configs out there?

2005-05-21 Thread Aaron O'Hara
Tim,

Aside from the firewall logs in /var/log/messages, what tools did you find
most helpful for seeing SIP/RTP traffic?

What are some of the key things to look for to see if there's a problem?

Aaron

On Sat, 2005-21-05 at 14:04 -0600, Tim Pushor wrote:
 I have (had) a similar setup at one time. I'm running freebsd/pf on each 
 nat box. Asterisk is behind one, an xten softphone behind the other.
 
 I watched the SIP traffic on both the incoming and outgoing interfaces 
 (pre/post nat) of each box. You can then generally see what's wrong, and 
 as a huge plus, learn a lot more about how SIP/RTP actually works ..
 
 That coupled with the firewall log (I deny/log all by default) and the 
 firewall debug output (I have had, and am still having in a couple of 
 weird cases, state clashes) you can usually identify the problem ..
 
 Or you could post your details and let someone have a stab at helping, 
 unless there are any psychics here :-)
 
 Tim
 
 Aaron O'Hara wrote:
 
 All,
 
 I have my * box NAT'd with all ports forwarded that are SIP related
 (based on Wiki).  I also have nat=yes, externalip=WAN address of
 firewall, internalip=LAN network of *.
 
 I have my Xten soft phone on a PC which is NAT'd behind firewall with
 ports forwarded.  I have also followed instructions on Wiki for Xten.
 
 I can authenticate fine, and sip show peers shows my extension is OK,
 but whenever I dial another SIP or zap channel, I get a max retries
 exceeded on my * box.
 
 Can somebody post a working config with * behind firewall w/ports
 forwarded and xten behind firewall w/ports forwarded?
 
 Thanks,
 
 -- Aaron
 


Re: [Asterisk-Users] Working Xten, Asterisk, double-NAT configs out there?

2005-05-21 Thread Tim Pushor

Aaron O'Hara wrote:


Tim,

Aside from the firewall logs in /var/log/messages, what tools did you find
most helpful for seeing SIP/RTP traffic?

What are some of the key things to look for to see if there's a problem?



Oh, I generally use tcpdump to grab the packets and save them to a file, 
then load them with ethereal at a workstation to analyze them.


You can also use ngrep to watch sip traffic.

Some things to watch for:

- make sure all SIP traffic on the outside interface of each firewall 
advertises its external IP to the other side
- make sure that the host and port in the SDP payload of the SIP packet 
look sane (port within redirection range, host is external IP)


For example, here is a SIP problem I just troubleshot:

I have a friend with a d-link router and a sipura 2000 behind it, 
connecting to free world dialup. I have an * server behind a NAT and 
*thought* everything was working ( I have a few SIP connections that all 
seem to work).


When he called me, everything was fine
When I called him, we had one way audio.

one way audio + NAT's on both sides = 99% Probability it is NAT related

I started by watching the traffic arrive on my external interface (using 
ngrep). I made sure the INVITE from him (actually from free world 
dialup) looked sane (contained his external IP address in the SDP 
payload, and the port was within the range programmed into his sipura 
2000 - so it would be forwarded properly by his redirection rules on the 
d-link).


Then I watched my response, and made sure again that the SDP payload in 
my response was advertising my IP address and a port within the range 
specified in my rtp.conf.


Everything seemed ok. Just to make sure, I grabbed a bunch of packets 
with tcpdump and loaded them up in ethereal. Everything looked like it 
should work.


So next, I watched my firewall log in realtime (the drop log) to see if 
I was dropping anything inadvertently on the firewall. Nothing. I open 
two sessions into the firewall, and watch all communication to either 
fwd or my friend (in just a one line summary per packet) on both the 
Internal and External interface. This shows a different picture. I can 
follow the SIP conversation coming from FWD and my response. It is when 
we begin trying to talk (using RTP) that I see that his RTP packets are 
in fact coming to me, but I don't see them cross the firewall (I see 
them on the outside, and not on the inside). I know that my firewall is 
not dropping them, so it must be something else.


I enabled debugging on my firewall (pfctl -x loud) and watched my system 
log. Sure enough, I am getting a state error on every inbound RTP packet 
from him. I have had this problem before, and it has to do with pf using 
the state table to handle redirects. I had established a state already 
for some reason (probably a keep-state rule somewhere) that is clashing 
with the inbound rdr.


I just found the problem, I haven't fixed it yet, but at least I know 
where it is. Interestingly it wasn't really a NAT problem, but more how 
I've decided to implement my firewall.


Sorry if this is long and maybe obvious to you, but this is basically 
the process that I follow whenever I have SIP or NAT problems.


Tim
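
The two checks listed in the message above (advertised host is the external IP, SDP port is inside the forwarded range), written as an added example that is not part of the original post or of Asterisk. The sample messages, addresses and the 10000-20000 port range are constructed assumptions; feed it SIP text captured on the outside interface.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a 200 OK as seen on the OUTSIDE interface of a NAT box.
# Addresses are placeholders, not values from the thread.
SAMPLE_LEAKY = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bK1\r\n"
    "Contact: <sip:100@192.168.1.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 192.168.1.10\r\n"
    "s=session\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 40000 RTP/AVP 0\r\n"
)
SAMPLE_OK = SAMPLE_LEAKY.replace("192.168.1.10", "203.0.113.5").replace("40000", "10010")


def _check_host(where, host, external_ip, findings):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return  # a hostname rather than an IP literal: not checked here
    if any(addr in net for net in RFC1918):
        findings.append(f"{where} advertises private address {host}")
    elif host != external_ip:
        findings.append(f"{where} advertises {host}, expected {external_ip}")


def check_sip(message, external_ip, rtp_low, rtp_high):
    """Return findings for one SIP message captured outside the NAT."""
    findings = []
    head, _, body = message.partition("\r\n\r\n")
    # Contact is where the far end sends later requests in the dialog.
    for m in re.finditer(r"^Contact:.*?sips?:(?:[^@>\s]*@)?([\d.]+)", head, re.M | re.I):
        _check_host("Contact", m.group(1), external_ip, findings)
    # SDP c= is the host the far end will send RTP to.
    for m in re.finditer(r"^c=IN IP4 (\S+)", body, re.M):
        _check_host("SDP c=", m.group(1), external_ip, findings)
    # SDP m= carries the RTP port; it must fall inside the forwarded range.
    for m in re.finditer(r"^m=(\w+) (\d+)", body, re.M):
        port = int(m.group(2))
        if port and not rtp_low <= port <= rtp_high:
            findings.append(f"SDP m={m.group(1)} port {port} outside range {rtp_low}-{rtp_high}")
    return findings
```

An empty result only says the signalling looks sane; as the message above shows, RTP can still be lost to a firewall state problem that never appears in the SIP text.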



