I'll go through these issues, thanks for providing them.  First things
first: can you please point me toward a decent HOWTO or
documentation on how exactly to set up a symmetric NAT with iptables?
Currently, a fragment of my NAT rules looks like this:

# Enable masquerading
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 123.123.123.123 # this is my external IP

# Port forward SIP to voipserver
iptables -t nat -A PREROUTING --dest 123.123.123.123 -p udp --dport 5060 -j DNAT --to-destination 10.0.0.6
iptables -t nat -A PREROUTING --dest 123.123.123.123 -p udp --dport 5080 -j DNAT --to-destination 10.0.0.6
iptables -t nat -A PREROUTING --dest 123.123.123.123 -p tcp --dport 5060 -j DNAT --to-destination 10.0.0.6
iptables -t nat -A PREROUTING --dest 123.123.123.123 -p tcp --dport 5080 -j DNAT --to-destination 10.0.0.6
iptables -t nat -A PREROUTING --dest 123.123.123.123 -p udp --dport 30000:31000 -j DNAT --to-destination 10.0.0.6

The 5060 ports are not used, I had just opened them up for testing.  I
am not sure if this is a proper symmetric NAT setup or not, because I
am unsure as to how the firewall is going to handle port mappings...
There are also FORWARD rules, I am just not showing them.

Based on your advice I will disable nf_conntrack_sip (note that I had
enabled it on port 5080, and disabled the rule to forward 30000:31000
that is shown above).

AJ

On Tue, Oct 25, 2011 at 6:33 PM, Tony Graziano
<tgrazi...@myitdepartment.net> wrote:
> Also, FS should be showing the call as anchored and with the IP of the sipx
> server (the internal ip address).
> So either you don't have sipx or the trunk configured properly, or you have a
> strange firewall issue too.
> there are many things probably wrong here, so here's a short list.
>
> sipx server should be behind NAT. Its IP address should be using stun or
> have the public address manually input.
> the itsp should NOT be doing nat traversal for you.
> stop using the iptables sip conntrack modules, they will not be of any help.
> just setup iptables to do symmetric nat.
> make sure your trunk says to use the public address for call setup.
>
> On Tue, Oct 25, 2011 at 6:00 PM, Tony Graziano
> <tgrazi...@myitdepartment.net> wrote:
>>
>> Who is the provider? Are they a commercial or consumer provider? It sounds
>> like they do not support re-invite with sdp...
>> Supply a proper sip trace. See the wiki:
>>
>> http://wiki.sipfoundry.org/display/sipXecs/Display+SIP+message+flow+using+Sipviewer
>> For a proper trace, you should have the logging level for the proxy,
>> voicemail and auto attendant and trunking to debug prior. rotate your logs,
>> and make a test call. don't forget to change the logging levels back. feel
>> free to post the trace to the list. tcpdump doesn't really cut it because it
>> does not show signalling between the various components, so you won't get a
>> lot of input on that.
>>
>> On Tue, Oct 25, 2011 at 4:51 PM, Adrien Guillon <aj.guil...@gmail.com>
>> wrote:
>>>
>>> A bit more information... these bad ports seem to only happen after
>>> the call has been picked up.... so the AA will transfer, phone will
>>> ring (the phone that placed the call is disconnected), and when I pick
>>> up the dead call I get the unreachable packets...
>>>
>>> On Tue, Oct 25, 2011 at 4:47 PM, Adrien Guillon <aj.guil...@gmail.com>
>>> wrote:
>>> > Yes, the INVITE is coming in to port 5080.
>>> >
>>> > Here is a fragment of the TCP dump...
>>> >
>>> > 20:35:20.680594 IP bm-srv-01.voicenetwork.ca.23960 > 123.123.123.123.30500: UDP, length 172
>>> > 20:35:20.700720 IP 74-51-40-188.voicenetwork.ca.5060 > 123.123.123.123.5080: SIP, length: 974
>>> > 20:35:20.701954 IP bm-srv-01.voicenetwork.ca.23960 > 123.123.123.123.30500: UDP, length 172
>>> > 20:35:20.716718 IP 123.123.123.123.5080 > 74-51-40-188.voicenetwork.ca.5060: SIP, length: 743
>>> > 20:35:20.721350 IP bm-srv-01.voicenetwork.ca.23960 > 123.123.123.123.30500: UDP, length 172
>>> > 20:35:20.740643 IP bm-srv-01.voicenetwork.ca.23960 > 123.123.123.123.30500: UDP, length 172
>>> > 20:35:20.760635 IP bm-srv-01.voicenetwork.ca.23960 > 123.123.123.123.30500: UDP, length 172
>>> > 20:35:20.792415 IP 74-51-40-188.voicenetwork.ca.5060 > 123.123.123.123.5080: SIP, length: 805
>>> > 20:35:21.399765 IP 123.123.123.123.30500 > bm-srv-01.voicenetwork.ca.23960: UDP, length 172
>>> > 20:35:21.420746 IP 123.123.123.123.30500 > bm-srv-01.voicenetwork.ca.23960: UDP, length 172
>>> > 20:35:21.423869 IP bm-srv-01.voicenetwork.ca > 123.123.123.123: ICMP bm-srv-01.voicenetwork.ca udp port 23960 unreachable, length 208
>>> > 20:35:21.441759 IP 123.123.123.123.30500 > bm-srv-01.voicenetwork.ca.23960: UDP, length 172
>>> > 20:35:21.444943 IP bm-srv-01.voicenetwork.ca > 123.123.123.123: ICMP bm-srv-01.voicenetwork.ca udp port 23960 unreachable, length 208
>>> > 20:35:21.459734 IP 123.123.123.123.30500 > bm-srv-01.voicenetwork.ca.23960: UDP, length 172
>>> > 20:35:21.466007 IP bm-srv-01.voicenetwork.ca > 123.123.123.123: ICMP bm-srv-01.voicenetwork.ca udp port 23960 unreachable, length 208
>>> > 20:35:21.480694 IP 123.123.123.123.30500 > bm-srv-01.voicenetwork.ca.23960: UDP, length 172
>>> > 20:35:21.483860 IP bm-srv-01.voicenetwork.ca > 123.123.123.123: ICMP bm-srv-01.voicenetwork.ca udp port 23960 unreachable, length 208
>>> > 20:35:21.501487 IP 123.123.123.123.30500 > bm-srv-01.voicenetwork.ca.23960: UDP, length 172
>>> > 20:35:21.504884 IP bm-srv-01.voicenetwork.ca > 123.123.123.123: ICMP bm-srv-01.voicenetwork.ca udp port 23960 unreachable, length 208
>>> > 20:35:21.519723 IP 123.123.123.123.30500 > bm-srv-01.voicenetwork.ca.23960: UDP, length 172
>>> > 20:35:21.525664 IP bm-srv-01.voicenetwork.ca > 123.123.123.123: ICMP bm-srv-01.voicenetwork.ca udp port 23960 unreachable, length 208
>>> >
>>> >
>>> > What is strange, is that you see that at some point my own host
>>> > (123.123.123.123) is being contacted on port 23960 which was formerly
>>> > the originating port of the provider (although maybe this is expected,
>>> > I don't know).  I am not sure if this port is actually opened or not
>>> > on the sipX side.
>>> >
>>> > Here is a fragment of the INVITE:
>>> >
>>> > Time: 2011-10-25T20:35:09.610000Z
>>> > Frame: 9 sipxbridge.xml:2663
>>> > Source: 74.51.40.188:5060
>>> > Dest: voip.sipxecs.tld-sipXbridge
>>> >
>>> > ...
>>> >
>>> > v=0
>>> > o=FreeSWITCH 2592907442 2592907443 IN IP4 68.68.29.232
>>> > s=FreeSWITCH
>>> > c=IN IP4 68.68.29.232
>>> > t=0 0
>>> > m=audio 23960 RTP/AVP 18 0 101
>>> > a=rtpmap:101 telephone-event/8000
>>> > a=ptime:20
>>> > a=silenceSupp:off - - - -
>>> >
>>> >
>>> > ---
>>> > AJ
>>> >
>>> >
>>> >
>>> > On Tue, Oct 25, 2011 at 4:30 PM, Tony Graziano
>>> > <tgrazi...@myitdepartment.net> wrote:
>>> >> No. If the phone is connected to sipx, and sipx is doing the trunking,
>>> >> sipx is anchoring the media.
>>> >> Ensure the ITSP is sending the INVITE on the incoming call to port
>>> >> 5080.
>>> >>
>>> >> On Tue, Oct 25, 2011 at 4:07 PM, Adrien Guillon <aj.guil...@gmail.com>
>>> >> wrote:
>>> >>>
>>> >>> Hi everyone,
>>> >>>
>>> >>> I have been working on incoming calls from a sip trunk, and debugging
>>> >>> potential issues.  Right now, calls are disconnected immediately after
>>> >>> I dial an extension from the AA (when I call externally).  I'm pretty
>>> >>> sure the NAT is configured properly, and I'm starting to narrow down
>>> >>> the problem.  The NAT uses nf_conntrack_sip rather than explicitly
>>> >>> opening RTP ports.  I used tcpdump to monitor incoming calls, and I
>>> >>> find events such as (right before disconnection):
>>> >>>
>>> >>> 19:40:25.689135 IP bm-srv-01.voicenetwork.ca > 123.456.1.12: ICMP bm-srv-01.voicenetwork.ca udp port 19222 unreachable, length 208
>>> >>>
>>> >>> I have discussed this with a friend, and one potential issue could be
>>> >>> how the phone network is configured.  My phones are firewalled so that
>>> >>> they can only communicate with the SipX server.  I am not sure if the
>>> >>> transfer negotiation is attempting to pass the connection directly to
>>> >>> the phone, which then has no path back (and is not really reachable
>>> >>> from the NAT system).
>>> >>>
>>> >>> Any suggestions?
>>> >>>
>>> >>> AJ
>>> >>> _______________________________________________
>>> >>> sipx-users mailing list
>>> >>> sipx-users@list.sipfoundry.org
>>> >>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> ======================
>>> >> Tony Graziano, Manager
>>> >> Telephone: 434.984.8430
>>> >> sip: tgrazi...@voice.myitdepartment.net
>>> >> Fax: 434.465.6833
>>> >>
>>> >> Email: tgrazi...@myitdepartment.net
>>> >>
>>> >> LAN/Telephony/Security and Control Systems Helpdesk:
>>> >> Telephone: 434.984.8426
>>> >> sip: helpd...@voice.myitdepartment.net
>>> >>
>>> >> Helpdesk Contract Customers:
>>> >> http://support.myitdepartment.net
>>> >> Blog:
>>> >> http://blog.myitdepartment.net
>>> >>
>>> >> Linked-In
>>> >> Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>>> >> Ask about our Internet Fax services!
>>> >>
>>> >>
>>> >
>
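An added example, not part of the original thread: a Python sketch that correlates the ICMP port-unreachable errors in a tcpdump text capture like the one quoted above with the RTP flows they reject and with the audio port in the INVITE's SDP. The function names are hypothetical; the sample records are selected from the thread's capture with wrapped lines rejoined.

```python
import re
from collections import Counter

# Selected records from the tcpdump fragment in the thread (wrapped lines rejoined).
CAPTURE = """\
20:35:20.680594 IP bm-srv-01.voicenetwork.ca.23960 > 123.123.123.123.30500: UDP, length 172
20:35:20.700720 IP 74-51-40-188.voicenetwork.ca.5060 > 123.123.123.123.5080: SIP, length: 974
20:35:21.399765 IP 123.123.123.123.30500 > bm-srv-01.voicenetwork.ca.23960: UDP, length 172
20:35:21.423869 IP bm-srv-01.voicenetwork.ca > 123.123.123.123: ICMP bm-srv-01.voicenetwork.ca udp port 23960 unreachable, length 208
20:35:21.441759 IP 123.123.123.123.30500 > bm-srv-01.voicenetwork.ca.23960: UDP, length 172
20:35:21.444943 IP bm-srv-01.voicenetwork.ca > 123.123.123.123: ICMP bm-srv-01.voicenetwork.ca udp port 23960 unreachable, length 208
"""
# c= and m= lines from the INVITE's SDP quoted in the thread.
SDP = "c=IN IP4 68.68.29.232\nm=audio 23960 RTP/AVP 18 0 101\n"

UDP_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP,")
ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP (\S+) udp port (\d+) unreachable")

def sdp_audio_port(sdp):
    """Return the RTP port advertised on the SDP m=audio line, or None."""
    m = re.search(r"^m=audio (\d+) ", sdp, re.M)
    return int(m.group(1)) if m else None

def analyze(capture, local_ip, sdp=""):
    """Correlate ICMP port-unreachable errors with the UDP flows they reject."""
    sent, received, rejected = Counter(), Counter(), Counter()
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            src, sport, dst, dport = m.groups()
            if src == local_ip:
                sent[(dst, int(dport))] += 1
            elif dst == local_ip:
                received[(src, int(sport))] += 1
            continue
        m = ICMP_RE.match(line)
        if m and m.group(2) == local_ip:
            rejected[(m.group(3), int(m.group(4)))] += 1
    advertised = sdp_audio_port(sdp)
    # A port-unreachable from the peer means our packet reached that host
    # and nothing was listening on the port at that moment.
    return [{"peer": peer, "sent": sent[peer], "rejected": n,
             "peer_sent_from_port": received[peer] > 0,
             "matches_sdp_port": peer[1] == advertised}
            for peer, n in sorted(rejected.items())]

if __name__ == "__main__":
    for finding in analyze(CAPTURE, "123.123.123.123", SDP):
        print(finding)
```
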