Hello,
it is only local nftables with nf_conntrack_sip on the asterisk
server. Probably a kernel bug? It did not trigger with previous
providers since they had working SIP ALG. Now I hear no audio in both
directions because outgoing rtp stream from asterisk goes to private
address space and incoming stream is blocked. So the outgoing rtp
could not be learnt to send to nat addess.
Marek
2021-09-06 22:17 GMT+02:00, Duncan Turnbull <duncan at
turnbull.co.nz>:>
>
>> On 7/09/2021, at 3:08 AM, Marek Greško <mgresko8 at gmail.com>
wrote:
>>
>> Hello,
>>
>> so when debugging RTP in asterisk there was no rtp income from the
>> remote site. I did check remote nat ip address and it was same as the
>> one in the pjsip show aors. So it is not due to ip address change. It
>> seems the local firewall sip module does not allow rtp stream to get
>> into. It was working previously with the other provider because of
>> working SIP ALG on their gateways. But now with this provider and
>> disabled SIP ALG it is not allowed. As I remeber in the past these
>> setups did work. What are your experiences on this?
>>
> You would need to provide a lot more explanation here. What is your
> firewall? I am assuming you configure it so find the configuration that’s
> blocking the ports and change it.
>
> My experience as before was that something is blocking rtp, now you know
> what that something is and it’s under your control so you need to check
it’s
> configuration and fix it. I don’t use a sip firewall. If I have external
sip
> clients I use a proxy.
>
>> Thanks
>>
>> Marek
>>
>>
>> 2021-09-06 11:50 GMT+02:00, Marek Greško <mgresko8 at gmail.com>:
>>> Sorry rtp set debug on showed something. So let try for the problem
to
>>> arise again.
>>>
>>> Marek
>>>
>>>
>>> 2021-09-06 11:48 GMT+02:00, Marek Greško <mgresko8 at
gmail.com>:
>>>> Hello,
>>>>
>>>>>> I would expect that when asterisk is aware of nat, it
does not send
>>>>>> the rtp until it receives rtp from other side to learn
the port, but
>>>>>> OK, no problem to accept the behavior.
>>>>>>
>>>>> That’s not how things work. You should google how sip rtp
and Nat work
>>>>> as
>>>>> it
>>>>> will help you
>>>>
>>>> no problem if it is intended.
>>>>
>>>>>>
>>>>>>> The question is why your asterisk didn't learn
the external address
>>>>>>> and
>>>>>>> port from the received rtp packet
>>>>>>>
>>>>>>> You can look at your logs with debug to see what
decisions its
>>>>>>> making.
>>>>>>> You
>>>>>>> can see if different rtp ports have different
results.
>>>>>>> Your phone provider has rtp on 5010 unsuccessfully
and 5016
>>>>>>> successfully.
>>>>>>> Your asterisk uses rtp 13786 successfully and fails
when using 18892.
>>>>>>> Is
>>>>>>> it
>>>>>>> possible your firewall is blocking port 18892 and
so asterisk never
>>>>>>> sees
>>>>>>> the returned packet and can't learn from it?
>>>>>>
>>>>>> It is very unprobable. I see no reason for blocking the
port. The
>>>>>> problem is asterisk never learns the correct port, so
there is nothing
>>>>>> to block.
>>>>> It wasn’t what is probable, look at the asterisk logs and
see what it’s
>>>>> actually doing. If asterisk never sees the reply then you
will know
>>>>> something is blocking or stealing the port for some other
service
>>>>
>>>> If it is stolen port for rtp, the next call would solve it,
since it
>>>> will use different one, and it does not solve it.
>>>>
>>>>>>
>>>>>>>
>>>>>>> In any event you should put your debug on and look
at your logs in
>>>>>>> asterisk
>>>>>>> to see what it sees and why it doesn't react to
the rtp packet, if it
>>>>>>> gets
>>>>>>> it
>>>>>>
>>>>>> Could you point me how the debug should be conducted?
>>>>>
>>>>> Using the asterisk cli turn on debug for the peer and rtp
and see what
>>>>> happens. Match it with the asterisk processes. You have to
do this, you
>>>>> can
>>>>> look at cli or the log files, follow it through to see the
rtp packet
>>>>> being
>>>>> received. Lots of debug advice on google.
>>>>
>>>> Asterisk cli did not show anything interesting. I tried pjsip
set
>>>> logger verbose on, but no logs showed anywhere. What am I doing
wrong?
>>>>
>>>> Marek
>>>>
>>>>
>>>>>>
>>>>>> Is my suspection that the problem could be caused by
nat ip addres
>>>>>> changing reasonable? How should asterisk handle the
situation?
>>>>> I can’t see anything to support that. Everything is looking
normal
>>>>> except
>>>>> asterisk doesn’t appear to beseeing the rtp packet
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Have fun, its all good learning.
>>>>>>>
>>>>>>>
>>>>>>>> On Sun, Sep 5, 2021 at 6:27 PM Marek Greško
<mgresko8 at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> regarding the ipv6, you see nothing about that
it should be some
>>>>>>>> type
>>>>>>>> of ipv6 tunnelling, because also MTU is lower
than expected. You
>>>>>>>> should not see any ipv6 related communication
in the sniff. Phone is
>>>>>>>> not aware of it.
>>>>>>>>
>>>>>>>> The asterisk's static public ip address is
198.51.100.1.
>>>>>>>> The remote provider's dynamic nat pool is
192.0.2.0/24. By provider
>>>>>>>> we
>>>>>>>> mean internet provider the remote phones are
behind. We are not
>>>>>>>> complaining about voip provider, we have no
problem with that. Only
>>>>>>>> communication between asterisk and remote
phones behind some
>>>>>>>> internet
>>>>>>>> provider. This is the only conversation to look
at.
>>>>>>>> The phone private address is 192.168.100.235.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Marek
>>>>>>>>
>>>>>>>>
>>>>>>>> 2021-09-05 1:11 GMT+02:00, Duncan Turnbull
<duncan at e-simple.co.nz>:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> On 5/09/2021, at 10:21 AM, Marek Greško
<mgresko8 at gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> could you please answer my previous
question about anonymizing
>>>>>>>>>> several
>>>>>>>>>> parameters? I have the data ready, but
will post after answer. I
>>>>>>>>>> have
>>>>>>>>>> no clue whether I could disclose some
important data not deleting
>>>>>>>>>> them.
>>>>>>>>>>
>>>>>>>>>> Regarding sdp, the address will be the
internal one, since the
>>>>>>>>>> phone
>>>>>>>>>> is behind nat and it is not aware of
the nat. The provider's nat
>>>>>>>>>> device is configured as dump nat, no
application tweaking is done.
>>>>>>>>>> So
>>>>>>>>>> the asterisk will see the lan address
in the sip.
>>>>>>>>>>
>>>>>>>>> There are two conversations to look at
>>>>>>>>> Provider to Asterisk
>>>>>>>>> Asterisk to Phone
>>>>>>>>> You need the packet captures of both.
>>>>>>>>>
>>>>>>>>> Your statements are mixing them up
>>>>>>>>>
>>>>>>>>> I don’t know what you mean by LAN address,
that’s an ambiguous
>>>>>>>>> term.
>>>>>>>>> The
>>>>>>>> ip
>>>>>>>>> your asterisk receives from the provider
should be the providers
>>>>>>>> external ip
>>>>>>>>> or in the sdp the external address of the
media server which may or
>>>>>>>>> may
>>>>>>>> not
>>>>>>>>> be the same device
>>>>>>>>>
>>>>>>>>>> In the working scenario it is sending
rtp packets to the internal
>>>>>>>>>> address which is wrong, but after
receiving cca 5 rtp packets from
>>>>>>>>>> the
>>>>>>>>>> phone it somehow discovers correct nat
ip/port and switches to it.
>>>>>>>>>> In
>>>>>>>>>> non-working scenario it never switches
and still sends to the lan
>>>>>>>>>> address. Strange there is no audio,
even one direction. Another
>>>>>>>>>> strange thing is there are 2 phones
(different vendors) behind the
>>>>>>>>>> same nat and the problem appearance on
them is independent,
>>>>>>>>>> sometimes
>>>>>>>>>> the first has problem, sometimes the
second and sometimes both.
>>>>>>>>>>
>>>>>>>>>> The tcpdumps are made on the asterisk
side. I have currently no
>>>>>>>>>> means
>>>>>>>>>> of capturing on phone side.
>>>>>>>>>>
>>>>>>>>>> Marek
>>>>>>>>>>
>>>>>>>>>> 2021-09-04 23:56 GMT+02:00, Antony
Stone
>>>>>>>>>> <Antony.Stone at
asterisk.open.source.it>:
>>>>>>>>>>>>> On Saturday 04 September
2021 at 22:13:32, Marek Greško wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I agree my knowledge of SIP
itself is poor, but I have quite
>>>>>>>>>>>>> well
>>>>>>>>>>>>> general tcp/ip
understanding. What sip parameters should be
>>>>>>>>>>>>> anonymized? How about tag,
branch, call-id, cseq values?
>>>>>>>>>>>>
>>>>>>>>>>>> Show us your packet captures
with meaningful addresses (not
>>>>>>>>>>>> necessarily
>>>>>>>>>>>> accurate ones, but at least
unambiguous - see my previous
>>>>>>>>>>>> suggestion
>>>>>>>>>>>> re
>>>>>>>>>>>> RFC5737) and we can help you to
understand them and what they
>>>>>>>>>>>> mean.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Antony.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Heisenberg, Gödel, and Chomsky
walk in to a bar.
>>>>>>>>>>>> Heisenberg says, "Clearly
this is a joke, but how can we work
>>>>>>>>>>>> out
>>>>>>>>>>>> if
>>>>>>>>> it's
>>>>>>>>>>>> funny or not?"
>>>>>>>>>>>> Gödel replies, "We
can't know that because we're inside the
>>>>>>>>>>>> joke."
>>>>>>>>>>>> Chomsky says, "Of course
it's funny. You're just saying it
>>>>>>>>>>>> wrong."
>>>>>>>>>>>>
>>>>>>>>>>>>
Please reply to
>>>>>>>>>>>> the
>>>>>>>>>>>> list;
>>>>>>>>>>>>
please
>>>>>>>>>>>> *don't*
>>>>>>>>> CC
>>>>>>>>>>>> me.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>>
_____________________________________________________________________
>>>>>>>>>>>> -- Bandwidth and Colocation
Provided by
>>>>>>>>>>>> http://www.api-digital.com
>>>>>>>>>>>> --
>>>>>>>>>>>>
>>>>>>>>>>>> Check out the new Asterisk
community forum at:
>>>>>>>>>>>> https://community.asterisk.org/
>>>>>>>>>>>>
>>>>>>>>>>>> New to Asterisk? Start here:
>>>>>>>>>>>>
https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>>>>>>>>>
>>>>>>>>>>>> asterisk-users mailing list
>>>>>>>>>>>> To UNSUBSCRIBE or update
options visit:
>>>>>>>>>>>>
http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
_____________________________________________________________________
>>>>>>>>>>> -- Bandwidth and Colocation
Provided by
>>>>>>>>>>> http://www.api-digital.com
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>> Check out the new Asterisk
community forum at:
>>>>>>>>>>> https://community.asterisk.org/
>>>>>>>>>>>
>>>>>>>>>>> New to Asterisk? Start here:
>>>>>>>>>>>
https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>>>>>>>>
>>>>>>>>>>> asterisk-users mailing list
>>>>>>>>>>> To UNSUBSCRIBE or update options
visit:
>>>>>>>>>>>
http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>>
_____________________________________________________________________
>>>>>>>>>> -- Bandwidth and Colocation Provided by
http://www.api-digital.com
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> Check out the new Asterisk community
forum at:
>>>>>>>>>> https://community.asterisk.org/
>>>>>>>>>>
>>>>>>>>>> New to Asterisk? Start here:
>>>>>>>>>>
https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>>>>>>>
>>>>>>>>>> asterisk-users mailing list
>>>>>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>>>>>>
http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
_____________________________________________________________________
>>>>>>>>> -- Bandwidth and Colocation Provided by
http://www.api-digital.com
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> Check out the new Asterisk community forum
at:
>>>>>>>>> https://community.asterisk.org/
>>>>>>>>>
>>>>>>>>> New to Asterisk? Start here:
>>>>>>>>>
https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>>>>>>
>>>>>>>>> asterisk-users mailing list
>>>>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>>>>>
http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
_____________________________________________________________________
>>>>>>> -- Bandwidth and Colocation Provided by
http://www.api-digital.com --
>>>>>>>
>>>>>>> Check out the new Asterisk community forum at:
>>>>>>> https://community.asterisk.org/
>>>>>>>
>>>>>>> New to Asterisk? Start here:
>>>>>>>
https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>>>>
>>>>>>> asterisk-users mailing list
>>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>>>
http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>>>
>>>>>> --
>>>>>>
_____________________________________________________________________
>>>>>> -- Bandwidth and Colocation Provided by
http://www.api-digital.com --
>>>>>>
>>>>>> Check out the new Asterisk community forum at:
>>>>>> https://community.asterisk.org/
>>>>>>
>>>>>> New to Asterisk? Start here:
>>>>>>
https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>>>
>>>>>> asterisk-users mailing list
>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>>
http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>
>>>
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> Check out the new Asterisk community forum at:
>> https://community.asterisk.org/
>>
>> New to Asterisk? Start here:
>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users