First of all, I'd like to send a big "thank you" to all the folks who have helped me get this far.

Now on to the next problem. Here's my current network setup:

    The Big I ---+--- FreeBSD FW --- * (10.0.0.253) ---- PC (10.0.0.1)
                 |
                 +--- Laptop (public IP)

natd is set up with the following rules:

    redirect_port udp 10.0.0.253:10000-20000 10000-20000
    redirect_port udp 10.0.0.253:5060 5060

* is set up with the demo/sandbox config.

I'm using XLite as my SIP client and have configured it on PC to work with *. I'm able to do everything I've tried so far. I should, though - I'm on the inside.

However, when trying to make a call from the outside (via Laptop), something's breaking. I've set up the SIP proxy in XLite to be the external interface on the firewall, and am able to log into the proxy without difficulty. And while I can begin conversations, I can't keep them going for long.

For instance, when trying to call 500@10.0.0.253 (or 500@FWpublicIP), I get most of the "demo-abouttotry" message - "I am about to attempt an IAX connection to a demonstration server located at Di" - at which point it gets cut off. The console spits out the following error:

    File chan_sip.c, Line 443 (retrans_pkt): Maximum retries exceeded on call FB9CEC48-7CE1-4171-895B-2DF048ED5D1F@12.252.156.250 for seqno 12384 (Response)

Any ideas what could be going on? My first guess is the firewall, but I can't figure out why some of the packets would get through while others apparently are not. I'm at a loss.

Brad Waite
aka HankPoacher
Unfortunately this setup does not work. When * sends SDP info in the INVITE process on how to establish the audio session, *'s real IP address is in the packet and the outside phone tries to connect to this IP address, which of course is unreachable because of the firewall. For this to work you need to move * to the firewall and put the firewall's IP address in the SIP.CONF file.

HTH,
Steve

On Sat, 2003-09-20 at 12:07, Brad Waite wrote:
> First of all, I'd like to send a big "thank you" to all the folks who have
> helped me get this far.
>
> Now on to the next problem. Here's my current network setup:
>
>     The Big I ---+--- FreeBSD FW --- * (10.0.0.253) ---- PC (10.0.0.1)
>                  |
>                  +--- Laptop (public IP)
>
> natd is set up with the following rules:
>
>     redirect_port udp 10.0.0.253:10000-20000 10000-20000
>     redirect_port udp 10.0.0.253:5060 5060
>
> * is set up with the demo/sandbox config.
>
> I'm using XLite as my SIP client and have configured it on PC to work with *.
> I'm able to do everything I've tried so far. I should, though - I'm on the inside.
>
> However, when trying to make a call from the outside (via Laptop), something's
> breaking. I've set up the SIP proxy in XLite to be the external interface on
> the firewall, and am able to log into the proxy without difficulty. And while I
> can begin conversations, I can't keep them going for long.
>
> For instance, when trying to call 500@10.0.0.253 (or 500@FWpublicIP), I get most
> of the "demo-abouttotry" message - "I am about to attempt an IAX connection to a
> demonstration server located at Di" - at which point it gets cut off. The
> console spits out the following error:
>
>     File chan_sip.c, Line 443 (retrans_pkt): Maximum retries exceeded on call
>     FB9CEC48-7CE1-4171-895B-2DF048ED5D1F@12.252.156.250 for seqno 12384 (Response)
>
> Any ideas what could be going on? My first guess is the firewall, but I can't
> figure out why some of the packets would get through while others apparently are
> not. I'm at a loss.
>
> Brad Waite
> aka HankPoacher
>
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users@lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
Brad,

I've played with XLite, but not with a firewall in this direction, so my comments might be off base.

> redirect_port udp 10.0.0.253:10000-20000 10000-20000
> redirect_port udp 10.0.0.253:5060 5060
>
> * is set up with the demo/sandbox config.
>
> I'm using XLite as my SIP client and have configured it on PC to work with *.
> I'm able to do everything I've tried so far. I should, though - I'm on the inside.
>
> However, when trying to make a call from the outside (via Laptop), something's
> breaking. I've set up the SIP proxy in XLite to be the external interface on
> the firewall, and am able to log into the proxy without difficulty. And while I
> can begin conversations, I can't keep them going for long.

I'd guess that udp/5060 is working fine, but the voice channel is being dropped for a couple of possible reasons. The Xlite doc suggests the voice channel will be using udp/8000-8006, where 8000 & 8001 are used for line #1, etc. Based on the redirect_port statement above, I wonder if one-half of the voice port is being blocked (and therefore times out), or NAT table timeout might be an issue.

> Any ideas what could be going on? My first guess is the firewall, but I can't
> figure out why some of the packets would get through while others apparently are
> not. I'm at a loss.

I'd download ethereal (or whatever other sniffer you'd like) and watch the flow of packets. It should give you a pretty good clue what's happening for real.

I'm not so sure you're going to want to live with the direction that you're heading (asterisk on the inside), as the nat function is going to limit what can be done. Example: even if you get this to work, trying to make any other call through nat while the first one is happening will be a problem; the first call nails up udp/5060, but the second call will have the udp/5060 nat'ed to some other port, which will fail.

Reversing the role of * and the laptop will work, and many others have that very implementation working for a single instance of Xlite. Depending upon what your real objectives are for *, I'd suggest either moving * to the outside, or adding another NIC to * and placing it on the outside. You should be able to lock down that external interface in such a way as to only allow selected tcp/udp ports to be used.
Can you disable your firewall? I am about to start this phase of asterisk and would like help from one newbie to another. Otherwise this newbie will let you know how I did it.

----- Original Message -----
From: "Brad Waite" <brad@wcubed.net>
To: <asterisk-users@lists.digium.com>
Sent: Saturday, September 20, 2003 9:07 AM
Subject: [Asterisk-Users] Maximum retries exceeded w/SIP
I struggled with this for several hours tonight. Turns out that if you have an * machine behind NAT, you must put the PUBLIC address in the bindaddr in sip.conf. If you don't put it in, the Contact: header contains the NATted address and the sip phone can't get back to *. I don't know what happens if you mix and match sip phones on the local network -- it might not work unless the sip phone uses the public address as well.

Hope this helps as I see this thread come up again and again...

Andy

-------------------

Steve,

Sure, I could put all my machines on the public Internet, but that defeats the purpose of having a firewall in the first place. As an alternative, I could only place the * server on the outside, but I'd rather not give the script-kiddies another box to pound.

Steve Totaro wrote:
> Can you disable your firewall? I am about to start this phase of asterisk
> and would like help from one newbie to another. Otherwise this newbie will
> let you know how I did it.
>
> ----- Original Message -----
> From: "Brad Waite" <brad@wcubed.net>
> To: <asterisk-users@lists.digium.com>
> Sent: Saturday, September 20, 2003 9:07 AM
> Subject: [Asterisk-Users] Maximum retries exceeded w/SIP

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20040619/dda33179/attachment.htm
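Steve's SDP point and Andy's Contact-header point are the same problem seen from two headers, so here is one worked example covering both. It is added illustration code, not Asterisk's chan_sip and not anything posted in the thread. The script parses a constructed 200 OK of the kind * at 10.0.0.253 would send back to the outside phone, lists every inside-LAN address it advertises (the Contact host, and the SDP c=/o= addresses), explains what each one breaks, and applies the fix-up a NAT-aware SIP stack performs: advertise the firewall's public address to peers outside the LAN, and the real address to peers on the LAN. The firewall public address 192.0.2.1 and the peer address 203.0.113.7 are documentation placeholders and the whole SIP message is made up; the 10.0.0.0/24 localnet and the 10000-20000 RTP range are taken from Brad's diagram and natd rules. In SIP the ACK to a 200 OK (and any later BYE or re-INVITE) is sent to the Contact URI carried in that 200 OK, so a Contact of 10.0.0.253 means the ACK never reaches *, which retransmits the response until it gives up and tears the call down. That is consistent with the retrans_pkt "Maximum retries exceeded ... (Response)" line and with the call dropping in the middle of a prompt: audio from * to the laptop is sent to the address in the laptop's own SDP and keeps working right up to the teardown.

```python
# NAT fix-up for SIP signalling and SDP on the thread's topology.
# Added example, not Asterisk source and not code posted in the thread.
import ipaddress
import re

FW_PUBLIC_IP = "192.0.2.1"                      # assumption: firewall's public address (placeholder)
LOCALNET = ipaddress.ip_network("10.0.0.0/24")  # from Brad's diagram
RTP_FORWARD_RANGE = range(10000, 20001)         # from the natd redirect_port rule

# Constructed 200 OK as * (10.0.0.253) would answer the laptop's INVITE;
# the Contact host and the SDP c=/o= addresses all carry the private IP.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:laptop@203.0.113.7>;tag=aaa\r\n"
    "To: <sip:500@10.0.0.253>;tag=bbb\r\n"
    "Call-ID: example-call-1@10.0.0.253\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:500@10.0.0.253:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 10.0.0.253\r\n"
    "s=session\r\n"
    "c=IN IP4 10.0.0.253\r\n"
    "t=0 0\r\n"
    "m=audio 14562 RTP/AVP 0\r\n"
)

_CONTACT_RE = re.compile(r"^(Contact:\s*<sip:[^@>]*@)([^:;>]+)(.*)$", re.M)
_SDP_ADDR_RE = re.compile(r"^((?:c=IN IP4 |o=\S+ \S+ \S+ IN IP4 ))(\S+)", re.M)

def _is_inside(addr):
    """True if addr is an IP literal on the inside LAN."""
    try:
        return ipaddress.ip_address(addr) in LOCALNET
    except ValueError:            # a hostname, not an IP literal
        return False

def private_addresses(msg):
    """(field, address) for every inside-LAN address the message tells the
    remote party to use: Contact (ACK/BYE/re-INVITE target) and SDP c=/o=."""
    found = []
    for m in _CONTACT_RE.finditer(msg):
        if _is_inside(m.group(2)):
            found.append(("Contact", m.group(2)))
    for m in _SDP_ADDR_RE.finditer(msg):
        if _is_inside(m.group(2)):
            found.append((m.group(1)[:2], m.group(2)))
    return found

def media_endpoint(msg):
    """(address, port) the remote phone will send its RTP to."""
    c = re.search(r"^c=IN IP4 (\S+)", msg, re.M)
    m = re.search(r"^m=audio (\d+) ", msg, re.M)
    if not (c and m):
        raise ValueError("no audio SDP in message")
    return c.group(1), int(m.group(1))

def port_is_forwarded(port):
    """Does the natd redirect_port rule carry this RTP port in to *?"""
    return port in RTP_FORWARD_RANGE

def diagnose(msg, peer_ip):
    """Explain what breaks if msg goes to peer_ip unchanged."""
    problems = []
    if _is_inside(peer_ip):
        return problems           # a LAN phone reaches 10.0.0.253 directly
    for field, addr in private_addresses(msg):
        if field == "Contact":
            problems.append(f"Contact points at {addr}: the peer's ACK never arrives, "
                            "so * retransmits the 200 OK until it gives up and drops the call")
        elif field == "c=":
            problems.append(f"SDP c= points at {addr}: the peer sends RTP there "
                            "and * hears nothing (one-way audio)")
    if not port_is_forwarded(media_endpoint(msg)[1]):
        problems.append("RTP port is outside the natd redirect range")
    return problems

def nat_fixup(msg, peer_ip):
    """Advertise the firewall's public address to peers outside LOCALNET
    (the job of externip/localnet in chan_sip); leave LAN peers alone."""
    if _is_inside(peer_ip):
        return msg

    def public(addr):
        return FW_PUBLIC_IP if _is_inside(addr) else addr

    msg = _CONTACT_RE.sub(lambda m: m.group(1) + public(m.group(2)) + m.group(3), msg)
    return _SDP_ADDR_RE.sub(lambda m: m.group(1) + public(m.group(2)), msg)

if __name__ == "__main__":
    for p in diagnose(SAMPLE_200_OK, "203.0.113.7"):
        print("problem:", p)
    fixed = nat_fixup(SAMPLE_200_OK, "203.0.113.7")
    print("after fix-up:", diagnose(fixed, "203.0.113.7") or "no NAT problems")
    print(fixed)
```

Run as-is it reports the Contact and c= problems for the outside peer, shows none for a peer on 10.0.0.0/24, and prints the rewritten message. Asterisk 1.x chan_sip exposes the same behaviour through the externip and localnet settings in sip.conf (with nat=yes on the outside peer), which covers Andy's open question about mixing LAN phones and outside phones: the LAN phones keep getting 10.0.0.253, only peers outside localnet see the public address. The RTP range check matters too: if the audio port in m= falls outside the natd redirect range, the peer's RTP is dropped at the firewall even with correct addresses.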