Asterisk is on public IP (as described in the first email).

I have 10 years experience in VoIP, 4 years WebRTC in production. I know about ICE/STUN/DTLS-SRTP. Yes, not every detail, but the basic mechanism.

But I confess, I don't understand WHY Asterisk SOMETIMES switches destination IP in RTP. This is not only about ICE. It's about the RTP engine too, which is Asterisk specific,

and Asterisk DEBUG is not helping ...

Going back to read res_rtp_asterisk.c & decrypting pcaps with Wireshark.

On 12/12/2019 at 13:02, Joshua C. Colp wrote:
> On Thu, Dec 12, 2019 at 7:57 AM marek <cervajs64 at gmail.com> wrote:
>
> > With Wireshark I need to decrypt traffic every call, which is time
> > consuming. Getting debug from pjnath through Asterisk is not possible
> > because of technical reasons, or nobody did it?
> >
> > In my case it's strange that ICE candidates are the same.
> >
> > good call
> >
> > v=0
> > o=- 3669976329745317845 2 IN IP4 127.0.0.1
> > s=-
> > t=0 0
> > a=msid-semantic: WMS EoNIdKcMZvWBLULGqGPJTDe12ujjFEemeapo
> > m=audio 52421 RTP/SAVPF 8 0 101
> > c=IN IP4 10.2.152.36
> > a=rtcp:9 IN IP4 0.0.0.0
> > a=candidate:3607370648 1 udp 2122260223 10.2.152.36 52421 typ host generation 0 network-id 1 network-cost 10
> > a=candidate:2575820648 1 tcp 1518280447 10.2.152.36 9 typ host tcptype active generation 0 network-id 1 network-cost 10
> >
> > bad call
> >
> > v=0
> > o=- 2602173234285924157 2 IN IP4 127.0.0.1
> > s=-
> > t=0 0
> > a=msid-semantic: WMS aDrO7zRNTqNWKodpSG62Co1IDoHReEpT8Ga3
> > m=audio 63249 RTP/SAVPF 8 0 101
> > c=IN IP4 10.2.152.36
> > a=rtcp:9 IN IP4 0.0.0.0
> > a=candidate:3607370648 1 udp 2122260223 10.2.152.36 63249 typ host generation 0 network-id 1 network-cost 10
> > a=candidate:2575820648 1 tcp 1518280447 10.2.152.36 9 typ host tcptype active generation 0 network-id 1 network-cost 10
> >
> > but RTP looks like
> >
> > bad call (1.1.1.1 is "public" IP of PSTN SIP GW)
> >
> > Got RTP packet from 1.1.1.1:13460 (type 08, seq 002433, ts 000160, len 000160)
> > Sent RTP packet to 10.2.152.36:63249 (type 08, seq 022470, ts 000160, len 000160)
> > Got RTP packet from 1.1.1.1:13460 (type 08, seq 002434, ts 000320, len 000160)
> > Sent RTP packet to 10.2.152.36:63249 (type 08, seq 022471, ts 000320, len 000160)
> > Got RTP packet from 1.1.1.1:13460 (type 08, seq 002435, ts 000480, len 000160)
> >
> > good call (1.1.1.1 is "public" IP of PSTN SIP GW, 2.2.2.2 is
> > public IP of router)
> >
> > Got RTP packet from 1.1.1.1:15026 (type 08, seq 021197, ts 000160, len 000160)
> > Sent RTP packet to 10.2.152.36:52421 (type 08, seq 032328, ts 000160, len 000160)
> >
> > [Dec 11 16:59:53] DEBUG[44360]: res_rtp_asterisk.c:6049 ast_rtp_remote_address_set: Setting RTCP address on RTP instance '0x7faa14005408'
> >
> > Got RTP packet from 1.1.1.1:15026 (type 08, seq 021198, ts 000320, len 000160)
> > Sent RTP packet to 2.2.2.2:52421 (via ICE) (type 08, seq 032329, ts 000320, len 000160)
> > Got RTP packet from 1.1.1.1:15026 (type 08, seq 021199, ts 000480, len 000160)
> > Sent RTP packet to 2.2.2.2:52421 (via ICE) (type 08, seq 032330, ts 000480, len 000160)
> > Got RTP packet from 1.1.1.1:15026 (type 08, seq 021200, ts 000640, len 000160)
> > Sent RTP packet to 2.2.2.2:52421 (via ICE) (type 08, seq 032331, ts 000640, len 000160)
> > Got RTP packet from 1.1.1.1:15026 (type 08, seq 021201, ts 000800, len 000160)
> >
> > Looking for the part where the RTP engine switches from 10.2.152.36 to
> > 2.2.2.2.
> >
> > It looks like it's somewhere in the learning phase.
>
> You need to look at the ICE candidates given by Asterisk as well, and
> ensure that if it is behind NAT it is configured in rtp.conf to do
> some mapping of candidates, as well as ensuring the firewall is open.
> The wireshark capture like I said will provide insight into what ICE
> is doing.
>
> ICE is what is used to figure out the path and determine the IP
> address/port to use. If that fails, then it won't work.
>
> I would also urge you to learn more about the lower level details of
> WebRTC if you plan on deploying it. You really need some understanding
> of ICE/STUN/DTLS-SRTP if deploying, as those are fundamental aspects
> and stuff doesn't just work in all cases. Digging into why it's not
> working takes you down to those.
>
> --
> Joshua C. Colp
> Senior Software Developer
> Sangoma Technologies
> Check us out at www.sangoma.com and www.asterisk.org
Joshua C. Colp
2019-Dec-12 13:05 UTC
[asterisk-users] asterisk pjsip webrtc rtp to private IP
On Thu, Dec 12, 2019 at 8:57 AM marek <cervajs64 at gmail.com> wrote:

> Asterisk is on public IP (as described in the first email)
>
> i have 10 years experience in voip, 4 years webrtc in production. i know
> about ICE/STUN/DTLS-SRTP. yes, not every detail but the basic mechanism
>
> but i confess. i dont understand WHY Asterisk SOMETIMES switches
> destination IP in RTP. this is not only about ICE. its about RTP engine too
> which is Asterisk specific
>
> and Asterisk DEBUG is not helping

RTP traffic is given to pjnath to send using ICE, if this fails then it uses the c= line. If you don't see (via ICE) then the fallback has occurred and pjnath didn't send it via ICE, which most likely means ICE negotiation failed for some reason. ICE and STUN is not encrypted in Wireshark, so it can be seen there easily. You can enable debug in logger.conf to go to console, and also increase the log_level in pjproject.conf to a high amount to see some pjnath messages.

The learning phase doesn't impact outgoing. It's for locking on to a source of media so other sources can be ignored, preventing hijacking.

--
Joshua C. Colp
Senior Software Developer
Sangoma Technologies
Check us out at www.sangoma.com and www.asterisk.org
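The "(via ICE)" marker described in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Asterisk code: it reads RTP debug lines for one call and reports whether media went out over ICE or fell back to the c= address. The function names are hypothetical, the sample lines are copied from the good and bad calls quoted in this thread, and the input is assumed to belong to a single call.

```python
import ipaddress
import re

# "Sent RTP packet to <ip>:<port>" with the optional "(via ICE)" marker.
SENT_RE = re.compile(
    r"Sent RTP packet to\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?P<ice>\s+\(via ICE\))?"
)

def classify_sent_rtp(lines):
    """Count packets per destination, split into ICE and c= fallback sends."""
    stats = {}
    for line in lines:
        m = SENT_RE.search(line)
        if not m:
            continue  # "Got RTP packet" and unrelated debug lines
        rec = stats.setdefault((m["ip"], int(m["port"])), {"ice": 0, "fallback": 0})
        rec["ice" if m["ice"] else "fallback"] += 1
    return stats

def diagnose(lines):
    """Classify one call: did outgoing media ever go through pjnath/ICE?"""
    stats = classify_sent_rtp(lines)
    if not stats:
        return "no-rtp-sent"
    if any(rec["ice"] for rec in stats.values()):
        return "ice"
    # Only fallback sends: a private c= address is unreachable from a public host.
    if any(ipaddress.ip_address(ip).is_private for ip, _ in stats):
        return "fallback-to-private-c-line"
    return "fallback-to-c-line"

# Sample input: RTP debug lines copied from the thread (autolink residue removed).
BAD_CALL = """\
Got RTP packet from 1.1.1.1:13460 (type 08, seq 002433, ts 000160, len 000160)
Sent RTP packet to 10.2.152.36:63249 (type 08, seq 022470, ts 000160, len 000160)
Got RTP packet from 1.1.1.1:13460 (type 08, seq 002434, ts 000320, len 000160)
Sent RTP packet to 10.2.152.36:63249 (type 08, seq 022471, ts 000320, len 000160)
""".splitlines()

GOOD_CALL = """\
Sent RTP packet to 10.2.152.36:52421 (type 08, seq 032328, ts 000160, len 000160)
Sent RTP packet to 2.2.2.2:52421 (via ICE) (type 08, seq 032329, ts 000320, len 000160)
Sent RTP packet to 2.2.2.2:52421 (via ICE) (type 08, seq 032330, ts 000480, len 000160)
Sent RTP packet to 2.2.2.2:52421 (via ICE) (type 08, seq 032331, ts 000640, len 000160)
""".splitlines()

if __name__ == "__main__":
    print("bad call: ", diagnose(BAD_CALL))
    print("good call:", diagnose(GOOD_CALL))
```

A single fallback packet at the start of a call, as in the good call here, is not a failure; the call is only a problem when no "(via ICE)" send ever follows.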
Thank you very much. This is exactly what's needed for debug.

Example output for your info:

[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 .Added new remote candidate from the request: 2.2.2.2:57536
[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 .New triggered check added: 1
[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 ..Sending connectivity check for check 1: [1] 1.1.1.1:17728-->2.2.2.2:57536
[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 ...Check 1: [1] 1.1.1.1:17728-->2.2.2.2:57536: state changed from Waiting to In Progress
[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 .Check 1: [1] 1.1.1.1:17728-->2.2.2.2:57536 (nominated): connectivity check SUCCESS
[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 .Check 1: [1] 1.1.1.1:17728-->2.2.2.2:57536: state changed from In Progress to Succeeded
[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 .Check 1 is successful and nominated
[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 .Cancelling check 0: [1] 1.1.1.1:17728-->10.128.3.150:57536 (In Progress)
[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 .Check 0: [1] 1.1.1.1:17728-->10.128.3.150:57536: state changed from In Progress to Failed
[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 .ICE process complete, status=Success
[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 .Valid list
[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 . 0: [1] 1.1.1.1:17728-->2.2.2.2:57536 (nominated, state=Succeeded)

1.1.1.1 is Asterisk on "public" IP
2.2.2.2 is router on "public" IP (JsSIP is behind it on private IP 10.128.3.150)

Our specific case:
we found the problem in the customer's internet provider. We don't know yet what technology is the problem, but "sometimes" respond IP of some core router ( ISP - ISP core/edge router IP - customer's router IP - customer's private IP ) to STUN request.

pjproject debug config

pjproject.conf

[startup]
log_level=4
type=startup

BTW, some examples will be very helpful.

Marek

On 12/12/2019 at 14:05, Joshua C. Colp wrote:
> On Thu, Dec 12, 2019 at 8:57 AM marek <cervajs64 at gmail.com> wrote:
>
> > Asterisk is on public IP (as described in the first email)
> >
> > i have 10 years experience in voip, 4 years webrtc in production.
> > i know about ICE/STUN/DTLS-SRTP. yes, not every detail but the
> > basic mechanism
> >
> > but i confess. i dont understand WHY Asterisk SOMETIMES switches
> > destination IP in RTP. this is not only about ICE. its about RTP
> > engine too which is Asterisk specific
> >
> > and Asterisk DEBUG is not helping
>
> RTP traffic is given to pjnath to send using ICE, if this fails then
> it uses the c= line. If you don't see (via ICE) then the fallback has
> occurred and pjnath didn't send it via ICE, which most likely means
> ICE negotiation failed for some reason. ICE and STUN is not encrypted
> in Wireshark, so it can be seen there easily. You can enable debug in
> logger.conf to go to console, and also increase the log_level in
> pjproject.conf to a high amount to see some pjnath messages.
>
> The learning phase doesn't impact outgoing. It's for locking on to a
> source of media so other sources can be ignored, preventing hijacking.
>
> --
> Joshua C. Colp
> Senior Software Developer
> Sangoma Technologies
> Check us out at www.sangoma.com and www.asterisk.org
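The pjnath output posted above can be folded into a per-session summary so that a failed or unexpected nomination stands out without reading every line. This is an added example, not part of the thread and not Asterisk or pjproject code: the function names are hypothetical, the sample lines are copied from the message above, and treating "Added new remote candidate from the request" as an address learned from an incoming connectivity check is this example's reading of that log line.

```python
import re

SESS = r"(?P<sess>icess0x[0-9a-f]+)\s+\.+"
PAIR = r"\[\d+\] (?P<local>[\d.]+:\d+)-->(?P<remote>[\d.]+:\d+)"
PATTERNS = {
    "learned": re.compile(SESS + r"Added new remote candidate from the request: "
                                 r"(?P<remote>[\d.]+:\d+)"),
    "state": re.compile(SESS + r"Check (?P<id>\d+): " + PAIR +
                        r": state changed from .+? to (?P<state>.+)$"),
    "nominated": re.compile(SESS + r"Check (?P<id>\d+): " + PAIR +
                            r" \(nominated\): connectivity check SUCCESS"),
    "done": re.compile(SESS + r"ICE process complete, status=(?P<status>\w+)"),
}

def summarise_ice(lines):
    """Fold pjnath debug lines into one summary dict per ICE session id."""
    sessions = {}
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.search(line.strip())
            if not m:
                continue
            s = sessions.setdefault(m["sess"], {"learned": [], "checks": {},
                                                "nominated": None, "status": None})
            if kind == "learned":
                s["learned"].append(m["remote"])
            elif kind == "state":      # keep only the latest state per check
                s["checks"][int(m["id"])] = (m["remote"], m["state"])
            elif kind == "nominated":
                s["nominated"] = (m["local"], m["remote"])
            else:
                s["status"] = m["status"]
            break
    return sessions

def nominated_via_incoming_check(summary):
    """True when the winning remote address was learned from an incoming check."""
    return bool(summary["nominated"]) and summary["nominated"][1] in summary["learned"]

# Sample input: lines copied from the pjproject debug output in this thread.
P = "[Dec 12 15:39:19] DEBUG[2182][C-00000000]: pjproject: <?>: icess0x7f5d44081e88 "
SAMPLE_LOG = [P + tail for tail in (
    ".Added new remote candidate from the request: 2.2.2.2:57536",
    "...Check 1: [1] 1.1.1.1:17728-->2.2.2.2:57536: state changed from Waiting to In Progress",
    ".Check 1: [1] 1.1.1.1:17728-->2.2.2.2:57536 (nominated): connectivity check SUCCESS",
    ".Check 1: [1] 1.1.1.1:17728-->2.2.2.2:57536: state changed from In Progress to Succeeded",
    ".Cancelling check 0: [1] 1.1.1.1:17728-->10.128.3.150:57536 (In Progress)",
    ".Check 0: [1] 1.1.1.1:17728-->10.128.3.150:57536: state changed from In Progress to Failed",
    ".ICE process complete, status=Success",
)]
```

For the sample, the summary shows check 0 toward the private 10.128.3.150 address failing and the nominated pair using 2.2.2.2:57536, an address that was not in the SDP candidates but arrived with the peer's own check.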