Discussion:
Update peer IP address
Daniel Heckl
2015-03-30 16:31:46 UTC
Hello

I use Asterisk 11 with FreePBX 12. Our SIP Provider is Telekom Germany. We sometimes have problems with incoming and outgoing calls. I hope I can explain it understandably.

For example, Asterisk sends a REGISTER to 217.0.23.68 (tel.t-online.de), the message is answered with OK and the peer is registered.

Usually INVITEs now come from this IP address. All works fine. But sometimes INVITEs come from another IP address, for example 217.0.23.100. Asterisk responds to this request with 401 Unauthorized.

In the next register procedure, REGISTERs are sent to the new IP address and also answered with OK. But qualify OPTIONS continue to be sent to the old IP address. Incoming and outgoing calls are canceled. Outgoing calls are answered with Forbidden.

Even if the REGISTER procedure works with the new IP address, the peers are connected with the old address.

Waiting doesn't help; only a "sip reload" updates the IP address of the peer.

What is the solution for this problem? How can Asterisk update the peer?

The Asterisk is local behind a NAT with a firewall; the following settings are used:

externhost with DynDNS
stun with stun.t-online.de
nat=yes
srvlookup=yes
allowguest=no
trustrpid=no
insecure=invite
qualify=yes

Thank you!
Daniel
Sebastian Kemper
2015-03-30 18:09:04 UTC
Post by Daniel Heckl
Hello
I use Asterisk 11 with FreePBX 12. Our SIP Provider is Telekom
Germany. We sometimes have problems with incoming and outgoing calls.
I hope I can explain it understandably.
Hello Daniel,

I'll find myself in the same situation a few weeks from now :-)
Post by Daniel Heckl
For example, Asterisk sends a REGISTER to 217.0.23.68 (tel.t-online.de),
the message is answered with OK and the peer is registered.
Usually INVITEs now come from this IP address. All works fine. But
sometimes INVITEs come from another IP address, for example
217.0.23.100. Asterisk responds to this request with 401 Unauthorized.
In the next register procedure, REGISTERs are sent to the new IP address
and also answered with OK. But qualify OPTIONS continue to be sent to
the old IP address. Incoming and outgoing calls are canceled. Outgoing
calls are answered with Forbidden.
Even if the REGISTER procedure works with the new IP address, the
peers are connected with the old address.
Waiting doesn't help; only a "sip reload" updates the IP address of the
peer.
What is the solution for this problem? How can Asterisk update the peer?
I think the solution - for the inbound issue at least - could be to add
more hosts as a peer. Have a look at this forum post:

http://www.ip-phone-forum.de/showthread.php?t=268787&p=1999371&viewfull=1#post1999371

The user used a template and then he added peers, each with its own IP
address. The provided list was last updated in 2014, though, so I assume
the provider in the meantime has added to that list.

It looks pretty tedious, though, I mean there could be dozens of IPs
you'd have to add. But I guess this is the way to go with Asterisk 11
and chan_sip.

The future looks brighter :-) I read that with pjsip, which I understand
is the replacement for chan_sip, you can have one peer entry and match
an IP range instead of a single host. That should tidy up the dialplan.

What I'm a little afraid of is the SIP provider using IPs out of a range
that they also use for other services. Maybe out of the same range they
hand out IPs to their customers. I guess we got to be careful :-)

Kind regards,
Sebastian
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
http://www.asterisk.org/hello
asterisk-users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users
Daniel Heckl
2015-03-31 10:36:34 UTC
Hello Sebastian,

I had already seen this list of the hosts, but it is not active. All servers with which my Asterisk has communicated are not listed.

A port scan, to eventually update the list, found hundreds of servers provided in the address range 217.0.0.0/13 with open port 5060, some were even not found. I think there must be another solution.

If I change insecure to insecure=port,invite - could that be a solution?

Or should I try to change to res_pjsip (upgrade to Asterisk 13 is no problem)? Does anyone have experience with dynamic IP addresses of Asterisk?

Daniel
Daniel Heckl
2015-03-31 18:36:01 UTC
Maybe someone could elaborate on my first question again.

If the IP address changes during a REGISTER period, the IP address of the peer isn't updated. How can Asterisk update the IP address of the peer?
Scott Griepentrog
2015-03-31 20:45:45 UTC
You have two options for dealing with an IP change during the registration
period:

1) set the registration time to a shorter period of time to minimize the
downtime

2) detect that the IP address has changed via whatever method available,
and then issue a "sip reload" CLI command to asterisk, which will cause it
to resend registrations immediately.
--
Scott Griepentrog
Digium, Inc · Software Developer
445 Jan Davis Drive NW · Huntsville, AL 35806 · US
direct/fax: +1 256 428 6239 · mobile: +1 256 580 6090
Check us out at: http://digium.com · http://asterisk.org
Daniel Heckl
2015-04-01 06:55:48 UTC
Scott, thank you for your reply.

I had already thought about both options, but the problem is that after an IP change AND a new registration the IP address of the peer is not updated automatically. INVITEs are answered with 401.

Only after a sip reload the peer works again.

That can't be normal...

Daniel
Tech Support
2015-04-01 14:40:37 UTC
If I correctly understand what the problem is, what I did was write a script that runs out of CRON every 15 minutes. It checks the outside IP address by querying http://checkip.dyndns.org and compares it to the IP address stored in the parameter “externip” in the [general] section of sip.conf. If the two values are the same, the script exits quietly. If they are different, the script updates “externip” with the new address, does a sip reload, and shoots me an email saying there was an update. It's a fairly simple and straightforward process and does the job. I use this script for all PBXs that are behind a NAT. I hope this helps.

Regards;

John
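The cron job described in this post, which follows the same detect-then-"sip reload" pattern as option 2 in Scott Griepentrog's reply, sketched as an added example; it is not John's script. The file path, mail recipient and `--run` switch are assumptions, and the reply from checkip.dyndns.org is validated as an IPv4 address before it is written into sip.conf because it arrives over plain HTTP.

```shell
#!/bin/sh
# Added example (not the poster's script): keep externip in sip.conf in sync
# with the current public address, then reload chan_sip.
SIP_CONF="${SIP_CONF:-/etc/asterisk/sip.conf}"   # assumption: config location
CHECK_URL="http://checkip.dyndns.org"            # service named in the post
MAILTO="${MAILTO:-root}"                         # assumption: report recipient

# Pull the first dotted quad out of the response body and accept it only if
# every octet is 0-255. The body is untrusted input that ends up in sip.conf.
extract_ipv4() {
    ip=$(printf '%s\n' "$1" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1)
    [ -n "$ip" ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# Print the externip value from the [general] section only; same-named keys
# in other sections are ignored. Prints nothing when the key is absent.
current_externip() {
    awk '
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[general\]/) }
        in_general && /^[ \t]*externip[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*(;.*)?$/, ""); print; exit
        }' "$1"
}

# Rewrite externip in [general]. The new content goes to a copy that keeps
# the original mode and owner, then replaces sip.conf in one rename, so a
# failed write cannot leave a truncated config behind.
set_externip() {   # $1 = file, $2 = validated IPv4
    tmp="$1.tmp.$$"
    cp -p "$1" "$tmp" || return 1
    awk -v ip="$2" '
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[general\]/) }
        in_general && /^[ \t]*externip[ \t]*=/ { print "externip=" ip; next }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# One cron pass: fetch, validate, compare, and only then touch Asterisk.
sync_externip() {
    body=$(curl -fsS --max-time 10 "$CHECK_URL") || return 2  # lookup failed: change nothing
    new=$(extract_ipv4 "$body") || return 2                   # unusable reply: change nothing
    old=$(current_externip "$SIP_CONF")
    [ -n "$old" ] || return 2                                 # no externip line to maintain
    [ "$new" = "$old" ] && return 0                           # unchanged: exit quietly
    set_externip "$SIP_CONF" "$new" || return 2
    asterisk -rx "sip reload"
    printf 'externip changed from %s to %s\n' "$old" "$new" |
        mail -s "Asterisk externip updated" "$MAILTO"
}

# Runs only when called with --run, e.g. from a cron entry every 15 minutes.
if [ "${1:-}" = "--run" ]; then
    sync_externip
fi
```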
Daniel Heckl
2015-04-01 14:48:31 UTC
John,

thank you for your answer. I think you have misunderstood the problem. It’s about an IP address change of the SIP trunk, not of my Asterisk server.

Kind regards,
Daniel
Andres
2015-04-01 15:00:56 UTC
Post by Daniel Heckl
John,
thank you for your answer. I think you have misunderstood the
problem. It’s about an IP address change of the SIP trunk, not of my
Asterisk server.
You would probably benefit by enabling the DNS Manager to allow for
dynamic IP changes:

# cat dnsmgr.conf
[general]
enable=yes ; enable creation of managed DNS lookups
; default is 'no'
refreshinterval=180 ; refresh managed DNS lookups every <n> seconds
; default is 300 (5 minutes)
--
Technical Support
http://www.cellroute.net
Sebastian Kemper
2015-04-01 17:23:20 UTC
Post by Andres
Post by Daniel Heckl
John,
thank you for your answer. I think you have misunderstood the
problem. It’s about an IP address change of the SIP trunk, not of my
Asterisk server.
You would probably benefit by enabling the DNS Manager to allow for
dynamic IP changes:
# cat dnsmgr.conf
[general]
enable=yes ; enable creation of managed DNS lookups
; default is 'no'
refreshinterval=180 ; refresh managed DNS lookups every <n> seconds
; default is 300 (5 minutes)
Hello Andres,

I read that same suggestion elsewhere in connection with Deutsche
Telekom, so it seems there's some benefit in it.

Daniel, did you try it out already?

Kind regards,
Sebastian
Daniel Heckl
2015-04-02 14:03:10 UTC
Ok, I have tested dnsmgr. This is not a solution, the situation has not changed. With dnsmgr I can not place outbound calls. I do not know why and what dnsmgr really does.

My current solution is as follows:

Say allowguest=yes, configure the default context so that no outbound calls can be placed. Use iptables to DROP all at your SIP port and allow only your local phones and the SIP trunk IP range. I think srvlookup must be set to yes to place outbound calls if there is an IP address change.

I think with the restriction of the firewall that should be a secure solution.
Scott Griepentrog
2015-04-02 18:11:45 UTC
Permalink
I'd be curious if setting

insecure=invite,port

makes any difference either (without allowguest on).
--
Scott Griepentrog
Digium, Inc · Software Developer
445 Jan Davis Drive NW · Huntsville, AL 35806 · US
direct/fax: +1 256 428 6239 · mobile: +1 256 580 6090
Check us out at: http://digium.com · http://asterisk.org
Daniel Heckl
2015-04-02 19:28:00 UTC
Permalink
Scott, I have changed the configuration as you said and will test it. I’m curious.

Can you briefly explain what insecure=invite,port does?

;insecure=port ; Allow matching of peer by IP address without
; matching port number
;insecure=invite ; Do not require authentication of incoming INVITEs
;insecure=port,invite ; (both)

Do I understand correctly that in this mode the IP address is not checked and no authentication is required?
Andres
2015-04-02 19:58:05 UTC
Permalink
Post by Daniel Heckl
Scott, I have changed the configuration as said it and will test it. I’m curious.
Can you briefly explain what insecure=invite,port does?
;insecure=port ; Allow matching of peer by IP address without
; matching port number
;insecure=invite ; Do not require authentication of incoming INVITEs
;insecure=port,invite ; (both)
Do I understand correctly that in this mode the IP address is not
checked and no authentication is required?
Not correct, the IP address is checked but not the port and if the ip
address matches no password authentication is performed for the Invite.
--
Technical Support
http://www.cellroute.net
Scott Griepentrog
2015-04-02 20:00:07 UTC
Permalink
Actually, the IP address is still used to identify the incoming invite.
With the insecure=port option set, Asterisk will presume the invite to
still match the trunk account even if the NAT router has mangled (changed)
the port number. My suspicion is that when the new register goes out, it's
creating a new state in the firewall, resulting in a new port number, which
is why you would have to allow anonymous calls to then accept it without
insecure=port. The other possibility is that you have a port forward in
the router set, which is similarly mangling the port number. With a valid
registration being held, and assuming the router does not drop UDP states
faster than 30 minutes, and also assuming that the provider is sending you
invites on the registered port rather than always on 5060, there should not
be a need for an inbound port forward to Asterisk, and you should not need
insecure=port.

The invite option disables authentication - which means only that Asterisk
will not force a check of the password on the other end. Where the IP
address is well known and trusted, the extra overhead and delay of
authenticating incoming INVITEs is not needed.
Daniel Heckl
2015-04-02 20:23:08 UTC
Permalink
Okay, Scott, I think we are on the wrong path. Maybe I'm wrong though.

I will briefly summarize the problems again:
- The peer ip address can be different from the ip address of incoming invites.
- After a re-register the REGISTER is sent to the new SIP server and answered with OK. But the peer ip address is still the old one (sip show peers).
- If an INVITE arrives now, the request is answered with 401 Unauthorized.

That’s why I would say the problem is not the port or a needed authentication. My Asterisk works behind a NAT without port forwarding and nat=no, I have qualify=yes so that it does not come to a NAT timeout.

Here is an example. The peer ip address was at this time 217.0.23.100, the INVITE came from 217.0.23.68 and was rejected with 401 Unauthorized:

INVITE sip:***@80.000.111.222:45061 SIP/2.0
Max-Forwards: 58
Via: SIP/2.0/UDP 217.0.23.68:5060;branch=z9hG4bKg3Zqkv7ib7h2smv8whryjnos88srot1i7
To: <sip:***@telekom.de>
From: <sip:+***@tel.t-online.de;user=phone>;tag=h7g4Esbg_44c62525
Call-ID: ***@62.155.0.75
CSeq: 3950540 INVITE
Contact: <sip:***@217.0.23.68;transport=udp>
Record-Route: <sip:217.0.23.68;transport=udp;lr>
Min-Se: 900
P-Asserted-Identity: <sip:+***@tel.t-online.de;user=phone>
Session-Expires: 3600
Supported: histinfo
Supported: timer
Supported: norefersub
Content-Type: application/sdp
Content-Disposition: session
Content-Length: 204
Allow: ACK, BYE, CANCEL, INFO, INVITE, OPTIONS, PRACK, REFER, REGISTER, UPDATE

v=0
o=- 0 0 IN IP4 217.0.23.68
s=-
c=IN IP4 217.0.4.134
t=0 0
m=audio 36480 RTP/AVP 9 8 102
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:102 telephone-event/8000
a=maxptime:20
a=ptime:20
Scott Griepentrog
2015-04-02 21:21:50 UTC
Permalink
That sounds like asterisk was working 100% correctly. If you receive an
INVITE from an unknown IP address, then it should fail. Unless you want to
allow anonymous, which is generally a very bad idea.

If you are registering to IP X, but the provider may be transmitting
invites from any number of other IP addresses, then you need a list of IP
addresses, and have a trunk configuration set up for each one so that they
are all recognized (with insecure=port,invite).

If the provider is requiring you to accept invites from random IP
addresses, get a new provider.
Daniel Heckl
2015-04-02 21:33:38 UTC
Permalink
I do not want to set allowguest=yes. The problem is, there is no official list with ip addresses of Telekom Germany. But I think all ip addresses come from the ip range 217.0.0.0/13.

I have now the following addition to sip.conf. I think it is the only safe option. Or what would you say?

[telekom](!)
context=from-trunk
type=peer
defaultuser=
authuser=
remotesecret=
fromdomain=tel.t-online.de
qualify=no
dtmfmode=rfc2833
directmedia=no
sendrpid=pai
trustrpid=no
insecure=port,invite
disallow=all
allow=g722
allow=alaw
allow=gsm
deny=0.0.0.0/0
permit=217.0.0.0/13

[DTAG-IP_IN18_016](telekom)
host=217.0.18.16

[DTAG-IP_IN18_036](telekom)
host=217.0.18.36

etc.
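
The matching rules described in this thread (peer identified by source IP, port ignored with insecure=port, no password challenge with insecure=invite, deny/permit applied to the matched peer, allowguest as the fallback), as a simplified model run over the addresses quoted above. This is an added example, not part of the original posts and not Asterisk code; the peer names, the function names, the decision labels and the 40000 and 192.0.2.10 values are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str                           # hypothetical sip.conf section name
    host: str                           # address the peer is bound to (host=...)
    port: int = 5060
    insecure: frozenset = frozenset()   # subset of {"port", "invite"}
    permit: tuple = ()                  # CIDRs kept after deny=0.0.0.0/0; () = no ACL


def acl_allows(peer, src_ip):
    """Model of deny=0.0.0.0/0 plus permit=<cidr>: only listed networks pass."""
    if not peer.permit:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in peer.permit)


def classify_invite(peers, src_ip, src_port, allowguest=False):
    """Return (decision, peer_name) for an INVITE arriving from src_ip:src_port."""
    for peer in peers:
        if peer.host != src_ip:
            continue                    # the source address identifies the peer
        if peer.port != src_port and "port" not in peer.insecure:
            continue                    # port must match unless insecure=port
        if not acl_allows(peer, src_ip):
            return ("reject-acl", peer.name)
        if "invite" in peer.insecure:
            return ("accept-no-auth", peer.name)   # trusted on address alone
        return ("challenge", peer.name)            # password check required
    # No peer matched. The thread observed 401 Unauthorized for this case
    # with allowguest=no.
    return ("guest", None) if allowguest else ("reject-unknown", None)


TELEKOM_NET = ("217.0.0.0/13",)         # range assumed in the post above
BOTH = frozenset({"port", "invite"})
INVITE_ONLY = frozenset({"invite"})


def scenarios():
    # Single trunk peer still bound to the old address, as in the reported fault.
    stale = [Peer("telekom", "217.0.23.100", insecure=INVITE_ONLY)]
    # One peer per known provider address, as suggested in the thread.
    listed = [
        Peer(f"dtag-{ip}", ip, insecure=BOTH, permit=TELEKOM_NET)
        for ip in ("217.0.23.68", "217.0.23.100", "217.0.18.16", "217.0.18.36")
    ]
    strict_port = [Peer("dtag-68", "217.0.23.68", insecure=INVITE_ONLY,
                        permit=TELEKOM_NET)]
    no_insecure = [Peer("dtag-68", "217.0.23.68", permit=TELEKOM_NET)]
    outside = [Peer("lab", "192.0.2.10", insecure=BOTH, permit=TELEKOM_NET)]
    return {
        "stale_peer": classify_invite(stale, "217.0.23.68", 5060),
        "stale_peer_allowguest": classify_invite(stale, "217.0.23.68", 5060,
                                                 allowguest=True),
        "listed_peer": classify_invite(listed, "217.0.23.68", 5060),
        # Inside the /13 but not configured as a host: permit alone matches nothing.
        "unlisted_in_range": classify_invite(listed, "217.0.4.134", 5060),
        # Constructed case: source port rewritten on the path to 40000.
        "mangled_port_strict": classify_invite(strict_port, "217.0.23.68", 40000),
        "mangled_port_insecure": classify_invite(listed, "217.0.23.68", 40000),
        "no_insecure_option": classify_invite(no_insecure, "217.0.23.68", 5060),
        "outside_acl": classify_invite(outside, "192.0.2.10", 5060),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:24} {result}")
```

The "unlisted_in_range" and "stale_peer_allowguest" cases show the trade-off discussed here: listing each provider address keeps unknown sources rejected, while allowguest admits them and leaves the firewall and the default context as the only controls.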
That sounds like asterisk was working 100% correctly. If you receive an INVITE from an unknown IP address, then it should fail. Unless you want to allow anonymous, which is genearlly a very bad idea.
If you are registering to IP X, but the provider may be transmitting invites from any number of other IP addresses, then you need a list of IP addresses, and have a trunk configuration set up for each one so that they are all recognized (with insecure=port,invite).
If the provider is requiring you to accept invites from random IP addresses, get a new provider.
Okay, Scott, I think we are on the wrong path. Maybe I'm wrong though.
The peer ip address could be another than the ip address of incoming invites
After an re-register the REGISTER is send to the new SIP server, answered with OK. But the peer ip address is still the old one (sip show peers).
If now is a INVITE, the request is answered with 401 Unauthorized.
That’s why I would say, the problem is not the port or a needed authentication. My Asterisk works behind a NAT without port forwarding and nat=no, I have qualify=yes that it does not come to a NAT timeout.
Max-Forwards: 58
Via: SIP/2.0/UDP 217.0.23.68:5060;branch=z9hG4bKg3Zqkv7ib7h2smv8whryjnos88srot1i7
CSeq: 3950540 INVITE
Record-Route: <sip:217.0.23.68;transport=udp;lr <>>
Min-Se: 900
Session-Expires: 3600
Supported: histinfo
Supported: timer
Supported: norefersub
Content-Type: application/sdp
Content-Disposition: session
Content-Length: 204
Allow: ACK, BYE, CANCEL, INFO, INVITE, OPTIONS, PRACK, REFER, REGISTER, UPDATE
v=0
o=- 0 0 IN IP4 217.0.23.68
s=-
c=IN IP4 217.0.4.134
t=0 0
m=audio 36480 RTP/AVP 9 8 102
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:102 telephone-event/8000
a=maxptime:20
a=ptime:20
Actually, the IP address is still used to identify the incoming invite. With the insecure=port option set, Asterisk will presume the invite to still match the trunk account even if the NAT router has mangled (changed) the port number. My suspicion is that when the new register goes out, it's creating a new state in the firewall, resulting in a new port number, which is why you would have to allow anonymous calls to then accept it without insecure=port. The other possibility is that you have a port forward in the router set, which is similarly mangling the port number. With a valid registration being held, and assuming the router does not drop UDP states faster than 30 minutes, and also assuming that the provider is sending you invites on the registered port rather than always on 5060, there should not be a need for an inbound port forward to Asterisk, and you should not need insecure=port.
The invite option disables authentication - which means only that Asterisk will not force a check of the password on the other end. Where the IP address is well known and trusted, the extra overhead and delay of authenticating incoming INVITEs is not needed.
Scott, I have changed the configuration as said it and will test it. I’m curious.
Can you briefly explain what insecure=invite,port does?
;insecure=port ; Allow matching of peer by IP address without
; matching port number
;insecure=invite ; Do not require authentication of incoming INVITEs
;insecure=port,invite ; (both)
Do I understand correctly that in this mode the IP address is not checked and no authentication is required?
Post by Scott Griepentrog
I'd be curious if setting
insecure=invite,port
makes any difference either (without allowguest on).
Ok, I have tested dnsmgr. This is not a solution, the situation has not changed. With dnsmgr I cannot place outbound calls. I do not know why and what dnsmgr really does.
Say allowguest=yes, configure the default context so that no outbound calls can be placed. Use iptables to DROP all at your SIP port and allow only your local phones and the SIP trunk IP range. I think srvlookup must be set to yes to place outbound calls if there is an IP address change.
I think with the restriction of the firewall that should be a secure solution.
Post by Sebastian Kemper
Post by Andres
Post by Daniel Heckl
John,
thank you for your answer. I think you have misunderstood the
problem. It’s about an IP address change of the SIP trunk, not of my
asterisk server.
You would probably benefit by enabling the DNS Manager to allow for
# cat dnsmgr.conf
[general]
enable=yes ; enable creation of managed DNS lookups
           ; default is 'no'
refreshinterval=180 ; refresh managed DNS lookups every <n> seconds
                    ; default is 300 (5 minutes)
Hello Andres,
I read that same suggestion elsewhere in connection with Deutsche
Telekom, so it seems there's some benefit in it.
Daniel, did you try it out already?
Kind regards,
Sebastian
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com <http://www.api-digital.com/> --
http://www.asterisk.org/hello <http://www.asterisk.org/hello>
asterisk-users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users <http://lists.digium.com/mailman/listinfo/asterisk-users>
--
Scott Griepentrog
Digium, Inc · Software Developer
445 Jan Davis Drive NW · Huntsville, AL 35806 · US
direct/fax: +1 256 428 6239 · mobile: +1 256 580 6090
Check us out at: http://digium.com <http://digium.com/> · http://asterisk.org <http://asterisk.org/>
Sebastian Kemper
2015-04-14 06:26:07 UTC
Permalink
Post by Daniel Heckl
I do not want set allowguest=yes. The problem is, there is no official
list with ip addresses of Telekom Germany. But I think all ip
addresses comes from the ip range 217.0.0.0/13.
Hello Daniel,

Judging by the lists I found I think it's more like this subnet:
217.0.16.0/255.255.248.0
Post by Daniel Heckl
I have now the following addition to sip.conf. I think it is the only
safe option. Or what would you say?
[telekom](!)
<snip>
Post by Daniel Heckl
[DTAG-IP_IN18_016](telekom)
host=217.0.18.16
[DTAG-IP_IN18_036](telekom)
host=217.0.18.36
etc.
This configuration is now running here:

[general]
context=unauthenticated
allowguest=no
srvlookup=no
udpbindaddr=0.0.0.0
tcpenable=no
localnet=172.16.28.0/24
alwaysauthreject=yes
directmedia=no
sdpsession=MyNewSessionString
useragent=MyNewUserAgent
language=de
tonezone=de
defaultexpiry=480

register => 0NUMBER2:PASS:***@t-***@tel.t-online.de/NUMBER2
register => 0NUMBER3:PASS:***@t-***@tel.t-online.de/NUMBER3
register => 0NUMBER4:PASS:***@t-***@tel.t-online.de/NUMBER4

[my-codecs](!)
allow=!all,alaw

[home-phone](!,my-codecs)
acl=voice_vlan
type=friend
host=dynamic
context=LocalSets

[XXXXXXXXXXX](home-phone)
secret=XXXXXXXXXXXXX

[dtag_inbound](my-codecs)
acl=acl_dtag_inbound
type=peer
context=from_dtag
host=tel.t-online.de

[dtag_outbound](my-codecs)
acl=acl_dtag_outbound
type=peer
defaultuser=***@t-online.de
remotesecret=PASS
host=tel.t-online.de
fromdomain=tel.t-online.de

The thing is, the provider's SIP server hasn't changed the IP yet. This
morning it's still the same as yesterday. And yesterday it was the same
the whole day.

Don't know why I didn't run into the "load balancer" issue (yet). I'm
starting to think it's because I'm "hiding" that I'm using Asterisk
(sdpsession, useragent, also custom systemname in asterisk.conf). But
probably that's not the reason. Anyway, I'm just going to wait until it
doesn't work and then worry about it.

Regards,
Sebastian
Sebastian Kemper
2015-04-14 19:56:17 UTC
Permalink
Post by Daniel Heckl
Sebastian,
Your code sounds good, I'm curious how it goes on.
First the Linux machine had the Google Public DNS 8.8.8.8 as DNS
server. After I changed it to the via PPPoE assigned DNS servers, I
had no changes any more. But we should be prepared for changes.
You must enable the dnsmgr. If DNS resolves a new ip, the peer is
updated.
Hello Daniel,

Thanks for the tip. I've enabled the DNS manager. Let's see how it goes.

Kind regards,
Sebastian
Sebastian Kemper
2015-09-14 18:58:00 UTC
Permalink
Post by Sebastian Kemper
Post by Daniel Heckl
I do not want set allowguest=yes. The problem is, there is no official
list with ip addresses of Telekom Germany. But I think all ip
addresses comes from the ip range 217.0.0.0/13.
Hello Daniel,
217.0.16.0/255.255.248.0
Hi again,

I had poked a hole in my firewall for packets from above subnet to my
port 5060. I had done the same for the RTP ports.

A while back I realized that for RTP this was nonsense, as the RTP
packets came from servers not even part of the subnet. Although there
were no ports opened for those it just worked, because Telekom is doing
symmetric RTP (and so is Asterisk by default).

So I got rid of the firewall rule that opened the RTP ports. And then it
dawned on me that I don't even need to open the 5060 port. The REGISTER
requests established a UDP connection that the kernel's conntrack module
was tracking anyway. The only issue was that the REGISTERs occurred only
every 480s and the UDP connections were removed after 180s already.

So at first I raised net.netfilter.nf_conntrack_udp_timeout_stream to
500. That worked. But I didn't really want to raise the default. So
instead I added "qualify=yes" to the dtag_inbound peer. Now asterisk is
sending an OPTIONS request to Telekom every 120s (I raised the frequency
from 60 to 120 by setting "qualifyfreq=120" under [general]), which
keeps the connection open.

Just wanted to add that.

Kind regards,
Sebastian
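
The two candidate allowlist ranges from this thread, checked against the addresses that actually appear in it. This is an added example, not code from any poster; it uses the topmost Via as a stand-in for the packet source address, the INVITE is abridged from the one quoted earlier, and the function names are hypothetical.

```python
import ipaddress

# Ranges proposed in the thread (the second is given there in netmask form).
WIDE = ipaddress.ip_network("217.0.0.0/13")
NARROW = ipaddress.ip_network("217.0.16.0/255.255.248.0")

# Abridged from the INVITE quoted earlier in the thread.
INVITE = """\
Via: SIP/2.0/UDP 217.0.23.68:5060;branch=z9hG4bKg3Zqkv7ib7h2smv8whryjnos88srot1i7
Content-Type: application/sdp

v=0
o=- 0 0 IN IP4 217.0.23.68
c=IN IP4 217.0.4.134
m=audio 36480 RTP/AVP 9 8 102
"""


def signalling_and_media(message):
    """Return (topmost Via host, SDP c= address) of an IPv4 SIP message."""
    head, _, body = message.partition("\n\n")
    via = media = None
    for line in head.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            # Value looks like "SIP/2.0/UDP host[:port];params".
            sent_by = value.split()[1].split(";")[0]
            via = sent_by.rsplit(":", 1)[0] if ":" in sent_by else sent_by
            break
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            media = line.split()[2]
            break
    if via is None or media is None:
        raise ValueError("message lacks a Via header or an SDP c= line")
    return ipaddress.ip_address(via), ipaddress.ip_address(media)


def report():
    """Map each address seen in the thread to (in NARROW, in WIDE)."""
    sig, media = signalling_and_media(INVITE)
    seen = {
        "signalling (Via)": sig,
        "media (SDP c=)": media,
        "INVITE source after change": ipaddress.ip_address("217.0.23.100"),
        "peer host 18.16": ipaddress.ip_address("217.0.18.16"),
        "peer host 18.36": ipaddress.ip_address("217.0.18.36"),
    }
    return {label: (ip in NARROW, ip in WIDE) for label, ip in seen.items()}


if __name__ == "__main__":
    print(f"{NARROW} holds {NARROW.num_addresses} addresses, "
          f"{WIDE} holds {WIDE.num_addresses}")
    for label, (narrow, wide) in report().items():
        print(f"{label:28} narrow={narrow!s:5} wide={wide}")
```

Every signalling address mentioned in the thread falls inside the narrower range, which is 256 times smaller than 217.0.0.0/13, while the media address from the SDP lies outside it, consistent with the observation above that a subnet-based RTP rule never matched.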
Marie Fischer
2015-09-14 19:51:19 UTC
Permalink
Post by Sebastian Kemper
So I got rid of the firewall rule that opened the RTP ports. And then it
dawned on me that I don't even need to open the 5060 port. The REGISTER
requests established a UDP connection that the kernel's conntrack module
was tracking anyway. The only issue was that the REGISTERs occurred only
every 480s and the UDP connections were removed after 180s already.
So at first I raised net.netfilter.nf_conntrack_udp_timeout_stream to
500. That worked. But I didn't really want to raise the default. So
instead I added "qualify=yes" to the dtag_inbound peer. Now asterisk is
sending an OPTIONS request to Telekom every 120s (I raised the frequency
from 60 to 120 by setting "qualifyfreq=120" under [general]), which
keeps the connection open.
As far as I understand, raising the UDP session timeout (or lowering the REGISTER timeout, if possible) is actually the better solution. Most Telcos I know don't answer the OPTIONS request anyway and some might object to the traffic overhead.
--
marie
Daniel Heckl
2015-09-16 16:48:16 UTC
Permalink
Sebastian,

If I have understood you correctly, the SIP communication is now via NAT instead of forwarded ports. For safety, it is much better.

I think it is not because of a UDP timeout, but rather because of a NAT timeout. For this, "qualify" is exactly the right thing to keep the NAT port open.

Daniel
Sebastian Kemper
2015-09-17 09:52:47 UTC
Permalink
Post by Daniel Heckl
Sebastian,
If I have understood you correctly, the SIP communication is now via
NAT instead of forwarded ports. For safety, it is much better.
I think it is not because of a UDP timeout, but rather because of a NAT
timeout. For this, "qualify" is exactly the right thing to keep the NAT
port open.
Daniel
Hi Daniel,

Not quite. Asterisk is running on an OpenWrt router. So Asterisk is listening on a public IP. No NAT involved, no port forwarding.

OpenWrt tracks the UDP connection for 180s (default). "qualify" keeps the connection alive (every 120s).

Without "qualify" inbound calls wouldn't work starting 180s after the registration, until after another 300s, when Asterisk registers again (provider requires a registration expiry >480s).

Regards,
Sebastian
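
The timing described in the two posts above, as an added example that is not from any poster: a small model of the conntrack entry that lets inbound INVITEs through when no port is opened. It assumes every packet Asterisk sends to the provider refreshes the entry and that the entry is dropped exactly `conntrack_timeout` seconds after the last one; the function names are hypothetical.

```python
def blocked_windows(register_every, conntrack_timeout,
                    qualify_every=None, horizon=1440):
    """Return [(start, end)] second intervals with no conntrack entry.

    During such a window an unsolicited inbound INVITE from the provider
    has no tracked flow to match and is dropped by a default-deny firewall.
    """
    # Moments at which Asterisk sends something to the provider.
    sends = set(range(0, horizon + 1, register_every))
    if qualify_every:
        sends |= set(range(0, horizon + 1, qualify_every))
    ordered = sorted(sends)

    windows = []
    for prev, nxt in zip(ordered, ordered[1:]):
        expires = prev + conntrack_timeout
        if expires < nxt:
            # Entry is gone from `expires` until the next outbound packet.
            windows.append((expires, nxt))
    return windows


def unreachable_fraction(register_every, conntrack_timeout,
                         qualify_every=None, horizon=1440):
    """Share of the horizon during which inbound calls cannot arrive."""
    gaps = blocked_windows(register_every, conntrack_timeout,
                           qualify_every, horizon)
    return sum(end - start for start, end in gaps) / horizon


def thread_scenarios():
    """The three setups discussed in the thread (values taken from it)."""
    return {
        "REGISTER 480s, timeout 180s": blocked_windows(480, 180),
        "same, timeout raised to 500s": blocked_windows(480, 500),
        "same, qualifyfreq=120": blocked_windows(480, 180, qualify_every=120),
    }


if __name__ == "__main__":
    for name, gaps in thread_scenarios().items():
        print(f"{name:30} blocked: {gaps or 'never'}")
    print("unreachable without keepalive:",
          f"{unreachable_fraction(480, 180):.1%}")
```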
Sebastian Kemper
2015-04-01 17:19:17 UTC
Permalink
Post by Daniel Heckl
Hello Sebastian,
I had already seen this list of the hosts, but it is not active. All
servers with which my Asterisk has communicated are not listed.
A port scan, to eventually update the list, found hundreds of servers
provided in the address range 217.0.0.0/13 with open port 5060, some
were even not found. I think there must be another solution.
If I change insecure to insecure=port,invite - could that be a
solution?
Hello Daniel,

I've asked myself that, too. But I don't have access to the connection,
yet, so I can't test it right away.

Kind regards,
Sebastian