Bounty if anybody fixes my issue: "Your session has been disabled" issue

I am facing an agent logout issue: all agents are suddenly kicked out and it says "your session has been disabled".
I have 5 ISP connections and have tried each and everything; I have been facing this issue for the last 3 months.
Within a few minutes agents get logged out.

This error as well:

= WebSocket connection from '103.201.141.233:51175' for protocol 'sip' accepted using version '13'
[Oct 1 14:44:34] ERROR[19138]: utils.c:1499 ast_careful_fwrite: fflush() returned error: Bad file descriptor
[Oct 1 14:44:34] ERROR[19138]: tcptls.c:488 tcptls_stream_close: SSL_shutdown() failed: error:00000005:lib(0):func(0):DH lib, Underlying BIO error: Bad file descriptor
== WebSocket connection from '103.201.141.233:51162' forcefully closed due to fatal write error
-- Registered SIP '1003' at 103.201.141.233:51175



VICIDial?

yes vicidial @dewdude

your skype id please @dewdude

I don’t have Skype.

Some things say this is an SSL cert problem. Others say it was solved by changing out the dialer with a newer one.

Check this thread: vicidial.org • View topic - Viciphone 2.0
This also mentions some solutions: vicidial.org • View topic - Problem with WebRTC

This looks to be a transport issue. Asterisk is attempting to write to the web socket connection but it’s failing to do so.

First off, tick off some obvious ones. Asterisk will never close the websocket by itself, so long as you send a register within the first few seconds (I think 30) of establishing a connection. Once a client is connected, and a REGISTER message is sent, it stays endlessly connected, so it’s not Asterisk closing it for no reason.

The other point is that websockets are like any other TCP/TLS connection - if they are NATed, the device keeping the NAT connection, like a router etc., can close it if it doesn’t see actual data (not just keep-alive empty packets) over the connection for N amount of time. (N will be different per router.) You must qualify the endpoint (aka send an OPTIONS message), and I would suggest setting this to about every 120 seconds. (Don’t change the NAT time-out settings on the router. Defaults should be fine, so long as the default is more than 120 sec… but it would be pretty harsh if it was.)

If this makes your system stable, fine, leave it; however, I would highly recommend the following:
Personally I prefer to hand TLS connections over to a full-blown web server. Not that the MiniHTTP server isn’t up to the job, but there are better ones. Here are the basics: install Apache (if not already installed), and set the host to reverse proxy the wss://0.0.0.0:4431/ws connection to ws://127.0.0.1:8080/ws (note the ws:). This ends the TLS leg of the connection (wss) on Apache, and forwards the next leg of the connection to the Asterisk box (at 127.0.0.1) on its non-TLS web server port (8080). So yes, you can actually turn off TLS on Asterisk HTTP. Apache is the TLS server, and Asterisk treats the connection like a typical non-secure web socket connection, and calls etc. flow as per normal. Best of all, you change absolutely nothing else because the web server is on the same box as Asterisk.

/etc/asterisk/http.conf

[general]
enabled=yes
bindaddr=127.0.0.1 
bindport=8080 
tlsenable=no 
enablestatic=no 

/etc/apache2/sites-enabled/000-default.conf

<VirtualHost 0.0.0.0:4431>
        ServerName mycompany.com
        DocumentRoot /var/www/html

        ProxyRequests off
        ProxyPreserveHost On

        SSLEngine on
        SSLCertificateFile /home/certs/mycompany.crt
        SSLCertificateKeyFile /home/certs/mycompany.key
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384
        SSLHonorCipherOrder on
        SSLCompression off
        SSLOptions +StrictRequire

        ProxyPass /ws ws://127.0.0.1:8080/ws
        ProxyPassReverse /ws ws://127.0.0.1:8080/ws
</VirtualHost>

I have done an explainer video on this; if you want, I can share the link. Otherwise, apply any configuration changes to this that you may have, and give it a try.

P.S. You can even take this one step further if you like, and run Apache as a separate server with load balancing… so one web server can act as the endpoint for many Asterisk boxes. But that does require a bit of change. The important thing to remember here is that the wss requirement is only for browsers, not for Asterisk, so if you go to standard ws before you get to Asterisk, you deal with none of that certificate mess.
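
Added example, not part of the original post and not Asterisk's own code: a small Python check for the http.conf side of the setup described above. With TLS turned off in Asterisk, the plain ws:// listener should be bound to loopback only, so that Apache is the sole network-facing endpoint, and tlsenable must really be off. The function names and the EXPOSED sample are constructed for illustration.

```python
import ipaddress

def parse_general(text):
    """Return the options of the [general] section of an Asterisk .conf file."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "general" and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def is_true(value):
    return value.lower() in {"yes", "true", "y", "t", "1", "on"}

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unset or a hostname: not provably loopback

def audit_http_conf(text):
    """Findings for an http.conf that should sit behind a TLS-terminating proxy."""
    opts = parse_general(text)
    if not is_true(opts.get("enabled", "no")):
        return ["enabled is not yes: nothing for the proxy to forward /ws to"]
    findings = []
    bind = opts.get("bindaddr", "")
    if not is_loopback(bind):
        findings.append(f"bindaddr={bind or '(unset)'}: plain ws:// listener is not loopback-only")
    if is_true(opts.get("tlsenable", "no")):
        findings.append("tlsenable=yes: Asterisk is still terminating TLS itself")
    return findings

# The [general] section from the post above.
PROXIED = """[general]
enabled=yes
bindaddr=127.0.0.1
bindport=8080
tlsenable=no
enablestatic=no
"""
# Constructed counter-example: listener on all interfaces, TLS still enabled.
EXPOSED = "[general]\nenabled=yes\nbindaddr=0.0.0.0\ntlsenable=yes\n"

if __name__ == "__main__":
    for name, conf in (("proxied", PROXIED), ("exposed", EXPOSED)):
        print(name, audit_http_conf(conf) or "ok")
```
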

Sir, let me try all this and update you soon, Sir @InnovateAsterisk
Hope all works smoothly
Thank you so much
Regards

unable to resolve still

Are you saying you still have SSL errors in your CLI? If so, then you are still handling the TLS connection at Asterisk - reverse proxy the connection as described above.
