NAT rtp problem in Asterisk 1.6.0-beta9

jlpedrosa · June 22, 2008, 7:08pm

Hello!

I’m just setting up the 1.6 beta 9 and I’m getting some trouble with nat:

I got a peer (2002) wich connects from outside the office (Tipical DSL + NAT router) so i included nat=yes in his ‘profile’ and canreinvite=no so all the trafic goes through Asterisk

Asterisk internal=10.41.1.254
Peer internal=192.168.1.53 or 192.168.1.2 (tried on different computers)
Peer public=83.45.79.198

if i don’t define localnet and externip everithing works fine,
(tcpdum)

20:27:55.413437 IP 83.45.79.198.11612 > 10.41.1.254.5060: SIP, length: 950 20:27:55.413850 IP 10.41.1.254.5060 > 83.45.79.198.11612: SIP, length: 534 20:27:55.751716 IP 83.45.79.198.11612 > 10.41.1.254.5060: SIP, length: 321 20:27:55.797687 IP 83.45.79.198.11612 > 10.41.1.254.5060: SIP, length: 1109 20:27:55.797950 IP 10.41.1.254.5060 > 83.45.79.198.11612: SIP, length: 470 20:27:55.798169 IP 10.41.1.254.5060 > 83.45.79.198.11612: SIP, length: 860 20:27:55.799336 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:55.818815 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:55.838809 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:55.868805 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:55.878811 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:55.908805 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:55.918807 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:55.938807 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:55.968809 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:55.978807 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:56.008804 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:56.018810 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:56.048804 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:56.058807 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:56.082002 IP 83.45.79.198.4743 > 10.41.1.254.18203: UDP, length 132 20:27:56.082042 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:56.108805 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:56.118807 IP 10.41.1.254.18202 > 192.168.1.53.4742: UDP, length 172 20:27:56.120227 IP 83.45.79.198.4742 > 10.41.1.254.18202: UDP, length 172 20:27:56.129971 IP 83.45.79.198.4742 > 10.41.1.254.18202: UDP, length 172 20:27:56.138809 IP 10.41.1.254.18202 > 83.45.79.198.4742: UDP, length 172 20:27:56.148460 IP 83.45.79.198.4742 > 10.41.1.254.18202: UDP, length 172

I suppose at first Asterisk tries to send to the local IP of the peer until first peer’s package arrives and knows his IP (don’t know why does not use SIP ip packets address if have nat=yes)

But if I define localnet and externip them with the corrects values, SIP negotiation goes ok, but RTP packets are sent to HIS local ip @, so he does not receive audio:
(tcp dump)

[code]20:51:34.365407 IP 83.45.79.198.5084 > 10.41.1.254.5060: SIP, length: 776
20:51:34.365696 IP 10.41.1.254.5060 > 83.45.79.198.5084: SIP, length: 560
20:51:34.716429 IP 83.45.79.198.5084 > 10.41.1.254.5060: SIP, length: 432
20:51:34.755403 IP 83.45.79.198.5084 > 10.41.1.254.5060: SIP, length: 940
20:51:34.755668 IP 10.41.1.254.5060 > 83.45.79.198.5084: SIP, length: 497
20:51:34.756095 IP 10.41.1.254.5060 > 83.45.79.198.5084: SIP, length: 793
20:51:34.757059 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.776314 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.798811 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.818812 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.838807 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.856306 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.876306 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.896306 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.916306 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.936308 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.956307 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.978806 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:34.996306 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:35.016307 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:35.036306 IP 10.41.1.254.15798 > 83.45.79.198.5014: UDP, length 172
20:51:35.039468 IP 83.45.79.198.5084 > 10.41.1.254.5060: SIP, length: 649
20:51:35.040469 IP 83.45.79.198 > 10.41.1.254: ICMP 83.45.79.198 udp port 5014 unreachable, length 208

i got just SOME more ICMP messages like that and no incomming trafic in peer
[/code]

If i do a whireShark on peer’s computer I see they packets are being send propertly.
I’m not sure of what the problem is, but i’d say that:
First packet from Asterisk arrives Peer before than the first’s Peer package have gone out and the peer’s router has not already established the nat session. In fact that icmp Message does not came from peer’s computer so it must be the router.

i have the peer’s Wireshar if u need, but 'id say ip’s and ports are ok

Any other ideas? any solution?

Thanks

AndrewZ · June 22, 2008, 7:31pm

Everything works as it should.
Configure localnet and externip on Asterisk side.
Configure STUN on the peer side. BTW, which SIP UA is it?

jlpedrosa · June 22, 2008, 9:53pm

Hi, thanks for the reply

I tried Ekiga on a Linux box and Xlite in windows, both with the same behaviour

jlpedrosa · June 22, 2008, 11:04pm

I’ve double checked everithing and i can’t guess whats going on… but i discovered simething else…

Stun server was setup on Ekiga, but not in Xlite, if I set-up stun server in xlite it works and got audio in both ways… but not In Ekiga, if i do a wireshark on peer and tcpdum on host, both points are sending RTP trafic to the correct ports, but any side receives the other side’s traffic…

I think it’s irrelevant but for now i’m using voipbuster’s stun server, by the way the debian Pkg called stun is ok to be a stun server?

So if i call from Xlite and tcpdump asterisk I saw he was trying to reach the internal ip of the peer. the peer is set-up as NAT=yes, in conf files says

"Asterisk ; may override the address/port information specified in the SIP/SDP messages, ; and use the information (sender address) supplied by the network stack instead. ; However, this is only useful if the external traffic can reach us. ; The following settings are allowed (both globally and in individual sections): ; ; nat = no ; default. Use NAT mode only according to RFC3581 (;rport) nat=yes ; Always ignore info and assume NAT"

So:

What’s the problem with Ekiga? why both are sending frames and the other part are not getting them?
I did set it up badly with nat=yes or it’s not valid for RTP only for sip
Is stun debian pkg ok for a stun server? if no… any advice?

Thanks