Oracle Cloud free tier users -- UDP problems?

Hi – I’m trying to get an asterisk server to work on an ARM server in the free tier of Oracle cloud but I’m having issues.

It seems that the Oracle network firewall is blocking fragmented UDP datagrams. This causes strange issues: for example, the initial INVITE works (because it's small enough not to be fragmented), but after the 401 Unauthorized the subsequent INVITEs don't come through (because with the authorization embedded they are too large for a single UDP datagram and get fragmented).

Did you have to pull some tricks to get the oracle cloud network to work properly with UDP? Thanks for any tips!

Are you limiting the codecs to just those really needed?

I believe so (using allow = !all,g722,ulaw, is that what you meant?) but this seems to be a network layer issue rather than an asterisk thing. I can reproduce this same behavior just by using netcat and trying to send data back and forth, e.g. on the server side:

# netcat -u -l -p 5432

And on the client side:

dd if=/dev/zero bs=1 count=1000 2>/dev/null | base64 | netcat -u 146.235.204.128 5432

…that works fine. But if I do on the client side count=1200:

dd if=/dev/zero bs=1 count=1200 2>/dev/null | base64 | netcat -u 146.235.204.128 5432

…it does not work, and I see via Wireshark on the client side that the data is fragmented in the second case (but not in the first), and on the server side that it only sees the first fragment and thus does not deliver the data to netcat. Hence my question focusing on the cloud server net config. There must be folks here that have Asterisk going on these (my understanding was that the ARM server is a popular entry-level option for PBXs…), so I thought maybe they could share their ingress rules or something.

I’ve been able to google up a couple questions on the oracle forums, e.g. this, but no answers yet…

Ah, the problem is that with UDP only the first fragment has the destination port number embedded. Subsequent fragments are IP packets without a port number, so those are blocked by a firewall that only enables the single port or port range.

You have to set your firewall ingress to allow all UDP ports, at least in this case. Then it works.
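The mechanism in the post above, as an added example that is not part of the original thread: a small stdlib-only Python model that builds the UDP datagram the netcat test sends, IP-fragments it for a 1500-byte MTU (assumed), runs the fragments through a toy stateless ingress rule, and tries to reassemble what got through. The port numbers, the 1500-byte MTU, and the rule model ("UDP any port" matches on the IP protocol field only, a port list must read the UDP header) are assumptions for illustration; nothing here is Oracle's actual firewall code, and no packets leave the machine.

```python
"""Why a port-range ingress rule drops fragmented UDP (added example).

Constructed in-memory model: build a UDP datagram, fragment it per RFC 791
for an assumed 1500-byte MTU, filter with a toy stateless rule, reassemble.
"""
import base64
import struct

MTU = 1500        # assumed path MTU (Ethernet)
IP_HDR = 20       # IPv4 header without options
UDP_HDR = 8       # UDP header: src port, dst port, length, checksum


def build_udp_datagram(src_port, dst_port, payload):
    """UDP header + payload. Checksum left 0 (optional for IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, UDP_HDR + len(payload), 0) + payload


def fragment(ip_payload, mtu=MTU, ident=0x1234):
    """Split an IP payload into fragments as a host stack or router would.

    Every fragment but the last carries a multiple of 8 bytes, and only the
    fragment at offset 0 contains the UDP header (and thus the port numbers).
    """
    max_chunk = (mtu - IP_HDR) // 8 * 8   # 1480 bytes of payload per fragment
    frags, off = [], 0
    while off < len(ip_payload):
        chunk = ip_payload[off:off + max_chunk]
        off += len(chunk)
        frags.append({"id": ident, "offset": off - len(chunk),
                      "more": off < len(ip_payload), "data": chunk})
    return frags


def ingress_allows(frag, allowed_ports):
    """Toy stateless rule 'UDP, destination port in allowed_ports' (assumed model).

    allowed_ports=None stands for a rule allowing UDP on *all* ports: it only
    needs the IP protocol field, so it matches every fragment. A port list
    must read the UDP header, which exists only in the offset-0 fragment;
    later fragments carry no port to match and are dropped.
    """
    if allowed_ports is None:
        return True
    if frag["offset"] != 0:
        return False
    dst_port = struct.unpack("!H", frag["data"][2:4])[0]
    return dst_port in allowed_ports


def reassemble(frags):
    """Return the datagram if every fragment arrived contiguously, else None."""
    frags = sorted(frags, key=lambda f: f["offset"])
    buf, expect = b"", 0
    for f in frags:
        if f["offset"] != expect:
            return None
        buf += f["data"]
        expect += len(f["data"])
    if not frags or frags[-1]["more"]:
        return None   # tail never arrived; the receiving stack times out and discards
    return buf


def simulate(raw_len, allowed_ports, dst_port=5432):
    """Mimic `dd if=/dev/zero bs=1 count=raw_len | base64 | netcat -u host dst_port`.

    base64.encodebytes wraps at 76 columns, like coreutils base64 does.
    Returns (fragments sent, fragments passed by the rule, delivered intact).
    """
    payload = base64.encodebytes(b"\x00" * raw_len)          # constructed input
    frags = fragment(build_udp_datagram(40000, dst_port, payload))
    passed = [f for f in frags if ingress_allows(f, allowed_ports)]
    dgram = reassemble(passed)
    return len(frags), len(passed), dgram is not None and dgram[UDP_HDR:] == payload


if __name__ == "__main__":
    for raw_len, rule in ((1000, {5432}), (1200, {5432}), (1200, None)):
        print(raw_len, "bytes, rule", rule or "UDP any port", "->", simulate(raw_len, rule))
```

With count=1000 the base64 text is 1354 bytes, the datagram fits in one fragment and a port-5432 rule delivers it; with count=1200 it is 1622 bytes, the second fragment has no UDP header, the port rule drops it and the receiver never completes reassembly. Only the "UDP, all ports" rule passes both fragments, which is the fix reported above.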

The reason I asked was that including all the codecs was a known cause of packets requiring fragmentation.
