When that Source-Port changes on another register, we have the “forbidden” issue.
It sticks long with the same TCP-Port, but then all of a sudden: port changes.
I tried rewrite_contact=no and yes but did not help.
allow_reload=yes will force the problem on applying changes and the port will change.
REGISTER from Port 1, o.k.
INVITE from Port 1, o.k.
INVITE from Port 1, o.k.
INVITE from Port 1, o.k.
INVITE from Port 2, SIP 403 forbidden.
REGISTER von Port 2, o.k.
INVITE from Port 2, o.k.
INVITE from Port 2, o.k.
INVITE from Port 2, o.k.
INVITE from Port 3, SIP 403 forbidden.
REGISTER from Port 3, o.k.
and so on…
So there is a local portchange on an invite. Why and how to fix?
Because one end or the other closed the TCP connection that was used for the REGISTER.
I’d consider this to be a non-compliant provider. Even if they didn’t close the connection, there is no reason to reject the normal recovery from a lost connection. Actually, there is no need to match incoming INVITEs against incoming REGISTERs; it is perfectly valid not to have registered before an outbound call, even if you need to register to receive calls.
Some providers over in Europe also ignore the specifications when it comes to SRV, and expect you to always use the same IP address/port and connection as the outbound registration, instead of load balancing according to their SRV configuration. There’s no option in Asterisk to ignore the specifications and work that way.
If I recall, some people have just run local DNS solutions that answer with a single IP address always instead. For other solutions I do not know. There’s been posts in the past on here if I recall, so search may find information.
I don’t know what triggers the port-change. But does not look like a change in IP to me.
Our IP does not change, nor does the IP of the provider change. Think sngrep shows that good in the screenshot above.
as jcolp wrote, you should do a packet capture. We have seen cases with Deutsche Telekom products where the firewall killed the TCP connection some time after registration (due to missing traffic, idle timer in firewall). Asterisk then establishes a new connection with an outgoing INVITE and may end up on a different IP address, which is where the 403 comes from. In this case increase the idle timeout of inactive TCP connections.
When capturing packets, check whether the TCP connection is cut and therefore a new connection to a different destination is established.
We have no problems with Asterisk and CompanyFlex.
Best regards
Karsten
With Deutsche Telekom products in particular, you should ideally use the provider’s DNS. With CompanyFlex, the NAPTR lookup may only provide sips access via SIP TLS.
We recently had a case where 1.1.1.1 and 8.8.8.8 were entered as the DNS. In the DNS SRV entries, the priorities were then reversed for successive queries because the two DNS servers provided different answers.
I don’t know if the behavior was correct, but after entering 8.8.8.8 and 8.8.4.4 or the Telekom DNS servers, the error disappeared.
Just a stupid question from someone who never used sip over tcp:
Is there a difference in behaviour between udp and tcp? Because with udp I can say for sure that asterisk always uses the configured bind port as source port.
Regarding your problem, there are firewalls where you can configure “same source port” rules. So whenever a device sends pakets, the firewall will do NATing to the same configured source port. This is something that may help in your situation.
Unfortunately, as I know LANCOM quite well, I don’t think it’s possible with their routers.
This is different in tcp. The source port is chosen by the kernel when a connection is set up. As the connection persists until explicit closed, answer packets get back for sure, using the socket of the connection. Think of Your browser: the source port would never be 80 or 443.
As udp is connection less, answers are directed to the source.
I don’t know LANCOMs but I think, the setting you mentioned is for udp.