Random source "TLS" port on outgoing methods

Hi there Dear Community,

I’ve been struggling to configure Asterisk via PJSIP to another Endpoint with the following:

SIP METHOD via TLS from source port: 5061 to destination port: 5061

I'm not sure why, but the source port is a random port instead of the value configured on the transport:

Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress....................>
==========================================================================================

Transport:  transport_tls             tls      0      0  0.0.0.0:5061

 ParameterName              : ParameterValue
 =======================================================================================================================================
 allow_reload               : false
 allow_wildcard_certs       : Yes
 async_operations           : 1
 bind                       : 0.0.0.0:5061
 ca_list_file               : /etc/asterisk/certs/allCA.pem
 ca_list_path               :
 cert_file                  : /etc/asterisk/certs/wildcard.crt
 cipher                     : ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256
 cos                        : 0
 domain                     :
 external_media_address     : *
 external_signaling_address : *
 external_signaling_port    : 5061
 local_net                  : *
 local_net                  : *
 local_net                  : *
 local_net                  : *
 local_net                  : *
 method                     : tlsv1_2
 password                   :
 priv_key_file              : /etc/asterisk/certs/private.key
 protocol                   : tls
 require_client_cert        : No
 symmetric_transport        : false
 tos                        : 0
 verify_client              : No
 verify_server              : No
 websocket_write_timeout    : 100

Asterisk Version:
Asterisk certified-18.9-cert5

SIP OPTIONS are also generated from a random port, which stays the same until a reload/restart of pjsip/asterisk.

Could this be a bug, a misconfiguration of pjsip/dialplan, or is this just how TLS works in Asterisk?

Any ideas will be greatly appreciated
Warm Regards

That’s not a normal way of using TCP based protocols. I very much doubt it is supported.

Dear @david551 ,

You mean that, for TCP traffic, outgoing methods don't have to be sent from a specific source port, as they are in SIP UDP traffic?
If so, do you know whether this is due to an RFC standard, best practices, or just the Asterisk source code?

Warm Regards

I don’t believe that statement is true about UDP.

The ol' source vs. destination port thing. Let's take a look at this log from my ssh:

Oct 24 17:02:19 nas auth.info sshd[37553]: Received disconnect from 192.168.1.70 port 52018:11: disconnected by user
Oct 24 17:02:19 nas auth.info sshd[37553]: Disconnected from user dewdude 192.168.1.70 port 52018
Oct 24 17:02:31 nas auth.info sshd[39441]: Accepted publickey for dewdude from 192.168.1.70 port 52438

Do you see how there are two different port numbers listed? This is because my local PC connected TO the SSH server's port using that port. My PC made the connection to port 22; the reverse path to my PC was port 52018 and 52438. One end of the connection is usually randomized to avoid conflicts. If one of my computers tried to connect to a web server on port 443 and I was running a web server on port 443, then a 443 to 443 connection wouldn't work. In some cases you can force the same IP on each end, but this usually isn't required unless you have a very broken firewall. Of course, things like NAT are the reason we do this; if you have 15 computers on a network, then you need randomized source ports to keep traffic straight. Your firewall is counting on the fact that the source ports are different.

Dear @david551 ,

Thanks for your reply, about:

“You meant that, for TCP traffic, outgoing methods don’t require to be sent from a specific source port, like in SIP UDP traffic?”

I wrote that because I also have PJSIP over UDP (transport) and I'm not seeing traffic from a random source port; SIP methods flow from port 5060 to port 5060, even without my specifying it.

Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress....................>
==========================================================================================

Transport:  transport_udp             udp      0      0  0.0.0.0:5060

 ParameterName              : ParameterValue
 =======================================================
 allow_reload               : false
 allow_wildcard_certs       : Yes
 async_operations           : 1
 bind                       : 0.0.0.0:5060
 ca_list_file               :
 ca_list_path               :
 cert_file                  :
 cipher                     :
 cos                        : 0
 domain                     :
 external_media_address     : *
 external_signaling_address : *
 external_signaling_port    : 0
 local_net                  : *
 local_net                  : *
 local_net                  : *
 local_net                  : *
 local_net                  : *
 method                     : unspecified
 password                   :
 priv_key_file              :
 protocol                   : udp
 require_client_cert        : No
 symmetric_transport        : false
 tos                        : 0
 verify_client              : No
 verify_server              : No
 websocket_write_timeout    : 100

Rather than focusing on what the standard is or what the proper environment would be, I would like to know if there is a way to set a static source port for TCP traffic, just like I have for UDP (even though I haven't manually set port 5060 for UDP traffic).

Any suggestions are welcome
Warm Regards

“bind : 0.0.0.0:5060”

The bind address is the address which a machine listens on for connections into the machine.

It has no bearing on the port number/s used for outbound connections from the machine.

Antony.

Essentially no one ever does it, so I haven't looked into the fine details of POSIX network programming to see if you can even bind a port to the near side of a TCP connection.

I think some phones use random ports for UDP SIP, and, if you go through NAT you risk that happening anyway.
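Both the ssh-log explanation above (one end of a connection gets a randomized port) and the open question of whether POSIX lets you bind the near side of a TCP connection can be shown directly with sockets. The following is an added example written for this thread, not code from Asterisk or PJSIP: it opens a loopback listener that stands in for the remote peer, connects once with a plain connect() (kernel-assigned ephemeral source port), once after bind()-ing a chosen source port first, and finally shows why ephemeral ports exist by trying to reuse the same pinned port to the same destination. All addresses are loopback and all ports are chosen at run time; nothing here reflects what Asterisk's TLS transport actually does internally.

```python
import socket


def _free_loopback_port():
    """Ask the kernel for a currently free loopback port and release it again.
    Demo helper only: a real client would get its pinned port from configuration."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def connect_default(dst):
    """Plain connect() with no bind() first: the kernel assigns an ephemeral
    source port.  This is what a TCP/TLS client does unless it deliberately binds."""
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.connect(dst)
    return c


def connect_from_port(dst, src_port):
    """bind() the near side to a chosen port *before* connect().  This is the POSIX
    way to pin the source port of an outbound TCP connection.  SO_REUSEADDR lets the
    bind succeed while an earlier connection from that port still sits in TIME_WAIT."""
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    c.bind(("127.0.0.1", src_port))
    c.connect(dst)
    return c


def demo():
    """Run both variants against a loopback listener standing in for the remote
    peer and report what each side sees.  Returns a dict so it can be inspected."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # a bind address only governs *inbound* connections
    srv.listen(5)
    dst = srv.getsockname()
    opened = [srv]
    try:
        # 1. Default behaviour: ephemeral source port; the peer replies to that port.
        c1 = connect_default(dst)
        opened.append(c1)
        a1, peer1 = srv.accept()       # peer1 is the (ip, port) the *server* sees
        opened.append(a1)
        ephemeral = c1.getsockname()[1]

        # 2. Pinned source port: bind before connect.
        fixed = _free_loopback_port()
        c2 = connect_from_port(dst, fixed)
        opened.append(c2)
        a2, peer2 = srv.accept()
        opened.append(a2)

        # 3. Why ephemeral ports exist: a second connection from the *same* pinned
        #    source port to the *same* destination is the same 4-tuple and is refused
        #    (EADDRNOTAVAIL at connect() on Linux; other stacks may refuse the bind()).
        try:
            c3 = connect_from_port(dst, fixed)
            opened.append(c3)
            collided = False
        except OSError:
            collided = True

        return {
            "listen_port": dst[1],
            "default_source_port": ephemeral,
            "peer_saw_default": peer1[1],
            "pinned_source_port": fixed,
            "peer_saw_pinned": peer2[1],
            "same_tuple_collides": collided,
        }
    finally:
        for s in opened:
            s.close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value}")
```

The takeaway for the thread: the source port of an outbound TCP/TLS connection is whatever the client socket was bound to at connect() time, and a client that never calls bind() gets an ephemeral port regardless of what its listener is bound to. Pinning it is possible, but then only one connection at a time can exist to a given destination address and port.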

Makes sense @david551

But currently I need to set up a port forward in an external firewall, since an external platform always replies to the TCP source port of the SIP methods instead of "reading" the ports mentioned in the SIP Contact/Via/From headers.

Asterisk:SourceRandomPort → ExternalPlatform:5061
Asterisk:SourceRandomPort ← ExternalPlatform:5061

Asterisk:SourceRandomPort → ExternalPlatform:5061
Asterisk:HeaderPort ← ExternalPlatform:5061

Maybe the external platform is not working properly, but besides that, I want to confirm whether with Asterisk I could have a static source port for TCP traffic.

I'm not sure why, for UDP traffic, the source port is always 5060; I thought that by default Asterisk always uses a static port, and that if you need to modify it, using external_signaling_port would do the trick.

Warm Regards
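Where a SIP peer sends its response is defined by RFC 3261 section 18.2.2 (and RFC 3581 when the top Via carries rport), not by the Contact or From headers. For a request that arrived over TCP or TLS the response MUST go back over the same connection while it is still open, which means it lands on whatever source port that connection has; the Via sent-by port is only consulted when the connection is gone, and with rport the source port wins even then. The following is an added example written for this thread, not code from Asterisk, PJSIP or the external platform: it parses a Via header and applies that decision for the two exchanges drawn above. The Via values, IP addresses (documentation ranges) and port numbers are constructed for the demonstration, and the maddr parameter is deliberately not handled.

```python
DEFAULT_PORT = {"UDP": 5060, "TCP": 5060, "TLS": 5061, "SCTP": 5060}
RELIABLE = {"TCP", "TLS", "SCTP"}


def parse_via(via):
    """Parse one Via header value into (transport, host, port, params).
    Accepts an optional 'Via:' prefix, bracketed IPv6 hosts and an absent port."""
    via = via.strip()
    if via.lower().startswith("via:"):
        via = via[4:].strip()
    parts = [p.strip() for p in via.split(";")]
    proto, sent_by = parts[0].split(None, 1)
    transport = proto.rsplit("/", 1)[1].upper()       # 'SIP/2.0/TLS' -> 'TLS'
    if sent_by.startswith("["):                        # [2001:db8::1]:5061
        end = sent_by.index("]")
        host = sent_by[1:end]
        rest = sent_by[end + 1:]
        port = int(rest[1:]) if rest.startswith(":") else None
    elif ":" in sent_by:
        host, port = sent_by.rsplit(":", 1)
        port = int(port)
    else:
        host, port = sent_by, None
    params = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        params[key.lower()] = value if value else None  # bare 'rport' -> None
    return transport, host, port, params


def response_destination(via, connection_open, connection_peer):
    """Decide where the receiver of a request sends its response.

    via             -- the topmost Via of the request
    connection_open -- whether the TCP/TLS connection the request arrived on is still up
    connection_peer -- (ip, port) the request actually came from, as seen on the wire

    Order follows RFC 3261 18.2.2 with the RFC 3581 rport step inserted:
      1. reliable transport and connection still open -> reuse that connection
      2. rport present -> received (or sent-by host) and the recorded source port
      3. otherwise -> received (or sent-by host) and the sent-by port / default port
    Returns (how, (ip, port)) with how in {"existing-connection", "new-connection", "datagram"}.
    """
    transport, host, port, params = parse_via(via)
    if transport in RELIABLE and connection_open:
        return "existing-connection", connection_peer

    host = params.get("received") or host
    if "rport" in params:
        # rport was filled in by the receiver with the request's source port; if it
        # arrived bare (not yet filled), the wire source port is the same information.
        rport = params["rport"]
        dest = (host, int(rport) if rport else connection_peer[1])
    else:
        dest = (host, port or DEFAULT_PORT[transport])
    return ("new-connection" if transport in RELIABLE else "datagram"), dest


if __name__ == "__main__":
    # Constructed Via as the external platform would see it from Asterisk:
    # header port 5061, rport filled in with the ephemeral TCP source port.
    via = "Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bKdemo;rport=41234;received=203.0.113.10"
    source = ("203.0.113.10", 41234)
    print("connection open  :", response_destination(via, True, source))
    print("connection closed:", response_destination(via, False, source))
    print("closed, no rport :", response_destination(
        "SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bKdemo", False, source))
```

Run against the exchange drawn above, the first case is the "Asterisk:SourceRandomPort <- ExternalPlatform:5061" arrow (reply over the live connection to the random source port) and the third case is the "Asterisk:HeaderPort <- ExternalPlatform:5061" arrow, which only happens once the connection is closed and no rport is present. A platform that replies to the source port while the connection is up is following the RFC; the port forward becomes necessary only when the connection is torn down and a new inbound one has to reach the port advertised in Via.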

NAT firewalls generally build the reverse path automatically for TCP. Good UDP ones will do the same.
