"Security denial" error in calls from H323 trunk

Dears

Environment: Asterisk 11.4
Objective: attempting H.323 trunk integration with “Polycom CMA” using ooh323 module.

When placing H323 calls from the Polycom CMA, the call goes through the trunk (as shown by tcpdump) but is rejected by Asterisk with the following error in /var/log/asterisk/h323_log:

==================
10:40:28:564 ERROR: Security denial remote sig IP isn't a socket ip, 10.44.1.156 not 10.71.0.55 (incoming, ooh323c_1)
10:40:28:565 ERROR:Failed ooH2250Receive - Clearing call (incoming, ooh323c_1)

10.44.1.156 being the IP address of the H323 client registered to Polycom CMA, 10.71.0.55 being the address of Polycom CMA.

tcpdump shows “disengageRequest” H.225 sent by Asterisk to Polycom CMA.

If you have any idea of the problem, please let me know…

Thanks

Below is the relevant config.

10.100.202.88 is the IP of the Asterisk server.

========ooh323.conf=================
[general]
port=1720
bindaddr=10.100.202.88
h323id=AsteriskPBX
mediawaitforconnect=yes
;callerid=AsteriskPBX
gateway=yes
gatekeeper = 10.71.0.55
;gatekeeper=DISABLE
allowGKRouted=yes
AcceptAnonymous=yes
faststart=yes
h245tunneling=yes
logfile=/var/log/asterisk/h323_log

;
;Following values apply to all users/peers/friends defined below, unless
;overridden within their client definition
;

context=default
rtptimeout=60
disallow=all
allow=ulaw
dtmfmode=rfc2833
progress_setup=8
progress_alert=8

directmedia=yes
directrtpsetup=yes

;
;Users definition
;Section header is extension
;

[10.71.0.55]
type=peer
;context=default
ip=10.71.0.55
port=1720
e164=12345
disallow=all
allow=ulaw
rtptimeout=60
dtmfmode=rfc2833

===========extensions.conf===========================
[general]
static=yes
writeprotect=no
autofallthrough=yes
clearglobalvars=no

[globals]
TRUNKMSD=1 ; MSD digits to strip (usually 1 or 0)
MAYAH0 => SIP/123450
MAYAH1 => SIP/123451

[default]
;exten => 123450,1,Dial(SIP/123450)
exten => 123450,1,Echo()
exten => 123450,n,Playback(demo-echotest)
exten => 123450,n,Hangup

exten => 123451,1,Dial(${MAYAH1})
exten => 123451,n,Hangup

exten => _XXX.,1,Dial(OOH323/10.71.0.55/${EXTEN})
exten => _XXX.,n,Dial(OOH323/${EXTEN}@10.71.0.55)
exten => _XXX.,n,Hangup
======================================

Dear all,

For the record, I solved this problem by commenting these lines in ooh323.c and recompiling:

=======================
if (strncmp(remoteIP, call->remoteIP, strlen(remoteIP))) {
    OOTRACEERR5("ERROR: Security denial remote sig IP isn't a socket ip, %s not %s "
                "(%s, %s)\n", remoteIP, call->remoteIP, call->callType,
                call->callToken);
    return OO_FAILED;
}

Btw is this code correct? How can it work at all? Am I missing something?

Ok, now on to next problem…

KR
Gabriele

I think you need to take this to the developer list.

I don’t use that protocol, but it seems you have an unusual case where two addresses are different when the expectation is that they are the same. It is likely that the correct fix is to add an option to disable the check, rather than to unconditionally disable it.

Note that even trivial changes need to be submitted to the bug tracker as attachments marked as your having agreed to the contributor agreement, before they will be looked at.

Ok I’ll drop a mail to the developers’ list.

Thanks

Gabriele
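
Added example, not part of the original thread and not code from ooh323.c: a sketch of the alternative suggested in the reply above, where the signalling-address check stays in place and a mismatch is accepted only when the TCP peer is the configured gatekeeper. The function name, the enum and the allow_gk_routed flag are hypothetical; it assumes IPv4 and that the "sig IP" is the address carried in the signalling.

```c
#include <arpa/inet.h>
#include <stddef.h>

/* Hypothetical verdicts for this example. */
enum sig_verdict { SIG_DENY = -1, SIG_OK = 0, SIG_OK_VIA_GK = 1 };

/* Parse dotted-quad text into an address; returns 1 on success.
 * Parsed addresses are compared exactly, not as string prefixes. */
static int parse_ip4(const char *s, struct in_addr *out)
{
    return s != NULL && inet_pton(AF_INET, s, out) == 1;
}

/*
 * signalled_ip    address the caller announced in signalling
 * socket_ip       peer address of the TCP connection
 * trusted_gk      configured gatekeeper address, or NULL if none
 * allow_gk_routed hypothetical option: non-zero lets the gatekeeper
 *                 relay signalling on behalf of its endpoints
 */
enum sig_verdict check_sig_source(const char *signalled_ip,
                                  const char *socket_ip,
                                  const char *trusted_gk,
                                  int allow_gk_routed)
{
    struct in_addr sig, sock, gk;

    /* Malformed input is never accepted. */
    if (!parse_ip4(signalled_ip, &sig) || !parse_ip4(socket_ip, &sock))
        return SIG_DENY;

    /* Direct call: announced address matches the socket peer. */
    if (sig.s_addr == sock.s_addr)
        return SIG_OK;

    /* Routed call: the mismatch is tolerated only for the one
     * configured gatekeeper, and only when the option is on. */
    if (allow_gk_routed && parse_ip4(trusted_gk, &gk) &&
        gk.s_addr == sock.s_addr)
        return SIG_OK_VIA_GK;

    return SIG_DENY;
}
```

With the addresses from the log above (10.44.1.156 announced, 10.71.0.55 as socket peer and gatekeeper) the call is accepted only when the flag is set; any other mismatched peer is still rejected.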