STUN/ICE not working

mdspam · June 20, 2019, 9:27pm

Hi,
I am running Certified Asterisk 13 with chan_sip (pjsip is no option for me at the moment as I am required to use Asterisk 13). I am trying to use STUN or ICE, but it does not work. Reference for the STUN/ICE configuration is the asterisk wiki.
My configuration for STUN:
sip.conf:
icesupport = yes
rtp.conf:

icesupport=yes
stunaddr=stun.sipgate.net

res_stun_monitor.conf is also set up, the module is loaded

In wireshark I can see STUN packets being sent to and answered by the STUN server.

When enabling STUN debug, I see
STUN Packet, msg Binding Response (0101), length: 68
Found STUN Attribute Mapped Address (0001), length 8
Ignoring STUN attribute Mapped Address (0001), length 8
Found STUN Attribute Source Address (0004), length 8
Ignoring STUN attribute Source Address (0004), length 8
Found STUN Attribute Changed Address (0005), length 8
Ignoring STUN attribute Changed Address (0005), length 8
Found STUN Attribute Non-RFC3489 Attribute (8020), length 8
Ignoring STUN attribute Non-RFC3489 Attribute (8020), length 8
Found STUN Attribute Non-RFC3489 Attribute (8022), length 16
Ignoring STUN attribute Non-RFC3489 Attribute (8022), length 16
Dunno what to do with STUN message 0101 (Binding Response)

However, “stun show status” gives a correct external IP, so STUN seems to work nevertheless.

Hostname                  Port  Period  Retries  Status  ExternAddr       ExternPort
stun.sipgate.net          3478  30      3        OK      <correct external IP>    58499

Now, I would expect the SDP then to contain the external address instead of the private IP my asterisk instance has (being behind a NAT). But there is always the private IP address, never the public IP. Also, the IP in the SIP header only contains the private IP address. The external IP address is never used in any SIP message.

My questions regarding this:

Should not STUN/ICE make asterisk replace the private address with the public address
(a) in the SIP header
(b) in the SDP header?
The Asterisk Wiki suggests that there should be lines for ice in the SDP. But there are none according to the output I get from sip debug in the asterisk log.
Main question is: Is there something I am doing wrong? What are my options for further debugging or fixing this?

Thanks,
Marcel

jcolp · June 20, 2019, 9:42pm

The STUN functionality does not alter the SDP or SIP headers like that. You still have to configure them in sip.conf.

If I recall ICE support may have to be enabled at the user/peer level, if you aren’t doing so. The other side also has to support ICE.

EkFudrek · June 21, 2019, 9:10am

You could run the client of the stund package and check whether there are any anomalies.

Sine you are mentioning the private IPs, the first question would be about your nat related settings (nat, externip/externhost, localnet, …).

ambiorixg12 · June 22, 2019, 5:02am

Why dont you use the options Asterisk offers when dealing with NAT

I made a list of them here (some of then are configured global other on peer section

gist.github.com

https://gist.github.com/ambiorixg12/07d1553e287a24fb9a8715ead5b10f9b

chan_sip NAT settings

nat=rtp_force,comedia
directmedia=no
localnet=192.168.0.0/255.255.0.0 ; RFC 1918 addresses
localnet=10.0.0.0/255.0.0.0      ; Also RFC1918
localnet=172.16.0.0/12           ; Another RFC1918 with CIDR notation
localnet=169.254.0.0/255.255.0.0 ; Zero conf local network
externaddr = (PUBLIC IP)
media_address = X.X.X.X (PUBLIC IP)
qualify=yes
rtpkeepalive=5

mdspam · June 23, 2019, 12:56pm

Thanks for all the responses.

@ambiorixg12 and EkFudrek I know about these settings and they work as expected. However, I am dealing with a situation where the public IP address changes on a daily basis. This is why I need STUN in the first place.

@jcolp From your answer, I am not sure what to expect from Asterisks STUN feature. You said that with STUN enabled no IPs are replaced, but why then have STUN support in the first place if it has no effect?
I assume switching to pjsip will not change anything wrt this, will it?
I will try to enable ICE on a per user level, maybe this makes a difference. Thanks for the suggestion.

jcolp · June 23, 2019, 3:24pm

It serves two purposes:

It’s used by the res_stun_monitor module to monitor the external IP address so things inside can be triggered (such as re-registering an outbound registration so they get the new IP address).
It’s used by the ICE support to determine the external IP address to place into ICE candidates.

While it could be used as you originally wanted, that is not functionality anyone has written and built in.

ambiorixg12 · June 23, 2019, 4:48pm

use the externhost = hostname[:port]" is similar to “externaddr” except
; that the hostname is looked up every “externrefresh” seconds
; (default 10s).

system · July 23, 2019, 4:48pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using STUN to fill in media IP address in SIP SDP Asterisk SIP	2	745	May 24, 2019
Use STUN server while registering for receiving inbound calls Asterisk SIP	7	1286	August 5, 2020
STUN/ICE troubleshoot Asterisk Support	7	1524	April 1, 2021
Stun troubleshooting: Dunno what to do with Stun Asterisk Support	4	1039	January 26, 2024
Configured Stun but NOT showed in SIP Asterisk General	0	413	June 2, 2014

STUN/ICE not working

Related topics