[OpenSIPS-Users] NAT and ACK (private IP/domain)

Jacek Konieczny jajcus at jajcus.net
Fri Apr 24 14:23:19 CEST 2009


On Thu, Apr 23, 2009 at 07:50:06PM +0300, Bogdan-Andrei Iancu wrote:
> The ACK will be routed based on Route + RURI info. Route hdr made the 
> ACK to get to .201 and the RURI will continue to .71. The RURI from ACK 
> is taken from the Contact hdr of the 200 OK reply.

That is true, but Contact header may get corrupted in the way. I was
troubleshooting a NAT & ACK problem today too. 

My setup was two SIP ATAs behind a NAT connecting via two chained
opensips proxies (with mediaproxy at one of them). 

ATA1 --{NAT}--> PROXY1 --> PROXY2 --{NAT}--> ATA2


And that is what I found:


1. First, I did not have fix_contact() in onreply_route. So, the call
was nearly established, the called party (ATA2) responded with "200 OK",
but it never received the ACK, as it was sent (by PROXY2) to a private
address instead of NAT public IP. The private address was taken by ATA1
from the Contact header of the "200 OK" response.

2. I have added:

        if (client_nat_test("3")) {
                fix_contact();
        }

To both proxy opensips.cfg onreply_route. The same code was used in the
main route.  This didn't help much, as the called party still didn't
receive its ACK. This time it was not sent to the private IP, but to the
proxy.

After inspecting the traffic I found out, that both proxies had replaced
Contact header in the "200 OK" response. PROXY2 did it right: replaced
ATA2 private IP with the IP message was received from, so Contact was
valid. But the other proxy rewritten it again, replacing the public NAT
IP with the IP of PROXY2. This caused the ACK to loop inside PROXY2
instead of being sent to ATA2.

It seem client_nat_test("3") in onreply_route matches even if request
came directly (no NAT) from another proxy, which had already do the NAT
fix on Contact.  This doesn't seem to be the same way in main route
block.

3. I have replaced client_nat_test("3") with client_nat_test("1") and
this solved the problem.

Greets,
        Jacek



More information about the Users mailing list