[OpenSIPS-Users] Getting a Cisco 7960 to register behind a PIX
James Lamanna
jlamanna at gmail.com
Thu Dec 9 18:04:25 CET 2010
Here's the SIP traffic from my phone now running v8.9 with nat_enable
= 1 and nat_received_processing = 1.
BTW this phone has no issues registering to asterisk on a different line key.
-- James
U nat.ip:6212 -> opensips.ip:5060
REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
nat.ip:8427;branch=z9hG4bK67291d74..From:
<sip:xxxxxxx at opensips.ip>;tag=00036be7b0aa000731de6fab-4eefd488..To:
<sip:xxxxxxx at opensips.ip>..
Call-ID: 00036be7-b0aa0007-5a172506-53e80b15 at nat.ip..Max-Forwards:
70..CSeq: 101 REGISTER..User-Agent: Cisco-CP7960G/8.0..Contact:
<sip:xxxxxxx1 at nat.ip:8427;user=phone;transport=udp>;+sip.
instance="<urn:uuid:00000000-0000-0000-0000-00036be7b0aa>";+u.sip!model.ccm.cisco.com="7"..Content-Length:
0..Expires: 45....
#
Uopensips.ip:5060 -> nat.ip:8427
SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
nat.ip:8427;branch=z9hG4bK67291d74..From:
<sip:xxxxxxxx at opensips.ip>;tag=00036be7b0aa000731de6fab-4eefd488..To:
<sip:xxxxxxxxx at opensips.ip>;tag=c5cd5e
6c2a1d4c975e04c2ff1b643904.c6b0..Call-ID:
00036be7-b0aa0007-5a172506-53e80b15 at nat.ip..CSeq: 101
REGISTER..WWW-Authenticate: Digest realm="asterisk",
nonce="4d010bf1000104ac9cec46f3f3eafb667ac1d37dd4
c56fce"..Server: OpenSIPS (1.6.3-notls
(x86_64/linux))..Content-Length: 0....
On Tue, Dec 7, 2010 at 2:29 PM, Advantia VoIP Systems <info at advantia.ca> wrote:
> James,
> When I look at my 7940 phones, I am running version 8.8. It seems to me
> that this could/should be fixable at your PIX but what are the chance of you
> flashing your phone to a more recent firmware and seeing if that is helps
> with the port numbering issue. Just a guess...
> Mario
> On Tue, Dec 7, 2010 at 1:14 PM, James Lamanna <jlamanna at gmail.com> wrote:
>>
>> On Tue, Dec 7, 2010 at 11:42 AM, Duane Larson <duane.larson at gmail.com>
>> wrote:
>> > From your original post before you set up nat enable on the Cisco phone
>> > OpenSIPS was replying back on the 2260 port
>> >
>> > U nat.ip:2260 -> opensips.ip:5060
>> > REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
>> >
>> > #
>> > U opensips.ip:5060 -> nat.ip:2260
>> > SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>> >
>> > So right there without configuring NatEnable on the Cisco phone OpenSIPS
>> > is
>> > sending back to the original port that the Cisco phone used correct?
>>
>> Yes, that is correct.
>> That is with nat_enable : 0.
>>
>> -- James
>>
>> >
>> >
>> > On Tue, Dec 7, 2010 at 1:34 PM, James Lamanna <jlamanna at gmail.com>
>> > wrote:
>> >>
>> >> On Tue, Dec 7, 2010 at 9:32 AM, Duane Larson <duane.larson at gmail.com>
>> >> wrote:
>> >> > From your SIP message
>> >> >
>> >> > U nat.ip:2370 -> opensips.ip:5060 REGISTER sip:opensips.ip
>> >> > SIP/2.0..Via: SIP/2.0/UDP nat.ip:8427;branch=z9hG4bK79682dfb..
>> >> > From: <sip:9515013401 at opensips.ip;user=phone>..To:
>> >> > <sip:9515013401 at opensips.ip;user=phone>..Call-ID:
>> >> > 00036be7-b0aa0007-736f1483-25859b27 at nat.ip..Date: Mon, 06 Dec 2010
>> >> > 21:28:11 GMT..CSeq: 200 REGISTER..User-Agent
>> >> > : CSCO/7..Contact: <sip:9515013401 at nat.ip:8427>..Content-Length:
>> >> > 0..Expires: 45....
>> >> >
>> >> > In the VIA header I believe your phone is saying "Talk to me over
>> >> > nat.ip:8427"
>> >> >
>> >> > You might want to set up logging on your PIX/ASA firewall to see
>> >> > whats
>> >> > getting blocked, but from the way you've explained the issue it
>> >> > doesn't
>> >> > sound like an OpenSIPS issue. Sounds like a firewall issue or Cisco
>> >> > phone
>> >> > issue.
>> >>
>> >> Logging on the PIX definitely sees packets coming back 8427, which
>> >> since they aren't part of an established connection get dropped.
>> >> Maybe going to opensips these phones need sip fixup on, though going
>> >> directly to Asterisk, they have been working with sip fixup off...
>> >>
>> >> -- James
>> >>
>> >>
>> >> >
>> >> > On Tue, Dec 7, 2010 at 10:22 AM, James Lamanna <jlamanna at gmail.com>
>> >> > wrote:
>> >> >>
>> >> >> Hi Bogdan,
>> >> >> I guess I'm confused as to why you say its being transmitted back to
>> >> >> the same IP:Port:
>> >> >>
>> >> >> U nat.ip:2370 -> opensips.ip:5060
>> >> >> U opensips.ip:5060 -> nat.ip:8427
>> >> >>
>> >> >> Shouldn't it be going back to port 2370? And not 8427?
>> >> >>
>> >> >> -- James
>> >> >>
>> >> >> On Tue, Dec 7, 2010 at 2:43 AM, Bogdan-Andrei Iancu
>> >> >> <bogdan at voice-system.ro> wrote:
>> >> >> > Hi James,
>> >> >> >
>> >> >> > From proxy point of view, everything looks ok - I see the reply
>> >> >> > sent
>> >> >> > back to
>> >> >> > the exact IP:port where the request came from....So the reply
>> >> >> > should
>> >> >> > make it
>> >> >> > through the NAT...But it seams it doesn't as the phone keeps
>> >> >> > retransmitting
>> >> >> > the REGISTER..
>> >> >> >
>> >> >> > Again, from NAT pov, opensips is doing the right stuff (doing
>> >> >> > symmetric
>> >> >> > signalling) - there is nothing more you can do here for
>> >> >> > opensips..Maybe
>> >> >> > it
>> >> >> > is something specific to the NAT device - any possibility to
>> >> >> > debug/trace
>> >> >> > on
>> >> >> > it ?
>> >> >> >
>> >> >> > Regards,
>> >> >> > Bogdan
>> >> >> >
>> >> >> > James Lamanna wrote:
>> >> >> >>
>> >> >> >> Hi,
>> >> >> >> I was wondering if anyone had any experience getting a Cisco 7960
>> >> >> >> phone to register to opensips when the phone is behind a PIX
>> >> >> >> firewall.
>> >> >> >> I'm having a hell of a time getting it to register.
>> >> >> >> I see these messages:
>> >> >> >>
>> >> >> >> U nat.ip:2260 -> opensips.ip:5060
>> >> >> >> REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
>> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <
>> >> >> >> sip:xxxxxxx at opensips.ip;user=phone>..To:
>> >> >> >> <sip:xxxxxxxx at opensips.ip;user=phone>..Call-ID: 0003
>> >> >> >> 6be7-b0aa0007-46220771-115f4fcc at 10.20.33.22..Date: Mon, 06 Dec
>> >> >> >> 2010
>> >> >> >> 18:10:49 GMT..CSeq: 107 REGISTER
>> >> >> >> ..User-Agent: CSCO/7..Contact:
>> >> >> >> <sip:xxxxxxxx at 10.20.33.22:5060>..Content-Length: 0..Expires:
>> >> >> >> 45....
>> >> >> >> #
>> >> >> >> U opensips.ip:5060 -> nat.ip:2260
>> >> >> >> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv
>> >> >> >> ed=208.90.184.123..From:
>> >> >> >> <sip:xxxxxxxxx at opensips.ip;user=phone>..To:
>> >> >> >> <sip:xxxxxxxx at opensips.ip;
>> >> >> >> user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:
>> >> >> >> 00036be7-b0aa0007-46220771-115f4fcc@
>> >> >> >> 10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest
>> >> >> >> realm="asterisk", nonce="4cfd27fe0000780d7
>> >> >> >> 1826527370e7c8b97f663425df75489"..Server: OpenSIPS (1.6.3-notls
>> >> >> >> (x86_64/linux))..Content-Length: 0..
>> >> >> >> ..
>> >> >> >> #
>> >> >> >> U nat.ip:2260 -> opensips.ip:5060
>> >> >> >> REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP
>> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <
>> >> >> >> sip:xxxxxxxxx at opensips.ip;user=phone>..To:
>> >> >> >> <sip:xxxxxxxx at opensips.ip;user=phone>..Call-ID: 0003
>> >> >> >> 6be7-b0aa0007-46220771-115f4fcc at 10.20.33.22..Date: Mon, 06 Dec
>> >> >> >> 2010
>> >> >> >> 18:10:49 GMT..CSeq: 107 REGISTER
>> >> >> >> ..User-Agent: CSCO/7..Contact:
>> >> >> >> <sip:xxxxxxxxx at 10.20.33.22:5060>..Content-Length: 0..Expires:
>> >> >> >> 45....
>> >> >> >> #
>> >> >> >> U opensips.ip:5060 -> nat.ip:2260
>> >> >> >> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
>> >> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv
>> >> >> >> ed=208.90.184.123..From:
>> >> >> >> <sip:xxxxxxxx at opensips.ip;user=phone>..To:
>> >> >> >> <sip:xxxxxxxxx at opensips.ip;
>> >> >> >> user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:
>> >> >> >> 00036be7-b0aa0007-46220771-115f4fcc@
>> >> >> >> 10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest
>> >> >> >> realm="asterisk", nonce="4cfd28000000780e5
>> >> >> >> c3381d838a044479357aa6c660df432"..Server: OpenSIPS (1.6.3-notls
>> >> >> >> (x86_64/linux))..Content-Length: 0..
>> >> >> >>
>> >> >> >> This suggests the 401 response is not making it back to the
>> >> >> >> phone....but I'm not sure why the PIX would be blocking it.
>> >> >> >> All sip fixup is off.
>> >> >> >>
>> >> >> >> Any configuration suggestions would be much appreciated.
>> >> >> >> The phone has:
>> >> >> >> nat_enable: 0
>> >> >> >> nat_received_processing: 0
>> >> >> >>
>> >> >> >> That was the only way I could get opensips to send the responses
>> >> >> >> back
>> >> >> >> to the correct port.
>> >> >> >>
>> >> >> >> Thanks.
>> >> >> >>
>> >> >> >> -- James
>> >> >> >>
>> >> >> >> _______________________________________________
>> >> >> >> Users mailing list
>> >> >> >> Users at lists.opensips.org
>> >> >> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >> >> >>
>> >> >> >>
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > Bogdan-Andrei Iancu
>> >> >> > OpenSIPS Bootcamp
>> >> >> > 15 - 19 November 2010, Edison, New Jersey, USA
>> >> >> > www.voice-system.ro
>> >> >> >
>> >> >> >
>> >> >> > _______________________________________________
>> >> >> > Users mailing list
>> >> >> > Users at lists.opensips.org
>> >> >> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >> >> >
>> >> >>
>> >> >> _______________________________________________
>> >> >> Users mailing list
>> >> >> Users at lists.opensips.org
>> >> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > --
>> >> > *--*--*--*--*--*
>> >> > Duane
>> >> > *--*--*--*--*--*
>> >> > --
>> >> >
>> >> > _______________________________________________
>> >> > Users mailing list
>> >> > Users at lists.opensips.org
>> >> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >> >
>> >> >
>> >>
>> >> _______________________________________________
>> >> Users mailing list
>> >> Users at lists.opensips.org
>> >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >
>> >
>> >
>> > --
>> > --
>> > *--*--*--*--*--*
>> > Duane
>> > *--*--*--*--*--*
>> > --
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.opensips.org
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> >
>> >
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
More information about the Users
mailing list