<div>Here is a good INVITE I have from being behind a firewall</div>
<div> </div>
<div>The firewall has an IP of 75.X.X.158</div>
<div>The internal network the IP phone is on is 192.168.33.X</div>
<div>The OpenSIPS server is 173.X.X.88</div>
<div> </div>
<div> </div>
<div>U 2010/12/07 16:12:14.459659 75.X.X.158:2048 -> 173.X.X.88:5060<br>INVITE <a href="mailto:sip%3A111@irock.com">sip:111@irock.com</a>;user=phone SIP/2.0.<br>Via: SIP/2.0/UDP 192.168.33.23:2048;branch=z9hG4bK-9se1atq58cbk;rport.<br>
From: "Moo " <<a href="mailto:sip%3A9@irock.com">sip:9@irock.com</a>>;tag=tq7cj9lj3c.<br>To: <<a href="mailto:sip%3A111@irock.com">sip:111@irock.com</a>;user=phone>.<br>Call-ID: 3c28c61f517f-au6e4a6vh38t.<br>
CSeq: 1 INVITE.<br>Max-Forwards: 70.<br>Contact: <sip:9@192.168.33.23:2048;line=qtgpvpl1>;reg-id=1.<br>X-Serialnumber: 0004132902C9.<br>P-Key-Flags: resolution="31x13", keys="4".<br>User-Agent: snom360/<a href="http://8.4.18.">8.4.18.</a><br>
Accept: application/sdp.<br>Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO, UPDATE.<br>Allow-Events: talk, hold, refer, call-info.<br>Supported: timer, 100rel, replaces, from-change.<br>
Session-Expires: 3600;refresher=uas.<br>Min-SE: 90.<br>Content-Type: application/sdp.<br>Content-Length: 475.<br>.<br>v=0.<br>o=root 217266021 217266021 IN IP4 192.168.33.23.<br>s=call.<br>c=IN IP4 192.168.33.23.<br>t=0 0.<br>
m=audio 60836 RTP/AVP 0 8 9 99 3 18 4 101.<br>a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:KDdT1DXlQP7n5ulSDPGv9aOWWmKQzMwlqqpUI8Zc.<br>a=rtpmap:0 pcmu/8000.<br>a=rtpmap:8 pcma/8000.<br>a=rtpmap:9 g722/8000.<br>a=rtpmap:99 g726-32/8000.<br>
a=rtpmap:3 gsm/8000.<br>a=rtpmap:18 g729/8000.<br>a=fmtp:18 annexb=no.<br>a=rtpmap:4 g723/8000.<br>a=rtpmap:101 telephone-event/8000.<br>a=fmtp:101 0-16.<br>a=ptime:20.<br>a=sendrecv.</div>
<div>#<br>U 2010/12/07 16:12:14.459991 173.X.X.88:5060 -> 75.X.X.158:2048<br>SIP/2.0 407 Proxy Authentication Required.<br>Via: SIP/2.0/UDP 192.168.33.23:2048;branch=z9hG4bK-9se1atq58cbk;rport=2048;received=75.X.X.158.<br>
From: "Moo " <<a href="mailto:sip%3A9012211612@irock.com">sip:9012211612@irock.com</a>>;tag=tq7cj9lj3c.<br>To: <<a href="mailto:sip%3A111@irock.com">sip:111@irock.com</a>;user=phone>;tag=c97b4d1cb1f3d0da549e06a8d482ef63.9234.<br>
Call-ID: 3c28c61f517f-au6e4a6vh38t.<br>CSeq: 1 INVITE.<br>Proxy-Authenticate: Digest realm="<a href="http://irock.com">irock.com</a>", nonce="4cfeb15c93b5eb253383911370bef215dfed2212", qop="auth".<br>
Server: OpenSIPS (1.6.3-notls (x86_64/linux)).<br>Content-Length: 0.<br></div>
<div> </div>
<div>When you don't have NAT enabled on the phone are you still seeing the "407 Authentication Required" message being sent to the firewall and getting blocked? Just trying to see if the 407 message is not actually being sent to a private IP which won't work. I am only guessing it is getting sent to the Firewall when NAT is disabled on the phone because you show "nat.ip:2260" in your output.</div>
<div><br> </div>
<div class="gmail_quote">On Tue, Dec 7, 2010 at 3:14 PM, James Lamanna <span dir="ltr"><<a href="mailto:jlamanna@gmail.com">jlamanna@gmail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">On Tue, Dec 7, 2010 at 11:42 AM, Duane Larson <<a href="mailto:duane.larson@gmail.com">duane.larson@gmail.com</a>> wrote:<br>
> From your original post before you set up nat enable on the Cisco phone<br>> OpenSIPS was replying back on the 2260 port<br>><br>> U nat.ip:2260 -> opensips.ip:5060<br>> REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP<br>
><br>> #<br>> U opensips.ip:5060 -> nat.ip:2260<br>> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP<br>><br>> So right there without configuring NatEnable on the Cisco phone OpenSIPS is<br>> sending back to the original port that the Cisco phone used correct?<br>
<br>Yes, that is correct.<br>That is with nat_enable : 0.<br><br>-- James<br><br>><br>><br>> On Tue, Dec 7, 2010 at 1:34 PM, James Lamanna <<a href="mailto:jlamanna@gmail.com">jlamanna@gmail.com</a>> wrote:<br>
>><br>>> On Tue, Dec 7, 2010 at 9:32 AM, Duane Larson <<a href="mailto:duane.larson@gmail.com">duane.larson@gmail.com</a>><br>>> wrote:<br>>> > From your SIP message<br>>> ><br>>> > U nat.ip:2370 -> opensips.ip:5060 REGISTER sip:opensips.ip<br>
>> > SIP/2.0..Via: SIP/2.0/UDP nat.ip:8427;branch=z9hG4bK79682dfb..<br>>> > From: <sip:9515013401@opensips.ip;user=phone>..To:<br>>> > <sip:9515013401@opensips.ip;user=phone>..Call-ID:<br>
>> > 00036be7-b0aa0007-736f1483-25859b27@nat.ip..Date: Mon, 06 Dec 2010<br>>> > 21:28:11 GMT..CSeq: 200 REGISTER..User-Agent<br>>> > : CSCO/7..Contact: <sip:9515013401@nat.ip:8427>..Content-Length:<br>
>> > 0..Expires: 45....<br>>> ><br>>> > In the VIA header I believe your phone is saying "Talk to me over<br>>> > nat.ip:8427"<br>>> ><br>>> > You might want to set up logging on your PIX/ASA firewall to see whats<br>
>> > getting blocked, but from the way you've explained the issue it doesn't<br>>> > sound like an OpenSIPS issue. Sounds like a firewall issue or Cisco<br>>> > phone<br>>> > issue.<br>
>><br>>> Logging on the PIX definitely sees packets coming back 8427, which<br>>> since they aren't part of an established connection get dropped.<br>>> Maybe going to opensips these phones need sip fixup on, though going<br>
>> directly to Asterisk, they have been working with sip fixup off...<br>>><br>>> -- James<br>>><br>>><br>>> ><br>>> > On Tue, Dec 7, 2010 at 10:22 AM, James Lamanna <<a href="mailto:jlamanna@gmail.com">jlamanna@gmail.com</a>><br>
>> > wrote:<br>>> >><br>>> >> Hi Bogdan,<br>>> >> I guess I'm confused as to why you say its being transmitted back to<br>>> >> the same IP:Port:<br>>> >><br>
>> >> U nat.ip:2370 -> opensips.ip:5060<br>>> >> U opensips.ip:5060 -> nat.ip:8427<br>>> >><br>>> >> Shouldn't it be going back to port 2370? And not 8427?<br>>> >><br>
>> >> -- James<br>>> >><br>>> >> On Tue, Dec 7, 2010 at 2:43 AM, Bogdan-Andrei Iancu<br>>> >> <<a href="mailto:bogdan@voice-system.ro">bogdan@voice-system.ro</a>> wrote:<br>
>> >> > Hi James,<br>>> >> ><br>>> >> > From proxy point of view, everything looks ok - I see the reply sent<br>>> >> > back to<br>>> >> > the exact IP:port where the request came from....So the reply should<br>
>> >> > make it<br>>> >> > through the NAT...But it seams it doesn't as the phone keeps<br>>> >> > retransmitting<br>>> >> > the REGISTER..<br>>> >> ><br>
>> >> > Again, from NAT pov, opensips is doing the right stuff (doing<br>>> >> > symmetric<br>>> >> > signalling) - there is nothing more you can do here for<br>>> >> > opensips..Maybe<br>
>> >> > it<br>>> >> > is something specific to the NAT device - any possibility to<br>>> >> > debug/trace<br>>> >> > on<br>>> >> > it ?<br>>> >> ><br>
>> >> > Regards,<br>>> >> > Bogdan<br>>> >> ><br>>> >> > James Lamanna wrote:<br>>> >> >><br>>> >> >> Hi,<br>>> >> >> I was wondering if anyone had any experience getting a Cisco 7960<br>
>> >> >> phone to register to opensips when the phone is behind a PIX<br>>> >> >> firewall.<br>>> >> >> I'm having a hell of a time getting it to register.<br>>> >> >> I see these messages:<br>
>> >> >><br>>> >> >> U nat.ip:2260 -> opensips.ip:5060<br>>> >> >> REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP<br>>> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <<br>
>> >> >> sip:xxxxxxx@opensips.ip;user=phone>..To:<br>>> >> >> <sip:xxxxxxxx@opensips.ip;user=phone>..Call-ID: 0003<br>>> >> >> 6be7-b0aa0007-46220771-115f4fcc@10.20.33.22..Date: Mon, 06 Dec 2010<br>
>> >> >> 18:10:49 GMT..CSeq: 107 REGISTER<br>>> >> >> ..User-Agent: CSCO/7..Contact:<br>>> >> >> <<a href="http://sip:xxxxxxxx@10.20.33.22:5060" target="_blank">sip:xxxxxxxx@10.20.33.22:5060</a>>..Content-Length: 0..Expires: 45....<br>
>> >> >> #<br>>> >> >> U opensips.ip:5060 -> nat.ip:2260<br>>> >> >> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP<br>>> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv<br>
>> >> >> ed=208.90.184.123..From:<br>>> >> >> <sip:xxxxxxxxx@opensips.ip;user=phone>..To:<br>>> >> >> <sip:xxxxxxxx@opensips.ip;<br>>> >> >> user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:<br>
>> >> >> 00036be7-b0aa0007-46220771-115f4fcc@<br>>> >> >> 10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest<br>>> >> >> realm="asterisk", nonce="4cfd27fe0000780d7<br>
>> >> >> 1826527370e7c8b97f663425df75489"..Server: OpenSIPS (1.6.3-notls<br>>> >> >> (x86_64/linux))..Content-Length: 0..<br>>> >> >> ..<br>>> >> >> #<br>
>> >> >> U nat.ip:2260 -> opensips.ip:5060<br>>> >> >> REGISTER sip:opensips.ip SIP/2.0..Via: SIP/2.0/UDP<br>>> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a..From: <<br>
>> >> >> sip:xxxxxxxxx@opensips.ip;user=phone>..To:<br>>> >> >> <sip:xxxxxxxx@opensips.ip;user=phone>..Call-ID: 0003<br>>> >> >> 6be7-b0aa0007-46220771-115f4fcc@10.20.33.22..Date: Mon, 06 Dec 2010<br>
>> >> >> 18:10:49 GMT..CSeq: 107 REGISTER<br>>> >> >> ..User-Agent: CSCO/7..Contact:<br>>> >> >> <<a href="http://sip:xxxxxxxxx@10.20.33.22:5060" target="_blank">sip:xxxxxxxxx@10.20.33.22:5060</a>>..Content-Length: 0..Expires: 45....<br>
>> >> >> #<br>>> >> >> U opensips.ip:5060 -> nat.ip:2260<br>>> >> >> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP<br>>> >> >> 10.20.33.22:5060;branch=z9hG4bK48039e3a;rport=2260;receiv<br>
>> >> >> ed=208.90.184.123..From: <sip:xxxxxxxx@opensips.ip;user=phone>..To:<br>>> >> >> <sip:xxxxxxxxx@opensips.ip;<br>>> >> >> user=phone>;tag=c5cd5e6c2a1d4c975e04c2ff1b643904.5bf3..Call-ID:<br>
>> >> >> 00036be7-b0aa0007-46220771-115f4fcc@<br>>> >> >> 10.20.33.22..CSeq: 107 REGISTER..WWW-Authenticate: Digest<br>>> >> >> realm="asterisk", nonce="4cfd28000000780e5<br>
>> >> >> c3381d838a044479357aa6c660df432"..Server: OpenSIPS (1.6.3-notls<br>>> >> >> (x86_64/linux))..Content-Length: 0..<br>>> >> >><br>>> >> >> This suggests the 401 response is not making it back to the<br>
>> >> >> phone....but I'm not sure why the PIX would be blocking it.<br>>> >> >> All sip fixup is off.<br>>> >> >><br>>> >> >> Any configuration suggestions would be much appreciated.<br>
>> >> >> The phone has:<br>>> >> >> nat_enable: 0<br>>> >> >> nat_received_processing: 0<br>>> >> >><br>>> >> >> That was the only way I could get opensips to send the responses<br>
>> >> >> back<br>>> >> >> to the correct port.<br>>> >> >><br>>> >> >> Thanks.<br>>> >> >><br>>> >> >> -- James<br>
>> >> >><br>>> >> >> _______________________________________________<br>>> >> >> Users mailing list<br>>> >> >> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
>> >> >> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>>> >> >><br>>> >> >><br>
>> >> ><br>>> >> ><br>>> >> > --<br>>> >> > Bogdan-Andrei Iancu<br>>> >> > OpenSIPS Bootcamp<br>>> >> > 15 - 19 November 2010, Edison, New Jersey, USA<br>
>> >> > <a href="http://www.voice-system.ro/" target="_blank">www.voice-system.ro</a><br>>> >> ><br>>> >> ><br>>> >> > _______________________________________________<br>
>> >> > Users mailing list<br>>> >> > <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>>> >> > <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
>> >> ><br>>> >><br>>> >> _______________________________________________<br>>> >> Users mailing list<br>>> >> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
>> >> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>>> ><br>>> ><br>>> ><br>>> > --<br>
>> > --<br>>> > *--*--*--*--*--*<br>>> > Duane<br>>> > *--*--*--*--*--*<br>>> > --<br>>> ><br>>> > _______________________________________________<br>>> > Users mailing list<br>
>> > <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>>> > <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
>> ><br>>> ><br>>><br>>> _______________________________________________<br>>> Users mailing list<br>>> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>>> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
><br>><br>><br>> --<br>> --<br>> *--*--*--*--*--*<br>> Duane<br>> *--*--*--*--*--*<br>> --<br>><br>> _______________________________________________<br>> Users mailing list<br>> <a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
> <a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>><br>><br><br>_______________________________________________<br>
Users mailing list<br><a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br><a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>--<br>*--*--*--*--*--*<br>Duane<br>*--*--*--*--*--*<br>--<br>