Geekzone: technology news, blogs, forums




Topic # 83345 14-May-2011 13:55

Hi All,
I've spent the morning trying to figure out why I can only periodically receive calls.  I'm starting to feel like I'm missing something obvious and can't see the woods for the trees.
This is a newly setup Elastix install, elastix-2.0.0-58.  Previously I had Trixbox - the same condition existed on that host as well.  I've only just got around to sorting the issue out :)
I have also recently rebuilt my firewall (about a month ago).

To clarify, I can call out, call between extensions fine, and even receive calls -  but only periodically.  I can always receive an inbound call after placing one out.

Disclosure: a lot of the information I have provided has been obfuscated.

The network looks like:
Internet ----- ADSL Modem ----- Firewall ----- Elastix
                                                           |-- Snom M3 phone

The ADSL modem is a Nokia M1122, firewall is pfSense.

For the sake of completeness, I'll also describe the ports I've opened.
I have an entry on the ADSL modem that NAPT's the ports 5060 and 5061, UDP to the Elastix host's IP.  There are also static routes for the network that the Asterisk (Elastix) host sits on.
There are entries on the firewall allowing traffic from 58.28.20.150 (pan.wxnz.net) and 202.180.76.163 (iax.2talk.co.nz) on ports 5060 and 5061 to the Asterisk (Elastix) host.  There is no NAT performed on the pfSense firewall - it's for want of a better term a routing firewall.
In addition I only allow communication from the Asterisk (Elastix) host to 58.28.20.150 (pan.wxnz.net) and 202.180.76.163 through the firewall.

I'm fairly confident that I've got everything sorted on the firewall as I'm not seeing any traffic that I don't expect to see denied.

My peer details for peer 1 are:
username=12345abcdef
type=peer
secret=secret12345
regseconds=180
registertimeout=20
port=5060
nat=yes
maxexpirey=180
insecure=invite,port
host=pan.wxnz.net
fromuser=42345678
fromdomain=pan.wxnz.net
dtmfmode=rfc2833
disallow=all
defaultexpirey=180
context=from-trunk
canreinvite=no
allow=ulaw&alaw

User Context for peer 1:
12345abcdef

Register String for peer 1:
42345678:secret12345:[email protected]/42345678

My peer details for peer 2 are:
username=ghijkl67890
type=peer
secret=secret67890
regseconds=180
registertimeout=20
port=5060
nat=yes
maxexpirey=180
insecure=invite,port
host=pan.wxnz.net
fromuser=49876545
fromdomain=pan.wxnz.net
dtmfmode=rfc2833
disallow=all
defaultexpirey=180
context=from-trunk
canreinvite=no
allow=ulaw&alaw

User Context for peer 1:
ghijkl67890

Register String for peer 1:
49876545:secret67890:[email protected]/49876545

I'm also confident that my call plans are OK as when the phones do work, routing etc, works perfectly and as expected.

I enabled SIP debugging to try and determine what the issue might be, but I get nothing on the console when I ring in, which suggests that the traffic isn't even getting to the Asterisk host (which is reinforced by the logs on the firewall).

A sip show registry displays:
*CLI> sip show registry
Host                           dnsmgr Username       Refresh State                Reg.Time
pan.wxnz.net:5060              N      49876545           285 Registered           Sat, 14 May 2011 13:22:27
pan.wxnz.net:5060              N      42345678           285 Registered           Sat, 14 May 2011 13:22:27
2 SIP registrations.

Interestingly enough, I can only see the registration for 42345678 at: http://myvfx.xport.co.nz/User/Registrations/

I haven't tested if the same issue exists for the second line as it's just occurred to me that I should have tested that.  I'll make sure I test to see if the second line is affected next time the condition occurs.


Sorry for the long post, hopefully I've given enough information to help you help me :)

Any ideas as to what to check next?

Cheers,
Glen

Biddle Corp

Reply # 469065 14-May-2011 14:18

Odds are it's definitely a firewall issue with the NAT pinhole closing before the SIP registration timeout.




Reply # 469067 14-May-2011 14:34

That's what I was hoping, I can diagnose that - however, I can't see anything in the firewall logs.
I wonder if it's the M1122 starting to have issues? Undecided

WorldxChange

Reply # 469069 14-May-2011 14:45

I don't know your account details so couldn't check, but intermittent inbound calls is almost exclusively a NAT / firewall / pinhole issue. If I had your details I could check the call records, but I will take an educated guess that we will see no response to the invite being sent.

Some Symptoms of Nat / firewall issues are

1. Outbound calls okay
2. Inbound calls fail intermittently
3. Inbound Calls are generally straight after an outbound call.




Yes I am an employee of WxC (My Profile) ... but I do have my own opinions as well Wink

             

https://www.facebook.com/wxccommunications
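The pinhole-timeout hypothesis raised in the replies above, worked through as an added example (not part of any poster's message): it parses `sip show registry` output in the shape shown in the first post and reports how long each registration would be unreachable if the NAT device drops idle UDP mappings. The NAT timeout and keepalive values are assumptions, since the thread does not state them; the function name is hypothetical.

```python
import re

# Constructed sample, in the shape of the `sip show registry` output in the first post.
SAMPLE = """\
Host                           dnsmgr Username       Refresh State                Reg.Time
pan.wxnz.net:5060              N      49876545           285 Registered           Sat, 14 May 2011 13:22:27
pan.wxnz.net:5060              N      42345678           285 Registered           Sat, 14 May 2011 13:22:27
2 SIP registrations.
"""

# host:port, dnsmgr flag, username, refresh seconds, state (Reg.Time is ignored)
ROW = re.compile(r"^(\S+:\d+)\s+([YN])\s+(\S+)\s+(\d+)\s+(\S.*?)(?:\s{2,}.*)?$")


def pinhole_gaps(registry_text, nat_udp_timeout, keepalive=None):
    """For each registration, estimate the seconds per cycle during which an
    inbound INVITE would find the NAT mapping already expired.

    nat_udp_timeout: assumed idle timeout of the NAT device's UDP mapping.
    keepalive: assumed interval of any other outbound SIP traffic to the
               provider (for example OPTIONS pings), or None if there is none.
    """
    results = []
    for line in registry_text.splitlines():
        m = ROW.match(line.rstrip())
        if not m:
            continue  # header row, summary line or blank line
        host, _dnsmgr, user, refresh, state = m.groups()
        refresh = int(refresh)
        # Longest quiet period between packets sent towards the provider.
        interval = min(refresh, keepalive) if keepalive else refresh
        closed = max(0, interval - nat_udp_timeout)
        results.append({
            "host": host,
            "user": user,
            "state": state,
            "interval": interval,
            "closed_seconds": closed,
            "closed_fraction": round(closed / interval, 2),
            # Unregistered lines are unreachable regardless of NAT state.
            "at_risk": closed > 0 or state != "Registered",
        })
    return results


if __name__ == "__main__":
    for r in pinhole_gaps(SAMPLE, nat_udp_timeout=60):
        print(r)
```

With a 285-second refresh and an assumed 60-second mapping timeout, the line is unreachable for most of each cycle, which matches the symptom of inbound calls working only shortly after outbound traffic.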



Reply # 469073 14-May-2011 14:56

Hmmm...   I wonder if it was when I upgraded from pfSense 1.3 to 2.0 that caused the issue.
Will send you a PM Maverick,

Thanks for your help guys.

BTW: anyone know how to get the filter logs from a Nokia M1122?

And any suggestions for a new modem with a true firewall?  Something that can do NAPT.  I was looking at the SRP527W, but might wait for the VDSL 2 stuff to come out.

I was eyeing up a Juniper SSG20 with an ADSL2 modem.  But things got expensive quickly :)

Reply # 469181 14-May-2011 23:37

It's most certainly an inbound NAT issue as when you establish an outbound connection it's working as the firewalls are stateful.

My advice would be to disable NAT on your modem and run your modem and pfsense firewall in half-bridge mode if you can, which will mean you only have one device doing any NAT.

If you want your current setup to work you'd need to adjust the NAT rules on your pfsense box to pinhole SIP traffic with a source of your modem and not WxC. Double NAT is nasty.



Reply # 469201 15-May-2011 08:29

I've been avoiding running the modem in half bridge mode for the only reason that it's another device for someone to get through if one decided to have a hack around on my DSL link.  Defense in depth and all that Wink

Remember guys, the setup used to work fine for a number of years.

Interestingly enough, I had a play with the M1122 command line and enabled NAPT debug.  Bam - the M1122 did a warm reboot.  I can enable debug on everything else but for NAPT.  Odd.

I might try another modem.

WorldxChange

Reply # 469466 16-May-2011 06:56

Checked out the details you sent me for the call at 9:11. It timed out when the invite was sent to your IP, it then auto failed over to your cell, so pretty much what I thought; really looks like your NAT / firewall has broken somewhere since you're not even seeing the SIP message hit your box.




Reply # 469562 16-May-2011 11:42

Thanks maverick.



Reply # 481080 14-Jun-2011 16:19

I thought I should post a resolution here just in case anyone else has similar issues in the future.  I replaced my DSL modem and things have been great since.

The poor M1122 has been put out to pasture :(


Thanks for your help in diagnosing the issue - much appreciated.

WorldxChange

Reply # 481084 14-Jun-2011 16:24

Thanks for the update



