Hi Folks.
We have just set up an Asterisk/Thirdlane box on a public IP (hosted environment) with no NAT from the server side at all.
We have set up 4 phones, Linksys SPA942's/922's, all at different sites behind different firewalls, and firewalls doing NAT.
In PBX manager we have set extensions to nat=Y and reinvite=no.
Phones are registering all ok for a day or so, then they go into lala land. The only way to get the phones to re-register is restart remote firewalls. Re-booting or cold starting the phone does nothing.
Yesterday I set up a STUN server, so now all phones are using STUN as well,
so we will see if that makes a difference to the phones or not.
In the pbx manager info page we are not seeing the phones showing nat.
SIP Peers
Name/username Host Dyn Nat ACL Port Status
775-XtremeOffice/775-Xtre (Unspecified) D N 0 Unmonitored
774-XtremeOffice/774-Xtre 203.171.43.49 D N 5060 Unmonitored
772-XtremeOffice/772-Xtre 203.171.32.245 D N 51907 Unmonitored
773-XtremeOffice/773-Xtre 203.171.40.253 D N 11317 Unmonitored
Am I missing something ?
Thanks
Nat in PBX info page
Hi Chris,
Different firewalls at each site. I have set the keepalive time to 5 sec's on all phones.
I would have thought if nat was working correctly back to our hosted server, we would have seen Y under nat in pbx info page?
Cheers Chris
Dion
all nat=yes does is send sip
all nat=yes does is send sip replies back to the IP address that sent the message INSTEAD of the address in the URI, because the phone is sending things from sip:exten@some.private.ip which you can't route to.
btw the 'N' means that it's configured to use nat. It will either be empty or an N. Nat problems with sip are one of the big reasons why I use firewalls with built-in sip proxies.
Hi Dion, are you using
Hi Dion,
are you using provisioning? If so, we had a LOT of problems with the NAT settings.
this setting is controlled by the NAT setting in the extensions
${NAT_MAPPING}
This setting is hard setup to YES in TL, (BAD TL) as you can see I changed the setting to NO in our scripts and it corrected the problem.
no
the problem this caused us was that the phone, once brought online, would provision and work fine; then either after a couple of hours OR a few back-to-back calls the phone would go offline and stay that way.
if you are not using provisioning you need to check the port settings in your firewalls and make sure sip ports are open.
the fact that the phones do register says the system and the phones are set correctly, and the fact that they go offline after a while points to your firewall settings.
one other item that can
one other item that can cause SIP devices to lose their registrations are the
ip_nat_sip and ip_conntrack_sip kernel modules. Check to make sure they aren't loaded
'lsmod | grep sip'
Nat mapping disabled
Well, now I have disabled nat mapping I am getting my phone dropping offline more often. If I make 2 calls within 10 secs, the phone de-registers and comes up with proxy unreachable, then comes right after 20 secs or so.
In the linksys phones there is a whole lot of nat/via settings, does anyone have any info on these? I have had a good look around the net and have failed to find any decent info?
NAT Support Parameters
Handle VIA received: yes/no Handle VIA rport: yes/no
Insert VIA received: yes/no Insert VIA rport: yes/no
Substitute VIA Addr: yes/no Send Resp To Src Port: yes/no
Thanks
Dion
I am having a bad NAT trip as well
Thought I'd chime in as I am fighting a NAT issue tonight as well. I just changed from a Cisco PIX-501 10-user to a Linksys RV042 50-user router at my house. My phones have multiple extensions on two different SIP servers; the (non-asterisk) VoIP switch from my day job company, and my Thirdlane Asterisk MT system. Before the change, all extensions worked; both SIP servers showed the public IP address for the phones. After the change, the Thirdlane extensions stopped registering, but the extensions on the day job SIP server still functioned. However, when I look at the day job server, it now shows both a public IP and the original private IP address of each phone behind the firewall. On my Thirdlane MT, it looks like the phones are trying; I see the private addresses of the phones in PBX info, but no reference to the public IP address of the firewall. The phones never think they are registered on those extensions. NAT is checked on all of the User Extensions in PBX Mgr, no difference either way.
So what it looks like to me is that the RV042 is fixing up the SIP protocol in such a way as to map multiple phones better (it works great on the day job switch, better than anything else), but Asterisk doesn't like it that way. I guess the SIP fixup in the PIX could be older and more compatible, sending out the public IP in the URI more to what asterisk expects.
Hell I'm just guessing at this point...
Be sure to turn off NAT for
Be sure to turn off NAT for the extensions that are having the issue. I find that if the router is trying to change the packet payload you do not want NAT enabled for those extensions.
-Matt
Sometimes so dumb
Well I figured out my mistake. It was the NAT box in User Extension. Only I was in the wrong tenant (duh). So I guess RV042 works after all.
I sometimes have this issue
I sometimes have this issue that a phone becomes unreachable
When I do sip show peer 1001-xxxxxxxxxx this is what comes up
Name : 1001-xxxxxxxxxx
Secret :
MD5Secret :
Context : from-inside-xxxxxxxxxx
Subscr.Cont. : local-extensions-xxxxxxxxxx
Language :
AMA flags : Unknown
Transfer mode: open
CallingPres : Presentation Allowed, Not Screened
Callgroup :
Pickupgroup :
Mailbox : 1001@default-xxxxxxxxxxx
VM Extension : asterisk
LastMsgsSent : 32767/65535
Call limit : 0
Dynamic : Yes
Callerid : "" <>
MaxCallBR : 384 kbps
Expire : 958
Insecure : no
Nat : Always
ACL : No
T38 pt UDPTL : No
CanReinvite : No
PromiscRedir : No
User=Phone : No
Video Support: No
Trust RPID : No
Send RPID : No
Subscriptions: Yes
Overlap dial : Yes
DTMFmode : rfc2833
LastMsg : 0
ToHost :
Addr->IP : 173.68.244.90 Port 50876
Defaddr->IP : 0.0.0.0 Port 5060
Def. Username: 1001clone-xxxxxxxxxx
SIP Options : (none)
Codecs : 0xe (gsm|ulaw|alaw)
Codec Order : (ulaw:20,alaw:20,gsm:20)
Auto-Framing: No
Status : UNREACHABLE
Useragent : PolycomSoundPointIP-SPIP_550-UA/3.1.1.0137
Reg. Contact : sip:1001clone-xxxxxxxxxx@192.168.1.44
Sometimes the following message comes up, but not always
[Jan 3 08:14:42] NOTICE[3772]: chan_sip.c:15679 sip_poke_noanswer: Peer '1001-xxxxxxxxxx' is now UNREACHABLE! Last qualify: 3023
and it can sometimes take up to 20 minutes till it comes back up. I usually reboot and it re-registers
Any thoughts/advice?
thanks
let me guess, your phones
let me guess, your phones are behind a NAT device and you have more than 5-10 phones there? If so you would benefit from a sip proxy like siproxd
actually it's all over the
actually it's all over the place, maximum 5 phones on each network, and I keep on running into unmonitored and/or unreachable
Any advice on what I could do to make sure the status stays OK?
I've had a lot of success
I've had a lot of success setting the registration expiration on the phones to about 5 minutes. I run an office with a lot of softphones and a lot of remote employees with Polycom hardware phones that got shipped to them. Most of them tend to have standard household cable routers with NAT firewalls on them. Most of these will open a return port for SIP traffic once the phone initiates a connection (say by registering) and then will close that hole after 10 minutes of inactivity on the connection. Dropping the registration expiration on the phone down to 5 minutes or so (it defaults to an hour on most hardware devices) causes the re-register traffic to hold the connection open.
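The timeout reasoning in the post above, applied to the `sip show peer` output quoted earlier in the thread, as an added example (not code from any poster or from Thirdlane). It assumes `Expire` is the number of seconds left until the registration lapses and uses the 10-minute idle timeout from the post as the NAT binding lifetime; the function names and finding labels are made up for this sketch.

```python
import ipaddress
import re

# Constructed sample: a few fields trimmed from the `sip show peer` output in the thread.
SAMPLE = """\
  Name         : 1001-xxxxxxxxxx
  Expire       : 958
  Nat          : Always
  Addr->IP     : 173.68.244.90 Port 50876
  Status       : UNREACHABLE
  Reg. Contact : sip:1001clone-xxxxxxxxxx@192.168.1.44
"""

NAT_UDP_TIMEOUT = 600  # assumption: router closes an idle UDP mapping after ~10 minutes


def parse_peer(text):
    """Turn 'Key : value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _ip(text):
    """Return an ip_address, or None for values such as '(Unspecified)'."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def diagnose(fields, nat_timeout=NAT_UDP_TIMEOUT):
    """List the NAT-related findings for one parsed peer."""
    findings = []
    source_ip = _ip((fields.get("Addr->IP") or "-").split()[0])
    match = re.search(r"@([0-9.]+)", fields.get("Reg. Contact", ""))
    contact_ip = _ip(match.group(1)) if match else None
    # A private Contact that differs from the packet source means the phone sits behind NAT.
    if contact_ip and contact_ip.is_private and contact_ip != source_ip:
        findings.append("behind-nat")
        if not fields.get("Nat", "").lower().startswith(("always", "yes")):
            findings.append("nat-off")  # replies would be sent to the unroutable Contact
        if int(fields.get("Expire", "0")) > nat_timeout:
            findings.append("expiry-exceeds-nat-timeout")  # mapping can close before re-register
    if fields.get("Status", "").startswith("UNREACHABLE"):
        findings.append("unreachable")
    return findings
```

Feed it the output of `sip show peer <name>` captured from the Asterisk CLI; a peer that reports `expiry-exceeds-nat-timeout` is a candidate for the shorter registration interval described above.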
what about using VPN
Has anybody tried to use a VPN for VoIP? I just read a lot of articles about it. This solution will allow you to have all phones and asterisk on the same network (so no NAT problems). Another advantage of VPN is security (nobody can sniff your packets and listen to your conversation) and bandwidth control. VPN will add some overhead but the difference is not so big.
How do you secure QoS for VoIP calls?
Peter
you lose DSCP markings (QoS)
you lose DSCP markings (QoS) if you tunnel the packets inside an ipsec tunnel.
the problem is
that not all network devices support ToS... Do you install on every customer's network some gateway for ToS support and a SIP proxy for NAT?
Peter
All my quotes include a poe
All my quotes include a PoE switch that does 802.1q VLANs and DSCP. It also includes a sip proxy if they are using a hosted solution of 5 or more phones. The sip proxy acts as a gateway for the voice vlan as well as sidestepping the NAT issue where dozens of devices try to share a single IP. Keepalives only go so far; they only take place over SIP and do nothing for the randomly assigned ports of RTP traffic.
Of course, the customer can insist on not using any of this. But, in almost every case, they eventually have quality problems and try to blame us for it. The unwillingness to use a qos switch and sip proxy has become almost a litmus test for customers that are going to be much bigger time sinks than average.
the proxy itself is siproxd
the proxy itself is siproxd which can be implemented on different hardware.
If the customer is amenable to replacing their existing firewall (maybe it's a no-frills home-based firewall/router) I would put endian firewall community edition on some hardware running the lan as zone green and the voice vlan as zone blue (normally reserved for a separate wireless network). This firewall includes transparent proxies for virus scanning of http, smtp, pop, imap and ftp traffic as well as some spam filtering. It's quite a firewall upgrade for someone using a $80 router. Additionally it supports additional DHCP options so you don't have to program nearly as much on the polycoms.
If the customer is married to their firewall (maybe it's cisco or they have a bunch of VPNs running) then you're looking at a sip proxy solution that runs parallel to their firewall as the gateway for the voice network. In such a case you could install OpenWRT on a linksys WRT54GL ($80) and install the siproxd package. You can also remove the original dnsmasq utility with its limited dhcp server and install a full-fledged dhcp server.
Do you need to have public
Do you need to have a public IP address on the WAN interface of the WRT54GL when you can't replace the customer's firewall?
Peter
yes, if you can't replace
yes, if you can't replace the customer's firewall, just run it in parallel with a 2nd public ip. It won't be as perfect but better than running behind the original firewall.
Not sure but I do not think STUN will solve your issue. Are you using the same type of firewall at each site? There is a NAT keepalive setting in the Linksys devices.
Cheers,
Chris A