NO JOY Cisco 7941 + PIAF on EC2

Al Grant

Member
Joined
Jun 4, 2014
Messages
30
Reaction score
0
Hi All,

I have very successfully got a Cisco 7941 to work on my LAN with an instance of PIAF.

For my next project I got PIAF running on EC2 and tried to connect the phone - this has not worked so far.

I think it is to do with the way the Cisco 7941 handles NAT, explained here:

http://www.voip-info.org/wiki/view/Standalone+Cisco+7941/7961+without+a+local+PBX

and here:

http://forum.sipsorcery.com/viewtopic.php?f=6&t=2165

As I said I got a 401 UNAUTH error just trying to register.

If anyone thinks there is a good work around which doesn't involve opening up huge port ranges I would be keen to hear from them.

Regards,

-Al
 
Joined
May 22, 2013
Messages
301
Reaction score
44
From the error message it sounds more like a password issue. Usually if there is a port or NAT issue you will simply get the phone in a boot loop. Because it halts on an unauth message I'd check and double check the password (start simple, basic numbers and letters with a short-ish password, get it working, then beef up your security with longer passwords and special characters checking what does and does not work).

Before starting I would ensure you are on 9.3.1 SR2 firmware for SIP and registering on the Cisco website will let you download this firmware for free as it is now end of life as far as they're concerned (these handsets will keep giving for years to come though believe me). Then make sure your transport defaults to TCP both in your config files and on your extension. Also enter TCPENABLE=YES on general settings within Asterisk.
 

Al Grant

Member
Joined
Jun 4, 2014
Messages
30
Reaction score
0
Hi Snarpatroid,

I might give it one more go tonight - I did check the password from the extension web menu of the PIAF install against the SEP<mac>cnf.xml several times!!

According to the voip-info link I need:

5060 and 13,000 ish through to 35,000 ish UDP forwarded to my phone? That's a hell of a range to open up.

It also looks like NAT should be set to NO in PIAF from those pages - even though logic would say yes.

Finally it also looks like I should specify the real world IP of the phone in the SEP<mac>cnf.xml ?

I might post configs shortly just about to head out the door.

Regards

-Al
 

Al Grant

Member
Joined
Jun 4, 2014
Messages
30
Reaction score
0
Code:
<?xml version="1.0" ?>
<device>
  <deviceProtocol>SIP</deviceProtocol>
  <sshUserId>root</sshUserId>
  <sshPassword>letmein</sshPassword>
  <devicePool>
    <dateTimeSetting>
      <dateTemplate>D-M-Ya</dateTemplate>
      <timeZone>New Zealand Standard/Daylight Time</timeZone>
      <ntps>
        <ntp>
          <name>time.nist.gov</name>
          <ntpMode>Unicast</ntpMode>
        </ntp>
      </ntps>
    </dateTimeSetting>
    <callManagerGroup>
      <members>
        <member priority="0">
          <callManager>
            <processNodeName>54.123.36.202</processNodeName>
            <ports>
              <sipPort>5060</sipPort>
            </ports>
          </callManager>
        </member>
      </members>
    </callManagerGroup>
  </devicePool>
  <sipProfile>
    <natEnabled></natEnabled>
    <natAddress></natAddress>
    <sipProxies>
      <registerWithProxy>true</registerWithProxy>
      <outboundProxy></outboundProxy>
      <outboundProxyPort></outboundProxyPort>
      <backupProxy>54.123.36.202</backupProxy>
      <backupProxyPort>5060</backupProxyPort>
    </sipProxies>
    <preferredCodec>none</preferredCodec>
    <phoneLabel>Office</phoneLabel>
    <sipLines>
      <line button="1">
        <featureID>9</featureID>
        <featureLabel>92111</featureLabel>
        <proxy>54.123.36.202</proxy>
        <port>5060</port>
        <name>92111</name>
        <authName>92111</authName>
        <authPassword>Letmein2014</authPassword>
        <messageWaitingLampPolicy>3</messageWaitingLampPolicy>
        <messagesNumber>*97</messagesNumber>
      </line>
    </sipLines>
    <dialTemplate>dialplan.xml</dialTemplate>
  </sipProfile>
  <networkLocale>United_States</networkLocale>
  <networkLocaleInfo>
    <name>United_States</name>
    <uid>64</uid>
    <version>1.0.0.0-1</version>
  </networkLocaleInfo>
</device>
 
Joined
May 22, 2013
Messages
301
Reaction score
44
That range is too wide. Get TCP working and forget about UDP, on SIP these phones excel on TCP. If you applied the presence patch as I describe in my resources (very useful, for example I use this to enable BLF on a handset, I'm on a call, I can then use the 'park' softkey during a call, it parks a call and all handsets get a red light to indicate a call is parked on that line), these features won't work unless you're on TCP.

5060 is the port you need to use for authorising the handsets. Generally, 10,000 to 20,000 are the ports that SIP signalling works over (I have never heard of anything as high as you're talking about). Get the handset registering first then play about with the SIP signalling if you have audio problems. 5060 is key.

When it comes to dealing with passwords, nothing beats copy and paste to make sure it's correct. The times I have seen 'I' written, is that a lower case L or an upper case i? The mind plays funny tricks after staring too long at passwords ;)

To be perfectly honest I have no idea if NAT should be yes or no as I have never used EC2. I would guess if you have a static IP address then NAT is no, however for cloud computing this is not my area of expertise so perhaps someone else can give you an idea. As far as what you specify in your cnf.xml file for an IP address it should be the same IP as you'd type in a browser window to access PIAF.

Hope this helps.
 
Joined
May 22, 2013
Messages
301
Reaction score
44
Just noticed you've posted your entire cnf.xml file including your IP address and passwords, I'd take that down asap!

You could always try the cnf.xml file in my resources section which is known good on the 9.3.1 SR2 firmware, I'd get yourself on that firmware whilst you're at it as this is also known good firmware with Asterisk plus it removes a security hole the phone is vulnerable to.
 

Al Grant

Member
Joined
Jun 4, 2014
Messages
30
Reaction score
0
Hi snarpatroid,

I have purposely changed the IP and the passwords are incorrect.

9.3.1 SR2 I had problems with (it didn't seem to like my cnf.xml) so I went back to that older release - it could be worth a go, but really shouldn't stop the phone registering right?

How would I change to using TCP?
Cheers

-AL
 
Joined
May 22, 2013
Messages
301
Reaction score
44
That could be a problem in itself. If I were you, start by upgrading your firmware then use the cnf.xml in my resources section, it's already set to use TCP in the config file.

Then you also need to set your extensions to transport as all, TCP preferred. Plus in FreePBX go to settings - Asterisk SIP settings - then enter at the bottom of the screen tcpenable = yes.
 

Jake

Active Member
Joined
Aug 27, 2010
Messages
419
Reaction score
81
A VPN was the only way I could get my 7960 & 7961 to work. I could not get it to work with NAT.
 

Al Grant

Member
Joined
Jun 4, 2014
Messages
30
Reaction score
0
Yes, it certainly seems to be problematic to get it to work over NAT. I am going to see if snarpatroid wants to try to work on it with me.....

Will post results if I do.

Did you VPN to EC2?
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,540
Reaction score
729
Asterisk will need to have SIP NAT settings configured if you're running in EC2 because the public IP is not visible to Asterisk; the IP address on the network interface will be private. This will be necessary whether you use UDP or TCP SIP.

I was curious what you're using for TFTP. If you're using the TFTP server on the Asterisk server, don't forget to open that port (69 TCP and UDP) in the EC2 security group also.
 

Al Grant

Member
Joined
Jun 4, 2014
Messages
30
Reaction score
0
Yip, I have followed the tutorial when setting up Asterisk in EC2 and have a few security groups configured.

In terms of TFTP: the same phone that I want to work with EC2 I have connected to an Asterisk PC on my LAN.

To get this phone to work with EC2, I am just taking the config file SEP<mac>.cnf.xml on the Asterisk PC on the LAN, copying it so I have two versions: an EC2 version and a LAN version on the Asterisk PC at home.

Since the Cisco phone I want to work with EC2 is already configured to get its config from the home PC, I just update the EC2 version to point to the WAN IP of the EC2 instance.

I can see the phone attempting to connect to the EC2 instance so there is connectivity - it's really just a question of why I am getting UNAUTH.

So in essence I continue to use the local PC for TFTP.

I presume EC2 instance needs NAT on in asterisk settings along with WAN IP entered.

I assume to get registration I must also have 5060 on my router forwarded to the LAN IP of the cisco phone?
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,540
Reaction score
729
I presume EC2 instance needs NAT on in asterisk settings along with WAN IP entered.

Yes. Use an Elastic IP so that it doesn't change in the future with a stop/start and then put that IP in the externip field in Asterisk SIP settings.

I assume to get registration I must also have 5060 on my router forwarded to the LAN IP of the cisco phone?


No, this is not necessary. SIP registration keeps the port alive between your Cisco phone and Asterisk and symmetric RTP takes care of opening the proper RTP ports when you place or receive a phone call. If your router aggressively "cleans up" (closes) UDP sessions, make the SIP registration more frequent until the timing is below the router's clean-up threshold.
 

rjaiswal

Active Member
Joined
May 24, 2013
Messages
438
Reaction score
58
I would suggest using the latest firmware, and Snarpatroid's cnf.xml example. I would also suggest setting up a vpn tunnel between your location and ec2. I've never been able to successfully configure a 79xx phone over NAT. They weren't designed to work over the internet like that. A VPN tunnel would also be more secure.
 

Al Grant

Member
Joined
Jun 4, 2014
Messages
30
Reaction score
0
I see.

Thanks Bill, but with an Auth error and having triple checked the extension password against the xml I am not sure what to do next.
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,540
Reaction score
729
I think the tcpdump / wireshark will reveal the problem.

This might be one of those (rare) instances where SIP ALG on your router will actually solve the problem, if the Cisco phone is unable to properly traverse the local NAT.

I had a Cisco 7906 (single line) working across the Internet but it had its own public IP. (It was an experiment. I don't normally waste public IPv4 addresses on IP phones.)
 

Al Grant

Member
Joined
Jun 4, 2014
Messages
30
Reaction score
0
Is there a way from the CLI on the server to double check the extension password?
 

Al Grant

Member
Joined
Jun 4, 2014
Messages
30
Reaction score
0
Ok,

In order to debug my problem I did a simultaneous capture of the span port on the phone, and using tcpdump on the server.

Here is what the conversation looks like, note both the phone and the server are behind routers and getting NAT'd:

Cisco 7941G register

Code:
register.sip src:192.168.55.57:49156 dst:54.79.36.200:5060

My EC2 PIAF sees:

Code:
register.sip src:118.92.137.186:52804 dst:172.31.9.145:5060

The EC2 PIAF replies:

Code:
unauthorised src:172.31.9.145:5060 dst: 118.92.137.186:52804   rport=52804

Cisco 7941G receives:

Code:
unauthorised src:54.79.36.200:5060 dst:192.168.55.57:49156

In trying to understand if there is a problem I have concluded that the IP addresses seem to be getting translated ok, but the EC2 server is inserting a rport and replying not to 49156 but 52804.

Presumably the phone is not listening on that port and the conversation goes no further - apparently the 79x1's don't recognise rport.

I think this problem is also discussed here:

http://forum.sipsorcery.com/viewtopic.php?t=2165

And appears to have a solution which I have not managed to fully understand.

So (1) Is my analysis correct of the problem? (2) Any solutions other than VPN? the thread above talks about bindings and modification of code....but they are not on PIAF.

Cheers

-Al
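
The four capture points in the post above can be checked mechanically as NAT bindings: one at the phone's router, one on the EC2 side. This is an added example, not part of the original thread; the function names are hypothetical, the addresses are the ones quoted in the post, and the home router is assumed to drop inbound packets that match no existing mapping.

```python
# Added example. The addresses are the four capture points quoted in the post;
# function names are hypothetical.
from typing import NamedTuple, Optional

class Hop(NamedTuple):
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

# REGISTER as it left the phone and as Asterisk on EC2 saw it
REQ_AT_PHONE = Hop(("192.168.55.57", 49156), ("54.79.36.200", 5060))
REQ_AT_SERVER = Hop(("118.92.137.186", 52804), ("172.31.9.145", 5060))
# 401 as Asterisk sent it and as the phone received it
RSP_AT_SERVER = Hop(("172.31.9.145", 5060), ("118.92.137.186", 52804))
RSP_AT_PHONE = Hop(("54.79.36.200", 5060), ("192.168.55.57", 49156))

def nat_bindings(at_phone: Hop, at_server: Hop) -> dict:
    """Derive (inside, outside) pairs for both translations the request crossed."""
    return {
        "home_router": (at_phone.src, at_server.src),  # source NAT at the phone's site
        "ec2": (at_server.dst, at_phone.dst),          # private <-> public on EC2
    }

def translate_reply(reply: Hop, bindings: dict) -> Optional[Hop]:
    """Apply both bindings in reverse to a reply leaving the server.
    Assumption: the home router drops packets that match no existing mapping."""
    inside_home, outside_home = bindings["home_router"]
    private_ec2, public_ec2 = bindings["ec2"]
    src = public_ec2 if reply.src == private_ec2 else reply.src
    if reply.dst != outside_home:
        return None
    return Hop(src, inside_home)

def analyse() -> dict:
    b = nat_bindings(REQ_AT_PHONE, REQ_AT_SERVER)
    inside_home, outside_home = b["home_router"]
    # Hypothetical alternative: reply addressed to the phone's own local port
    # (49156) on the router's public IP instead of the mapped port.
    to_local_port = Hop(RSP_AT_SERVER.src, (outside_home[0], inside_home[1]))
    return {
        "rport_is_mapped_port": RSP_AT_SERVER.dst[1] == outside_home[1],
        "reply_arrives_as_captured": translate_reply(RSP_AT_SERVER, b) == RSP_AT_PHONE,
        "reply_to_local_port_delivered": translate_reply(to_local_port, b) is not None,
    }

if __name__ == "__main__":
    for check, result in analyse().items():
        print(f"{check}: {result}")
```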
 
