TIPS Where are my SIP packets going?

[jemadsen]

Greetings PIAF People,

I am having a strange problem with my remote ATA. Randomly and for days, my remote phone looses registration with my PIAF. It was last working four day ago. I do not believe it is a problem with the PIAF. The last time I try to troubleshoot it started to work.

My configuration looks like this:

. . . . . . . . . . . TCPDUMP | . . . . | TCPDUMP
. . . . . . . . . . . . . .| . . . .|
Phone – ATA - - - - - Firewall | - WAN – | Firewall – PIAF
. . . (HT287 Rev4) . (DD-WRT NAT) . . . .(DD-WRT NAT)

My firewall is configured to pass 5060 and 10,000-20,000 UDP traffic to the PIAF. When I run TCPDUMP on the WAN side of each firewall with only the ATA turned on, I see 5060 UDP packet leave the remote site, but never arrive at the PIAF site. I run NMAP on a machine behind the remote firewall sending 5060 UDP packet to the PIAF site, I see those packet on my PIAF firewall.

nmap -sU --data-length 495 -p 5060 piafsite.net
02:29:14.299310 IP remotesite.net.54570 > piafsite.net.5060: SIP, length: 495
02:29:14.934804 IP remotesite.net.54571 > piafsite.net.5060: SIP, length: 495


Can someone suggest something I am doing wrong or a better troubleshooting technique to isolate the problem?

Thanks,
Jens

 

[bucasia]

Seems like your troubleshooting is good. You're outside the remote firewall, so it's not a SIP ALG messing up the packets. And the fact that other packets to port 5060 get through confirms it's not a general network issue.

The only think I can think of is that your ISP is doing deep packet inspection and blocking specific packets destined for port 5060. Maybe only packets that they see contain SIP INVITE/REGISTER requests.

 

[briankelly63]

I assume there are a lot of versions of dd-wrt and others who are familiar with those issues may comment.

I'd be focused on the dd-wrt routers-firewall as the source of the issue. I don't know how much logging the router itself does but the beauty of firewalls like PfSense are that you get a much better window into whats going on.

 

[hbonath]

This sounds like a routing problem to me. Can you run "mtr" from your ATA source to PBX IP and see what's going on there?

 

[jemadsen]

Thank you for the responses. When I have had the time to look at it, it seems to work.

In the interim, the router at the ATA end died and my son replaced it with out of the box firmware. The ATA registered for a while then stopped working. I found that the extension setting was set to N0-RFC3581. I set it to Yes. I am waiting to see if this solves the problem.

Here is the output from mtr from the lan with the ATA to the firewall of the piaf lan. And yes it works. Thanks for a new mtr command.

Start: Wed Apr 30 18:28:49 2014
HOST: spock.madnet.madcyberspace. Loss% Snt Last Avg Best Wrst StDev
1.|-- reed.madnet.madcyberspace 0.0% 100 0.3 0.2 0.2 0.3 0.0
2.|-- 192.168.0.1 0.0% 100 3.7 2.4 0.8 3.7 0.6
3.|-- albq-dsl-gw49.albq.qwest. 0.0% 100 32.6 41.9 27.9 200.2 30.2
4.|-- albq-agw1.inet.qwest.net 0.0% 100 32.6 32.4 27.8 80.6 7.0
5.|-- dvr-brdr-02.inet.qwest.ne 0.0% 100 42.2 44.0 37.6 98.3 10.8
6.|-- 63.146.26.130 0.0% 100 41.7 43.1 37.5 110.4 10.4
7.|-- vb2000d1.rar3.denver-co.u 0.0% 100 111.4 111.9 97.9 124.7 6.6
8.|-- te-4-2-0.rar3.dallas-tx.u 0.0% 100 109.1 111.6 97.4 123.0 6.0
9.|-- ae0d0.mcr2.tampa-fl.us.xo 0.0% 100 111.2 109.2 94.9 173.6 10.2
10.|-- ae1d0.mcr1.tampa-fl.us.xo 1.0% 100 163.2 110.8 96.2 173.4 15.5
11.|-- 64.220.113.206.ptr.us.xo. 2.0% 100 83.4 82.7 77.4 85.7 1.7
12.|-- hun0-0-0-0.tamp20-car2.bh 1.0% 100 126.8 119.6 103.1 133.3 5.8
| `|-- 72.31.208.3
| |-- 72.31.117.159
| |-- 72.31.117.157
| |-- 71.44.3.93
| |-- 72.31.117.165
13.|-- ten0-8-0-0.orld71-CAR1.bh 2.0% 100 119.4 120.3 103.9 130.3 6.3
| `|-- 71.44.1.209
| |-- 71.44.1.213
| |-- 71.44.1.215
14.|-- ten0-5-0-6.orld31-car2.bh 0.0% 100 117.9 116.5 104.1 125.1 4.8
| `|-- 97.69.194.143
| |-- 97.69.194.145
| |-- 72.31.192.103
| |-- 71.44.61.23
| |-- 72.31.194.253
| |-- 97.69.194.147
| |-- 71.44.61.21
15.|-- ten0-1-0-0.orld30-ser2.bh 0.0% 100 112.0 114.5 104.0 144.8 5.5
| `|-- 71.44.61.3
| |-- 71.44.61.1
| |-- 72.31.193.7
16.|-- ten3-0-0.ORLD30-cts1.bhn. 0.0% 100 113.6 114.2 103.5 123.0 4.0
| `|-- 97.69.193.177
17.|-- ??? 100.0 100 0.0 0.0 0.0 0.0 0.0

 

[visionlogic]

Thanks for a new mtr command.

It's a good tool. And those on Windoze boxes can use WinMTR freeware (Not spamming - I'm just a satisfied user of it).

 

[jemadsen]

I worked this problem on and off for the past few months and came to the conclusion that I just do not understand SIP handshaking enough to troubleshoot this problem. My solution was to build up another BeagleBoneBlack piaf and install it at the remote site.
Thanks for all the help!

 

[jemadsen]

Solution.
I had some time over the holidays with the local network and traced the problem to a DLINK DIR 615 wireless router. I could not get the router to work with SIP and replaced the router.
Thanks again for the help.
Jens