Asterisk 11 Server Behind Separate NAT and Clients Behind another NAT


James Mortensen

Sep 27, 2012, 4:03:52 PM
to doub...@googlegroups.com
After verifying that all my clients connect to ws://sipml5.org:8088/ws and have 2 way audio, and after verifying that the same EXACT configuration used on sipml5.org's server does NOT work on two independent servers I set up, it's becoming clear that the problems I'm facing have to do with my server being on EC2 and behind its own NAT.

Mac Chrome client #1 (10.X.Y.1 addr) ---+
                                        +--> NAT 50.10.Z.Z (Public IP) ---- INTERNET ---- 50.20.W.W (Public IP) EC2 NAT <--+
WinXP Chrome client #2 (10.X.Y.2 addr) -+                                                                                   |
                                                                              (10.1.2.3 private IP) (Asterisk11B 373330) --+

Hopefully, the above diagram came through okay.  I have NAT in front of my two clients, and I have an EC2 server in the cloud, which has its own NAT and private IP address, as well as a public IP address.

According to my IT department, Amazon keeps the firewall and NAT rules fairly locked down. The ports are open, but I don't believe we can control port address translation and port forwarding.

I've made some attempts to try and configure my server to live behind NAT:

sip.conf (modified ones from sipml5.org server):

rtpkeepalive=25
externaddr=50.20.W.W   ; This is the public IP I see when I ping my Asterisk server or call wimi.com's automation script.
localnet=10.1.2.3/255.255.255.0   ; This is the local IP and subnet of the EC2 instance when running ifconfig
nat=force_rport,comedia


users.conf 

[1060]
nat=force_rport,comedia
qualify=yes

Added those two entries for 1060 and 1062 users.

I made the call FROM the Mac Chrome client #1 TO The WinXP Chrome Client #2. No audio.

I've attached all my console logs and the Asterisk SIP Debug logs.  If anyone else has had to deal with NAT on the server-side, I'd appreciate any help in getting this resolved.

Thank you,
James




chrome2.txt
chrome1.rtf
chrome1.txt
ast11-nat.txt

Mamadou DIOP

Sep 27, 2012, 6:14:20 PM
to doub...@googlegroups.com
This looks logical, as Asterisk generates only host candidates. To fix the issue, Asterisk has to include server/peer reflexive candidates.


James Mortensen

Sep 27, 2012, 7:36:49 PM
to doub...@googlegroups.com
I noticed candidates in the SDP with different IP addresses, including both of my public IPs as well as the private IPs. I'm still trying to wrap my head around how the candidates work.  If you don't mind my asking, how can you tell the reflexive candidates are missing?

I'm reading http://www.packetizer.com/rfc/rfc5245/, which has a diagram on page 9 that points to the public side of the Agents' NAT to indicate the  "Server reflexive address". Looks like STUN or TURN is involved.

STUN and TURN configuration:

Not sure if this is the right thing to do, but I thought I'd try....  So.... I went into rtp.conf and res_stun_monitor.conf and added the following line in each:

I also added rtpchecksums=no to the rtp.conf file as well. Tried both with and without.

Additionally, I configured TURN settings as well in rtp.conf
turnusername=MYUSERNAME
turnpassword=MYPASSWORD


XLite To XLite:

The good news is that I can get two way audio between my 2 XLite clients!!  This is the first time I've had two-way audio on this server. Success!!  Sort of :)  

XLite to Chrome results in the following WARNING:

[Sep 27 21:27:50] WARNING[9653]: chan_sip.c:4126 __sip_autodestruct: Autodestruct on dialog '35067d6609e84e0f...@50.20.W.W:5060' with owner SIP/1061-00000001 in place (Method: BYE). Rescheduling destruction for 10000 ms

There's no audio on XLite to Chrome

Chrome to Chrome

There's no audio here either. I've attached the console logs and Asterisk logs for this session as well.


Let me know if you think it's possible or not to get this working with NAT on both ends. We're more than happy to continue providing test cases if it helps move this along. If not, if it's best to use a completely public server with NO NAT, please let me know and we'll do that too. We're happy to help move the NAT side along if need be.  Just let me know if this is something I need to report to Digium/Asterisk or if I should continue here. 

50.10.Z.Z - Public IP in front of clients
10.X.Y.1 - Mac Chrome client private IP
10.X.Y.2 - XP Chrome client private IP

50.20.W.W - Public IP in front of Asterisk 11
10.1.2.3 - Private IP of Asterisk 11 server


Thanks again for your help!

James
ast11-stun-turn.txt
chrome2-stun-turn.txt
chrome1-stun.txt

Mamadou DIOP

Sep 27, 2012, 9:51:30 PM
to doub...@googlegroups.com
If you don't mind my asking, how can you tell the reflexive candidates are missing? => I checked the code :)
The candidates from Asterisk look like this:
a=candidate:Ha7aedae 1 udp 2130706431 10.1.2.3 19290 typ host generation 0 svn 16
a=candidate:Ha7aedae 2 udp 2130706430 10.1.2.3 19291 typ host generation 0 svn 16
The "host" string after "typ" means the candidate type is "host" (local).
For server reflexive candidates (discovered using STUN), the type must be "srflx". If you're behind a NAT, only these candidates or relay (TURN) candidates could work.
The peer reflexive candidates are not part of the SDP but are dynamically discovered using the IP address and port from which we receive a STUN binding request.


Mamadou DIOP

Sep 27, 2012, 9:53:31 PM
to doub...@googlegroups.com
Forgot to say that even if these kinds of candidates are not supported yet, it should be easy to patch Asterisk to add them.


James Mortensen

Sep 27, 2012, 8:11:43 PM
to doub...@googlegroups.com
Thanks for the explanation.  I'm still not sure I fully understand what's missing.  For instance, I do see these candidates in all 3 of my files:


a=candidate:1349109546 1 udp 1912610559 50.10.Z.Z 26624 typ srflx generation 0
a=candidate:1349109546 2 udp 1912610558 50.10.Z.Z 55222 typ srflx generation 0
and
a=candidate:Ha7aedae 1 udp 2130706431 10.1.2.3 26998 typ host generation 0 svn 16
a=candidate:S17166e7b 1 udp 1694498815 50.20.W.W 26998 typ srflx generation 0 svn 16
a=candidate:Ha7aedae 2 udp 2130706430 10.1.2.3 26999 typ host generation 0 svn 16
a=candidate:S17166e7b 2 udp 1694498814 50.20.W.W 26998 typ srflx generation 0 svn 16

Is there something more that I should be seeing in addition to these?  50.20.W.W is my Asterisk public IP and 50.10.Z.Z is the public IP for the two clients.  They have the "typ srflx".


Thank you again,
James



--
James Mortensen
Project Manager, VoiceCurve, Inc.
866-707-4590
james.m...@voicecurve.com
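The check Mamadou describes above (read the type after "typ" in each a=candidate line and see whether anything beyond host candidates is offered), applied to candidate lines like the ones James pasted, as an added example that is neither Asterisk's nor sipml5's code: it parses candidate lines with the RFC 5245 grammar and reports, per media component, whether a srflx, relay or publicly addressed host candidate exists. The 203.0.113.7 address and the sample SDP are constructed placeholders.

```python
"""Classify a=candidate lines from an SDP offer and report, per media component,
whether any candidate is reachable from across a NAT. Added example, not Asterisk
or sipml5 code; the sample SDP is constructed."""
import ipaddress
import re

# RFC 5245 candidate grammar; trailing extension tokens ("generation 0 svn 16") are kept.
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ "
    r"(?P<typ>host|srflx|prflx|relay)(?P<ext>(?: \S+)*)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True for private addresses that a peer on the far side of a NAT cannot route to."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in RFC1918)
    except ValueError:  # not an IP literal (e.g. an unresolved placeholder such as 50.10.Z.Z)
        return False

def parse_candidate(line):
    """Return a dict for one a=candidate line, or None if the line is not one."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        return None
    c = m.groupdict()
    for key in ("component", "priority", "port"):
        c[key] = int(c[key])
    c["ext"] = c["ext"].split()
    return c

def nat_readiness(sdp):
    """Map component id -> True if it has a srflx/relay candidate or a public host candidate."""
    ok = {}
    for c in filter(None, map(parse_candidate, sdp.splitlines())):
        reachable = c["typ"] in ("srflx", "relay") or (c["typ"] == "host" and not is_rfc1918(c["addr"]))
        ok[c["component"]] = ok.get(c["component"], False) or reachable
    return ok

# Constructed sample: 10.1.2.3 is the PBX's private address, 203.0.113.7 a placeholder for its public NAT address.
HOST_ONLY_SDP = (
    "a=candidate:Ha7aedae 1 udp 2130706431 10.1.2.3 19290 typ host generation 0 svn 16\n"
    "a=candidate:Ha7aedae 2 udp 2130706430 10.1.2.3 19291 typ host generation 0 svn 16\n"
)
WITH_STUN_SDP = HOST_ONLY_SDP + (
    "a=candidate:S17166e7b 1 udp 1694498815 203.0.113.7 19290 typ srflx generation 0 svn 16\n"
    "a=candidate:S17166e7b 2 udp 1694498814 203.0.113.7 19291 typ srflx generation 0 svn 16\n"
)
```

Running `nat_readiness` over each side's SDP shows at a glance which component is stuck with unroutable host candidates only, which is the situation the thread describes for the Asterisk side before STUN was enabled.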

Mamadou

Sep 27, 2012, 8:25:23 PM
to doub...@googlegroups.com, James Mortensen
chrome1.txt: the recv=INVITE...
chrome2.txt: the recv=SIP/2.0...
..perhaps I'm missing something unless you can give the file name and line number

James Mortensen

Sep 27, 2012, 8:25:22 PM
to doub...@googlegroups.com
If I understand what's being said here in this document correctly, http://www.voiptraversal.com/ice_methodology.htm, it's the "relay" types that I'm missing. The "typ relay" from the TURN server.  I have it configured but haven't verified it's making connections. Will do that now.

James

Mamadou

Sep 27, 2012, 8:29:30 PM
to doub...@googlegroups.com, James Mortensen
TURN is only required for rare cases (e.g. two symmetric NATs).
In any case, Chrome does not support TURN yet.
As I suggested, you can try using one of the public servers on the website (sip2sip.info, ...) to see if it works with 2 Chromes or not. If it works, this means you don't need TURN.

James Mortensen

Sep 27, 2012, 8:40:22 PM
to doub...@googlegroups.com, James Mortensen
please check the latest attachments:

chrome2-stun-turn.txt:

Line 31:
a=candidate:3524997644 1 udp 1912610559 50.10.Z.Z 3829 typ srflx generation 0
a=candidate:3524997644 2 udp 1912610559 50.10.Z.Z 3829 typ srflx generation 0

Line 61:
a=candidate:3524997644 1 udp 1912610559 50.10.Z.Z 3829 typ srflx generation 0
a=candidate:3524997644 2 udp 1912610559 50.10.Z.Z 3829 typ srflx generation 0

Line 237:
a=candidate:S17166e7b 1 udp 1694498815 50.20.W.W 26998 typ srflx generation 0 svn 16
a=candidate:Ha7aedae 2 udp 2130706430 10.1.2.3 26999 typ host generation 0 svn 16
a=candidate:S17166e7b 2 udp 1694498814 50.20.W.W 26998 typ srflx generation 0 svn 16


And in chrome-1-stun.txt:

Line 36:
a=candidate:S17166e7b 1 udp 1694498815 50.20.W.W 5998 typ srflx generation 0 svn 16
a=candidate:Ha7aedae 2 udp 2130706430 10.1.2.3 5999 typ host generation 0 svn 16
a=candidate:S17166e7b 2 udp 1694498814 50.20.W.W 5998 typ srflx generation 0 svn 16

Line 46:
a=candidate:S17166e7b 1 udp 1694498815 50.20.W.W 6048 typ srflx generation 0 svn 16
a=candidate:Ha7aedae 2 udp 2130706430 10.1.2.3 6049 typ host generation 0 svn 16
a=candidate:S17166e7b 2 udp 1694498814 50.20.W.W 6048 typ srflx generation 0 svn 16

Line 118:
a=candidate:1349109546 1 udp 1912610559 50.10.Z.Z 45503 typ srflx generation 0
a=candidate:1349109546 2 udp 1912610558 50.10.Z.Z 7981 typ srflx generation 0

Line 138:
a=candidate:1349109546 1 udp 1912610559 50.10.Z.Z 7903 typ srflx generation 0
a=candidate:1349109546 2 udp 1912610558 50.10.Z.Z 6520 typ srflx generation 0

Line 227:
a=candidate:1349109546 1 udp 1912610559 50.10.Z.Z 45503 typ srflx generation 0
a=candidate:1349109546 2 udp 1912610558 50.10.Z.Z 7981 typ srflx generation 0

Line 234:
a=candidate:1349109546 1 udp 1912610559 50.10.Z.Z 59296 typ srflx generation 1
a=candidate:1349109546 2 udp 1912610558 50.10.Z.Z 24279 typ srflx generation 1


I'll also give sip2sip.info a try and see if I can determine if a firewall is in the way. Thx!

James
chrome2-stun-turn.txt
chrome1-stun.txt

James Mortensen

Sep 27, 2012, 9:10:23 PM
to doub...@googlegroups.com, James Mortensen
Created two sip2sip.info accounts. Here's what I found.

  • If Expert mode empty, it defaults to ws://sipml5.org:6062/ which I think is Resiprocate.  I can register both of my sip2sip.info accounts and make a call from Mac Chrome to XP chrome. Video works and audio works.  No issues.
  • If Expert mode set to ws://sipml5.org:8088/ws (your Asterisk 11 server), I get Forbidden (Bad Auth).
  • If Expert mode set to ws://50.20.W.W:8088/ws (my Asterisk 11 server), I also get Forbidden (Bad Auth).
Configuration in Chromes:
password:  MY PASSWORD
realm:  sip2sip.info


Not sure if this is the right thing to do or not. I'm assuming only Resiprocate is supposed to act as the WS proxy to pass the request to sip2sip.info...  Hope this helps! Thanks again.

James

Hadi Ams

Sep 28, 2012, 4:29:22 AM
to doub...@googlegroups.com, James Mortensen
You are right James, only resiprocate, which is a SIP proxy, can forward your register messages to sip2sip.info.
Asterisk is a SIP-enabled PBX and does not forward the message to sip2sip. It only checks the registration against its own database (users.conf), and obviously you get bad auth.
I don't know if it will help or has any use for you, but you can create a registration in Asterisk, so at start up a public SIP account will be registered to external servers, and then create a dial plan to forward any incoming SIP calls that come for that public account to your local account and vice versa.
So it means, if somebody calls "e.g. te...@ekiga.net", the local account 1060 will be called in your browser.
And you can also define in Asterisk to dial out SIP calls to external accounts, so when you are logged in with 1060, if you call x...@yyy.com the call will go out of Asterisk. But again you need a dialplan and local accounts on Asterisk, and you should manage extensions.conf to redirect these calls to each other.

James Mortensen

Sep 28, 2012, 2:02:14 PM
to doub...@googlegroups.com, James Mortensen
Ok, so assuming making the calls with the 2 sip2sip.info accounts in two Chromes through Resiprocate is what Mamadou was suggesting, then that means I don't need TURN.  I've disabled it since I was able to make the calls and hear audio.

Since I am showing the "srflx" candidates in my logs, it seems like this might not be a configuration problem. I'm open to more suggestions or things to try. 

In the meantime, I'll spend some time looking at more tcpdumps and see if anything stands out to me. I may also try something other than EC2 as a hosting provider, since EC2 throws up NAT in front of the instances and other cloud server hosts don't.  :)  Thanks again.

James

James Mortensen

Sep 28, 2012, 3:26:44 PM
to doub...@googlegroups.com, James Mortensen
Hello,

The other thing I tried, which is hopefully helpful, is I set up Resiprocate (webrtc2sip) on my EC2 server using the instructions found here:  http://code.google.com/p/webrtc2sip/

I registered using my 2 sip2sip.info accounts and used ws://50.20.W.W:4062/  where 50.20.W.W is the IP address of my server with webrtc2sip.  I have 2 way audio in Chrome!  

Not sure if this is what Mamadou was asking me to do, but if I understand, this means the problem is not with Chrome, not with sipml5, and is most likely a problem with Asterisk?  Is this accurate?

James

James Mortensen

Sep 28, 2012, 9:45:54 PM
to doub...@googlegroups.com, James Mortensen
I went ahead and installed Asterisk on a Rackspace server with the public IP bound to the network interface.  With no server NAT, I am able to get two way audio in Chrome to Chrome.  

So for now, I'd suggest staying away from EC2 and platform providers that put NAT in front of the servers.

James