RTP / NAT Question ( Pjsip )
I am having trouble with RTP and NAT:
Below is a SIP SDP invite from a remote endpoint which is trying to call extension 420, which is the ECHO application.
As you can see, the public IP is where the request comes in from, but the SDP contains the private, internal IP in numerous places.
I do have rewrite_contact=yes; on in my pjsip endpoint configuration, but still the “rtp set debug on” command is showing me that when I dial into the echo application, RTP packets are being sent to the private IP and not the public IP.
Advice appreciated, thank you.
<--- Received SIP request (1282 bytes) from TLS:72.52.31.109:55256 --->
INVITE sip:420@dev1.domain.com SIP/2.0
Via: SIP/2.0/TLS 10.128.30.239:55253;branch=z9hG4bK-524287-1---bf28eb29eb900b43;rport
Max-Forwards: 70
Contact:
To:
From: "Kevin"
Call-ID: MGE5OWFhMDY5OGFhYzM4ZDIxNjA5OGRjY2M5OWE3ZGY
CSeq: 2 INVITE
Allow: INVITE, ACK, CANCEL, BYE, REFER, INFO, NOTIFY, UPDATE, PRACK, MESSAGE, OPTIONS, SUBSCRIBE, OPTIONS
Content-Type: application/sdp
Supported: replaces, 100rel
User-Agent: Bria iOS release 3.6.2 stamp 33024
Authorization: Digest username="6000",realm="asterisk",nonce="1456965577/29f2977e5352209d33847b1eafc5f937",uri="sip:420@dev1.haloprivacy.com",response="9c23bba47f43fa343bfc3bd2580a84ad",cnonce="ea996236e91c869bb16b1652c8504ba3",nc=00000001,qop=auth,algorithm=md5,opaque="609ab4014ccfac10"
Content-Length: 358

v=0
o=- 1456965576139402 1 IN IP4 10.128.30.239
s=Cpc session
c=IN IP4 10.128.30.239
t=0 0
m=audio 61216 RTP/SAVP 0 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:tkUxPSw8qTZ25fk6VuQPWNVOABk5mwe63/+d7vP7
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:tkUxPSw8qTZ25fk6VuQPWNVOABk5mwe63/+d7vP7
a=sendrecv
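As an added example (not part of the original post and not Asterisk code): a short Python check that takes a logged request like the one above and lists every place where the endpoint advertises a private address that differs from the address the request really came from. The sample log is constructed from the INVITE in the post with the auth and crypto lines left out, and the name nat_findings is hypothetical.

```python
import ipaddress
import re

# Constructed sample modelled on the INVITE in the post (auth and crypto lines omitted).
SAMPLE_LOG = """\
<--- Received SIP request (1282 bytes) from TLS:72.52.31.109:55256 --->
INVITE sip:420@dev1.domain.com SIP/2.0
Via: SIP/2.0/TLS 10.128.30.239:55253;branch=z9hG4bK-524287-1;rport
Content-Type: application/sdp

v=0
o=- 1456965576139402 1 IN IP4 10.128.30.239
s=Cpc session
c=IN IP4 10.128.30.239
t=0 0
m=audio 61216 RTP/SAVP 0 101
"""

SOURCE_RE = re.compile(r"Received SIP \w+ \(\d+ bytes\) from \w+:([\d.]+):(\d+)")
# Places where an endpoint behind NAT advertises its own (possibly private) address.
ADVERTISED = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)", re.M),
    "SDP o=": re.compile(r"^o=.*\bIN IP4 ([\d.]+)", re.M),
    "SDP c=": re.compile(r"^c=IN IP4 ([\d.]+)", re.M),
}

def nat_findings(log_text):
    """Return (source_ip, audio_port, [(field, address), ...]) for every advertised
    address that is private and differs from the packet's real source address."""
    m = SOURCE_RE.search(log_text)
    if not m:
        raise ValueError("no 'Received SIP ... from' line found")
    source = ipaddress.ip_address(m.group(1))
    port = re.search(r"^m=audio (\d+)", log_text, re.M)
    findings = []
    for field, pattern in ADVERTISED.items():
        for addr in pattern.findall(log_text):
            ip = ipaddress.ip_address(addr)
            if ip.is_private and ip != source:
                findings.append((field, addr))
    return str(source), int(port.group(1)) if port else None, findings

if __name__ == "__main__":
    src, port, found = nat_findings(SAMPLE_LOG)
    for field, addr in found:
        print(f"{field} advertises private {addr}; request came from {src}")
    if any(field == "SDP c=" for field, _ in found):
        print(f"SDP points media at a private address, audio port {port}")
```

A finding on the `c=` line means the address in the SDP is not reachable from the public side, so media can only reach the endpoint if the server sends to the address it actually receives RTP from.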
8 thoughts on - RTP / NAT Question ( Pjsip )
Kevin Long wrote:
The “rtp_symmetric” option is used to control this for RTP. When set to yes media will be sent to the source IP address+port of the received RTP.
Cheers,
—
Joshua Colp Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW – Huntsville, AL 35806 – US
Check us out at: http://www.digium.com & http://www.asterisk.org
—
Thank you for the response, Joshua.
I had rtp_symmetric=yes before I wrote the email, then I set it to no, restarted Asterisk, and tried to make the call from the remote endpoint again, but still tcpdump is showing me the RTP packets are being sent from Asterisk to the private IP.
tcpdump on the Asterisk server showing a UDP packet bound for my remote endpoint's internal IP:
17:07:57.130212 IP 10.50.55.10.6214 > 10.128.30.239.51126: UDP, length 182
Current pjsip.conf file
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
local_net=10.50.55.0/24
external_media_address=
external_signaling_address=
cert_file=/etc/asterisk/keys/dev1.crt
priv_key_file=/etc/asterisk/keys/dev1.key
ca_list_file=/etc/asterisk/keys/ca.crt
cipher=AES256-SHA
method=tlsv1
;===============EXTENSION 6001
[6000]
type=endpoint
context=internal
disallow=all
allow=ulaw
auth=auth6000
aors=6000
direct_media=no
rewrite_contact=yes ; necessary if endpoint does not know/register public ip:port
ice_support=no
force_rport=yes
rtp_symmetric=no
media_encryption=sdes
[auth6000]
type=auth
auth_type=userpass
password=6000
username=6000
[6000]
type=aor
qualify_frequency=30
max_contacts=1
remove_existing=yes
;===============EXTENSION 6001
[6001]
type=endpoint
context=internal
disallow=all
allow=ulaw
auth=auth6001
aors=6001
direct_media=no
rewrite_contact=yes ; necessary if endpoint does not know/register public ip:port
ice_support=no
force_rport=yes
rtp_symmetric=no
media_encryption=sdes
[auth6001]
type=auth
auth_type=userpass
password=6001
username=6001
[6001]
type=aor
qualify_frequency=30
max_contacts=1
remove_existing=yes
Kevin Long wrote:
It needs to be set to yes, and you also must have received an RTP packet from the remote side. If you haven’t received any then check to see if they are being blocked by a firewall, and that the SDP sent to the device contains the public IP address.
Hi Joshua,
Looking at the transmitted SIP packets from Asterisk, it looks like Asterisk is only sending its own internal IP (it is behind a NAT too, with proper port forwarding).
I did set in my transport the external_signaling_address and external_media_address, and I have now put transport= into my endpoint configuration hoping they will “inherit” the correct public IP for the media.
But Asterisk is still sending RTP to the wrong IP.
I am trying to test a “real world” scenario of public IP and NAT traversal, but I do have split tunnel VPN in my environment so the endpoint and the Asterisk server *could* reach each other by the private IP, but I am actually trying to avoid this with a proper configuration since my real users will not be on any VPN, mostly.
;===============TRANSPORT
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
local_net=10.50.55.0/24
external_media_address=66.114.139.174
external_signaling_address=66.114.139.174
cert_file=/etc/asterisk/keys/dev1.crt
priv_key_file=/etc/asterisk/keys/dev1.key
ca_list_file=/etc/asterisk/keys/ca.crt
cipher=AES256-SHA
method=tlsv1
;===============EXTENSION 6001
[6000]
type=endpoint
context=internal
disallow=all
allow=ulaw
transport=transport-tls
auth=auth6000
aors=6000
direct_media=no
rewrite_contact=yes ; necessary if endpoint does not know/register public ip:port
ice_support=no
force_rport=yes
rtp_symmetric=yes
media_encryption=sdes
[auth6000]
type=auth
auth_type=userpass
password=6000
username=6000
[6000]
type=aor
qualify_frequency=30
max_contacts=1
remove_existing=yes
;===============EXTENSION 6001
[6001]
type=endpoint
context=internal
disallow=all
allow=ulaw
transport=transport-tls
auth=auth6001
aors=6001
direct_media=no
rewrite_contact=yes ; necessary if endpoint does not know/register public ip:port
ice_support=no
force_rport=yes
rtp_symmetric=yes
media_encryption=sdes
[auth6001]
type=auth
auth_type=userpass
password=6001
username=6001
[6001]
type=aor
qualify_frequency=30
max_contacts=1
remove_existing=yes
Kevin Long wrote:
What version of 13 are you also using?
—
Joshua Colp Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW – Huntsville, AL 35806 – US
Check us out at: http://www.digium.com & http://www.asterisk.org
—
Hi Joshua,
This Asterisk 13 was pulled from the git master branch just 2-3 days ago: GIT-13-d1495b.
I used this very recent source code to overcome a pjsip problem (you can see my email list post from a few days ago).
Thanks again
Kevin Long wrote:
You may be getting bit by an issue[1] which impacts NAT support. A patch is currently up on gerrit[2] to fix it and will be included by next week probably.
[1] https://issues.asterisk.org/jira/browse/ASTERISK-25830
[2] https://gerrit.asterisk.org/#/c/2346/
So the patch did resolve the audio RTP issue and I can make echo calls now, but it seems like the last issue I posted to the list (pjsip driver making new outbound TLS transports instead of using existing SIP connection, not NAT friendly) is happening again. Could that be?
Thanks again,
Kevin Long