[Serusers] Can't solve the problem. Need help.
Alex
alexandergav at gmail.com
Sun Apr 17 08:41:31 CEST 2005
Thanks for the reply.
it's something strange , because i use the same ser.cfg file on other
server and the same ATA286 (which using stun) working perfect.
U sourceip:26012 -> xxx.xxx.xxx.xxx:5060
REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
<sip:phonenumber at xxx.xxx.xxx.xxx>;tag=94a44507e03df901..To:
<sip:phonenumber at xxx.xxx.xxx.xxx>..Contact:
<sip:phonenumber at sourceip:22115>..Call-ID:
c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..Expires:
3600..User-Agent: Grandstream HT286 1.0.5.11..Max-F
orwards: 70..Allow:
INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Length:
0....
#
U xxx.xxx.xxx.xxx:5060 -> sourceip:22115
SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
<sip:phonenumber at xxx.xxx.xxx.xxx>;
tag=94a44507e03df901..To:
<sip:phonenumber at xxx.xxx.xxx.xxx>;tag=b27e1a1d33761e85846fc98f5f3a7e58.eb04..Call-I
D: c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..WWW-Authenticate:
Digest realm="xxx.xxx.xxx.xxx", nonce="42612dd595b3558cfdd4
46b83b081d1e2d3cc480"..Server: Sip EXpress router (0.8.14
(i386/linux))..Content-Length: 0..Warning: 392 xxx.xxx.xxx.xxx:5060 "
Noisy feedback tells: pid=21363 req_src_ip=sourceip
req_src_port=26012 in_uri=sip:xxx.xxx.xxx.xxx
out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
Ok i see there is the difference in ports where the register sending back .
it's coming from port 26012 and the 401 Unauthorized sending back to port 22115
how i can fix it: if it possible to give complete example.
and what else i need to install in order to perform the fix.
thanks for any help.
On 4/16/05, Greger V. Teigre <greger at teigre.com> wrote:
> Good observation! Grandstream (at least) firmware 10.5.16 has an error in
> symmetric NAT handling with STUN. GS should NOT try to replace IP:port with
> the public one, because it will be wrong.
> nat_uac_test("16") will catch this through checking the Contact port with
> the received port.
> g-)
>
> Atle Samuelsen wrote:
> > I think the reason why this is happening is a broken ADSL router or
> > simular, that has a ALG that thinks it supports SIP.
> >
> > try to turn off SIP_ALG or what it is called on your router. or change
> > the port on your sipserver to 5062 or something simular.. if you do
> > that I bet it will work.
> >
> > -Atle
> >
> > * Alex Vishnev <avishnev at optonline.net> [050416 19:41]:
> >> Alex,
> >>
> >> I found this interesting and don't know if this is what is causing
> >> your problem. Normally, when register is issued the Via header
> >> indicates where UAS/proxy should respond. In your first packet, here
> >> is what's happening:
> >>
> >> U sourceip:26012 -> xxx.xxx.xxx.xxx:5060
> >> REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..
> >> Via: SIP/2.0/UDP sourceip:22115;
> >>
> >> It looks like UA wants to receive the response back on port 22115.
> >> Now, SER sends the response to that port, but it does not look like
> >> UA is listening there, as UA just re-originates REGISTER. The
> >> question I have is why do you have a strange port number, instead of
> >> 5060? So it looks to me the reason why you never getting another
> >> REGISTER with credentials is because 401 Unauthorized never makes it
> >> to your Grandstream UA.
> >>
> >>
> >> So I would do the following:
> >>
> >> 1. Check with Grandstream to see if your firmware is the
> >> latest/stable version. I use Grandstream Bt100 and have not
> >> problems. I know grandstream is pretty good in resolving problems.
> >>
> >> 2. If UA is behind NAT, please make sure that grandstream is
> >> configured for NAT traversal.
> >>
> >> Hope this helps
> >>
> >> Alex Vishnev
> >>
> >> -----Original Message-----
> >> From: serusers-bounces at iptel.org [mailto:serusers-bounces at lists.iptel.org]
> >> On Behalf Of Alex
> >> Sent: Saturday, April 16, 2005 12:13 PM
> >> To: aland at ox.org; freeradius-users at lists.freeradius.org;
> >> serusers at lists.iptel.org; amack at fhm.edu; daniel at voice-system.ro
> >> Subject: [Serusers] Can't solve the problem. Need help.
> >>
> >> This is the answer i got on the list :
> >> The second REGISTER (the block 3) must contains the response to the
> >> authentication challenge carried by 401 reply (block 2). That means
> >> that the block 3 must contain an Authorization header with
> >> authentication credentials computed according to HTTP-Digest
> >> authentication mechanism (RFC2617).
> >>
> >> U sourceip:26012 -> xxx.xxx.xxx.xxx:5060
> >> REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
> >> sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
> >> <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=94a44507e03df901..To:
> >> <sip:phonenumber at xxx.xxx.xxx.xxx>..Contact:
> >> <sip:phonenumber at sourceip:22115>..Call-ID:
> >> c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..Expires:
> >> 3600..User-Agent: Grandstream HT286 1.0.5.11..Max-F
> >> orwards: 70..Allow:
> >> INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Length:
> >> 0....
> >> #
> >> U xxx.xxx.xxx.xxx:5060 -> sourceip:22115
> >> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
> >> sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
> >> <sip:phonenumber at xxx.xxx.xxx.xxx>;
> >> tag=94a44507e03df901..To:
> >> <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=b27e1a1d33761e85846fc98f5f3a7e58.eb04.
> >> .Call-I
> >> D: c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..WWW-Authenticate:
> >> Digest realm="xxx.xxx.xxx.xxx", nonce="42612dd595b3558cfdd4
> >> 46b83b081d1e2d3cc480"..Server: Sip EXpress router (0.8.14
> >> (i386/linux))..Content-Length: 0..Warning: 392 xxx.xxx.xxx.xxx:5060 "
> >> Noisy feedback tells: pid=21363 req_src_ip=sourceip
> >> req_src_port=26012 in_uri=sip:xxx.xxx.xxx.xxx
> >> out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
> >>
> >> #
> >> U sourceip:26012 -> xxx.xxx.xxx.xxx:5060
> >> REGISTER sip:xxx.xxx.xxx.xxx SIP/2.0..Via: SIP/2.0/UDP
> >> sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
> >> <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=94a44507e03df901..To:
> >> <sip:phonenumber at xxx.xxx.xxx.xxx>..Contact:
> >> <sip:phonenumber at sourceip:22115>..Call-ID:
> >> c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..Expires:
> >> 3600..User-Agent: Grandstream HT286 1.0.5.11..Max-F
> >> orwards: 70..Allow:
> >> INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE..Content-Length:
> >> 0....
> >> #
> >> U xxx.xxx.xxx.xxx:5060 -> sourceip:22115
> >> SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP
> >> sourceip:22115;branch=z9hG4bK4913f67fbbcfb571..From: "Alex "
> >> <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=94a44507e03df901..To:
> >> <sip:phonenumber at xxx.xxx.xxx.xxx>;tag=b27e1a1d33761e85846fc98f5f3a7e58.eb04.
> >> .Call-I
> >> D: c9f64c0c2ef27cd1 at 10.0.0.6..CSeq: 100 REGISTER..WWW-Authenticate:
> >> Digest realm="xxx.xxx.xxx.xxx", nonce="42612dd63c17bd54baef
> >> 0f620d6b9b066c23c8ce"..Server: Sip EXpress router (0.8.14
> >> (i386/linux))..Content-Length: 0..Warning: 392 xxx.xxx.xxx.xxx:5060 "
> >> Noisy feedback tells: pid=21360 req_src_ip=sourceip
> >> req_src_port=26012 in_uri=sip:xxx.xxx.xxx.xxx
> >> out_uri=sip:xxx.xxx.xxx.xxx via_cnt==1"....
> >>
> >>
> >> here is my ser debug:
> >> -------------------------------------
> >>
> >> 12(21360) SIP Request:
> >> 12(21360) method: <REGISTER>
> >> 12(21360) uri: <sip:xxx.xxx.xxx.xxx>
> >> 12(21360) version: <SIP/2.0>
> >> 12(21360) parse_headers: flags=1
> >> 12(21360) Found param type 232, <branch> = <z9hG4bKf776a5d04027adc6>;
> >> state=16
> >> 12(21360) end of header reached, state=5
> >> 12(21360) parse_headers: Via found, flags=1
> >> 12(21360) parse_headers: this is the first via
> >> 12(21360) After parse_msg...
> >> 12(21360) preparing to run routing scripts...
> >> 12(21360) REGISTER message received
> >> 12(21360) REGISTER: Authenticating user
> >> 12(21360) parse_headers: flags=4
> >> 12(21360) end of header reached, state=9
> >> 12(21360) DEBUG: get_hdr_field: <To> [34];
> >> uri=[sip:phonenumber at xxx.xxx.xxx.xxx]
> >> 12(21360) DEBUG: to body [<sip:phonenumber at xxx.xxx.xxx.xxx>
> >> ]
> >> 12(21360) parse_headers: flags=4096
> >> 12(21360) get_hdr_field: cseq <CSeq>: <100> <REGISTER>
> >> 12(21360) DEBUG: get_hdr_body : content_length=0
> >> 12(21360) found end of header
> >> 12(21360) pre_auth(): Credentials with given realm not found
> >> 12(21360) REGISTER: challenging user
> >> 12(21360) build_auth_hf(): 'WWW-Authenticate: Digest
> >> realm="xxx.xxx.xxx.xxx",
> >> nonce="42613540bb4462c045f7f3fe7714c3a1d6c0bca9"
> >> '
> >> 12(21360) parse_headers: flags=-1
> >> 12(21360) check_via_address(62.219.160.40, 62.219.160.40, 1)
> >> 12(21360) DEBUG:destroy_avp_list: destroing list (nil)
> >> 12(21360) receive_msg: cleaning up
> >>
> >> For some reason that i can not figure out i don't receive anything on
> >> the radius logs.
> >> it's looks like my granstream ATA286 not going through authectication
> >> process.
> >> when i change the ip of the sip server to different one (2-server)
> >> it's working perfect.
> >> The grandstream ATA286 sending same packets, on the 2 server it's
> >> working, on 1- one nothing happens.
> >> on the problematic server i have clean installation of
> >> freeradius-1.02 radiusclient-4.8 ser-8.14
> >>
> >> I tested the installation of the freeradius with the :
> >> radclient -f digest localhost auth testing123
> >> Received response ID 134, code 2, length = 45
> >> Reply-Message = "Hello, test with digest"
> >>
> >> radius logs:
> >> ----------------------------------------------
> >> rad_recv: Access-Request packet from host 127.0.0.1:32844, id=134,
> >> length=140
> >> User-Name = "test"
> >> Digest-Response = "631d6d73147add2f9e437f59bbc3aeb7"
> >> Digest-Attributes = "\001\013testrealm"
> >> Digest-Attributes = "\002\n1234abcd"
> >> Digest-Attributes = "\003\010INVITE"
> >> Digest-Attributes = "\004\034sip:5555551212 at example.com"
> >> Digest-Attributes = "\006\005MD5"
> >> Digest-Attributes = "\n\006test"
> >> Processing the authorize section of radiusd.conf
> >> modcall: entering group authorize for request 0
> >> modcall[authorize]: module "preprocess" returns ok for request 0
> >> modcall[authorize]: module "chap" returns noop for request 0
> >> modcall[authorize]: module "mschap" returns noop for request 0
> >> rlm_digest: Converting Digest-Attributes to something sane...
> >> Digest-Realm = "testrealm"
> >> Digest-Nonce = "1234abcd"
> >> Digest-Method = "INVITE"
> >> Digest-URI = "sip:5555551212 at example.com"
> >> Digest-Algorithm = "MD5"
> >> Digest-User-Name = "test"
> >> rlm_digest: Adding Auth-Type = DIGEST
> >> modcall[authorize]: module "digest" returns ok for request 0
> >> rlm_realm: No '@' in User-Name = "test", looking up realm NULL
> >> rlm_realm: No such realm "NULL"
> >> modcall[authorize]: module "suffix" returns noop for request 0
> >> rlm_eap: No EAP-Message, not doing EAP
> >> modcall[authorize]: module "eap" returns noop for request 0
> >> users: Matched entry DEFAULT at line 152
> >> users: Matched entry test at line 215
> >> modcall[authorize]: module "files" returns ok for request 0
> >> modcall: group authorize returns ok for request 0
> >> rad_check_password: Found Auth-Type Digest
> >> auth: type "digest"
> >> Processing the authenticate section of radiusd.conf
> >> modcall: entering group authenticate for request 0
> >> A1 = test:testrealm:test
> >> A2 = INVITE:sip:5555551212 at example.com
> >> KD =
> >> 1e00d6dbd30441265df6064b9d9b7da9:1234abcd:675b8c827b388805aa252ea38bfb6804
> >> modcall[authenticate]: module "digest" returns ok for request 0
> >> modcall: group authenticate returns ok for request 0
> >> radius_xlat: 'Hello, test with digest'
> >> Sending Access-Accept of id 134 to 127.0.0.1:32844
> >> Reply-Message = "Hello, test with digest"
> >> Finished request 0
> >>
> >> I need some help to figure out that's the problem with this server.
> >> And what can be a reason what i don't see any authentication process
> >> in the radius , when the packets coming from ATA286
> >> to authenticate the the user.
> >>
> >>
> >> Thanks for any help.
> >>
> >> _______________________________________________
> >> Serusers mailing list
> >> serusers at lists.iptel.org
> >> http://lists.iptel.org/mailman/listinfo/serusers
> >>
> >>
> >> _______________________________________________
> >> Serusers mailing list
> >> serusers at lists.iptel.org
> >> http://lists.iptel.org/mailman/listinfo/serusers
> >>
> >
> > _______________________________________________
> > Serusers mailing list
> > serusers at lists.iptel.org
> > http://lists.iptel.org/mailman/listinfo/serusers
>
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
>
More information about the sr-users
mailing list