[SR-Users] TLS in-dialog set_forward_no_connect() and upstream TLS LCR gateway

Anthony Joseph Messina amessina at messinet.com
Mon Sep 9 02:00:08 CEST 2019


In preparation for the 5.3 release, I've been testing the following 
configuration change for TCP/TLS connections:

https://github.com/kamailio/kamailio/commit/8bba208fe6ae7ccb4c92362b8c33f1530b9f56da

route[REQINIT] {
        # no connect for sending replies
        set_reply_no_connect();
        if(has_totag()) {
                # no connect for requests within dialog
                set_forward_no_connect();
        }
        # ... (rest of REQINIT not shown)
}

This change creates issues when a UAC TLS INVITE routes to an upstream gateway 
using TLS to port 5061 (via the LCR module).  Kamailio sends the initial 
outbound TLS connection from a local ephemeral port.  The TCPOPS 
tcp_keepalive_enable function issues keepalives from the local ephemeral port 
to the gateway port 5061:

https://kamailio.org/docs/modules/stable/modules/tcpops#tcpops.f.tcp_keepalive_enable

Even so, the TLS connection eventually times out, after which in-dialog 
requests from the UAC are no longer able to reach the upstream gateway.

ERROR: tm [../../core/forward.h:293]: msg_send_buffer(): tcp_send failed
WARNING: tm [t_fwd.c:1570]: t_send_branch(): sending request on branch 0 failed
ERROR: sl [sl_funcs.c:372]: sl_reply_error(): stateless error reply used: Unfortunately error on sending to next hop occurred (477/SL)

I figure I must be doing something wrong with my TCPOPS here.  Is a TLS 
connection to an upstream gateway supposed to be maintained throughout the 
duration of a call?

-- 
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D  D1C9 FF31 3BDB D9D8 99B6
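
Added example (not part of the original post, and not Kamailio project code): a small log check that finds the three-message failure chain quoted above, so an operator can see how often in-dialog requests fail once the upstream TLS connection is gone. The syslog prefix (timestamp, host, `kamailio[pid]`) and the names `find_send_failures`, `LINE`, `STAGES` and `SAMPLE_LOG` are assumptions of this example; adjust the pattern to your own log format.

```python
import re
from collections import defaultdict

# Constructed sample: message text is taken from the post above; the
# timestamps, host name and PIDs are invented for this example.
SAMPLE_LOG = """\
Sep  9 01:41:02 sbc kamailio[2101]: ERROR: tm [../../core/forward.h:293]: msg_send_buffer(): tcp_send failed
Sep  9 01:41:02 sbc kamailio[2101]: WARNING: tm [t_fwd.c:1570]: t_send_branch(): sending request on branch 0 failed
Sep  9 01:41:02 sbc kamailio[2101]: ERROR: sl [sl_funcs.c:372]: sl_reply_error(): stateless error reply used: Unfortunately error on sending to next hop occurred (477/SL)
Sep  9 01:45:10 sbc kamailio[2102]: WARNING: tm [t_fwd.c:1570]: t_send_branch(): sending request on branch 0 failed
Sep  9 01:52:30 sbc kamailio[2103]: ERROR: tm [../../core/forward.h:293]: msg_send_buffer(): tcp_send failed
Sep  9 01:52:30 sbc kamailio[2104]: ERROR: sl [sl_funcs.c:372]: sl_reply_error(): stateless error reply used: Unfortunately error on sending to next hop occurred (477/SL)
"""

# Assumed syslog layout: "<timestamp> <host> kamailio[<pid>]: LEVEL: module [file:line]: func(): text"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ kamailio\[(?P<pid>\d+)\]: "
                  r"\w+: \w+ \[[^\]]+\]: (?P<func>\w+)\(\): (?P<msg>.*)$")

# The chain from the post, in order: send fails, branch fails, 477 goes back to the UAC.
STAGES = [("msg_send_buffer", "tcp_send failed"),
          ("t_send_branch", "sending request on branch"),
          ("sl_reply_error", "(477/SL)")]

def find_send_failures(log_text):
    """Return (timestamp, pid) for each complete chain logged by one worker process."""
    progress = defaultdict(int)      # pid -> index of the next expected stage
    started, incidents = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid = m["pid"]
        stage = next((i for i, (f, s) in enumerate(STAGES)
                      if f == m["func"] and s in m["msg"]), None)
        if stage is None:
            continue                 # unrelated message: leave the chain state alone
        if stage == 0:               # a new chain always starts at tcp_send failed
            progress[pid], started[pid] = 1, m["ts"]
        elif stage == progress[pid]:
            progress[pid] += 1
            if progress[pid] == len(STAGES):
                incidents.append((started[pid], int(pid)))
                progress[pid] = 0
        else:
            progress[pid] = 0        # out-of-order stage: not the chain we look for
    return incidents

if __name__ == "__main__":
    print(find_send_failures(SAMPLE_LOG))
```

Only the first three sample lines form a complete chain inside one worker; the partial sequences from the other PIDs are ignored.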