<HTML dir=ltr><HEAD><TITLE>Re: [SR-Users] kamailio restart and TLS ( relay_to_tls() )</TITLE>
<META http-equiv=Content-Type content="text/html; charset=unicode">
<META content="MSHTML 6.00.6000.17093" name=GENERATOR></HEAD>
<BODY>
<DIV id=idOWAReplyText27154 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Hi again Klaus,</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>I understand (now better) what you mean with the timing parameters; I was just testing closing the first connection. The reason is that when I restart kamailio the clients I use reopen a second connection, as you said to me. So the solution to this issue could be not to open a newer connection. I tested, as you said, "set_forward_no_connect();" but maybe not well enough. I imagine the solution goes by using it.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>About the question on making TLS connections to the clients: I'm only relaying TLS connections to the gateway, which has a certificate. I set TCP ASYNC=NO because I had an error running TLS; as the documentation says, if I use TLS I have to disable asynchronous TCP.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>I'm going to test "set_forward_no_connect();" in depth and give feedback again.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Regards,</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Ricardo Dominguez</FONT></DIV>
<DIV dir=ltr><FONT face="Times New Roman" size=3></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2> <BR></FONT></DIV>
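<DIV dir=ltr><FONT face=Arial size=2>An added example, not code from this thread or from the Kamailio project: a Kamailio 3.1 configuration fragment that applies the advice exchanged in the quoted messages below (TCP connection lifetime above the registration expiry, async mode on, TLS forced only toward the gateway, set_forward_no_connect() for registered clients, and the RELAY route's broken "else if" corrected). The listen address, gateway address, tls.cfg path and max_expires value are placeholders.</FONT></DIV>
<PRE>
```cfg
# Added example (not from the thread or the Kamailio project): Kamailio 3.1
# fragment applying the thread's advice. Addresses and paths are placeholders.

# Settings reported in the thread, which leave a stale contact and a second
# client connection after a restart (kept here, commented out, for comparison):
#   tcp_async=no
#   tcp_connection_lifetime=120   # far shorter than the 3600 s re-register timer

tcp_async=yes                     # non-blocking sends, as recommended in the thread
tcp_connection_lifetime=3605      # longer than the maximum registration expiry
tcp_keepalive=yes                 # detect dead client connections without SIP keepalives

enable_tls=yes
listen=tls:203.0.113.10:5061      # placeholder proxy address

loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "tls.so"
modparam("tls", "config", "/etc/kamailio/tls.cfg")   # placeholder path

# Keep the contact's lifetime below the TCP connection lifetime set above.
modparam("registrar", "max_expires", 3600)

route[RELAY] {
    if (is_method("INVITE")) {
        t_on_reply("REPLY_ONE");
        t_on_failure("FAIL_ONE");
    }

    # Anything that is not a local user (alphabetic name or xxNN extension)
    # goes to the gateway, which has a certificate, so TLS is forced here.
    if (!(($od =~ "mydomain.com") &&
          (($rU =~ "[a-z]{3,20}$") || ($rU =~ "^xx[0-9][0-9]$")))) {
        if (!t_relay_to_tls("203.0.113.20", "5061")) {   # placeholder gateway
            sl_reply_error();
        }
    } else {
        # Local clients opened the connection themselves and cannot present a
        # TLS certificate: reuse their connection, never open a new one.
        set_forward_no_connect();
        if (!t_relay()) {
            sl_reply_error();
        }
    }
    exit;
}
```
</PRE>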
<DIV dir=ltr>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr><FONT face=Tahoma size=2><B>From:</B> Klaus Darilion [mailto:klaus.mailinglists@pernau.at]<BR><B>Sent:</B> Tue 21/12/2010 16:48<BR><B>To:</B> Dominguez Jover, Ricardo<BR><B>CC:</B> sr-users@lists.sip-router.org<BR><B>Subject:</B> Re: [SR-Users] kamailio restart and TLS ( relay_to_tls() )<BR></FONT><BR></DIV></DIV>
<DIV>
<P><FONT size=2>Not sure what exactly happens in your scenario, but some generic tips:<BR><BR>- Regardless of whether the client is behind NAT or not, IMO the TCP connection<BR>should be opened by the client and kept open for the whole lifetime of<BR>the client. Thus, the TCP connection should not be closed, not by the<BR>client and not by the proxy. Thus, set your TCP connection lifetime to a<BR>value which is bigger than the maximum registration expiration.<BR><BR>I also would enable keep-alive in the client.<BR><BR>Is there any specific reason why you close the TCP connection?<BR><BR>When using TLS there is one more problem: The party that receives the<BR>TLS connection needs to present a certificate. This means, if the proxy<BR>sets up a TLS connection to the SIP client, the SIP client would need a<BR>TLS client certificate.<BR><BR>Conclusion:<BR>- the client should create a TCP/TLS connection and it should be kept<BR>open for the whole lifetime.<BR>- the proxy should use async mode (why don't you use it?)<BR>- the proxy should not even try to make a TLS connection to the client<BR>as the client probably cannot provide a TLS certificate<BR><BR>regards<BR>klaus<BR><BR>On 21.12.2010 14:13, Dominguez Jover, Ricardo wrote:<BR>> Klaus, exactly what you said happens: a duplicated TCP connection. Now I'll tell you about what I've found and the timing variables. First of all, there is no NAT in this scenario.<BR>><BR>> About the timing variables: there is a re-register time in the client (by default 3600s) and a "minimum time" (20s). Every time I restart Kamailio, after the minimum time the client re-opens a session. The client is not sending any SIP keepalive (I've switched it OFF), and in Kamailio "tcp_connection_lifetime=120", so after this time the first TCP connection is closed.<BR>><BR>> But this happens only if I don't try to register again.
If I do so, having the duplicated connection, then the first TCP connection only closes after the re-register timer finishes, and the second TCP connection closes every 120 seconds and is then re-opened after the 20s period.<BR>><BR>> In my config TCP ASYNC is set to NO and set_forward_no_connect() doesn't seem to do anything since there is no NAT.<BR>><BR>> I can reduce the re-register time on the client side for a faster expiry of the first TCP connection. But how could I close the "corrupted" TCP connection from the server side? As I said, once the second TCP connection is opened, "tcp_connection_lifetime" doesn't affect the first one.<BR>><BR>> Kind regards,<BR>><BR>> Ricardo Dominguez<BR>><BR>> -----Original Message-----<BR>> From: Klaus Darilion [<A href="mailto:klaus.mailinglists@pernau.at">mailto:klaus.mailinglists@pernau.at</A>]<BR>> Sent: Tuesday, 21 December 2010 10:47<BR>> To: Dominguez Jover, Ricardo<BR>> CC: sr-users@lists.sip-router.org<BR>> Subject: Re: [SR-Users] kamailio restart and TLS ( relay_to_tls() )<BR>><BR>><BR>><BR>> On 21.12.2010 08:30, Dominguez Jover, Ricardo wrote:<BR>>> Hi everybody,<BR>>><BR>>> Since I implemented Kamailio 3.1 with TLS I've found a strange behavior.<BR>>> That is, with some clients (Bria and Blink) registered, if I restart<BR>>> Kamailio, then when the clients re-register the strange behaviour<BR>>> happens.
This behavior consists of the following: on receiving calls, it took about 15<BR>>> seconds to get the first tone after the call was made.<BR>><BR>> This sounds like some timeout.<BR>><BR>> Just think about what may happen: you restart Kamailio - thus the TCP<BR>> connection is terminated and probably the client will create a new<BR>> registration using a new TCP connection.<BR>><BR>> As the old registration was not deREGISTERed, you will have 2 entries in<BR>> your location table: one for the new registration (if the client already<BR>> registered) and one for the old one (pointing to a non-existing TCP<BR>> connection).<BR>><BR>> Now on an incoming call, Kamailio will try to establish a TCP connection to<BR>> the old contact - which for sure will fail if the client is behind NAT<BR>> or a firewall.<BR>><BR>> There are several TCP parameters to tweak, e.g.:<BR>><BR>> make sure TCP is non-blocking:<BR>> <A href="http://www.kamailio.org/dokuwiki/doku.php/core-cookbook:3.1.x#tcp_async">http://www.kamailio.org/dokuwiki/doku.php/core-cookbook:3.1.x#tcp_async</A><BR>><BR>> do not try to open TCP connections to SIP clients when they are known to<BR>> be behind NAT/FW.<BR>> <A href="http://www.kamailio.org/dokuwiki/doku.php/core-cookbook:3.1.x#set_forward_no_connect">http://www.kamailio.org/dokuwiki/doku.php/core-cookbook:3.1.x#set_forward_no_connect</A><BR>><BR>> There are also some more TCP functions which can be used to change the<BR>> behavior, just look around the set_forward_no_connect() function in the core<BR>> cookbook.<BR>><BR>> regards<BR>> Klaus<BR>><BR>><BR>>><BR>>> I made the following modification in the "route[Relay]" config.
The<BR>>> reason is I wanted my gateway and Kamailio to do the signaling over TLS.<BR>>> Without this modification the signaling was unencrypted (SIP):<BR>>><BR>>> route[RELAY] {<BR>>> #!ifdef WITH_NAT<BR>>>     if (check_route_param("nat=yes")) {<BR>>>         setbflag(FLB_NATB);<BR>>>     }<BR>>>     if (isflagset(FLT_NATS) || isbflagset(FLB_NATB)) {<BR>>>         route(RTPPROXY);<BR>>>     }<BR>>> #!endif<BR>>><BR>>>     /* example how to enable some additional event routes */<BR>>>     if (is_method("INVITE")) {<BR>>>         #t_on_branch("BRANCH_ONE");<BR>>>         t_on_reply("REPLY_ONE");<BR>>>         t_on_failure("FAIL_ONE");<BR>>>     }<BR>>><BR>>>     # Communicates with the GW over TLS<BR>>>     if (!( ($od=~"mydomain.com") && ( ($rU=~"[a-z]{3,20}$") ||<BR>>>            ($rU=~"^xx[0-9][0-9]$") ) ) ) { ### If I'm calling a PBX extension do<BR>>>                                          ### the signaling by TLS with the gateway (Cisco 2811)<BR>>>         if (!t_relay_to_tls()) {<BR>>>             sl_reply_error();<BR>>>         }<BR>>>     } else {<BR>>>         if (!t_relay()) {<BR>>>             sl_reply_error();<BR>>>         }<BR>>>     }<BR>>>     exit;<BR>>> }<BR>>><BR>>> The rest of the functionality is working really fine.
Any idea about what<BR>>> is happening?<BR>>><BR>>> Cheers!<BR>>><BR>>> Ricardo Domínguez<BR>>><BR>>><BR>>><BR>>> _______________________________________________<BR>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<BR>>> sr-users@lists.sip-router.org<BR>>> <A href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</A><BR></FONT></P></DIV></BODY></HTML>