[Freeswitch-users] TOO Frequent SIP Registration

Sean Devoy sdevoy at bizfocused.com
Fri Jun 12 18:31:40 MSD 2015 

Michael,

Please give me a minute of your time for my education…

Do I have something I need to fix or not?

Sean

From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Sean Devoy
Sent: Thursday, June 11, 2015 10:06 AM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] TOO Frequent SIP Registration

Michael,
Sorry, I am paranoid about publishing the FQDN of my FS server.  I have so many hackers without publishing it, it makes me crazy.

These are NAT devices.  Is registration every 30 seconds required for ALL NAT devices and I just never noticed?

Let me give you more information as I think everything may be working just fine now.
What brought this to my attention was a console window open with loglevel set to 5.  There were LOTS of these purple auth REGISTER lines from ONE customer site.  During my investigation, I found that my remote desktop login to that site was slow and bursty.  When I got around to sip tracing, the problem seemed to have gone away.  I noticed the REGISTER events every 30 seconds, but no log entry was generated.

I think their line was faulting and their phones WERE actually registering again following a disconnect, causing the log entry.  When they are still registered, no log entry is generated.  Does that sound correct?  If so, this is a case of “a little knowledge can be dangerous”, sorry to bother you.

As always thanks for your help.
Sean

From: freeswitch-users-bounces at lists.freeswitch.org<mailto:freeswitch-users-bounces at lists.freeswitch.org> [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Michael Jerris
Sent: Thursday, June 11, 2015 5:00 AM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] TOO Frequent SIP Registration

Every time I have ever looked at an edited sip trace, the real problem has been obscured by the edits, so I don't bother looking at them anymore .  Check out the sip trace and debug and your config to see why it's detecting nat

On Wednesday, June 10, 2015, Sean Devoy <sdevoy at bizfocused.com<mailto:sdevoy at bizfocused.com>> wrote:
The SIP trace shows an oddity.  The request has expires=3600, but the response from FS says expires=30.  This is happening on ALL devices that have the latest CISCO firmware.  Can you see anything wrong with the registration request:

   ------------------------------------------------------------------------
recv 767 bytes from udp/[69.137.35.208]:1024 at 18:59:53.382917:
   ------------------------------------------------------------------------
   REGISTER sip: [my domain name]  SIP/2.0
   Via: SIP/2.0/UDP 69.137.35.208:1024;branch=z9hG4bK-b2eec5e;rport
   From: "Ann-Marie" <sip:11@[my domain name]<sip:11@[my%20domain%20name]>>;tag=86dec25c650ffef4o0
   To: "Ann-Marie" <sip:11@[my domain name]<sip:11@[my%20domain%20name]>>
   Call-ID: d1a1e2df-34f61b38 at 192.168.2.11<javascript:_e(%7B%7D,'cvml','d1a1e2df-34f61b38 at 192.168.2.11');>
   CSeq: 10545 REGISTER
   Max-Forwards: 70
   Authorization: Digest username="11",realm="[my domain name]",nonce="6d8f48f6-0d40-4f18-8a87-4b961f7b7881",uri="sip: [my domain name]",algorithm=MD5,response="c73d90489df58e17dad9a9d3b1b06865",qop=auth,nc=00000010,cnonce="4c9c7235"
   Contact: "Ann-Marie" <sip:11 at 69.137.35.208:1024<http://sip:11@69.137.35.208:1024>>;expires=3600
   User-Agent: Cisco/SPA504G-7.5.5
   Content-Length: 0
   Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER, UPDATE
   Supported: replaces

   ------------------------------------------------------------------------
send 614 bytes to udp/[69.137.35.208]:1024 at 18:59:53.386375:
  ------------------------------------------------------------------------
   SIP/2.0 200 OK
   Via: SIP/2.0/UDP 69.137.35.208:1024;branch=z9hG4bK-b2eec5e;rport=1024
   From: "Ann-Marie" <sip:11@[my domain name]<sip:11@[my%20domain%20name]>>;tag=86dec25c650ffef4o0
   To: "Ann-Marie" <sip:11@[my domain name]<sip:11@[my%20domain%20name]>>;tag=tpUU52gppFZrj
   Call-ID: d1a1e2df-34f61b38 at 192.168.2.11<javascript:_e(%7B%7D,'cvml','d1a1e2df-34f61b38 at 192.168.2.11');>
   CSeq: 10545 REGISTER
   Contact: <sip:11 at 69.137.35.208:1024<http://sip:11@69.137.35.208:1024>>;expires=30
   Date: Wed, 10 Jun 2015 18:59:53 GMT
   User-Agent: FreeSWITCH-mod_sofia/1.2.22+git~20140309T212137Z~65fed130e5~64bit
   Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
   Supported: path, replaces
   Content-Length: 0


From: freeswitch-users-bounces at lists.freeswitch.org<javascript:_e(%7B%7D,'cvml','freeswitch-users-bounces at lists.freeswitch.org');> [mailto:freeswitch-users-bounces at lists.freeswitch.org<javascript:_e(%7B%7D,'cvml','freeswitch-users-bounces at lists.freeswitch.org');>] On Behalf Of Michael Jerris
Sent: Wednesday, June 10, 2015 1:41 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] TOO Frequent SIP Registration

Likely relates to us detecting them as nat.  Take a look at the registrations, do they say NAT?  To confirm why you would look at the sip trace to see whats going on with the registration, my guess would be sip ALG on the client side messing up the traffic.

On Jun 10, 2015, at 1:30 PM, Sean Devoy <sdevoy at bizfocused.com<javascript:_e(%7B%7D,'cvml','sdevoy at bizfocused.com');>> wrote:

Hi everyone,

Forgive my lack of knowledge here.  I have a multi-tenant server setup and oddly everything is working correctly!  Working correctly isn’t odd, writing when everything is ok is odd.

For one of my domains, all of the phones re-register about every 30 seconds.  The log is filled with messages like:
sofia_reg.c:1532 SIP auth challenge (REGISTER) on sofia profile 'external' for [43@<snip>]

On the phones I changed the “Reg Min Expires” to 300 and they disappeared from registration!!
Also, the phones are registered, I can call them and their status web page says next registration is xx (30 or less) seconds.

So …
How often show registered phones re-register?
How/Where do I set it?
Why only one of my domains?  (This domain may be the only one to get the latest firmware in the phones).

For extra points does this relate to NAT Keepalive at all?

I did google this but the only registration expiration info I can find is on gateways, not phones.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20150612/7f75cf66/attachment-0001.html

Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list