[Freeswitch-users] Random calls failing with WRONG_CALL_STATE when using TLS

Emrah lists at kavun.ch
Mon Jan 25 23:38:11 MSK 2016


> I have found that some carriers trim the UDP packets to 512. This may be related.
> 

How? TLS will force signaling in TCP.

Compact headers don’t help much. In fact many clients don’t offer it.

More suggestions welcome.




> On Jan 19, 2016, at 3:43 PM, Luis Daniel Lucio Quiroz <luis.daniel.lucio at gmail.com> wrote:
> 
> I have found that some carriers trim the UDP packets to 512. This may be related.
> 
> There is an option in the Sophia profile to use short header names. That will help for sure
> 
> On 19 Jan 2016 2:26 AM, "Emrah" <lists at kavun.ch> wrote:
> Hi there,
> So what do we do of this?
> I don’t have any TLS issues except with FreeSWITCH. And to everyone here, it’s an issue with the equipment or the soft phone.
> I tried FS V1.2, 1.4, 1.6 and 1.7.
> Now remember this is something that can be reproduced with Yealink, Polycom, and I recently found out that Counterpath Bria was in the same basket.
> https://support.counterpath.com/topic/intermittent-tls-403-forbidden-error
> 
> We know what the problem is. When the TLS packet is too large, possibly because of a long list of codecs, the TLS thread crashes on the client.
> 
> The question is, how can this happen only when using FS? The same clients do OK with other TLS enabled PBXs.
> 
> Emrah
>> On Jan 14, 2016, at 1:09 PM, Emrah <lists at kavun.ch <mailto:lists at kavun.ch>> wrote:
>> 
>> I was certain that I’d fix all my issues with an FS update to 1.6.
>> After much frustration and over a year of trial and error, I found out that the TLS session breaks if the content of the packet is too large.
>> This was also confirmed with the FS documentation that lists this issue as a generic Polycom issue: Generic Polycom issues <https://freeswitch.org/confluence/display/FREESWITCH/Polycom#Polycom-GenericPolycomissues>
>> 
>> I can confirm that this also happens with Yealink phones and a couple of other Softphones including Blink Pro on Mac OS X.
>> 
>> So far, I’ve only experienced this with FS. I’ve not been able to replicate this with other SIP servers that can also transport and handle media.
>> 
>> Anyone else can relate to this?
>> 
>> Anyway, what’s worked for me is to make my packets as small as possible by reducing the number of offered codecs to the bare minimum. 
>> 
>> Best,
>> E
>>> On Mar 3, 2015, at 2:38 PM, Brian West <brian at freeswitch.org <mailto:brian at freeswitch.org>> wrote:
>>> 
>>> sofia global siptrace on 
>>> sofia loglevel all 9
>>> 
>>> Then outline the scenario and config on the JIRA.
>>> 
>>> On Tue, Mar 3, 2015 at 7:54 AM, Emrah <lists at kavun.ch <mailto:lists at kavun.ch>> wrote:
>>> Hey Brian, just saw this message.
>>> There is no other UA in between FS and the endpoint. There is a regular NAT, that's all.
>>> What seems to happen is:
>>> endpoint -> FS: invite = ok
>>> FS -> endpoint: 407 = OK
>>> Endpoint -> FS: invite = Fails with SSL error.
>>> 
>>> What are the components I should capture to open up a Jira? FS Logs, FS Siptrace, anything else?
>>> 
>>> Thanks!
>>>> On Feb 16, 2015, at 2:44 PM, Brian West <brian at freeswitch.org <mailto:brian at freeswitch.org>> wrote:
>>>> 
>>>> Via: SIP/2.0/TLS 1.2.3.4:443;branch=z9hG4bK6Kv171Q3U5rrD
>>>> 
>>>> Your issue is the contact has no port 443 or transport=tls right?  What sits between FS and the endpoint?
>>>> 
>>>> On Sun, Feb 15, 2015 at 5:38 AM, Emrah <lists at kavun.ch <mailto:lists at kavun.ch>> wrote:
>>>> Thanks Ken. Is there a way to filter the SIP trace? It's a busy box.
>>>> 
>>>>> On Feb 14, 2015, at 3:35 AM, Ken Rice <krice at freeswitch.org <mailto:krice at freeswitch.org>> wrote:
>>>>> 
>>>>> Open a Jira with a full debug login including sip tracing on
>>>>> 
>>>>> Sent from my iPhone
>>>>> 
>>>>> On Feb 13, 2015, at 7:57 PM, Emrah <lists at kavun.ch <mailto:lists at kavun.ch>> wrote:
>>>>> 
>>>>>> Hi,
>>>>>> The issue is persistent. I am curious to know if anyone else on the list is experiencing this. It doesn't seem to have been reported before.
>>>>>> Should I dedicate a profile to TLS use only?
>>>>>> I also posted a message on the list about receiving options packet with the wrong transport. Are these 2 issues connected? Here is a copy paste of my message:
>>>>>> 
>>>>>> My experience with FS and TLS has been rather mixed so far. It's been a little inconsistent in keeping NAT sessions up and users discoverable.
>>>>>> One thing I've noticed is that FS advertises the wrong information in option packets. The following is what I receive over my TLS session which is working on port 443.
>>>>>> 1.2.3.4:443 -(SIP over TLS)-> 10.0.0.99:51132
>>>>>> OPTIONS sip:53178246@10.0.0.99:56494;transport=tls;received=5.6.7.8:51132 SIP/2.0
>>>>>> Via: SIP/2.0/TLS 1.2.3.4:443;branch=z9hG4bK6Kv171Q3U5rrD
>>>>>> Route: <sip:53178246@5.6.7.8:51132>;transport=tls
>>>>>> Max-Forwards: 70
>>>>>> From: <sip:mod_sofia@1.2.3.4:5060>;tag=Q6XDFHeUUrcHD
>>>>>> To: <sip:user@domain.com>
>>>>>> Call-ID: 0a052f23-34a8-4158-8c88-fd2a70ffb561_c2RhaSoOYBR6jfJe4ndLoTTKJMrO2gMv
>>>>>> CSeq: 71498568 OPTIONS
>>>>>> Contact: <sip:mod_sofia@1.2.3.4:5060>
>>>>>> User-Agent: FreeSWITCH
>>>>>> Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
>>>>>> Supported: timer, path, replaces
>>>>>> Allow-Events: talk, hold, conference, presence, as-feature-event, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer
>>>>>> Content-Length: 0
>>>>>> 
>>>>>> As you can see FS stamps the packet with a port 5060... No reference to port 443 with a transport=tls.
>>>>>> 
>>>>>> What shall be done?
>>>>>> 
>>>>>>> On Feb 5, 2015, at 3:18 PM, Emrah <lists at kavun.ch <mailto:lists at kavun.ch>> wrote:
>>>>>>> 
>>>>>>> Hi there,
>>>>>>> This issue is happening all around with devices using TLS. It's not very frequent with softphones, but not inexistent.
>>>>>>> Any pointers would be greatly appreciated. Do you have best practice configs you'd like to share?
>>>>>>> 
>>>>>>> Thanks
>>>>>>>> On Jan 30, 2015, at 6:10 PM, Emrah <lists at kavun.ch <mailto:lists at kavun.ch>> wrote:
>>>>>>>> 
>>>>>>>> Hi all,
>>>>>>>> I am facing a very frustrating issue. I often have to dial twice when using my Yealink phone with TLS because the first attempt times out.
>>>>>>>> The logs on the Yealink indicate that the first invite is successfully received, to which my FS sends a 100 trying and 407 proxy auth required. It is subsequently when my phone sends back the invite that the connection crashes with the following error:
>>>>>>>> SSL ERROR SYSCALL
>>>>>>>> 
>>>>>>>> Is this something common? Why does the SSL connection crash when the phone attempts to send the second invite? My phone is behind NAT.
>>>>>>>> 
>>>>>>>> It is going to be a crazy expedition to collect the logs and Pastebin them, so I am tempting my luck on the list first to see if you have any pointers.
>>>>>>>> 
>>>>>>>> As a last piece, my Bria on my iPhone, among other clients, never had this issue. I did experience it from time to time with Blink on Mac OS X.
>>>>>>>> 
>>>>>>>> Any help appreciated.
>>>>>>>> 
>>>>>>>> Emrah
>>>>>>> 
>>>>>> 
>>>>>> _________________________________________________________________________
>>>>>> Professional FreeSWITCH Consulting Services: 
>>>>>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>>>>>> http://www.freeswitchsolutions.com <http://www.freeswitchsolutions.com/>
>>>>>> 
>>>>>> Official FreeSWITCH Sites
>>>>>> http://www.freeswitch.org <http://www.freeswitch.org/>
>>>>>> http://confluence.freeswitch.org <http://confluence.freeswitch.org/>
>>>>>> http://www.cluecon.com <http://www.cluecon.com/>
>>>>>> 
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users <http://lists.freeswitch.org/mailman/listinfo/freeswitch-users>
>>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users <http://lists.freeswitch.org/mailman/options/freeswitch-users>
>>>>>> http://www.freeswitch.org <http://www.freeswitch.org/>
>>>> 
>>>> -- 
>>>> Brian West
>>>> brian at freeswitch.org <mailto:brian at freeswitch.org>
>>>> 
>>>> Twitter: @FreeSWITCH , @briankwest
>>>> http://www.freeswitchbook.com <http://www.freeswitchbook.com/>
>>>> http://www.freeswitchcookbook.com <http://www.freeswitchcookbook.com/>
>>>> T:+19184209001 <tel:%2B19184209001> | F:+19184209002 <tel:%2B19184209002> | M:+1918424WEST (9378)
>>>> iNUM:+883 5100 1420 9001 | ISN:410*543 | Skype:briankwest
>>>> 
>>> 
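
Added example, not part of the original thread and not FreeSWITCH code: a small check for the mismatch described in the quoted OPTIONS request, where the Via says TLS on port 443 but the Contact advertises port 5060 with no `transport=tls`. The sample message is constructed from the thread's placeholder addresses, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the OPTIONS request quoted in the thread
# (placeholder addresses from the thread, not real captured traffic).
SAMPLE_OPTIONS = (
    "OPTIONS sip:53178246@10.0.0.99:56494;transport=tls SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 1.2.3.4:443;branch=z9hG4bK6Kv171Q3U5rrD\r\n"
    "From: <sip:mod_sofia@1.2.3.4:5060>;tag=Q6XDFHeUUrcHD\r\n"
    "Contact: <sip:mod_sofia@1.2.3.4:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

COMPACT = {"v": "via", "m": "contact"}  # RFC 3261 compact header forms
VIA_RE = re.compile(r"SIP/2\.0/(\w+)\s+([^;:\s]+)(?::(\d+))?", re.I)
URI_RE = re.compile(r"<?(sips?):(?:[^@>;]+@)?([^:;>\s]+)(?::(\d+))?([^>]*)>?", re.I)

def first_headers(msg):
    """Map each header name (compact forms expanded) to its first value."""
    out = {}
    head = msg.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        out.setdefault(COMPACT.get(name, name), value.strip())
    return out

def contact_mismatches(msg):
    """Compare the topmost Via with the Contact URI; return a list of findings."""
    h = first_headers(msg)
    via = VIA_RE.search(h.get("via", ""))
    uri = URI_RE.search(h.get("contact", ""))
    if not via or not uri:
        return ["Via or Contact missing or unparsable"]
    via_tr, via_host, via_port = via.group(1).upper(), via.group(2), via.group(3)
    scheme, host, port, params = uri.groups()
    tr = re.search(r";transport=(\w+)", params, re.I)
    uri_tr = tr.group(1).upper() if tr else ("TLS" if scheme.lower() == "sips" else None)
    # Default ports when none is given: 5061 for TLS, 5060 otherwise.
    via_port = int(via_port or (5061 if via_tr == "TLS" else 5060))
    uri_port = int(port or (5061 if uri_tr == "TLS" else 5060))
    findings = []
    if via_tr == "TLS" and uri_tr != "TLS":
        findings.append("Via uses TLS but Contact URI has no transport=tls and is not sips:")
    if host == via_host and uri_port != via_port:
        findings.append(f"Contact port {uri_port} differs from Via port {via_port}")
    return findings

if __name__ == "__main__":
    for finding in contact_mismatches(SAMPLE_OPTIONS):
        print("MISMATCH:", finding)
```

Run over a saved siptrace, a check like this shows whether every request sent on the TLS profile carries a Contact that points the peer back to the TLS listener rather than to port 5060.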
