<div dir="ltr">Hi Steven,<div><br></div><div>thank you for the detailed response! I'll check out NDLB and look further into how the ports are changing. The strange thing is that it happens with some but not all softphones and that the message going to the wrong port nevertheless gets to my computer through the router and is only rejected here - rather than in the router. This is evidenced by Wireshark running on my computer. I'll let you know if I find anything useful after investigating further.</div>
<div><br></div><div style>Thanks again!</div>
<div><br></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr">Thank you<div><i><font color="#0000ff">Oleg</font></i></div></div></div>
<br><br><div class="gmail_quote">On Mon, Jun 3, 2013 at 8:57 PM, Steven Ayre <span dir="ltr">&lt;<a href="mailto:steveayre@gmail.com" target="_blank">steveayre@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">1. Why does FreeSWITCH initially send "Unauthorized" reply?</blockquote>
<div><br></div></div><div>It's required. SIP authentication is similar to HTTP authentication; it's based on challenge-response. The first request fails and the response contains a nonce. The 2nd request sends a digest of the password combined with that nonce. That means you authenticate without sending your password over the internet in plaintext and, since the nonce is time-limited, without that digest being able to be reused by an attacker.</div>
<div><br></div><div>If you see yourself calling into FS without that then you are either a) authenticating via IP address not password or b) calling into a SIP profile that doesn't require authentication (eg one for receiving calls).</div>
<div class="im">
<div><br></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
2. Does anyone know why some phones change their port during registration from behind a NAT? </blockquote><div><br></div></div><div>That could be your NAT router changing the port mapping between requests (each REGISTER and INVITE is a separate SIP dialog).</div>
<div><br></div><div>SIP with NAT can work, but will be messy. Mostly because not everything supports it, supports it well, or does it in the same way. You can also encounter situations where the phone and router are both trying to work around the NAT issues, which causes more problems than it solves.</div>
<div><br></div><div>Generally FS does a good job of working around many of the issues, and has a few NDLB options for handling devices that don't handle NAT well. See <a href="http://wiki.freeswitch.org/wiki/NAT_Traversal" target="_blank">http://wiki.freeswitch.org/wiki/NAT_Traversal</a></div>
<div><br></div><div>For starters you should disable SIP ALG on your router and enable STUN in the SIP client, if it's supported.</div><div class="im"><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
3. Should I file a Jira ticket to have FreeSWITCH change UA's registered contact info when the UA sends a message with a different Contact header?</blockquote><div><br></div></div><div>But what would it change it to?</div>
<div>
<br></div><div>For handling broken devices there are some NDLB options, some do try rewriting the Contact to where the packet came from. That's not correct in all cases, but perhaps is in many. <a href="http://wiki.freeswitch.org/wiki/NDLB" target="_blank">http://wiki.freeswitch.org/wiki/NDLB</a></div>
<div><br></div><div><br></div><div>-Steve</div><div><br></div><div> </div><div><br></div><br><div class="gmail_quote"><div><div class="h5">On 3 June 2013 21:32, Oleg Stolyar <span dir="ltr">&lt;<a href="mailto:ostolyar@netflix.com" target="_blank">ostolyar@netflix.com</a>&gt;</span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">Hi guys,<div><br></div><div>I ran into the following problem recently:</div>
<div><br></div><div>Using a softphone from a computer behind a NAT I register it with FreeSWITCH.</div>
<div>It registers with a certain port in the Contact header. FreeSWITCH stores this port in the user's registration info and uses it from then on to send messages to the phone.</div>
<div><br></div><div>However, for some reason FreeSWITCH initially sends back an "Unauthorized" response. After that some phones seem to send REGISTER again but with a<b> different port</b>.</div><div>
This only happens if the phone is behind a NAT. If FreeSWITCH is on the same network as the phone, the phone keeps the same port.</div><div><br></div><div>FreeSWITCH ignores that and keeps trying to contact the phone on the old port and of course fails.</div>
<div><br></div><div>Only some phones seem to change their port after registration. They include 3CXPhone, X-Lite.</div><div>Phones that don't do this are MicroSIP and Mizu.</div><div><br></div>
<div>I have a wireshark capture file of the session from the softphone machine if anyone would like, I'll be happy to email it or publish it.</div><div><br></div><div>So, I have three questions:</div>
<div>1. Why does FreeSWITCH initially send "Unauthorized" reply?</div><div>2. Does anyone know why some phones change their port during registration from behind a NAT? </div><div>3. Should I file a Jira ticket to have FreeSWITCH change UA's registered contact info when the UA sends a message with a different Contact header?</div>
<div><br></div><div><br clear="all"><div><div dir="ltr">Thank you<span><font color="#888888"><div><i><font color="#0000ff">Oleg</font></i></div></font></span></div></div>
</div></div>
<br></div></div>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br><div><br></div>
<br></blockquote></div><br></div>
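<div>The challenge-response exchange described in the quoted reply (first REGISTER rejected with a nonce, second REGISTER carrying a digest), as an added example that is not part of the original thread and not FreeSWITCH code. It uses the RFC 2617 digest without qop; the realm, the 60-second nonce lifetime, the signed-timestamp nonce format, the 403 on a bad digest and the function names are assumptions made for illustration.</div>

```python
import hashlib, hmac, os, time

REALM = "pbx.example.test"   # constructed realm
SERVER_KEY = os.urandom(16)  # server-side secret used to sign nonces
NONCE_TTL = 60               # seconds a challenge stays valid (assumed value)

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def _mac(ts):
    return hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:16]

def make_nonce(now=None):
    """Nonce = issue time plus a MAC over it, so age can be checked statelessly."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(ts)}"

def nonce_is_fresh(nonce, now=None):
    ts, _, mac = nonce.partition(":")
    if not (ts.isascii() and ts.isdigit()):
        return False
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False                      # nonce was not issued by this server
    now = time.time() if now is None else now
    return 0 <= now - int(ts) <= NONCE_TTL

def digest_response(user, realm, password, method, uri, nonce):
    """Client side: MD5(HA1:nonce:HA2); the password itself is never sent."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def handle_register(auth, passwords, now=None):
    """Server side. auth is None for a REGISTER without an Authorization header.
    Returns (status, nonce_for_challenge)."""
    if auth is None or not nonce_is_fresh(auth["nonce"], now):
        return 401, make_nonce(now)       # challenge, or re-challenge if stale
    password = passwords.get(auth["username"])
    if password is None:
        return 403, None
    expected = digest_response(auth["username"], REALM, password,
                               "REGISTER", auth["uri"], auth["nonce"])
    ok = hmac.compare_digest(expected.encode(), auth["response"].encode())
    return (200, None) if ok else (403, None)
```

<div>A captured Authorization header replayed after the nonce lifetime gets a fresh 401 rather than a 200, which is the time-limiting property the reply refers to.</div>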