<p dir="ltr">Thanks for the follow up. I never really understood how ICE works and consider it broken by default. Even though i have a ton of css's with ice and stun and p2p zrtp enrollment happens instantly or as soon as rtp appears.</p>
<div class="gmail_quote">On Jun 10, 2014 10:39 PM, "Peter Villeneuve" <<a href="mailto:petervnv1@gmail.com">petervnv1@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Answering myself since I seem to have finally figured it out. Hopefully this will save others the time I've spent debugging this.<div><br><div>The delay happens because ICE in FS is not responding correctly to CSipSimple's stun binding requests, which eventually timeout.</div>
<div>If I turn off ICE in CSipSimple, then ZRTP negotiation happens almost instantly as it should.</div><div><br></div><div>I believe there's an issue with FS's ICE implementation. Others seem to have noticed the same problem (see <a href="http://lists.freeswitch.org/pipermail/freeswitch-users/2014-June/105877.html" target="_blank">http://lists.freeswitch.org/pipermail/freeswitch-users/2014-June/105877.html</a>)</div>
<div><br></div><div>Is it possible to tweak and/or turn off ICE in FS?</div><div><br></div><div>Thanks</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 10, 2014 at 6:23 PM, Peter Villeneuve <span dir="ltr"><<a href="mailto:petervnv1@gmail.com" target="_blank">petervnv1@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I've been trying to debug why ZRTP negotiation with FS as endpoint takes almost 10 seconds every single time. I remember in the past ZRTP negotiation used to take 2 to 3 seconds at most.</div>
<div><br></div><div>I'm calling MoH extension from CSipSimple with ZRTP enabled to test it out and indeed it always takes 9 seconds to negotiate the ZRTP exchange. And even after it does it successfully and enteres secured state, I still see a lot of errors related to failed decryption.</div>
<div><br></div><div>I have posted the FS and CSipSimple logs on pastebin. FS log here <a href="http://pastebin.com/WNGcpTqB" target="_blank">http://pastebin.com/WNGcpTqB</a> and CSipSimple log here <a href="http://pastebin.com/DfW5gqSW" target="_blank">http://pastebin.com/DfW5gqSW</a></div>
<div><br></div><div><br></div><div>These are the relevant excerpts from FS which may help to shed light as to what's going on. You can see that the zrtp hellos from FS apparently never reach the CSipSimple client:</div>
<div><br></div><div><i>2014-06-10 16:17:55.949864 [DEBUG] switch_rtp.c:1352 [ zrtp engine]: WARNING! HELLO Max retransmissions count reached (20 retries). ID=9</i></div><div><br></div><div>But then you see a five second interval of nothing until CSipSimple's ZRTP hello reaches FS and the negotiation starts:</div>
<div><br></div><div><div><i>2014-06-10 16:17:55.949864 [DEBUG] switch_rtp.c:1352 [ zrtp]: <span style="white-space:pre-wrap"> </span>Stream ID=9 CLEAR switching <START> ---> <NOZRTP>.</i></div><div>
<i>2014-06-10 16:18:00.789889 [DEBUG] switch_rtp.c:1352 [ zrtp utils]: Received <Hello > packet with ssrc=0 seq=1/1 size=168. Stream9:CLEAR:NOZRTP.</i></div></div><div><i><br></i></div><div>Once that's successfull indeed ZRTP appears to work properly, although I still see a lot of errors like this:</div>
<div><br></div><div><div>2<i>014-06-10 16:18:01.509898 [DEBUG] switch_rtp.c:1352 [zrtp protoco]: ERROR! Decrypt failed. ID=9:DH s=SRTP authentication failure (RTP size=51 ssrc=690666908 seq=20192/20192 pt=111)</i></div>
<div>
<i>2014-06-10 16:18:01.509898 [DEBUG] switch_rtp.c:1352 [ zrtp engine]: Add 140 bytes of entropy to the RNG pool.</i></div></div><div><i><br></i></div><div>Now I guess this could be due to dropped packets, but I'm curious if others have seen the same thing in their setups.</div>
<div>Also, I see this message in the FS logs. On the CS logs everything seems to be fine. Why does FS think that CS needs new un-enrolment? I presume that nedpint is actually a typo for endpoint, but this just made me more confused.</div>
<div><br></div><div><div><i>2014-06-10 16:18:01.769867 [DEBUG] switch_rtp.c:1352 [zrtp protoco]: <span style="white-space:pre-wrap"> </span>INFO! The user requires new un-enrolment - the nedpint may clear the cache or perform other action. ID=9</i></div>
<div><i>c60c4480-f0ba-11e3-aa6e-ddba267b1226 2014-06-10 16:18:01.769867 [DEBUG] switch_rtp.c:1323 User unenrolled!</i></div><div><i>2014-06-10 16:18:01.769867 [DEBUG] switch_rtp.c:1352 [ zrtp cache]: <span style="white-space:pre-wrap"> </span>cache_put() zid1=346638366666393864366363, zis2=3888449c219de624b44b3ece MiTM=NO</i></div>
<div><i>2014-06-10 16:18:01.769867 [DEBUG] switch_rtp.c:1352 [ zrtp cache]: <span style="white-space:pre-wrap"> </span>cache_put() Just update existing value.</i></div></div><div><br></div><div><br></div><div>Any ideas as to what's happening?</div>
<div><br></div><div>Thanks</div></div>
</blockquote></div><br></div>
<br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div>