[Freeswitch-users] 401 Unauthorized / phone, router or my fs config?

Charlie Orford charlie.orford at attackplan.net
Tue Nov 22 17:53:52 MSK 2011


Hi Vitalie

Thank you very much for the hint. Enabling
<param name="NDLB-force-rport" value="true"/> worked and the phone was able to
register.

Watching the siptrace, one thing bothers me. Immediately after the phone 
registers, FS sends a NOTIFY but it looks like this is sent to the wrong 
port (i.e. it doesn't use the rport value). Is this correct? Pastebin 
copy of the transcript is here: http://pastebin.com/S2LWzrY7

I also decided to see if the Aastra phones had a setting to enable rport 
and it turned out they did. I tried enabling this and setting 
"NDLB-force-rport" back to false in the FS profile but this resulted in 
the phone being unable to register again. It gets further than before in 
that it replies to the FS server request for authorization, however, it 
seems the phone then tries to register again (this time specifying the 
rport value for the port in the Contact header), FS replies again with a 
200 OK but the phone displays "No Service" and doesn't think it is 
registered. Running "sofia status profile internal" from the fs_cli 
seems to show the phone as registered twice (see: 
http://pastebin.com/PUWLNm7a ). For a pastebin of the complete 
registration transcript under this scenario, please see: 
http://pastebin.com/nRk8inVR

Kind Regards,
Charlie



On 22/11/2011 08:16, Vitalie Colosov wrote:
> Most probably some NAT issue happens on the client side.
>
> Router is not doing port translation as required.
>
> FS replies to a port which is indicated in REGISTER request (correct), 
> however client expects the reply on a different port.
>
> Try to enable <param name="NDLB-force-rport" value="true"/> in the 
> profile.
>
> http://wiki.freeswitch.org/wiki/Sofia_Configuration_Files#NDLB_.28A.K.A._No_device_left_behind.29
>
>
> Please reply if this helped.
>
> Vitalie
>
> 2011/11/21 Charlie Orford <charlie.orford at attackplan.net>
>
>     Hello list
>
>     I am an asterisk refugee and currently in the midst of moving our
>     voip platform across to freeswitch. The goal is to have FS in the
>     cloud (on a dedicated Linode virtual machine running Debian
>     Squeeze), with all office phones (Aastra 57i units) connecting via
>     the public internet.
>
>     FS is compiled and running on the linode machine (using the latest
>     git build from a week ago). It is set up to listen on the public IP
>     only so there is no NAT happening at the server end. All relevant
>     firewall ports are open (tcp/udp 5060, tcp/udp 5080 and udp
>     16384:32768).
>
>     Because our office net connection has a dynamic IP, we are using
>     (or trying to use) digest authentication rather than ACLs in order
>     to control user/extension access to the internal sip profile.
>
>     The problem:
>
>     For some reason, none of our phones are able to successfully
>     register with FS. Running fs_cli with logging at 7 and enabling
>     "sofia global siptrace on" shows that the phones make contact and
>     try to REGISTER but when FS replies with a 401 Unauthorized and
>     requests the phone authenticate via digest, the phone seems to
>     ignore this and just repeatedly keeps sending the same original
>     REGISTER request with no accompanying Authorization header.
>
>     My hunch is that the problem must lie with the phone or our router
>     rather than FS but I'm a little out of my depth with this problem
>     and so would appreciate any insight or advice.
>
>
>     For a transcript of a failed registration between our FS server
>     and a phone at the office, please see:
>     http://pastebin.com/1qRudrvE  (note: server and phone IPs have been
>     changed to protect the innocent).
>
>     I also have a screen shot of the phone's SIP config here:
>     http://imgur.com/2lwiN  (we are running the latest publicly
>     available Aastra firmware on the phones - v3.2.2.56).
>
>     Finally, in case it is relevant, the router at the office is a
>     Draytek Vigor 2600 ADSL router (about 5 years old now but working
>     happily as far as we know).
>
>
>     Thanks + Regards,
>     Charlie
>
>
>
>
>
>
>     _________________________________________________________________________
>     Professional FreeSWITCH Consulting Services:
>     consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>     http://www.freeswitchsolutions.com
>
>     
>     
>
>     Official FreeSWITCH Sites
>     http://www.freeswitch.org
>     http://wiki.freeswitch.org
>     http://www.cluecon.com
>
>     FreeSWITCH-users mailing list
>     FreeSWITCH-users at lists.freeswitch.org
>     <mailto:FreeSWITCH-users at lists.freeswitch.org>
>     http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>     UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>     http://www.freeswitch.org
>

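The reply-port behaviour discussed in this thread, as an added example that is not part of the original messages and is not FreeSWITCH code: it computes where a SIP server sends a UDP response under RFC 3261 section 18.2.2 (port from the Via header) and under RFC 3581 (rport, the packet's source port). The force_rport argument, the function names and the sample addresses are assumptions made for illustration; only IPv4 and hostname sent-by values are parsed.

```python
import re

def parse_via(via):
    """Split a Via header value into (sent-by host, sent-by port, params)."""
    m = re.match(r"SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?(.*)", via.strip())
    if not m:
        raise ValueError("unparseable Via: %r" % via)
    host, port, rest = m.groups()
    params = {}
    for item in rest.split(";"):
        if item.strip():
            key, _, value = item.strip().partition("=")
            params[key.lower()] = value
    return host, int(port) if port else 5060, params

def response_target(via, src_ip, src_port, force_rport=False):
    """Return the (ip, port) a UDP response is sent to.

    force_rport is a hypothetical flag modelling a server that treats every
    request as if the client had sent ;rport.
    """
    _host, via_port, params = parse_via(via)
    if "rport" in params or force_rport:
        return src_ip, src_port      # RFC 3581: back to the packet's source
    # RFC 3261 18.2.2: IP from "received" (the packet source), port from Via
    return src_ip, via_port

def diagnose(via, src_ip, src_port):
    """Compare both reply paths against the NAT binding the request used."""
    plain = response_target(via, src_ip, src_port)
    return {
        "behind_nat": parse_via(via)[0] != src_ip,
        "reply_without_rport": plain,
        "reply_with_rport": response_target(via, src_ip, src_port, True),
        "plain_reply_hits_binding": plain == (src_ip, src_port),
    }

# Constructed sample: a phone at 192.168.1.50:5060 whose router rewrote the
# source to 203.0.113.7:1027 (documentation addresses, not from the thread).
SAMPLE_VIA = "SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-constructed"

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_VIA, "203.0.113.7", 1027).items():
        print(key, value)
```

When plain_reply_hits_binding is False, the 401 challenge goes to a port the router has no mapping for, which matches a phone that keeps resending its REGISTER without an Authorization header.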