[Freeswitch-users] Random calls failing with WRONG_CALL_STATE when using TLS

Emrah lists at kavun.ch
Tue Jan 19 10:25:41 MSK 2016


Hi there,
So what do we do of this?
I don’t have any TLS issues except with FreeSWITCH. And to everyone here, it’s an issue with the equipment or the soft phone.
I tried FS V1.2, 1.4, 1.6 and 1.7.
Now remember this is something that can be reproduced with Yealink, Polycom, and I recently found out that Counterpath Bria was in the same basket.
https://support.counterpath.com/topic/intermittent-tls-403-forbidden-error

We know what the problem is. When the TLS packet is too large, possibly because of a long list of codecs, the TLS thread crashes on the client.

The question is, how can this happen only when using FS? The same clients do OK with other TLS enabled PBXs.

Emrah
> On Jan 14, 2016, at 1:09 PM, Emrah <lists at kavun.ch> wrote:
> 
> I was certain that I’d fixed all my issues with an FS update to 1.6. 
> After much frustration and over a year of trial and error, I found out that the TLS session breaks if the content of the packet is too large.
> This was also confirmed with the FS documentation that lists this issue as a generic Polycom issue: Generic Polycom issues <https://freeswitch.org/confluence/display/FREESWITCH/Polycom#Polycom-GenericPolycomissues>
> 
> I can confirm that this also happens with Yealink phones and a couple of other Softphones including Blink Pro on Mac OS X.
> 
> So far, I’ve only experienced this with FS. I’ve not been able to replicate this with other SIP servers that can also transport and handle media.
> 
> Anyone else can relate to this?
> 
> Anyway, what’s worked for me is to make my packets as small as possible by reducing the number of offered codecs to the bare minimum. 
> 
> Best,
> E
>> On Mar 3, 2015, at 2:38 PM, Brian West <brian at freeswitch.org> wrote:
>> 
>> sofia global siptrace on 
>> sofia loglevel all 9
>> 
>> Then outline the scenario and config on the JIRA.
>> 
>> On Tue, Mar 3, 2015 at 7:54 AM, Emrah <lists at kavun.ch> wrote:
>> Hey Brian, just saw this message.
>> There is no other UA in between FS and the endpoint. There is a regular NAT, that's all.
>> What seems to happen is:
>> endpoint -> FS: invite = ok
>> FS -> endpoint: 407 = OK
>> Endpoint -> FS: invite = Fails with SSL error.
>> 
>> What are the components I should capture to open up a Jira? FS Logs, FS Siptrace, anything else?
>> 
>> Thanks!
>>> On Feb 16, 2015, at 2:44 PM, Brian West <brian at freeswitch.org> wrote:
>>> 
>>> Via: SIP/2.0/TLS 1.2.3.4:443;branch=z9hG4bK6Kv171Q3U5rrD
>>> 
>>> Your issue is the contact has no port 443 or transport=tls right?  What sits between FS and the endpoint?
>>> 
>>> On Sun, Feb 15, 2015 at 5:38 AM, Emrah <lists at kavun.ch> wrote:
>>> Thanks Ken. Is there a way to filter the SIP trace? It's a busy box.
>>> 
>>>> On Feb 14, 2015, at 3:35 AM, Ken Rice <krice at freeswitch.org> wrote:
>>>> 
>>>> Open a Jira with a full debug login including sip tracing on
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>> On Feb 13, 2015, at 7:57 PM, Emrah <lists at kavun.ch> wrote:
>>>> 
>>>>> Hi,
>>>>> The issue is persistent. I am curious to know if anyone else on the list is experiencing this. It doesn't seem to have been reported before.
>>>>> Should I dedicate a profile to TLS use only?
>>>>> I also posted a message on the list about receiving options packet with the wrong transport. Are these 2 issues connected? Here is a copy paste of my message:
>>>>> 
>>>>> My experience with FS and TLS has been rather mixed so far. It's been a little inconsistent in keeping NAT sessions up and users discoverable.
>>>>> One thing I've noticed is that FS advertises the wrong information in option packets. The following is what I receive over my TLS session which is working on port 443.
>>>>> 1.2.3.4:443 -(SIP over TLS)-> 10.0.0.99:51132
>>>>> OPTIONS sip:53178246 at 10.0.0.99:56494;transport=tls;received=5.6.7.8:51132 SIP/2.0
>>>>> Via: SIP/2.0/TLS 1.2.3.4:443;branch=z9hG4bK6Kv171Q3U5rrD
>>>>> Route: <sip:53178246 at 5.6.7.8:51132>;transport=tls
>>>>> Max-Forwards: 70
>>>>> From: <sip:mod_sofia at 1.2.3.4:5060>;tag=Q6XDFHeUUrcHD
>>>>> To: <sip:user at domain.com>
>>>>> Call-ID: 0a052f23-34a8-4158-8c88-fd2a70ffb561_c2RhaSoOYBR6jfJe4ndLoTTKJMrO2gMv
>>>>> CSeq: 71498568 OPTIONS
>>>>> Contact: <sip:mod_sofia at 1.2.3.4:5060>
>>>>> User-Agent: FreeSWITCH
>>>>> Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
>>>>> Supported: timer, path, replaces
>>>>> Allow-Events: talk, hold, conference, presence, as-feature-event, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer
>>>>> Content-Length: 0
>>>>> 
>>>>> As you can see FS stamps the packet with a port 5060... No reference to port 443 with a transport=tls.
>>>>> 
>>>>> What shall be done?
>>>>> 
>>>>>> On Feb 5, 2015, at 3:18 PM, Emrah <lists at kavun.ch> wrote:
>>>>>> 
>>>>>> Hi there,
>>>>>> This issue is happening all around with devices using TLS. It's not very frequent with softphones, but not inexistent.
>>>>>> Any pointers would be greatly appreciated. Do you have best practice configs you'd like to share?
>>>>>> 
>>>>>> Thanks
>>>>>>> On Jan 30, 2015, at 6:10 PM, Emrah <lists at kavun.ch> wrote:
>>>>>>> 
>>>>>>> Hi all,
>>>>>>> I am facing a very frustrating issue. I often have to dial twice when using my Yealink phone with TLS because the first attempt times out.
>>>>>>> The logs on the Yealink indicate that the first invite is successfully received, to which my FS sends a 100 trying and 407 proxy auth required. It is subsequently when my phone sends back the invite that the connection crashes with the following error:
>>>>>>> SSL ERROR SYSCALL
>>>>>>> 
>>>>>>> Is this something common? Why does the SSL connection crash when the phone attempts to send the second invite? My phone is behind NAT.
>>>>>>> 
>>>>>>> It is going to be a crazy expedition to collect the logs and Pastebin them, so I am tempting my luck on the list first to see if you have any pointers.
>>>>>>> 
>>>>>>> As a last piece, my Bria on my iPhone, among other clients, never had this issue. I did experience it from time to time with Blink on Mac OS X.
>>>>>>> 
>>>>>>> Any help appreciated.
>>>>>>> 
>>>>>>> Emrah
>>>>>> 
>>>>> 
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services: 
>>>>> consulting at freeswitch.org <mailto:consulting at freeswitch.org>
>>>>> http://www.freeswitchsolutions.com <http://www.freeswitchsolutions.com/>
>>>>> 
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org <http://www.freeswitch.org/>
>>>>> http://confluence.freeswitch.org <http://confluence.freeswitch.org/>
>>>>> http://www.cluecon.com <http://www.cluecon.com/>
>>>>> 
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org <mailto:FreeSWITCH-users at lists.freeswitch.org>
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users <http://lists.freeswitch.org/mailman/listinfo/freeswitch-users>
>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users <http://lists.freeswitch.org/mailman/options/freeswitch-users>
>>>>> http://www.freeswitch.org <http://www.freeswitch.org/>_________________________________________________________________________
>>> 
>>> 
>>> 
>>> -- 
>>> Brian West
>>> brian at freeswitch.org
>>> 
>>> Twitter: @FreeSWITCH , @briankwest
>>> http://www.freeswitchbook.com
>>> http://www.freeswitchcookbook.com
>>> T:+19184209001 | F:+19184209002 | M:+1918424WEST (9378)
>>> iNUM:+883 5100 1420 9001 | ISN:410*543 | Skype:briankwest
>>> 
> 
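
A check for the mismatch discussed in this thread (topmost Via on TLS port 443 while the Contact carries port 5060 and no transport=tls), as an added example that is not part of any poster's message and is not FreeSWITCH code. The sample message is reconstructed from the quoted OPTIONS trace with the archive's "user at host" obfuscation undone and the long headers omitted; the function names are hypothetical.

```python
import re

# Reconstructed from the OPTIONS trace quoted in the thread (constructed sample:
# "user at host" archive obfuscation undone, long headers omitted).
SAMPLE_OPTIONS = (
    "OPTIONS sip:53178246@10.0.0.99:56494;transport=tls SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 1.2.3.4:443;branch=z9hG4bK6Kv171Q3U5rrD\r\n"
    "From: <sip:mod_sofia@1.2.3.4:5060>;tag=Q6XDFHeUUrcHD\r\n"
    "To: <sip:user@domain.com>\r\n"
    "CSeq: 71498568 OPTIONS\r\n"
    "Contact: <sip:mod_sofia@1.2.3.4:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

VIA_RE = re.compile(r"SIP/2\.0/(\w+)\s+([^;:\s]+)(?::(\d+))?")
URI_RE = re.compile(r"<?(sips?):(?:[^@>;]+@)?([^:;>\s]+)(?::(\d+))?([^>]*)>?")

def headers(msg):
    """Return SIP headers as a dict keyed by lower-cased name (first value wins)."""
    out = {}
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip request line
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), value.strip())
    return out

def contact_mismatches(msg):
    """Hypothetical helper: list how the Contact URI disagrees with the topmost Via."""
    h = headers(msg)
    via = VIA_RE.search(h.get("via", ""))
    uri = URI_RE.search(h.get("contact", ""))
    if not via or not uri:
        return ["missing or unparsable Via/Contact"]
    via_transport, via_host, via_port = via.group(1).upper(), via.group(2), via.group(3)
    scheme, host, port, params = uri.groups()
    tparam = re.search(r";transport=(\w+)", params, re.I)
    problems = []
    if host != via_host:
        problems.append(f"host {host} != Via {via_host}")
    if via_port and port != via_port:
        problems.append(f"port {port or '(default)'} != Via {via_port}")
    tls_ok = scheme == "sips" or (tparam and tparam.group(1).lower() == "tls")
    if via_transport == "TLS" and not tls_ok:
        problems.append("Via is TLS but Contact has neither sips: nor transport=tls")
    return problems

if __name__ == "__main__":
    for problem in contact_mismatches(SAMPLE_OPTIONS):
        print(problem)
```

Run over a saved siptrace, a check like this helps separate the Contact/transport mismatch from the SSL failures on the second INVITE when filing the Jira.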
