Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA

Port Forwarding Issue

I am trying to set up port forwarding for a TrixBox system that uses SIP to connect to the VoIP provider. Calls coming in from the VoIP provider are sometimes routed through; however, sometimes the system doesn't respond. We believe this is an issue with the ports being blocked. As such, this is my NAT configuration.

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.0.1.101 56839 interface FastEthernet4 56839
ip nat inside source static tcp 10.0.1.101 5639 interface FastEthernet4 5639
ip nat inside source static udp 10.0.1.101 5639 interface FastEthernet4 5639
ip nat inside source static tcp 10.0.1.110 5060 interface FastEthernet4 5060
ip nat inside source static udp 10.0.1.110 5060 interface FastEthernet4 5060
ip nat inside source static tcp 10.0.1.110 443 71.43.20.147 443 route-map nonat extendable
ip nat inside source static udp 10.0.1.101 56839 71.43.20.147 56839 extendable
 

However whenever I use the port checking tools online they still say 5060 is blocked.

nosx

join:2004-12-27
00000
kudos:5

Post the full config with the access-lists interfaces and route-map.



Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA

DeltaV#show conf
Using 6599 out of 131072 bytes
!
! Last configuration change at 04:32:23 PCTime Fri May 25 2007 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname DeltaV
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 ***
enable password 7 ***
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login local_authen local
aaa authorization exec default local 
aaa authorization exec local_author local 
aaa authorization ipmobile default group rad_pmip 
aaa accounting network acct_methods
 action-type start-stop
 group rad_acct
!
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3401533534
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3401533534
 revocation-check none
 rsakeypair TP-self-signed-3401533534
!
!
crypto pki certificate chain TP-self-signed-3401533534
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
dot11 syslog
!
dot11 ssid Vortex
 authentication open 
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 ***
!
no ip source-route
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.99
ip dhcp excluded-address 10.0.2.1 10.0.2.99
!
ip dhcp pool Internal-net
   import all
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.1 
   domain-name DeltaV.local
   dns-server 208.67.222.222 208.67.220.220 
   lease 4
!
ip dhcp pool VLAN20
   import all
   network 10.0.2.0 255.255.255.0
   default-router 10.0.2.1 
   domain-name DeltaV.local
   lease 4
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name DeltaV.local
ip inspect name MYFW appfw MYFW
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ipv6 cef
!
appfw policy-name MYFW
  application http
    port-misuse p2p action reset alarm
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 ***
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_MYFW
 class sdm_p2p_bittorrent
!
!         
! 
!
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 spanning-tree portfast
 !
!
interface FastEthernet1
 spanning-tree portfast
 !
!
interface FastEthernet2
 spanning-tree portfast
 !
!
interface FastEthernet3
 spanning-tree portfast
 !
!
interface FastEthernet4
 description WAN$FW_OUTSIDE$$ETH-WAN$
 ip address 71.43.20.*** 255.255.255.248
 ip access-group Internet-inbound-ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect MYFW out
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
 !
 service-policy input sdmappfwp2p_MYFW
 service-policy output sdmappfwp2p_MYFW
!
interface Dot11Radio0
 description WiFi
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no dot11 extension aironet
 !
 encryption mode ciphers aes-ccm 
 !
 broadcast-key change 3600
 !
 !
 ssid Vortex
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 channel 2412
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 !
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
!
interface BVI1
 description Bridge to Internal Network$FW_INSIDE$
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 !
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.0.1.101 56839 interface FastEthernet4 56839
ip nat inside source static tcp 10.0.1.101 5639 interface FastEthernet4 5639
ip nat inside source static udp 10.0.1.101 5639 interface FastEthernet4 5639
ip nat inside source static tcp 10.0.1.110 5060 interface FastEthernet4 5060
ip nat inside source static udp 10.0.1.110 5060 interface FastEthernet4 5060
ip nat inside source static tcp 10.0.1.110 443 71.43.20.147 443 route-map nonat extendable
ip nat inside source static udp 10.0.1.101 56839 71.43.20.147 56839 extendable
ip route 0.0.0.0 0.0.0.0 71.43.20.145
!
ip access-list extended Guest-ACL
 deny   ip any 10.0.1.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
!
logging trap debugging
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 2 deny   any
no cdp run
 
!
!
!
!         
snmp-server community public RO
snmp-server community private RW
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
 !
!
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 password 7 ***
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 password 7 ***
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 

nosx

join:2004-12-27
00000
kudos:5

1 edit

Can you try removing the ACL and zone based firewall from Fa4 and seeing if the port is available then?


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Edrick

Think you just need to add a "permit tcp any any eq 5060" and
"permit udp any any eq 5060" to your Internet-inbound-ACL ACL
to fix this. You're permitting echo / echo-reply, traceroute
gre and esp packets but dropping everything else.

You may want to take a look at this thread »Router ACL question
and this link »www.cisco.com/en/US/docs/ios/sec···upp.html
for some pointers on SIP.

Just out of curiosity, when you're in config mode, is the SIP
protocol in the list of options for "ip inspect name MYFW ?" output?

Regards



Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA

I added those; however, same deal, and yes, it's in the list of commands.

DeltaV(config)#ip access-list extended Internet-inbound-ACL
DeltaV(config-ext-nacl)#permit udp any any eq 5060
DeltaV(config-ext-nacl)#permit tcp any any eq 5060
DeltaV(config-ext-nacl)#exit
DeltaV(config)#wr

DeltaV(config)#ip inspect name MYFW ?

and that lists SIP in there.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Edrick

Can you do a "show ip access-list Internet-inbound-ACL" to make sure the order
of permits / denies is right after the change? Cisco ACLs process top-down
and have an implicit "deny all" at the end.

Speaking of implicit denies, you may want to put an explicit "deny any any log"
at the end and watch your logs and see what is getting denied when you try and
send traffic on port 5060 (which should be SIP by default) to your router.

Regards
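The top-down, first-match evaluation with an implicit deny that HELLFIRE describes is easy to get wrong when entries are inserted in the wrong order. Below is an added example (not code from the thread, and not a Cisco tool) that models the thread's Internet-inbound-ACL as a small Python evaluator: it walks the entries in sequence order, reports which entry matched and whether that entry logs, falls through to the silent implicit deny when nothing matches, and flags entries that an earlier, broader entry shadows. It uses CIDR notation instead of IOS wildcard masks and models only the static ACL, not the dynamic openings that the `ip inspect MYFW out` inspection on FastEthernet4 creates for return traffic; the test addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry, simplified: CIDR sources/destinations instead of wildcard masks."""
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # "any" or a CIDR such as "10.0.1.0/24"
    dst: str
    dport: Optional[int] = None      # "eq <port>" on the destination (tcp/udp)
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ... (icmp)
    log: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_match(ace.src, pkt.src) or not _addr_match(ace.dst, pkt.dst):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """First match wins, top-down. Returns (action, matching seq, logged).
    Traffic that matches nothing hits the implicit deny, which never logs."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.seq, ace.log
    return "deny", None, False


def _addr_covers(spec_a: str, spec_b: str) -> bool:
    if spec_a == "any":
        return True
    if spec_b == "any":
        return False
    return ip_network(spec_b, strict=False).subnet_of(ip_network(spec_a, strict=False))


def covers(a: Ace, b: Ace) -> bool:
    """True when every packet that matches b would already have matched a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and _addr_covers(a.src, b.src) and _addr_covers(a.dst, b.dst)
            and (a.dport is None or a.dport == b.dport)
            and (a.icmp_type is None or a.icmp_type == b.icmp_type))


def shadowed(acl: List[Ace]) -> List[int]:
    """Sequence numbers of entries that can never match because an earlier entry covers them."""
    return [ace.seq for i, ace in enumerate(acl)
            if any(covers(earlier, ace) for earlier in acl[:i])]


def internet_inbound_acl(deny_log_at_end: bool = True) -> List[Ace]:
    """The thread's Internet-inbound-ACL after the 5060 permits were added."""
    acl = [
        Ace(10, "permit", "icmp", "any", "any", icmp_type="echo"),
        Ace(20, "permit", "icmp", "any", "any", icmp_type="echo-reply"),
        Ace(30, "permit", "gre", "any", "any"),
        Ace(40, "permit", "esp", "any", "any"),
        Ace(50, "permit", "tcp", "any", "any", dport=5060),
        Ace(60, "permit", "udp", "any", "any", dport=5060),
    ]
    if deny_log_at_end:
        acl.append(Ace(70, "deny", "ip", "any", "any", log=True))
    return acl


def misordered_acl() -> List[Ace]:
    """The same entries with the catch-all deny inserted at sequence 5, above the permits."""
    return [Ace(5, "deny", "ip", "any", "any", log=True)] + internet_inbound_acl(False)


if __name__ == "__main__":
    # Constructed remote address; the local address is the router's WAN IP from the thread.
    sip = Packet("udp", "198.51.100.7", "71.43.20.147", dport=5060)
    print("correct order :", evaluate(internet_inbound_acl(), sip))
    print("deny on top   :", evaluate(misordered_acl(), sip))
    print("shadowed seqs :", shadowed(misordered_acl()))
```

Running the module prints the permit at sequence 60 for the correctly ordered list, the logged deny at sequence 5 for the misordered one, and the list of six entries that the misplaced deny makes unreachable, which is exactly the condition `show ip access-list` is being used to rule out in the thread.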



Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA
reply to Edrick

DeltaV#show ip access-list Internet-inbound-ACL
Extended IP access list Internet-inbound-ACL
    10 permit icmp any any echo (23 matches)
    20 permit icmp any any echo-reply
    30 permit icmp any any traceroute
    40 permit gre any any
    50 permit esp any any
    60 permit udp any any eq 5060
    70 permit tcp any any eq 5060 (1 match)
DeltaV#
 


Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA
reply to Edrick

After adding those lines the system no longer registers (TrixBox) with the VoIP Provider.


nosx

join:2004-12-27
00000
kudos:5

1 edit

Honestly, my recommendation would be to not firewall SIP traffic. You will want to perform a full proxy instead.

That means setting up your router to register with your SIP provider, and register your trixbox to your router instead of the provider.

Either give the SIP box an unfiltered internet connection or perform a full L7 proxy (like a session border controller would).



Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA

If I really wanted, I could just put the TrixBox on its own static IP; however, everyone on the TrixBox forums highly recommends against putting the box on an unfiltered connection. The only thing that needs to be done is have the proper ports forwarded, which shouldn't be a hard task. I'm just new to the Cisco world.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Edrick

@edrick
Without knowing the right ports the app is talking on, it's a shot in
the dark. That's why I referred to the previous thread and link, and
as far as I know, SIP talks on TCP/UDP 5060. There's also SIP-TLS
which is on TCP/UDP 5061, hence why I suggested adding the "deny any
any log" to your Internet-inbound-ACL ACL so you could see what was
coming back to the TrixBox.

Looking at your NAT statements, can you explain further what their
intended function is? I'm sure these two:

quote:
ip nat inside source static tcp 10.0.1.110 5060 interface FastEthernet4 5060
ip nat inside source static udp 10.0.1.110 5060 interface FastEthernet4 5060
are for the TrixBox itself. What are the rest of the statements for?

Regards


Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA
reply to Edrick

Hey, I actually cleared out all custom rules that were in place. I'm not sure how some of them got in there; I don't assume the Cisco router can just auto-open ports that programs request? I looked up the others like 5639 and 56839 and they were for an online game I had played before.

I'll add in what you recommended to see what's happening.

Using 6112 out of 131072 bytes
!
! Last configuration change at 03:37:32 PCTime Sat May 26 2007 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname DeltaV
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 
enable password 7 
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login local_authen local
aaa authorization exec default local 
aaa authorization exec local_author local 
aaa authorization ipmobile default group rad_pmip 
aaa accounting network acct_methods
 action-type start-stop
 group rad_acct
!
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3401533534
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3401533534
 revocation-check none
 rsakeypair TP-self-signed-3401533534
!
!
crypto pki certificate chain TP-self-signed-3401533534
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
dot11 syslog
!
dot11 ssid Vortex
 authentication open 
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 
!
no ip source-route
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.99
ip dhcp excluded-address 10.0.2.1 10.0.2.99
!
ip dhcp pool Internal-net
   import all
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.1 
   domain-name DeltaV.local
   dns-server 208.67.222.222 208.67.220.220 
   lease 4
!
ip dhcp pool VLAN20
   import all
   network 10.0.2.0 255.255.255.0
   default-router 10.0.2.1 
   domain-name DeltaV.local
   lease 4
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name DeltaV.local
ip inspect name MYFW appfw MYFW
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW sip
no ipv6 cef
!
appfw policy-name MYFW
  application http
    port-misuse p2p action reset alarm
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_MYFW
 class sdm_p2p_bittorrent
!
!
! 
!         
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 spanning-tree portfast
 !
!
interface FastEthernet1
 spanning-tree portfast
 !
!
interface FastEthernet2
 spanning-tree portfast
 !
!
interface FastEthernet3
 spanning-tree portfast
 !        
!
interface FastEthernet4
 description WAN$FW_OUTSIDE$$ETH-WAN$
 ip address 71.43.20.147 255.255.255.248
 ip access-group Internet-inbound-ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect MYFW out
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
 !
 service-policy input sdmappfwp2p_MYFW
 service-policy output sdmappfwp2p_MYFW
!
interface Dot11Radio0
 description WiFi
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no dot11 extension aironet
 !
 encryption mode ciphers aes-ccm 
 !
 broadcast-key change 3600
 !
 !
 ssid Vortex
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 channel 2412
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 !
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
!
interface BVI1
 description Bridge to Internal Network$FW_INSIDE$
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 !
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.0.1.101 5639 interface FastEthernet4 5639
ip route 0.0.0.0 0.0.0.0 71.43.20.145
!
ip access-list extended Guest-ACL
 deny   ip any 10.0.1.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit gre any any
 permit esp any any
!
logging trap debugging
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 2 deny   any
no cdp run
 
!
!
!
!
snmp-server community public RO
snmp-server community private RW
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
 !
!
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 password 7 
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 password 7 
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 


Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA
reply to Edrick

How would I set up the logging based on what you said to enter?


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Edrick

quote:
config t
logging buffered 51200 debugging
ip access-list extended Internet-inbound-ACL
deny ip any any log
do sh ip access-list Internet-inbound-ACL (and make sure the above line went in and is at the end of the ACL)
^Z
copy run start
Fire up the TrixBox and get either it or the other endpoint talking and do a "show log,"
or set up a syslog server to log the denies to and see what's incoming.

Regards


Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA

2 edits
reply to Edrick

DeltaV#sh ip access-list Internet-inbound-ACL
Extended IP access list Internet-inbound-ACL
10 permit icmp any any echo
20 permit icmp any any echo-reply
30 permit gre any any
40 permit esp any any
50 permit tcp any any eq 5060 (1 match)
60 permit udp any any eq 5060
70 deny ip any any log (18 matches)
DeltaV#

Then I made an outgoing call from the Cisco IP Phone and did show log. This is what I got:

DeltaV#show log
Syslog logging: enabled (0 messages dropped, 4 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
 
No Active Message Discriminator.
 
No Inactive Message Discriminator.
 
    Console logging: level critical, 0 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 40 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
 
No active filter modules.
 
ESM: 0 messages dropped
 
    Trap logging: level debugging, 48 message lines logged
          
Log Buffer (51200 bytes):
 
*Mar  1 00:00:13.255: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized 
*Mar  1 00:00:13.259: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled 
*Mar  1 00:00:14.779: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Mar  1 00:00:14.779: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
*Mar  1 00:00:15.787: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar  1 00:00:15.787: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4, changed state to up
*Mar  1 00:00:17.223: USB init complete.
000008: *Feb 28 19:00:48.711 PCTime: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:00:48 UTC Mon Mar 1 1993 to 19:00:48 PCTime Sun Feb 28 1993, configured from console by console.
000009: *Feb 28 19:00:48.715 PCTime: %SYS-6-CLOCKUPDATE: System clock has been updated from 19:00:48 PCTime Sun Feb 28 1993 to 19:00:48 PCTime Sun Feb 28 1993, configured from console by console.
000010: *Feb 28 19:00:48.955 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
000011: *Feb 28 19:01:07.575 PCTime: %SYS-5-CONFIG_I: Configured from memory by console
000012: *May 10 01:21:35.004 PCTime: %FW-6-INIT: Firewall inspection startup completed; beginning operation.
000013: *May 10 01:21:35.544 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
000014: *May 10 01:21:35.548 PCTime: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 30-Sep-09 08:42 by prod_rel_team
000015: *May 10 01:21:35.548 PCTime: %SNMP-5-COLDSTART: SNMP agent on host DeltaV is undergoing a cold start
000016: *May 10 01:21:35.616 PCTime: %SSH-5-ENABLED: SSH 1.99 has been enabled
000017: *May 10 01:21:35.668 PCTime: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
000018: *May 10 01:21:35.668 PCTime: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
000019: *May 10 01:21:35.672 PCTime: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
000020: *May 10 01:21:35.680 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
000021: *May 10 01:21:36.032 PCTime: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   001f.5bcf.fa9b Reassociated SSID[Vortex] AUTH_TYPE[OPEN] KEY_MGMT[WPAv2 PSK]
000022: *May 10 01:21:36.640 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
000023: *May 10 01:21:36.672 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
000024: *May 10 01:21:36.944 PCTime: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
000025: *May 10 01:21:36.948 PCTime: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
000026: *May 10 01:21:37.944 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
000027: *May 10 01:21:37.944 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to up
000028: *May 10 01:21:37.948 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down
000029: *May 10 01:21:37.948 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to up
000030: *May 10 01:21:51.031 PCTime: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   0023.6c7f.e0bc Associated SSID[Vortex] AUTH_TYPE[OPEN] KEY_MGMT[WPAv2 PSK]
000031: *May 10 01:22:58.606 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 72.246.113.244(80) -> 71.43.20.147(60454), 1 packet  
000032: *May 10 01:22:59.703 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 208.91.131.38(143) -> 71.43.20.147(59949), 1 packet  
000033: *May 10 01:23:03.280 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 205.188.1.75(5190) -> 71.43.20.147(58988), 1 packet  
000034: *May 10 01:23:14.466 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 208.91.131.38(993) -> 71.43.20.147(59944), 1 packet  
000035: *May 10 01:23:22.132 PCTime: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.1.109)
000036: *May 10 01:23:39.524 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied udp 208.67.222.222(53) -> 71.43.20.147(47412), 1 packet  
000037: *May 10 01:23:47.946 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 66.117.43.129(80) -> 71.43.20.147(55289), 1 packet  
000038: *May 10 01:24:02.693 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 72.246.113.244(80) -> 71.43.20.147(60454), 1 packet  
000039: *May 10 01:24:12.487 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 174.140.129.13(80) -> 71.43.20.147(55298), 1 packet  
000040: *May 10 01:24:17.596 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 69.63.181.45(80) -> 71.43.20.147(55304), 1 packet  
000041: *May 10 01:24:22.710 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 208.91.131.38(143) -> 71.43.20.147(59948), 1 packet  
000042: *May 10 01:24:34.696 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 11 packets 
000043: *May 10 01:24:37.633 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 208.91.131.38(993) -> 71.43.20.147(59939), 1 packet  
000044: *May 10 01:24:45.267 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 95.211.94.242(80) -> 71.43.20.147(55089), 1 packet  
DeltaV# 
 

The time on the router is incorrect; here is the current time setting:

DeltaV#show clock detail
*01:28:57.716 PCTime Thu May 10 2007
No time source
Summer time starts 02:00:00 PCTime Sun Apr 6 2003
Summer time ends 02:00:00 PCTime Sun Oct 26 2003
DeltaV#

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Edrick

May be time to get your router configured for NTP, Edrick.

Okay, 71.43.20.147 is obviously your public IP address, and this is the chunk of the logs we're most interested in.

*May 10 01:22:58.606 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 72.246.113.244(80) -> 71.43.20.147(60454), 1 packet -- Akamai
*May 10 01:22:59.703 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 208.91.131.38(143) -> 71.43.20.147(59949), 1 packet -- Netriplex
*May 10 01:23:03.280 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 205.188.1.75(5190) -> 71.43.20.147(58988), 1 packet -- AOL
*May 10 01:23:14.466 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 208.91.131.38(993) -> 71.43.20.147(59944), 1 packet -- Netriplex
*May 10 01:23:22.132 PCTime: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.1.109)
*May 10 01:23:39.524 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied udp 208.67.222.222(53) -> 71.43.20.147(47412), 1 packet -- OpenDNS
*May 10 01:23:47.946 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 66.117.43.129(80) -> 71.43.20.147(55289), 1 packet -- Carpathia Hosting
*May 10 01:24:02.693 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 72.246.113.244(80) -> 71.43.20.147(60454), 1 packet -- Akamai
*May 10 01:24:12.487 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 174.140.129.13(80) -> 71.43.20.147(55298), 1 packet -- Carpathia Hosting
*May 10 01:24:17.596 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 69.63.181.45(80) -> 71.43.20.147(55304), 1 packet -- Facebook
*May 10 01:24:22.710 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 208.91.131.38(143) -> 71.43.20.147(59948), 1 packet -- Netriplex
*May 10 01:24:34.696 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 11 packets
*May 10 01:24:37.633 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 208.91.131.38(993) -> 71.43.20.147(59939), 1 packet -- Netriplex
*May 10 01:24:45.267 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 95.211.94.242(80) -> 71.43.20.147(55089), 1 packet -- LeaseWeb B.V.

When did you make the call through the Cisco phone (corrected for your PCTime of course) and did you have any issues?
From the logs so far, nothing is coming in on port 5060 yet

Regards
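HELLFIRE's reading of the buffer above is done by eye: pick out the `%SEC-6-IPACCESSLOGP` lines, look at which side's port is the well-known one, and check whether anything ever arrived on 5060. The following is an added example (not code from the thread or from any Cisco tool) that does the same triage over a copy of the log, so it can be rerun after every call attempt or pointed at a syslog file. It parses the deny entries into records, keeps a running count of packets the router reports as rate-limited or missed (the `%SEC-6-IPACCESSLOGRL` line, which otherwise silently hides hits), groups the denies by remote and local port, and isolates hits on a watched port. The sample input mixes lines taken from the `show log` output in this thread with one constructed 5060 entry from a documentation-range address (198.51.100.7) so the watched-port path is exercised; `looks_like_reply` is a heuristic of my own, not an IOS classification.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Sample buffer: first five lines are copied from the thread's "show log", the
# last line is constructed so that a hit on the watched SIP port appears.
SAMPLE_LOG = """\
000031: *May 10 01:22:58.606 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 72.246.113.244(80) -> 71.43.20.147(60454), 1 packet
000035: *May 10 01:23:22.132 PCTime: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.1.109)
000036: *May 10 01:23:39.524 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied udp 208.67.222.222(53) -> 71.43.20.147(47412), 1 packet
000042: *May 10 01:24:34.696 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 11 packets
000043: *May 10 01:24:37.633 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied tcp 208.91.131.38(993) -> 71.43.20.147(59939), 1 packet
000044: *May 10 01:24:45.267 PCTime: %SEC-6-IPACCESSLOGP: list Internet-inbound-ACL denied udp 198.51.100.7(5060) -> 71.43.20.147(5060), 3 packets
"""

# %SEC-6-IPACCESSLOGP carries: list name, permitted/denied, protocol, src(port) -> dst(port), packet count
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# %SEC-6-IPACCESSLOGRL reports hits the router did not log individually
RL_RE = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?(?P<missed>\d+) packets")


def parse_acl_log(text: str) -> Tuple[List[Dict], int]:
    """Return (records, missed): parsed ACL log entries and the number of packets
    the router reported as rate-limited or missed."""
    records: List[Dict] = []
    missed = 0
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            records.append(rec)
            continue
        m = RL_RE.search(line)
        if m:
            missed += int(m.group("missed"))
    return records, missed


def looks_like_reply(rec: Dict) -> bool:
    """Heuristic: a well-known remote port talking to a high local port is usually
    a late reply to a connection we opened, not an unsolicited inbound attempt."""
    return rec["sport"] < 1024 and rec["dport"] >= 1024


def summarize(records: List[Dict], local_ip: str, watch_port: int = 5060) -> Dict:
    """Group denied packets addressed to local_ip by remote and local port, and
    collect every entry aimed at watch_port."""
    remote_ports: Counter = Counter()
    local_ports: Counter = Counter()
    watch_hits = []
    for rec in records:
        if rec["action"] != "denied" or rec["dst"] != local_ip:
            continue
        remote_ports[(rec["proto"], rec["sport"])] += rec["count"]
        local_ports[(rec["proto"], rec["dport"])] += rec["count"]
        if rec["dport"] == watch_port:
            watch_hits.append((rec["proto"], rec["src"], rec["sport"], rec["count"]))
    return {"remote_ports": remote_ports, "local_ports": local_ports, "watch_hits": watch_hits}


if __name__ == "__main__":
    recs, missed = parse_acl_log(SAMPLE_LOG)
    summary = summarize(recs, "71.43.20.147")
    print(f"{len(recs)} denies parsed, {missed} packets not logged (rate-limited)")
    for rec in recs:
        kind = "reply?" if looks_like_reply(rec) else "inbound"
        print(f"  {kind:8s} {rec['proto']} {rec['src']}:{rec['sport']} -> :{rec['dport']} x{rec['count']}")
    print("hits on watched port:", summary["watch_hits"])
```

On the thread's real buffer the watched-port list comes back empty and every deny classifies as a probable reply, which is the same conclusion HELLFIRE reaches ("nothing is coming in on port 5060 yet"); the rate-limit counter is the part worth watching, since 11 unlogged packets could hide exactly the SIP attempt being looked for.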



Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA
reply to Edrick

Hey, after I noticed the time was off I set it up with NTP. As far as the calls go, it seems to be an intermittent problem. Usually I am always able to make calls out. However, for some reason the VoIP provider's system once in a while doesn't route the call to me and instead it uses the failover destination. The technician said it seems that the system is trying to connect on another port other than 5060 and to make sure I had port forwarding set up. The port he said it was trying to connect on was 1024.

quote:
We send by port 5060. Looks like your device is set up for 1024.

Then I responded back and told him that it was indeed set up for 5060 and he suggested checking for port forwarding. So should I just sit here calling the number until it doesn't go through?

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Edrick

At that point, I'd tell whoever you're talking with to get someone technical
on the line because you don't need a monkey reading from a script. Sorry,
I've a very low tolerance for technical BS, and that sort of answer reads as
the worst kind.

First off, SIP as far as I know talks on 5060 and 5061, so I don't know what
this 'failover' thing they're talking about is and I want written documentation
on what they're talking about.

Second, I'd like to know what they're talking about port 1024 because again
SIP doesn't work that way according to my information, and I want documentation
on what they're talking about and how it works.

I can tell you now that so long as you have the inside source static
tcp / udp 5060 interface 5060, port forwarding is configured.

Now with the logging turned on and your NTP sync'd, you should hopefully have
some way of backtracking this 'failover' they're mentioning.

Just out of curiosity, is this the website for Tribox? »www.tribox.org/

Regards


nosx

join:2004-12-27
00000
kudos:5

1 edit

»www.trixbox.org/
And trixbox isn't much more than a pre-packaged Asterisk (»www.asterisk.org/) install. SIP is just the control connection, and it can run over any arbitrary port. As long as both sides are able to communicate cleanly across that TCP port, signaling information can get from place to place.
The headaches come later, after the signaling has negotiated an actual transmission of information (like a phone call) and they decide how the endpoints should forward traffic to each other, which is a whole other discussion. This is where packet trace usefulness ends and SIP trace begins. You care what the content of the SIP connection is to figure out why the call can't be established.



Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA
reply to Edrick

Basically, what the failover is, is a destination to call in the event that their servers don't get a response from my SIP box. So I make a call on my cell phone; it gets routed to their systems, and at that point either my system is registered with their network and it passes the call along to my PBX, which then rings my Cisco IP Phone. However, in the event that the system doesn't get a response fast enough, it'll just ring the failover phone number, which is used as a backup, thus not traversing my network at all.

So for some reason, at random intervals, the system won't see the TrixBox server, and from what I understand (I don't know where he got this number) the box is registering via port 1024 instead of 5060. So they said to check to make sure the system has correct port forwarding. Now I've set it up; however, when I use a port checker it says it doesn't get a response.


nosx

I have no idea what a port checker is. PM me your IP and I'll try to hit TCP 5060 from a couple of different locations.


HELLFIRE

quote:
This is where packet trace usefulness end and siptrace begins. You care what the content of the SIP connection is to figure out why the call cant be established.
Oh PLEASE tell me this is not where we need an end-to-end Wireshark session :P

Regards

nosx

HELLFIRE, it's OK, the server wasn't listening on the port.

The ACL permitted the traffic, and the NAT correctly passed the traffic to the server. The server was sending RST replies because the Asterisk service isn't listening on TCP port 5060.

Edit: Also, when I'm talking about SIP trace, I'm not talking about packet captures but output from the soft switch, SBC, or anything terminating the SIP connection, to determine what it's thinking.

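An added example, not code from the thread or from Trixbox/Asterisk, that does by hand what nosx did and what the online "port checker" could not: it separates a TCP port that answers with RST (the forward works, nothing is listening, which is what nosx found on TCP 5060) from one that is genuinely dropped, and then probes the UDP side with a SIP OPTIONS request, since that is where chan_sip actually signals by default. The target host name and the addresses in the request are placeholders chosen for illustration.

```python
"""
Added example: distinguish open / closed (RST) / filtered (no answer) on TCP,
then send a SIP OPTIONS over UDP and report whatever status line comes back.
Nothing here is from the original post; host names and ports are placeholders.
"""
import random
import socket
import string


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """'open' = handshake completed, 'closed' = host replied RST,
    'filtered' = nothing came back within the timeout (dropped in transit)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    finally:
        s.close()


def _token(n: int) -> str:
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=n))


def build_sip_options(target: str, port: int, local_ip: str, local_port: int) -> bytes:
    """Minimal RFC 3261 OPTIONS request. ';rport' on the Via asks the far end to
    echo the source port it really saw (RFC 3581), which exposes NAT rewriting."""
    lines = [
        f"OPTIONS sip:{target}:{port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK{_token(12)};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={_token(8)}",
        f"To: <sip:{target}:{port}>",
        f"Call-ID: {_token(16)}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_sip_status(data: bytes):
    """Return (code, reason) from a SIP response start line, or None if the
    bytes are not a SIP response at all."""
    first = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def probe_sip_udp(host: str, port: int = 5060, timeout: float = 3.0):
    """Send OPTIONS over UDP; return (code, reason) or None if nothing answers."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))  # UDP connect only fixes the peer address
        local_ip, local_port = s.getsockname()
        s.send(build_sip_options(host, port, local_ip, local_port))
        return parse_sip_status(s.recv(4096))
    except (socket.timeout, ConnectionRefusedError):
        return None  # ICMP port unreachable surfaces as ConnectionRefusedError
    finally:
        s.close()


if __name__ == "__main__":
    target = "pbx.example.net"  # placeholder for the PBX public address
    print("tcp/5060:", probe_tcp(target, 5060))
    print("udp/5060 OPTIONS:", probe_sip_udp(target, 5060))
```

Run it from outside the NAT: "closed" on TCP together with a "200 OK" (or any SIP status) on UDP means the forwarding is fine and the checker was simply testing the wrong transport; "filtered" on both means something in the path is still dropping port 5060.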

HELLFIRE

...thought SIP was pretty much designed to be human-readable even from
a sniffer trace. I'd still like Trixbox to explain that 'failover'
thing, though; now it's driving me nuts what the guy told Edrick, but
quite frankly I think whoever Edrick was dealing with didn't know what
they were talking about.

Regards



Edrick

Here's the whole ticket log; this is from our VoIP provider.

quote:
Description
I have my DID 321 that's set up with a TrixBox PBX. More than half of the time the system doesn't get the inbound call from you guys. I have no issues registering, and the times that it does work there's no issue. However, usually it just rings over and over until getting a busy signal. Even with the failover settings it seems to do the same.

Updates
Date: Sat - Jan, 30th 2010

Time: 02:50:34 PM

Who: Customer Support

Testing this number 3215944124, the call completes on first try. A gentleman answered the phone. If you are having an issue, it is not replicable from our NOC. If not able to replicate, we cannot address your issue. To do additional testing, please call our support line 18882048647 at your convenience.

Date: Sat - Jan, 30th 2010

Time: 04:57:34 PM

Who: Brightverse Networks

I didn't answer the phone; it never rang here, so I'm unsure who you spoke to or if the number was dialed correctly. However, as I said, I haven't received any call or failover call.

Date: Sat - Jan, 30th 2010

Time: 08:47:43 PM

Who: Customer Support

I have called and spoken with the tech from Brightverse Networks who is handling this ticket. I reached him at 3215944124. He was the gentleman I spoke to earlier. I have placed a few more test calls, unable to replicate. This may be an intermittent issue, which means further testing is needed. I will run a capture and keep looking to replicate the issue.

Date: Sat - Jan, 30th 2010

Time: 09:12:46 PM

Who: Customer Support

64.136.174.24 -> 71.43.20.147 SIP/SDP Request: INVITE sip:3215944124@71.43.20.147:1024, with session description
64.136.174.24 -> 71.43.20.147 SIP/SDP Request: INVITE sip:3215944124@71.43.20.147:1024, with session description
64.136.174.24 -> 71.43.20.147 SIP/SDP Request: INVITE sip:3215944124@71.43.20.147:1024, with session description
64.136.174.24 -> 71.43.20.147 SIP/SDP Request: INVITE sip:3215944124@71.43.20.147:1024, with session description
64.136.174.24 -> 71.43.20.147 SIP/SDP Request: INVITE sip:3215944124@71.43.20.147:1024, with session description
64.136.174.24 -> 71.43.20.147 SIP/SDP Request: INVITE sip:3215944124@71.43.20.147:1024, with session description
64.136.174.24 -> 71.43.20.147 SIP Request: CANCEL sip:3215944124@71.43.20.147:1024

Date: Sat - Jan, 30th 2010

Time: 09:19:34 PM

Who: Customer Support

Looks like when the issue occurs your IP is not replying back and the call is timing out. I will continue to look into this. Can you post your incoming trunk settings that you are using.

Date: Sun - Jan, 31st 2010

Time: 02:42:59 PM

Who: Brightverse Networks

disallow=all
allow=ulaw
context=from-trunk              ; inbound calls from this trunk land in from-trunk
host=chi-in.voipstreet.com      ; provider's inbound SIP host
insecure=very                   ; old spelling of insecure=port,invite: no auth challenge on INVITEs from host
secret=
type=friend                     ; matched for both inbound and outbound
user=
username=

Date: Sun - Jan, 31st 2010

Time: 08:23:23 PM

Who: Customer Support

We send by port 5060. Looks like your device is set up for 1024.

Date: Mon - Feb, 15th 2010

Time: 04:21:52 PM

Who: Brightverse Networks

Hi, from looking at the config the system uses 5060. Do you know where else I could check this? I know you don't support the devices; however, I believe you had someone who was familiar with trixbox. It's TrixBox 2.8, and I looked in /etc/asterisk/sip.conf and it's 5060.

Date: Tue - Feb, 16th 2010

Time: 07:28:04 AM

Who: Customer Support

This is most likely due to NAT from your firewall. Please make sure your router/firewall is not handling NAT for your registrations.


HELLFIRE

@Edrick
Good thing they provided you their ticket worklog. So it looks like they have
logs from their side: they were sending a SIP INVITE request to your port
1024, and that got terminated with a SIP CANCEL from them to you, again on
your port 1024. It would be nice if they also had timestamps of when this
happened, but...

Right now, if you've done additional testing between them and you (you
calling them and them calling you with no failures), I guess the only
thing to do is to wait for the next occurrence of when they try and send
on your port 1024 again. If they're willing to commit resource(s) to a
live troubleshooting and test session, take it; make it fail and have all
parties looking at it at the same time.

I'd take deepblackmag's advice and see if any sort of SIP trace can be taken
from your side, as well as a record of what's happening from your side,
along with the router ACL logs, when they start sending to your port 1024 again.

Regards
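An added example, not code from the thread or from Trixbox/Asterisk, for the "siptrace from your side" that HELLFIRE asks for and for reading captures like the one in the provider ticket: it parses SIP messages copied out of an Asterisk SIP debug log, a pcap dump or the ticket, and reports the port each side believes the other is listening on. The NAT mechanism assumed here is RFC 3581: a registrar that honours ';rport' writes the source address and port it actually observed into the top Via as received=/rport=, so if a NAT rewrote the REGISTER's source port the far end learns something like 71.43.20.147:1024 and later sends INVITEs there, which is the pattern in the ticket capture. Whether that is what happened on this network is not established by the thread. The two sample messages, the caller number and the tags in them are constructed.

```python
"""
Added example: a small SIP message reader that flags port mismatches between
what the far end uses (Request-URI, Via received=/rport=) and the port the
PBX listens on. Sample messages are constructed, not taken from a real trace.
"""
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ?(.*)$")
SIP_URI = re.compile(r"sips?:(?:[^@]+@)?([^:;>\s]+)(?::(\d+))?")


def parse_sip(raw: str) -> dict:
    """Split a SIP message into start-line fields, lower-cased headers, body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    msg = {"headers": {}, "body": body}
    m = REQUEST_LINE.match(lines[0])
    if m:
        msg["method"], msg["uri"] = m.group(1), m.group(2)
    else:
        m = STATUS_LINE.match(lines[0])
        if not m:
            raise ValueError("not a SIP start line: %r" % lines[0])
        msg["status"], msg["reason"] = int(m.group(1)), m.group(2)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            msg["headers"].setdefault(name.strip().lower(), []).append(value.strip())
    return msg


def uri_host_port(uri: str, default: int = 5060):
    """Host and port of a SIP URI; port defaults to 5060 when absent."""
    m = SIP_URI.search(uri)
    if not m:
        return None, None
    return m.group(1), (int(m.group(2)) if m.group(2) else default)


def via_observed(msg: dict):
    """(received, rport) from the top Via: where the far end saw us come from."""
    vias = msg["headers"].get("via") or msg["headers"].get("v") or []
    if not vias:
        return None, None
    params = {}
    for p in vias[0].split(";")[1:]:
        k, _, v = p.strip().partition("=")
        params[k] = v
    rport = params.get("rport", "")
    return params.get("received"), (int(rport) if rport.isdigit() else None)


def contact_port(msg: dict, default: int = 5060):
    contacts = msg["headers"].get("contact") or msg["headers"].get("m") or []
    return uri_host_port(contacts[0], default)[1] if contacts else None


def diagnose(msg: dict, listen_port: int = 5060) -> str:
    """One-line verdict comparing the far end's idea of our port to listen_port."""
    if "method" in msg:
        host, port = uri_host_port(msg["uri"], listen_port)
        if port == listen_port:
            return f"{msg['method']} targets {host}:{port}: matches PBX listener"
        return f"{msg['method']} targets {host}:{port}; PBX listens on {listen_port}: port mismatch"
    received, rport = via_observed(msg)
    if rport is not None and rport != listen_port:
        return (f"{msg['status']} {msg['reason']}: registrar saw us at {received}:{rport}, "
                f"PBX listens on {listen_port}: NAT rewrote the source port")
    return f"{msg['status']} {msg['reason']}: no port mismatch in Via"


# Constructed: a 200 OK to our REGISTER, as a registrar supporting rport would
# send it if our packets arrived from 71.43.20.147 with source port 1024.
REGISTER_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 10.0.1.110:5060;branch=z9hG4bK0a1b2c;received=71.43.20.147;rport=1024",
    "From: <sip:3215944124@chi-in.voipstreet.com>;tag=as1234",
    "To: <sip:3215944124@chi-in.voipstreet.com>;tag=reg5678",
    "Call-ID: abc@10.0.1.110",
    "CSeq: 2 REGISTER",
    "Contact: <sip:3215944124@10.0.1.110:5060>;expires=120",
    "Content-Length: 0", "", ""])

# Constructed: the inbound INVITE shape from the ticket capture (caller number invented).
INVITE = "\r\n".join([
    "INVITE sip:3215944124@71.43.20.147:1024 SIP/2.0",
    "Via: SIP/2.0/UDP 64.136.174.24:5060;branch=z9hG4bKdeadbeef",
    "From: <sip:15555550100@64.136.174.24>;tag=1a2b",
    "To: <sip:3215944124@71.43.20.147:1024>",
    "Call-ID: inv1@64.136.174.24",
    "CSeq: 1 INVITE",
    "Contact: <sip:15555550100@64.136.174.24:5060>",
    "Content-Length: 0", "", ""])

if __name__ == "__main__":
    for raw in (REGISTER_OK, INVITE):
        print(diagnose(parse_sip(raw)))
```

Feed it the messages from the PBX side (an Asterisk SIP debug capture, or the router-side pcap) when the provider next reports port 1024: if the REGISTER responses carry rport=1024 the translation is happening on the outbound path and the static NAT entries are not the ones being used for that flow; if they carry rport=5060 the provider learned 1024 some other way and their own trace is the place to look.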