Good day!
This is my first post ever on this website.
I will try to include as many details as I possibly can.
My company recently started using Thirdlane MTE to provide hosted PBX solutions to clients locally in my country. I am in no way an Asterisk expert and can do a few things within the CLI.
We recently began having problems with one client where they were unable to make any internal calls, but outbound worked fine. In monitoring over the CLI, using the "asterisk -r", I saw the error come up as follows:
[2012-05-08 09:15:29] WARNING[19172]: chan_sip.c:3551 retrans_pkt: Retransmission timeout reached on transmission 1a9131e90ba3eab20c60485e6e23caa0@X.X.X.X:5060 for seqno 102 (Critical Request) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
For company security, I have not included our public IP address in that error message.
So as instructed, I went to see https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Unfortunately, I still couldn't understand where the problem lies. The server itself is not behind NAT and other clients behind NAT were not having any problems. In fact, the only firewall that we have on that server is the Linux firewall (configured via Webmin).
During the initial setup, we outsourced some assistance to have the server secured and also properly set up. Since then, I have personally included many different restrictions to ensure that only authorized IP and MAC addresses were allowed to connect to the SIP ports (5060:5069). See below the setup as shown by Webmin.
Now firstly, yesterday I was making some changes to some of the IPs in the list. I accidentally deleted one of the IPs and was forced to click "Revert changes". When I did that, I lost all of the comments. I had to fill in what I could remember. All blank comment lines mean I don't know what it does.
In the first picture, I know one of the ICMP types dropped is the response to pings. I'm not sure what the purpose of access to port 53, 443 and 113 is, but it was set up by someone else.
If the issue lies somewhere in this configuration, you can stop reading here.
Based on some research in this forum, I have deduced that I needed to include the string "insecure=port,invite" when setting up the extension. Therefore, by default, all extensions contain that string under "Other options".
We are using/distributing the following phones:
Yealink SIP-T22P - http://www.yealink.com/index.php/Products/detail/id/3
Yealink SIP-T28P - http://www.yealink.com/index.php/Products/detail/id/1
Gigaset C610AIP - http://gigaset.com/hq/en/product/GIGASETC610AIP.html
Gigaset SL78H - http://gigaset.com/hq/en/product/GIGASETSL78H.html
The problem with Yealink phones on Thirdlane was that I needed to set Qualify to "No" as it causes some form of communication problem. Unfortunately I can't find the thread online that recommended this action. Below, you will see the output when I enter "sip show peers" in the CLI.
Tenants "Bronze" and "Standard" are test clients and would therefore be offline.
I couldn't understand why these phones were registering to ports outside of the 5060:5069 range, but I was advised that this is normal when NAT occurs.
All clients use the G.729 codec to preserve bandwidth.
Any advice?
Thanks in advance!
Just realised I posted the wrong link to the webmin images.
Those are just thumbnails.
Here are the right ones:
http://postimage.org/image/uctezni1j/
http://postimage.org/image/cbaa1uo0n/
http://postimage.org/image/59ccfnkev/
Based on some research in this forum, I have deduced that I needed to include the string "insecure=port,invite" when setting up the extension.
This is not something you want to do on an extension. You want your phones authenticating. The insecure=port,invite is for peer-to-peer trunks to service providers where both ends are a fixed, constant IP.
If you were to set
host=dynamic
and insecure=port,invite
on the same extension, you would literally give everyone who wanted it free outbound dialing.
So should I remove the insecure setting on the extensions?
I'm really not sure what to do...
Host is dynamic.
Thanks very much for your response...
Yes, and then paste the sip.conf entry for one of the extensions. You can leave the secret= entry blank.
I googled this "sip.conf" file.
I hope what I've presented here is what you need.
Here is a known problem extension.
They're all basically the same.
XXX replaces the initials of the tenant.
[100-XXX]
qualify=no
nat=yes
pickupgroup=9
callerid=*name* <100>
context=from-inside-XXX
insecure=port,invite
canreinvite=no
vmexten=100
parkinglot=parkinglot_XXX
secret=
host=dynamic
username=100-XXX
subscribecontext=local-extensions-XXX
dtmfmode=rfc2833
type=friend
mailbox=100@default-XXX
disallow=all
allow=g729
Edit:
I haven't removed the insecure settings as yet, but will do so following your next suggestion.
Turn on qualify and remove insecure off of every extension of every tenant in this system. Are you sure you have enough g729 licenses to go around? Experiment with ulaw/alaw in order to rule out codec licensing issues.
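Added example, not part of any poster's message and not Thirdlane or Asterisk tooling: a small Python audit that lists every sip.conf section combining host=dynamic with an insecure value that includes invite, the combination warned about above, and also notes an explicit qualify=no. The sample configuration is constructed, the function names are hypothetical, and [general] defaults and template inheritance are not resolved.

```python
import re

# Constructed sample shaped like the extension posted in this thread, plus a fixed-IP trunk.
SAMPLE_SIP_CONF = """\
[100-XXX]
type=friend
host=dynamic
qualify=no
insecure=port,invite   ; set on every extension
secret=

[provider-trunk]
host=192.0.2.10
insecure=port,invite

[101-XXX]
host=dynamic
qualify=yes
"""

def parse_sections(text):
    """Return {section: {key: value}}; a repeated key keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        header = re.match(r"\[([^\]]+)\]", line)     # also matches [name](template)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)          # 'key=value' and 'key => value'
            current[key.strip().lower()] = value.strip().lstrip(">").strip().lower()
    return sections

def audit(text):
    """Return (section, finding) pairs for host=dynamic entries only."""
    findings = []
    for name, opts in parse_sections(text).items():
        if opts.get("host") != "dynamic":
            continue                                 # fixed-IP trunks are out of scope
        flags = {flag.strip() for flag in opts.get("insecure", "").split(",")}
        if "invite" in flags:
            findings.append((name, "insecure includes invite on a dynamic host"))
        if opts.get("qualify") == "no":
            findings.append((name, "qualify=no"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SIP_CONF):
        print(f"{section}: {finding}")
```

Run it against a copy of the real file by passing its contents to `audit()`; values are lower-cased during parsing, so do not reuse the parsed dictionary to read secrets.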
eeman,
Thanks very much for your suggestion.
So far everything seems to work.
I appreciate your professional opinion and very timely answers.
All seems well.
Thanks again!
cjm-tt
Retransmission timeout reached on transmission
Hi,
We recently upgraded our Thirdlane MT to the 64-bit version, and ever since we have been experiencing lots of failed calls and call drops. Please find below the warning from the CLI.
WARNING[2364]: chan_sip.c:3687 retrans_pkt: Retransmission timeout reached on transmission 1850698654-5060-6@BJC.BGI.B.BEH for seqno 41 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 17535ms with no response
My extension configuration is as follows:
Nat = yes
Qualify = yes
can reinvite = no
port = 5060
insecure = port,invite
I would really appreciate your help on the same.
Thanks
Please tell me you did not set up all your extensions with insecure=port,invite.
You do know what that does, right? You do understand how letting full invites go through when host=dynamic can be a really, really bad exploit that could make for a really bad surprise, right?
Yes, I am not sure.
I searched on Google and got this as a fix.
Earlier it was as below:
Nat = yes
Qualify = yes
can reinvite = no
There were lots of call drops and failed calls, so I included a couple of settings:
port = 5060
insecure = port,invite
After changing it to insecure=port,invite it is working fine.
Please let me know if this is a threat; if so, please give me an alternative setting which can solve the problem.
Thanks
insecure=port,invite means that it accepts calls without authentication. That will allow anyone to place calls on your network, which will let someone get free calling and drive up some significant costs on your part.
It really should not impact in-progress calls, because once the call starts there are no more SIP messages or SDP messages; it's just an RTP audio stream.
It seems the pictures didn't come up... not sure why.
Here are the webmin pictures:
http://s7.postimage.org/uctezni1j/webmin_1.jpg
http://s7.postimage.org/cbaa1uo0n/webmin_2.jpg
http://s7.postimage.org/59ccfnkev/webmin_3.jpg
Here is the picture in CLI showing "sip show peers"
http://s7.postimage.org/6t9epbbx7/peers_1.jpg