Page 1 of 1

SIP outgoing works, incoming calls get dropped after 30 sec

Posted: Fri Jan 06, 2012 12:30 am
by gosi
Hi guys,

I become a bit lazy after using AVM FritzBoxes all the time and god, they surely make all the magic happen by themself :)
Anyhow I hope somebody has a bright idea for my problem: I have RB493G and it is really a great tool for me.
In my setup it is the NAT router in front of a cable modem for my little home network.
It does DHCP and all the rest, but nothing really fancy.
I made two traffic queues, one for P2P and one for the rest. Every port does get routed through,
I also added port 5060 and 10000 (my providers stun server) to the sip helper.

The VoIP calls does get in the high priority queue btw, so I would assume that is okay.

When I setup the call with my sip telephone everything is fine,
I can talk for minutes and nothing interferes at all.

If I get a call to my SIP telephone it works for a few seconds and then gets dropped.
Talking is possibe in both directions. In the log of the phone I can see,
that it does use the STUN server, but sadly it does not tell my why the call gets dropped.

I assume for some reason my routerboard closes some connection,
maybe somebody got a hint? I have read a bit about session tracking time out,
but not sure if that is it ...

Thanks for your help!

Kind regards,
Daniel

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 06, 2012 12:38 am
by gosi
Almost forgot:

[admin@MikroTik] /ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 10s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 10s
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
udp-timeout: 10s
udp-stream-timeout: 3m
icmp-timeout: 10s
generic-timeout: 10m
tcp-syncookie: no
max-entries: 481472
total-entries: 101

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Mon Jan 09, 2012 6:07 pm
by gosi
nobody has an idea / tip for me?

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Tue Jan 10, 2012 8:45 pm
by THG
Disable SIP helper and add dst NAT rules for SIP and RTP. STUN does not work with symmetric NAT, so do not use booth at the same time.

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Thu Jan 12, 2012 5:54 pm
by tyronzn
This is a typical nat issue,try THG's method otherwise i will have to dig down memory lane on how i fixed my issue like this.

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Thu Jan 12, 2012 10:17 pm
by gosi
thanks for the tip, I have to figre out the ports my PBX uses for SIP and then forward it accordingly.
Will try tomorrow and let you know, thanks!

BTW: I always though STUN was made to fix the "SIP behind NAT" issue ...

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 13, 2012 10:23 am
by THG
STUN is not a self-contained NAT traversal solution applicable in all NAT deployment scenarios and does not work correctly with all of them.

STUN does work with primarily three types of NAT.
  • Full cone NAT
  • Restricted cone NAT
  • Port restricted cone NAT
http://en.wikipedia.org/wiki/Network_ad ... ranslation

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 13, 2012 11:03 am
by gosi
Thanks for your help, one more question: symetric nat is what the mikrotik devices do, when I just configure masquerading for the external interface?

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 13, 2012 2:02 pm
by THG
STUN should not be enabled if SIP helper (SIP ALG) is also enabled in your router. STUN requires that the NAT device allow all traffic that is directed to a particular port, and that the traffic is forwarded to the client on the inside. This means that STUN only works with less-secure NATs, so-called “full-cone” NATs, and that the internal client will be exposed to an attack from anyone who can capture the STUN traffic. STUN may be useful for some, but is generally not considered a viable solution for enterprises. In addition, STUN cannot be used with symmetric NATs. This may be a drawback in many situations as most enterprise-class firewalls are symmetric (including RouterOS).

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 13, 2012 2:29 pm
by gosi
Thanks for your elaborate explanation! So actually the only way with symetric NAT is to forward the according ports to the SIP device,
and expose it this way to the outside all the time? It would be nice if at least the SIP device could auto open the ports via UPNP or something like that.
I know it is not wise to use UPNP, as every device connected to the LAN could open ports, but still, it sounds a bit better than exposing the SIP device to the outside all time, right?

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 13, 2012 3:59 pm
by THG
It's not a problem if your PBX is properly secured, your service providers PBX is exposed to the public internet.

http://www.voipmechanic.com/securing-asterisk.htm

http://sysadminman.net/blog/2009/hackin ... server-592

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 13, 2012 4:15 pm
by gosi
okay, I understand, in my case the PBX is a small Siemens BizIP and well, it is not maintained anymore, so I wonder what to do.
Also the setup it way too small for a proper Asterisk setup ...

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 13, 2012 6:28 pm
by THG
I found this product with google, is that your PBX?

http://wiki.siemens-enterprise.com/imag ... _BizIP.pdf

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 13, 2012 6:37 pm
by gosi
yes, correct. One good thing about Siemens: their wiki is actually quite useful:

Here is additional information: http://wiki.siemens-enterprise.com/wiki/HiPath_BizIP

I run the BizIP AD20 and I have 3 BizIP 410a connected to it so far. Works pretty well...

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 13, 2012 9:31 pm
by THG
Can you tell us more about your network setup (take a look at page 133-135)?

http://wiki.siemens-enterprise.com/imag ... _BizIP.pdf

I have had similar problems with my Siemens VOIP phones, until I found out that RTP base port were hardcoded to 5004.

According to the manual, HiPath BizIP was developed primarily as a router behind the WAN. This is the most widespread application and is recommended without reservation. There is no information at all in the admin manual about RTP port numbers, only SIP port.

On page 135, it looks like the following is required for a PBX behind an external router. The manual for my Siemens VOIP phones said the same thing, but it worked quite well with port forwarding after I found out the correct hard coded port numbers.

Prerequisites
• Active SIP provider must have entered STUN = Activated and an available STUN server.
• The external router must transparently route incoming SIP packets to port 5060.
• The external router must transparently route incoming fragmented IP packets (for example, Freenet’s INVITE).

This worked with my Siemens VOIP phones (symmetric NAT section).

http://gigaset.com/medias/sys_master/Vo ... ng_en.html

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 13, 2012 9:33 pm
by siscom
Hi,

When dealing with Siemens IP telephony products we have usually found that seeing the traffic via Wireshark helps as this can show up any stuff that you might otherwise miss.

Rgds,
Mark.

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Fri Jan 13, 2012 9:45 pm
by THG
Exactly, this is the way I found out the correct port numbers.

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Mon Jan 16, 2012 11:17 pm
by gosi
Awesome! Seems to work like a charm and gladly I only had to forward UDP ports,
so my security concerns were not that real.

btw: if you mirror traffic for wireshark analysis, do you use a routerboard for that?
Back when I was more into network engineering I always had this Hub with me to do that ;)

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Sun Jan 22, 2012 10:09 pm
by gosi
Sadly I was a bit fast with saying everything is okay, but I am coming closer and narrowing down the problem.

I have found out something: as I use the BizIP AD 20 behind a router there are certain steps that need to be done,
as stated above I did that, activated stun, forwarded the ports, etc. but with the AD 20 something seems to be different.

When I setup the WAN connection with 0.0.0.0/0.0.0.0 as in the manual, then incoming calls work fine,
no time limitation, but on outgoing calls the voice of the partner is not arriving. So I tried different settings with STUN (on, off, automatic),
forwarded UDP 5004, 5006, etc and nothing did change that fact. Then I changed the WAN interface to 0.0.0.0/255.255.255.255,
which seemed better to me, then the incoming calls work fine, but break up after 30 seconds, but in that mode outgoing calls work just fine.

it is fun, that the WAN settings do even affect the whole setup, as the interface is just disabled...

With paket capturing I found nothing so far, as it seems that all the ports get forwarded correctly,
so the Routerboard seems to do its job properly, but something is still going wrong and that totally blows.

Somebody got an idea?

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Mon Jan 23, 2012 12:58 am
by THG
The manual said something about WAN IP = blank/mask = 0.0.0.0, and port forward 5060 from the external router (page 135 in the english manual).

http://wiki.siemens-enterprise.com/imag ... _BizIP.pdf

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Mon Jan 23, 2012 1:21 am
by gosi
Yes, sorry I meant that ip address field is empty and netmask is set to 0.0.0.0 or 255.255.255.255 gives the result described above.

Re: SIP outgoing works, incoming calls get dropped after 30

Posted: Mon Jul 30, 2012 8:41 am
by Miklim
STUN should not be enabled if SIP helper (SIP ALG) is also enabled in your router. STUN requires that the NAT device allow all traffic that is directed to a particular port, and that the traffic is forwarded to the client on the inside. This means that STUN only works with less-secure NATs, so-called “full-cone” NATs, and that the internal client will be exposed to an attack from anyone who can capture the STUN traffic. STUN may be useful for some, but is generally not considered a viable solution for enterprises. In addition, STUN cannot be used with symmetric NATs. This may be a drawback in many situations as most enterprise-class firewalls are symmetric (including RouterOS).
How do I make mikrotik router to behave like a full cone nat?
That is, how I can work with a stun and nat symmetric mikrotik without this annoying, my workspace is my house, I do not need much security, I would like my RB to behave with a full cone nat.

The problem is I do not know the amount of RTP ports, are many and variales in time to make an effective port forwarding.

What would you recommend to get this?

Re: SIP outgoing works, incoming calls get dropped after 30 sec

Posted: Sat Oct 08, 2016 3:04 am
by j12289
This is an old post but I ran into this issue today and nowhere on the web can you find an actual solution.

My scenario:

Softphone - - - Elastix - - - 24 port 10/100 swith - - - MT750r2 - - - Internet

Outgoing calls from the customer were not dropping but incoming calls would drop on the money every 31 seconds. Yes, I know, there are a lot of details more needed for something like this, but rather than write 3 pages about my local config I will just state my solution.

SIP helper on the MT has a setting that is only accessible through CLI called SIP timeout. This value out of the box on a RB750r2 with ROS 6.30 was preset to 30 seconds for whatever retarded reason. The value that this setting requests seems to be in seconds according to my tests here. MT, correct me if I'm wrong on that. I set it to 3600 seconds and my problems disappeared.

Complex firewalls are never simple I guess. I hope this saves somebody from pulling out too much hair.