
Summary: ASTERISK-23033: direct call can't be placed over h323 if peer is not registered in gatekeeper
Reporter: Dmitry Melekhov (slesru)
Labels:
Date Opened: 2013-12-19 00:55:46.000-0600
Date Closed:
Priority: Minor
Regression?
Status: In Progress/In Progress
Components: Addons/chan_ooh323
Versions: 11.7.0
Frequency of Occurrence:
Related Issues:
Environment: Centos 6
Attachments: ( 0) h323_log
Description: If we have asterisk registered in the gatekeeper and call a peer directly, the call doesn't pass but gets stuck:

   -- Executing [6401@sipphones:1] Dial("SIP/6052-00000008", "OOH323/6401@cisco") in new stack
   -- Called OOH323/6401@cisco


I'll be glad to provide any useful info.

Thank you!
Comments:

By: Rusty Newton (rnewton) 2013-12-19 18:52:32.019-0600

Thank you for taking the time to report this bug and helping to make Asterisk better. Unfortunately, we cannot work on this bug because your description did not include enough information. You may find it helpful to read the Asterisk Issue Guidelines http://www.asterisk.org/developers/bug-guidelines. We would be grateful if you would then provide a more complete description of the problem. At a minimum, we need:

1. the specific steps or actions you took that caused you to encounter the problem,
2. the behavior you expected, and
3. the behavior you actually encountered (in as much detail as possible).

This likely includes output from the console with debug level logging, a SIP trace (if this is SIP related), and configuration information such as dialplan (e.g. extensions.conf) and channel configuration (e.g. sip.conf). Thanks!



By: Rusty Newton (rnewton) 2013-12-19 18:53:55.027-0600

You'll want to include H323 traces, configuration and packet captures. I'll assign this to the h323 maintainer, Alexander.

By: Dmitry Melekhov (slesru) 2013-12-19 23:30:31.232-0600

Hello!

Rusty, thank you!

About how to reproduce:

Let's say we have an ooh323 peer:

[cisco]
type=peer
context=h323
ip=192.168.22.253
port=1720

Asterisk is registered in the gatekeeper:

ast-reserve*CLI> ooh323 show gk

GateKeeper connection state:
Gatekeeper:         192.168.22.254
GK state:           Registered


gatekeeper = 192.168.22.254

We want to call peer cisco without the gatekeeper:

exten => _6xxx,1,Dial(OOH323/${EXTEN}@cisco)

If the gatekeeper is available, the call passes.

If not - we do
[root@ast-reserve ~]# iptables -A INPUT -s 192.168.22.254 -j DROP

then I get the following:


   -- Executing [6401@sipphones:1] Dial("SIP/6052-00000001", "OOH323/6401@cisco") in new stack
   -- Called OOH323/6401@cisco
Restart stopped gatekeeper client
 == Everyone is busy/congested at this time (1:0/0/1)
   -- Executing [6401@sipphones:2] Hangup("SIP/6052-00000001", "") in new stack
 == Spawn extension (sipphones, 6401, 2) exited non-zero on 'SIP/6052-00000001'

I'll get traces and attach them :-)

This is asterisk 11.7.0 with patches from ASTERISK-21960

We have some peers we connect to without a gatekeeper, so it is a real problem that we depend on the gatekeeper for making such calls.




By: Dmitry Melekhov (slesru) 2013-12-19 23:31:59.937-0600

Calls log with trace level 6

By: Dmitry Melekhov (slesru) 2013-12-19 23:35:23.691-0600

Hope I provided enough info to assign the issue to Alexander.

Thank you!

By: Alexander Anikin (may213) 2013-12-20 03:18:10.812-0600

Hi Dmitry,

Info is enough ;)

The main question here for me is security. The main goal of the GK routed model is full control of call processing from the gatekeeper, and I guess there can be some security violation if we enable direct calls when a GK connection is configured.

By: Dmitry Melekhov (slesru) 2013-12-20 03:30:00.309-0600

Hello!

Well, other gateways like cisco or addpac do such calls, and really we use asterisk as a sort of cisco replacement, so I think this is not a very large security breach :-)
And ooh323 calls peers directly if the gatekeeper is available, and these peers are not known to the gatekeeper, so the gatekeeper does not prohibit these calls, although yes, asterisk has to be registered in the gatekeeper to make calls.

Moreover, in our environment gatekeeper and asterisk admin is the same engineer - me ;-)

So, for me it is better to have the ability to make some calls if the gatekeeper is not available for some reason than to have better security.
Maybe the solution can be a configuration parameter, so asterisk's admin will choose the behaviour?

Thank you!

By: Alexander Anikin (may213) 2013-12-20 04:16:57.064-0600

Dmitry,

Confirm with you, the better case here is a config option that enables direct calls without gk approval when the gk isn't available.
Will produce a patch here.

By: Dmitry Melekhov (slesru) 2014-03-06 22:54:08.981-0600

Hello!

I tried to read the sources, but I don't understand (yet?) how chan_ooh323 works in this case.

Could you tell me if there is any progress?

Thank you!