Summary: ASTERISK-26922: chan_sip: tcpbind uses wrong source address
Reporter: Ksenia (ksy)
Labels:
Date Opened: 2017-04-05 03:42:29
Date Closed: 2017-05-03 10:19:26
Priority: Major
Regression?
Status: Closed/Complete
Components: Channels/chan_sip/General
Versions: 13.1.0
Frequency of Occurrence: Constant
Related Issues: is related to ASTERISK-27324 [patch] Dual-Stack server cannot be used as IPv4 client via TCP/TLS
Environment: Ubuntu 16.04 4.4.0-72-generic
Attachments:
( 0) config_sip
( 1) extensions.conf_asterisk_gw1.txt
( 2) extensions.conf.txt
( 3) ip_a
( 4) sip_conf_asterisk_gw1.txt
( 5) sip_conf.txt
( 6) sip_debug_call.txt
( 7) sip_debug.txt
Description: I am running Asterisk 13.1.0 on Ubuntu server 16.04. There are two IP addresses from the same subnet set on one interface, and bindaddr is set to the second of them in sip.conf and in iax.conf.
Incoming connections work as expected. However, for outgoing connections it seems that asterisk tells the kernel to use the specific "bind" address only in case of UDP usage (both SIP and IAX work like that). In case of outgoing TCP connections (SIP TCP and TLS) the first IP address from the interface is used.
In my understanding, normally 'bind' should not only tell on which address to listen, but also which source address to request for outgoing connections, but it works only for UDP connections for some reason.
{code}
netstat -nlp | egrep '506[01]'
tcp        0      0 192.168.0.177:5061      0.0.0.0:*               LISTEN      13255/asterisk  
udp        0      0 192.168.0.177:5060      0.0.0.0:*                           13255/asterisk
{code}
Source IP is set to the first IP address of the interface only when TCP is used. As I understand, the application (chan_sip in this case) should request kernel to use the specific source IP address (used in bind directive) for outgoing packets, however it seems to be done only for UDP. For outgoing packets on TCP/5061 I see the following:
{code}
IP 192.168.0.172.47596 > <mydestip>.5061: Flags [S], seq 2529313754, win 29200, options [mss 1460,sackOK,TS val 82765588 ecr 0,nop,wscale 7], length 0
{code}
And with UDP as transport:
{code}
IP 192.168.0.177.5060 > <mydestip>.5060: SIP: OPTIONS ....
{code}
I have also tried with the latest Asterisk built from sources with Ubuntu and Centos 7 - same behavior. I have also asked the community - they suggest I should report an issue.
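
Added example, not part of the original report and not the Asterisk patch: a small C program showing the behavior described above. A TCP client socket that is not bound before connect() gets whatever source address the kernel's routing selects, while calling bind() first pins it, which is what a peer ACL such as host=192.168.0.177 depends on. The function names and the loopback addresses 127.0.0.1 and 127.0.0.2 are constructed for the demo and assume a Linux host, where all of 127.0.0.0/8 is local.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect to dst_ip:port. With src_ip set, bind() to it first (port 0 =
 * ephemeral); with NULL the kernel's routing picks the source address. */
int tcp_connect_from(const char *src_ip, const char *dst_ip, unsigned short port) {
    struct sockaddr_in src = { .sin_family = AF_INET };
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if ((src_ip && (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1 ||
                    bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0)) ||
        inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed loopback demo: listen on 127.0.0.1 (any free port), connect
 * to it, and write the client's local address to out. Returns 0 on success. */
int demo_source_addr(const char *src_ip, char *out, socklen_t outlen) {
    struct sockaddr_in local, l = { .sin_family = AF_INET,
                                    .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof(l);
    int lfd = socket(AF_INET, SOCK_STREAM, 0), cfd, rc = -1;
    if (lfd < 0) return -1;
    if (bind(lfd, (struct sockaddr *)&l, sizeof(l)) == 0 && listen(lfd, 1) == 0 &&
        getsockname(lfd, (struct sockaddr *)&l, &len) == 0 &&
        (cfd = tcp_connect_from(src_ip, "127.0.0.1", ntohs(l.sin_port))) >= 0) {
        len = sizeof(local);
        rc = (getsockname(cfd, (struct sockaddr *)&local, &len) == 0 &&
              inet_ntop(AF_INET, &local.sin_addr, out, outlen)) ? 0 : -1;
        close(cfd);
    }
    close(lfd);
    return rc;
}

int main(void) {
    char a[INET_ADDRSTRLEN] = "?", b[INET_ADDRSTRLEN] = "?";
    int rc = demo_source_addr(NULL, a, sizeof a) | demo_source_addr("127.0.0.2", b, sizeof b);
    printf("kernel-chosen source: %s, pinned source: %s\n", a, b);
    return rc != 0;
}
```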
Comments:

By: Asterisk Team (asteriskteam) 2017-04-05 03:42:31.435-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Ksenia (ksy) 2017-04-05 03:43:18.224-0500

sip configuration

By: Rusty Newton (rnewton) 2017-04-12 17:49:10.962-0500

bq. I have also tried with the latest Asterisk built from sources

What exact version?

Please reattach your debug with .txt extensions for accessibility.

By: Ksenia (ksy) 2017-04-13 02:20:54.204-0500

Last time I have tried with 14.3.0. I can also try with 14.4 if needed. I will attach the debugs shortly.


By: Ksenia (ksy) 2017-04-13 03:42:33.979-0500

Tested fast on Centos 7 and Asterisk 14.4.0 - same behavior.
Debugs were taken from Asterisk 13.1.0 Ubuntu 16.04.
Scenario (SIP config attached):
1) peer transport set to UDP. No need even to make a call, behavior can be seen even with OPTIONS: tcpdump shows 192.168.0.177 as a source IP address.
2) peer transport set to TCP. OPTIONS: tcpdump shows 192.168.0.172 as a source IP address for SYN packet.


By: Ksenia (ksy) 2017-04-13 03:45:44.461-0500

Also attached debugs with a call to extension 5000. As I understand, the peer says "Forbidden" as
{code}
host=192.168.0.177
{code}
and the request comes from 192.168.0.172. With UDP the calls work.

By: Rusty Newton (rnewton) 2017-04-13 18:17:01.515-0500

Thanks for the additional information. I'm opening the issue up, however remember that chan_sip has been under extended support for a while now. Extended support issues can take a while to get to since they rely on the broader community. The best way to move it forward is to submit a patch if you are able.

You have provided some thorough debug which should help whoever may take interest in this issue.

By: Loic Didelot | https://www.mixvoip.com/asterisk-bounties (mixvoip) 2017-04-19 15:56:14.650-0500

I would like to offer a bounty of 1000 euro if someone can fix this and get the patch upstream into the official asterisk branch.

By: Rusty Newton (rnewton) 2017-04-24 18:58:58.025-0500

[~mixvoip] , The Asterisk project has a documented process for posting bounties.

Please follow the guidelines here: https://wiki.asterisk.org/wiki/display/AST/Asterisk+Bug+Bounties



By: Thierry Magnien (tmagnien) 2017-04-26 03:59:29.343-0500

Hi. I have a patch to propose. I've made a few tests and am waiting for a more complete test environment, then I'll propose it on gerrit, once my account is authorized.

By: Friendly Automation (friendly-automation) 2017-05-03 10:19:27.262-0500

Change 5570 merged by Jenkins2:
channels/chan_sip.c: use binding IP address for outgoing TCP SIP connections

[https://gerrit.asterisk.org/5570|https://gerrit.asterisk.org/5570]

By: Friendly Automation (friendly-automation) 2017-05-03 10:22:00.339-0500

Change 5571 merged by Jenkins2:
channels/chan_sip.c: use binding IP address for outgoing TCP SIP connections

[https://gerrit.asterisk.org/5571|https://gerrit.asterisk.org/5571]

By: Friendly Automation (friendly-automation) 2017-05-03 11:06:58.922-0500

Change 5529 merged by Joshua Colp:
channels/chan_sip.c: use binding IP address for outgoing TCP SIP connections

[https://gerrit.asterisk.org/5529|https://gerrit.asterisk.org/5529]

By: Friendly Automation (friendly-automation) 2017-10-10 07:42:20.968-0500

Change 6681 merged by Jenkins2:
tcptls: Do not re-bind to wildcard on client creation.

[https://gerrit.asterisk.org/6681|https://gerrit.asterisk.org/6681]

By: Friendly Automation (friendly-automation) 2017-10-10 07:51:07.574-0500

Change 6683 merged by Jenkins2:
tcptls: Do not re-bind to wildcard on client creation.

[https://gerrit.asterisk.org/6683|https://gerrit.asterisk.org/6683]

By: Friendly Automation (friendly-automation) 2017-10-10 07:53:43.653-0500

Change 6680 merged by Joshua Colp:
tcptls: Do not re-bind to wildcard on client creation.

[https://gerrit.asterisk.org/6680|https://gerrit.asterisk.org/6680]

By: Friendly Automation (friendly-automation) 2017-10-10 08:08:00.058-0500

Change 6682 merged by Jenkins2:
tcptls: Do not re-bind to wildcard on client creation.

[https://gerrit.asterisk.org/6682|https://gerrit.asterisk.org/6682]