| Summary: | ASTERISK-26984: chan_pjsip TLS incorrectly tears down connection | ||||
| Reporter: | Ross Beer (rossbeer) | Labels: | |||
| Date Opened: | 2017-05-05 06:06:35 | Date Closed: | 2020-01-14 11:13:44.000-0600 | ||
| Priority: | Major | Regression? | No | ||
| Status: | Closed/Complete | Components: | Channels/chan_pjsip | ||
| Versions: | 13.15.0 GIT | Frequency of Occurrence | Constant | ||
| Related Issues: |
| ||||
| Environment: | Fedora 23 TLS1.2 | Attachments: | ( 0) Capture.PNG ( 1) Capture2.PNG | ||
| Description: | chan_pjsip attempts to create sessions to closed TLS connections on incorrect ports. This leads to the eventual teardown of the connected session by Asterisk.
The attached image shows successful communication on port 35430 and then attempted SYN packets to other ports such as 37848, 57750 etc. These packets will never reach the endpoint as these have already been closed. This can be seen in the 'TCP Retransmission' entries. Asterisk should either attempt to use the open connection to contact the endpoint or give up trying when timing out. However, at present, Asterisk closes the active connection making the endpoint go offline. The only reason asterisk would attempt to contact and endpoint would be if it is retaining information such as BLF subscriptions after an endpoint disconnects. The disconnect does not happen when using TCP, however, Asterisk still attempts connnections to closed ports. | ||||
| Comments: | By: Asterisk Team (asteriskteam) 2017-05-05 06:06:36.810-0500 Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process]. By: Rusty Newton (rnewton) 2017-05-05 13:36:42.366-0500 We require additional debug to continue with triage of your issue. Please follow the instructions on the wiki [1] for how to collect debugging information from Asterisk. For expediency, where possible, attach the debug with a '.txt' file extension so that the debug will be usable for further analysis. Thanks! [1] https://wiki.asterisk.org/wiki/display/AST/Collecting+Debug+Information By: Ross Beer (rossbeer) 2017-05-07 09:59:17.414-0500 I believe the issue is that Asterisk terminates the active subscriptions when the phone registers. In doing so it also tears down the active TLS connection. The debug would appear to show this. Rusty, I have sent a copy of the debug directly to you. By: George Joseph (gjoseph) 2017-05-08 08:03:05.255-0500 So is the trigger a client unregistering then re-registering? Did the client actually unregister or did the registration time out? By: Ross Beer (rossbeer) 2017-05-08 09:31:44.518-0500 Looking at the Wireshark and phone logs. The phone registered just before a disconnect for 120 seconds. Therefore the server should not have disconnected the TLS connection. I have sent the full debug logs to you directly. By: Rusty Newton (rnewton) 2017-05-09 08:59:07.442-0500 I never received any debug directly via E-mail. I'm not sure if [~gjoseph] did. By: Ross Beer (rossbeer) 2017-05-09 11:46:20.978-0500 Rusty - I have just resent and copied George in By: Ross Beer (rossbeer) 2017-05-16 09:14:23.297-0500 The ticket ASTERISK-27001 appears to be related. By: Rusty Newton (rnewton) 2017-05-24 12:43:12.386-0500 Ross can you test Ian's patch on ASTERISK-27001 to see if it has the same effect in your scenario? It isn't a fix but could help us verify the relationship. By: Ross Beer (rossbeer) 2017-05-25 03:51:52.536-0500 I'm using bundled PJSIP and therefore the patch will not apply to asterisk source. By: Ian Gilmour (tuxian) 2017-05-25 05:28:46.665-0500 Hi Ross, I use the bundled PJSIP too. You should be able to add the patch file to the third-party/pjproject/patches/ directory in a clean source tree and build asterisk. The patch will get applied as part of the build process. By: Ross Beer (rossbeer) 2017-05-25 17:42:07.253-0500 The patch as been applied as suggested by Ian above. I will monitor and confirm if this improves the situation. By: Ross Beer (rossbeer) 2017-05-26 08:42:32.993-0500 I have been running the patch since last night and I have not seen a disconnect since. I will continue to monitor over the weekend By: Asterisk Team (asteriskteam) 2017-06-09 12:00:01.654-0500 Suspended due to lack of activity. This issue will be automatically re-opened if the reporter posts a comment. If you are not the reporter and would like this re-opened please create a new issue instead. If the new issue is related to this one a link will be created during the triage process. Further information on issue tracker usage can be found in the Asterisk Issue Guidlines [1]. [1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines | ||||
