Re: SIP Trunk, numbers registering on non-5060 port

cmonks · ‎01-04-2008

I have a UC520 system setup with a SIP trunk to an ITSP. When my number goes out and registers with their system, it is using a random source port. the next time it registers it will create a duplicate registration and use a different port, then incoming calls start failing because the source port in our ITSP's database is wrong.

How can i get my lines to force registration from port 5060? why would they be coming from random ports? I have a CBAC firewall running inspecting SIP traffic, as well as UDP router-traffic. I tried disabling the sip inspection incase it was causing the port issue, with no change.

For now I have disabled registration (which is not required by our provider), but I would like a better solution.

Thanks,

paolo bevilacqua · ‎01-04-2008

Hi,

this is strange problem and would need to be troubleshoot in more detail.

When the router makes a registration, not matter the source port used in making it, it is telling the ITSP that he wants to receive calls at a given IP address in port 5060, and nothing else. By the way, this IP and port 5060 should never change across registrations.

And in any case, the previous registration is not being refreshed anymore, and should expire at the ITSP after a while.

This is why I see the problem can be at ITSP side, or detailed traces (debug ccsip message) should be read to understand what's going on.

cmonks · ‎01-04-2008

I have worked with the ITSP on this, and everything appears to be working fine on their end. When our box goes out and registers a line, it is telling them to use a random port (20000+). Calls work fine at this point, until our box re-registers and gives them another random port it seems to break. Or if I disable registration, their system defaults to using port 5060, which of course works fine.

So for some reason our box is telling them to send calls to us on a dynamic port, and I cannot figure out why.

On a side note, is there a way to view current registrations, and the associated port? ('sh sip reg status' does not show the port info). would the 'ccsip' debugs show this?

paolo bevilacqua · ‎01-04-2008

Yes debug ccsip message will tell you everything. Now honesty I didn't remember sip registration uses random ports.

Again, I think something is wrong at ITSP, because things should not break just due to a new registration, it should expire the old one and that's it.

cmonks · ‎01-04-2008

I find this part interesting:

Jan 4 19:32:23.763: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Sent:

REGISTER sip:66.23.129.253:5060 SIP/2.0

Via: SIP/2.0/UDP **WANIP**:5060;branch=z9hG4bK191F1AD5

From: <>;tag=5A588514-1C07

To: <>

CSeq: 21 REGISTER

Contact: <>

Expires: 60

Jan 4 19:32:23.927: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Received:

SIP/2.0 200 OK

Via: SIP/2.0/UDP **WANIP**:5060;branch=z9hG4bK191F1AD5;rport=50654

From: <>;tag=5A588514-1C07

To: <>;tag=9c6a9fdfd4d16ebaa52f34c4c528cbe5.627b

Contact: <>;expires=60

The 'contact' field has changed the port, matching the 'rport=' field from the initial request. Does this tell anyone anything?

ccsip debug:

Jan 4 19:32:23.607: //-1/xxxxxxxxxxxx/SIP/Event/sipSPIEventInfo: Queued event f

rom SIP SPI : SIPSPI_EV_OUTBOUND_REGISTER

Jan 4 19:32:23.607: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Sent:

REGISTER sip:66.23.129.253:5060 SIP/2.0

Via: SIP/2.0/UDP **WANIP**:5060;branch=z9hG4bK191E837

From: <>;tag=5A588514-1C07

To: <>

Date: Fri, 04 Jan 2008 19:32:23 GMT

Call-ID: 5830E5F7-BA3111DC-8C68EA74-12BC4CB1

User-Agent: Cisco-SIPGateway/IOS-12.x

Max-Forwards: 70

Timestamp: 1199475143

CSeq: 20 REGISTER

Contact: <>

Expires: 60

Content-Length: 0

Jan 4 19:32:23.759: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Received:

SIP/2.0 401 Unauthorized

Via: SIP/2.0/UDP **WANIP**:5060;branch=z9hG4bK191E837;rport=50654

From: <>;tag=5A588514-1C07

To: <>;tag=9c6a9fdfd4d16ebaa52f34c4c528cbe5.b994

Call-ID: 5830E5F7-BA3111DC-8C68EA74-12BC4CB1

CSeq: 20 REGISTER

WWW-Authenticate: Digest realm="*****", nonce="477e8ad85257689bada435146

87bba5b8d5eaacc"

Server: Sip EXpress router (0.9.6 (i386/linux))

Content-Length: 0

Warning: 392 192.168.1.50:5060 "Noisy feedback tells: pid=13953 req_src_ip=66.1

7.18.203 req_src_port=50654 in_uri=sip:66.23.129.253:5060 out_uri=sip:66.23.129.

253:5060 via_cnt==1"

Jan 4 19:32:23.763: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Sent:

REGISTER sip:66.23.129.253:5060 SIP/2.0

Via: SIP/2.0/UDP **WANIP**:5060;branch=z9hG4bK191F1AD5

From: <>;tag=5A588514-1C07

To: <>

Date: Fri, 04 Jan 2008 19:32:23 GMT

Call-ID: 5830E5F7-BA3111DC-8C68EA74-12BC4CB1

User-Agent: Cisco-SIPGateway/IOS-12.x

Max-Forwards: 70

Timestamp: 1199475143

CSeq: 21 REGISTER

Contact: <>

Expires: 60

Authorization: Digest username="****",realm="*****",uri="sip:66.23.12

9.253:5060",response="ed6029920189bad63480fc6a5497c5d8",nonce="477e8ad85257689ba

da43514687bba5b8d5eaacc",algorithm=md5

Content-Length: 0

Jan 4 19:32:23.927: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Received:

SIP/2.0 200 OK

Via: SIP/2.0/UDP **WANIP**:5060;branch=z9hG4bK191F1AD5;rport=50654

From: <>;tag=5A588514-1C07

To: <>;tag=9c6a9fdfd4d16ebaa52f34c4c528cbe5.627b

Call-ID: 5830E5F7-BA3111DC-8C68EA74-12BC4CB1

CSeq: 21 REGISTER

Contact: <>;expires=60

Server: Sip EXpress router (0.9.6 (i386/linux))

Content-Length: 0

Warning: 392 192.168.1.50:5060 "Noisy feedback tells: pid=13963 req_src_ip=66.1

7.18.203 req_src_port=50654 in_uri=sip:66.23.129.253:5060 out_uri=sip:66.23.129.

253:5060 via_cnt==1"

paolo bevilacqua · ‎01-04-2008

Hi,

this trace is a bit difficult to read, the messages appears to be out of sequence according to timestamps ?

Anyway,It's the ITSP giving out an high port, as you can see the cisco is requesting 5060. There is no rport in the request as far I can see.

D you have or them have a NAT in between router and SER ?

cmonks · ‎01-04-2008

the first two sections of the debug i posted are excerpts from the entire debug. The final 4 sections of output are the actual debug of the sip registration.

Our UC520 is running NAT/CCME/CUE all on one box. My external interface has a cbac inspection inspecting udp router-traffic and sip. it also has an acl allowing udp 5060 and a range of udp ports for rtp traffic.

ip inspect log drop-pkt

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp router-traffic timeout 300

ip inspect name SDM_LOW vdolive

ip inspect name SDM_LOW sip

!

interface FastEthernet0/0

ip access-group 104 in

ip nat outside

ip inspect SDM_LOW out

access-list 104 permit udp any any eq 5060

access-list 104 permit udp any eq 5060 any

access-list 104 permit udp any any range 16384 32767

paolo bevilacqua · ‎01-04-2008

Ok, does the NAT apply to SIP packets? Reasonably it should not, neither CBAC nor ACL.

As you can see below, the packet from router has nothing implying a registration request to anything else than 5060:

Jan 4 19:32:23.763: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Sent:

REGISTER sip:66.23.129.253:5060 SIP/2.0

Via: SIP/2.0/UDP **WANIP**:5060;branch=z9hG4bK191F1AD5

From: <>;tag=5A588514-1C07

To: <>

Date: Fri, 04 Jan 2008 19:32:23 GMT

Call-ID: 5830E5F7-BA3111DC-8C68EA74-12BC4CB1

User-Agent: Cisco-SIPGateway/IOS-12.x

Max-Forwards: 70

Timestamp: 1199475143

CSeq: 21 REGISTER

Contact: <>

Expires: 60

Authorization: Digest username="****",realm="*****",uri="sip:66.23.12

9.253:5060",response="ed6029920189bad63480fc6a5497c5d8",nonce="477e8ad85257689ba

da43514687bba5b8d5eaacc",algorithm=md5

Content-Length: 0