X-Lite unable to Connect across Subnet to PBXinaFlash

ENV: PBXinaF v1.7.5.5, FreePBX v2.8.1.3, Asterisk v1.8.3.2


NETWORK:
   
        PBXinaFlash on eth0 w/ 172.24.10.0/23 (255.255.254.0) ==> NET1
        Endpoint/Phones on     172.30.50.0/22 (255.255.252.0) ==> NET2

PROBLEM SUMMARY: Unable to Connect to PBX when Endpoint/phone is on a separate subnet.
PROBLEM: If the endpoint/phone is on the same subnet as the PBX itself, I can successfully connect; however, if the endpoint is on a separate subnet, the connection attempt fails (X-Lite error log included below).

Verified:
     - Endpoint/PCs on NET2 can successfully ping, traceroute, access FreePBX
     - For troubleshooting purpose, the IPTABLES/firewall was disabled
     - Under FreePBX Web => Extensions =>
           * deny field set to the default: 0.0.0.0/0.0.0.0
           * allow field set to the default 172.24.10.0/255.255.255.0
       I had also tried several permutations for the value of the above two
       fields (eg:
                   deny=                  allow=0.0.0.0/0.0.0.0
                   deny=0.0.0.0/0.0.0.0   allow=172.30.50.0/255.255.252.0
                   deny=0.0.0.0/0.0.0.0   allow=172.30.50.0/255.255.255.0)
     - The User account/credentials are verified/correct by looking at the 
       password/secret for the given extension.   

ERROR LOG (X-LITE V4): => "SIP registration failed; reason: 'SipError'; SIP error-code: 403; error-phrase: 'Forbidden (Bad auth)'"|psi::AccountImpl::OnRegistrationStatusChanged
Any help/guidance would be greatly appreciated.

-gpbx

If you do a ‘sip show settings’ from the Asterisk CLI you can be assured the settings are working.

I think they are stored in /etc/asterisk/sip_general_additional.conf

‘sip show settings’ output confirms that the two internal subnets are considered “localnets” by asterisk:


Network Settings:

SIP address remapping: Enabled using externhost
Externhost: pbx.xyz.com
externaddr: <ISP.ASSIGNED.PUBLIC.IP>:0
Externrefresh: 120
Localnet: 172.24.10.0/255.255.254.0
172.30.48.0/255.255.252.0


The problem seems to be something different than NAT.

Going back to the X-Lite Log Entry:

ERROR LOG (X-LITE V4):
=> "SIP registration failed; reason: 'SipError'; SIP error-code: 403; error-phrase: 'Forbidden (Bad auth)'"|psi::AccountImpl::OnRegistrationStatusChanged

I wonder which SIP module/component is returning “‘Forbidden (Bad auth)’” (which seems to be a bogus error since the sip credentials are correct).

That auth error is almost always a symptom of a bad NAT transform. Is the externhost correct?

Are you sure there is no ALG between the two networks? What is the gateway between the two networks? Is it a router or a firewall?

- The externhost is verified & correct. That is, the FQDN specified in the
  Externhost field resolves to the correct IP. 
- There is no ALG between the two subnets.
- A Layer-3 switch exists between the two subnets for inter VLAN routing.
- No Firewall exists (at present) between the two subnets (other than the one
  installed on the PinaF itself during installation).  For testing purposes, 
  I had even disabled iptables on the PBX server.  But no go.

How can I enable detailed debugging logs to see what’s happening (something more than the SIP 403)?

Note, if I put a laptop w/ X-Lite on the same subnet as the PBX – I can successfully login & make/receive calls. In this scenario, I do not get any auth/403 errors. It’s only when I move the sipclient/laptop to another subnet I get auth errors.

Well, the next step I would take is to remove all the permit and deny statements; you don’t need them.

You already have SIP debugging on. You can turn on full Asterisk debug with ‘core set debug 255’

Thank you for your continued help on this.

I’m assuming that you’re referring to the FreePBX->Extensions/<Ext#>/Permit|Deny settings. If so, I had already tried the following combination:

- EMPTY permit/deny values
- Permit 0.0.0.0/0.0.0.0, Deny=EMPTY
- Permit 172.30.48.0/255.255.252.0 (sip-client subnet), Deny=EMPTY

However, changing permit/deny settings seems to have no effect on the sip-client login issue (auth/403).

I’ll work on turning on the full debug and report back.

Thank you.

This is caused by NAT between the subnets. If you have an externip defined make sure you create another localnet statement for the adjacent private network.

SkykingOH,

I am not sure how/where to define localnet so NAT is not applied by Asterisk. Could you please explain?

As per suggestion, I added the localnets information from FreePBX GUI (Submitted & Applied Changes). However, still no go. That is, I am not able to connect to the PBX across subnet.

One interesting observation was that even though I made changes through the FreePBX->Tools->Asterisk SIP Settings, it doesn’t look like the underlying file: /etc/asterisk/sip.conf got changed with the localnet entries. I’m guessing that localnet entries are saved some place else as the FreePBX GUI does show the added localnets; it’s just the sip.conf file that doesn’t have the localnet entries.

-gpbx

Thanks for responding, SkykingOH.

There is no NAT between the two (NET1 & NET2) subnets.

Here’s what the network looks like:

ISP <-----> [AP/RTR]
              ^
    |--------------------|   
   NET1 (PinaF)        NET2 (Endpoints)
172.24.10.0/23          172.30.50.0/22

*Note: Only the [AP/RTR] in the above illustration does the NAT’ting for the
internal/private subnets.

I already answered your question, you need to define a localnet so NAT is not applied by Asterisk for that network.
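A small diagnostic script, added here and not part of the thread, that applies the two checks the replies keep returning to: the localnet list from the ‘sip show settings’ output above (does Asterisk consider the endpoint local, so externhost/externaddr is not substituted?) and the extension permit/deny ACL (evaluated in order, last match wins, as Asterisk’s ACL code does). The networks are the ones quoted in the thread; the endpoint addresses are constructed samples, and the deny-before-permit order of the extension defaults is an assumption about how FreePBX writes them.

```python
import ipaddress

# Networks quoted in this thread: the two "Localnet:" lines from
# 'sip show settings' and the default permit/deny values on the extension
# (deny written before permit is an assumption about FreePBX's output).
LOCALNETS = ["172.24.10.0/255.255.254.0", "172.30.48.0/255.255.252.0"]
DEFAULT_EXT_ACL = [("deny", "0.0.0.0/0.0.0.0"),
                   ("permit", "172.24.10.0/255.255.255.0")]


def parse_net(spec):
    """Parse an Asterisk-style 'addr/netmask' (or 'addr/prefix') network.

    strict=False lets a host-style value such as 172.30.50.0/22 normalise
    to its real network, 172.30.48.0/22, which is what Asterisk prints.
    """
    return ipaddress.ip_network(spec, strict=False)


def in_localnet(src_ip, localnets=LOCALNETS):
    """True when Asterisk treats src_ip as local, i.e. it will not rewrite
    its own SIP/SDP addresses to externaddr/externhost for this peer."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in parse_net(n) for n in localnets)


def acl_allows(src_ip, rules):
    """Evaluate ordered (sense, network) permit/deny rules the way Asterisk's
    ACL code does: every rule is tested in order, the last match wins, and
    with no rules (or no match) the address is allowed."""
    ip = ipaddress.ip_address(src_ip)
    verdict = True
    for sense, spec in rules:
        if ip in parse_net(spec):
            verdict = (sense == "permit")
    return verdict


def diagnose(src_ip, localnets=LOCALNETS, rules=DEFAULT_EXT_ACL):
    """Summarise how the PBX will treat a registration from src_ip."""
    return {
        "ip": src_ip,
        "localnet": in_localnet(src_ip, localnets),
        "acl_allows": acl_allows(src_ip, rules),
    }


if __name__ == "__main__":
    # Constructed sample endpoints: one on NET1, one on NET2, one external.
    for ip in ("172.24.10.5", "172.30.50.25", "203.0.113.9"):
        print(diagnose(ip))
```

Run it with the localnet list and permit/deny values from your own PBX; an endpoint that reports localnet False is the one Asterisk will answer with externhost addresses, and one that reports acl_allows False is excluded by the extension’s ACL before credentials are even considered.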