Constant register/unregister - Stun problem?

Discussion in '3CX Phone System - General' started by cmac, Feb 1, 2012.

Thread Status:
Not open for further replies.
  1. cmac

    Joined:
    Feb 1, 2012
    Messages:
    2
    Likes Received:
    0
    Hi,

    I’ve been running the free 3CX server for several months with flawless service but have been having serious problems for the last couple of days.

    Setup details:
    3CX10sp5 on windows server 2003
    5 Linksys SPA921 phones, all on local network (no external users)
    5 VoIP provider incoming lines – 4x VoIPTalk and 1 x SipGate
    Only one VoIPTalk line used for outgoing calls
    Draytek Vigor 2830n router with ports open and forwarded as described in the how-to

    Problem details:
    During the night, two nights ago, a hacker was blacklisted several times despite me increasing the blacklist time to 2 hours. As far as I can tell, there was no access granted to the hacker and certainly no calls were made.
    Around the same time I started getting emails from the 3CX server saying that the VoIP providers were failing to register and then registering again. The SipGate line seemed to do this every 5 minutes, with the VoIP Talk lines doing it much less frequently.
    When in the office I tested incoming and outgoing lines and they only seemed to work around 1 in 4 or so. Incoming calls would sometimes get a busy line signal or the 3CX voice telling them that there was nobody available. Outgoing calls usually just seemed to timeout.
    I tried various things:
    - Restared all 3CX services
    - Restarted the server
    - Restarted the phones
    - Ran wireshark, found that the hacker was still pounding the server with SIP requests every 50ms so blocked him at the router.
    - Ran the firewall checker, which passed OK
    - Changed the SIP provider passwords on provider and 3CX end
    These actions don’t seem to have helped very much. The server logs are giving the following errors:

    For the SipGate connection:

    SIP/2.0 400 Bad Request
    Via: SIP/2.0/UDP 192.168.199.2:5060;received=**.***.***.**;branch=z9hG4bK-d8754z-3579f6121d3bf84a-1---d8754z-;rport=5060
    Contact: <sip:*******@**.***.***.**:5060;rinstance=764773c2db215e7e>;expires=29;received="sip:**.***.***.**:5060"
    To: <sip:*******@sipgate.co.uk:5060>;tag=fbf1d80521ea9f98078b6998e7669f9b.f9d2
    From: <sip:******@sipgate.co.uk:5060>;tag=612a812c
    Call-ID: OThiMzhiNzczYjcwOWE4YjQ2OWZhY2QwYmU0OTE1M2Y.
    CSeq: 8 REGISTER
    Content-Length: 0
    P-Registrar-Error: Invalid CSeq number


    For the VoIPTalk connections it is one of two errors:
    SIP/2.0 401 Unauthorized
    Via: SIP/2.0/UDP 192.168.199.2:5060;received=xx.xxx.xxx.xx;branch=z9hG4bK-d8754z-cb44a713af3dd865-1---d8754z-;rport=5060
    To: "***********"<sip:*********@voiptalk.org:5060>;tag=fd79486175647ed1617969929fdaad02.bd7b
    From: "***********"<sip:*********@voiptalk.org:5060>;tag=2a32b82a
    Call-ID: NWNhOWVlOTg0ZTk2NGRjODU2NjkzNmRjMWJlNTlmNzc.
    CSeq: 33 REGISTER
    Server: OpenSIPS (1.5.3-notls (x86_64/linux))
    WWW-Authenticate: Digest realm="voiptalk.org", nonce="4f29417f00017a25d44a148648fcd7eb2a8c864a07e04731", stale=true
    Content-Length: 0

    OR

    SIP/2.0 408 Request Timeout
    Via: SIP/2.0/UDP 192.168.199.2:5060;branch=z9hG4bK-d8754z-1c385849ea6a7510-1---d8754z-;rport
    To: <sip:*********@voiptalk.org:5060>;tag=8b27a356
    From: <sip:*********@voiptalk.org:5060>;tag=24762532
    Call-ID: YWZlMDE1YmVjMDA2YTJjZjFhZmRiNWE5OWYyYjRhYjI.
    CSeq: 99 REGISTER
    Content-Length: 0


    The only other error seems to be the Stun requests timing out:

    [CM506004]: STUN request to STUN server 96.9.132.83:3478 has timed out; used Transport: [ V4 192.168.199.2:5060 UDP target domain=unspecified mFlowKey=0 ]
    [CM506004]: STUN request to STUN server 96.9.132.83:3478 has timed out; used Transport: [ V4 192.168.199.2:5060 UDP target domain=unspecified mFlowKey=0 ]
    [CM506004]: STUN request to STUN server 96.9.132.83:3478 has timed out; used Transport: [ V4 192.168.199.2:5060 UDP target domain=unspecified mFlowKey=0 ]
    [CM506004]: STUN request to STUN server 96.9.132.83:3478 has timed out; used Transport: [ V4 192.168.199.2:5060 UDP target domain=unspecified mFlowKey=0 ]

    Could the lack of Stun be causing these problems? I have tried the default Stun server as well as the SipGate supplied one, and a few other public ones I got from a search. They all seemed to give the same results. Other than the hack attempt, I can’t think of any other activity that could have caused a change in behaviour overnight. I also don’t think that the hacker got through. I have tried temporarily taking the hacker’s IP off the blacklist, in case it was blacklisting our VoIP provider too, and temporarily disarmed the Avast firewall running, without success. And it seemed to pass the firewall tests without any of this anyway. So…. Does anybody have any ideas? Could it be the lack of Stun resolution – if so, does anyone have any ideas why it passes the firewall test but times out on the 3cx (and other) stun servers?

    Any ideas would be really appreciated.
     
  2. pacpac

    Joined:
    Jan 12, 2012
    Messages:
    45
    Likes Received:
    0
    Hi, I am not sure this will help. I had a problem with register/unregister multiple times on my RV042 router. I have 2 separate Internet connections coming in connected to each WAN port configured in Load Balancing mode. Without specifying that the IP of my ATA should only go to one WAN port, the extensions registered on the ATA, kept on registering/unregistering. I noted in the 3CX console, the extensions were changing IP address all the time. So, the solution was to define that the IP of the ATA (all traffic) should run only through one WAN port (WAN 1) only. This did the trick for me. Then I set a proper QoS configuration for upstream/downstream of the ATA IP. Maybe this could be of help to you.
     
  3. cmac

    Joined:
    Feb 1, 2012
    Messages:
    2
    Likes Received:
    0
    Thanks for the idea pacpac but I already have routing set for WAN1 and I can see that the IP addresses remains static. I do seem to have had some success though - STUN stopped timing out during the night last night and everything has been behaving since then. Not sure why this happened like this as I had three different stun servers defined and all three were timing out and then started working again, at a time when I wasn't doing anything else on the server or router. Anyway, all is well again. Thanks for the suggestion and for anyone else troubleshooting, this does indeed seem to have been a stun resolution problem.
     
Thread Status:
Not open for further replies.