Dismiss Notice
We would like to remind you that we’re updating our login process for all 3CX forums whereby you will be able to login with the same credentials you use for the Partner or Customer Portal. Click here to read more.

Hosted 3cx - testing remote extensions won't auth

Discussion in '3CX Phone System - General' started by Wjames, May 24, 2012.

Thread Status:
Not open for further replies.
  1. Wjames

    Joined:
    May 24, 2012
    Messages:
    3
    Likes Received:
    0
    Hello all, I am a new user to 3cx, I work for an ITSP and we are testing 3cx hosted. I have installed the multi tenant framework, and have a test 3cx working, I have managed to register my trunks to our ITSP service, and if I use the 3cx softphone I can register and make and receive calls no problems.

    The problems begin when I try and register a remote extension. So scenario is 3cx (V10.0.24018.2322) running on win2k8 on real IP address in a colo, within the multi tenant framework.

    Trying to register extensions from a NAT environment, so phones have 10.0.10.x IP. Softphone is tested ok from this same network, but if I register a normal SIP phone, EG SPA504g then the register goes to 3cx, and 3cx responds with 407 proxy authentication required. The phone does not see this though, and re transmits the REGISTER.

    From wireshark trace, the reason the phone does this is because 3cx erroneusly sends the 407 back to port 5060 not the port from which the register originated, which it would have to do for the NAT router to route the reply back to the handset.
    But it does manage to reply to the REAL IP the register originated from, not 10.0.10.x IP so it must have some NAT intelligence, just that it replies to the wrong port (5060)

    Why is 3cx doing this, is it a bug? I don't see this issue with other PBX's like Asterisk, and Brekeke, so not sure what is going on.
    I have enabled and disabled STUN support - no change, I have also followed the guide here
    http://www.3cx.com/blog/voip-howto/remote-extensions/? to no avail, it seems that if 3cx is set on a server with a real IP and the remote extension is behind a NAT then 3cx cannot handle?

    Any advice appreciated.

    Thanks

    WJ
     
  2. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,569
    Likes Received:
    302
    What phones are you using?

    I think in the extension in 3cx you can set the remote port,to communicate on.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Wjames

    Joined:
    May 24, 2012
    Messages:
    3
    Likes Received:
    0
    Hi, I am using Cisco SPA504 and 508 and Yealink T26p. The trouble with nailing the port is its likely to change, as this is a nat'd environment. I could nail all of the phones to specific ports but then that would be a pain for a customer, who say has 25 phones behind a nat, they would have to have 25 ports all mapped through. This shouldn't be necessary though, as other PBX's handle NAT without trouble.

    Does anyone else have a quantity of phones running behind a NAT logging into a 3CX that is not behind a NAT?

    Before multi tenanted / hosted came out I guess most installs would be on site, and the PBX and phones would be behind the same NAT so no problems.
     
  4. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,105
    Likes Received:
    329
    So the set is showing as registering with the public IP and a port NOT 5060, when in reality it is actually using 5060? Is the remote router doing some port translations?

    What type of router are you using, that might help someone come up with a solution if they are familiar with it. It may also be a setting in the set, something to do with STUN.
     
  5. Wjames

    Joined:
    May 24, 2012
    Messages:
    3
    Likes Received:
    0
    Hello Leejor, well thats the point the phone never registers because it nevers gets the response to the register! The reason for this is because 3cx replies to the wrong port, it replies to 5060 but the correct port is the one that the Register came from. If 3cx replied on that port, the router would then route the reply back to the phone, and it would then be able to complete the registration. I have pasted below the conversation and detail, in case anyone spots anything obvious.

    TO a.b.c.d [real IP of 3cx]
    From e.f.g.h [untrust IP of NAT router]

    udp.srcport == 13804 [nat'd egress port]
    udp.dstport == 5060

    REGISTER sip:a.b.c.d:5060 SIP/2.0
    Via: SIP/2.0/UDP 192.168.0.217:5060;branch=z9hG4bK-98d61dbc
    From: "Bob Nurmer" <sip:100@a.b.c.d>;tag=606fb58dda0c10o0
    To: "Bob Nurmer" <sip:100@a.b.c.d>
    Call-ID: 4f386729-6e4b5304@192.168.0.217
    CSeq: 24806 REGISTER
    Max-Forwards: 70
    Contact: "Bob Nurmer" <sip:100@192.168.0.217:5060>;expires=900
    User-Agent: Cisco/SPA504G-7.5.1a
    Content-Length: 0
    Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER, UPDATE
    Supported: replaces


    To e.f.g.h [untrust IP of NAT router]
    From a.b.c.d [real IP of 3cx]

    udp.srcport == 5060
    udp.dstport == 5060 This should be 13804 as this was the from port in the register

    SIP/2.0 407 Proxy Authentication Required
    Via: SIP/2.0/UDP 192.168.0.217:5060;branch=z9hG4bK-98d61dbc;received=e.f.g.h
    Proxy-Authenticate: Digest nonce="414d535c05cfd59906:99225fff829e86a56d419a2012632d32",algorithm=MD5,realm="3CXPhoneSystem"
    To: "Bob Nurmer"<sip:100@a.b.c.d>;tag=465ff82b
    From: "Bob Nurmer"<sip:100@a.b.c.d>;tag=606fb58dda0c10o0
    Call-ID: 4f386729-6e4b5304@192.168.0.217
    CSeq: 24806 REGISTER
    User-Agent: 3CXPhoneSystem 10.0.23053.0
    Content-Length: 0
     
  6. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    Full wireshark capture and corresponding verbose logs of PBX may highlight location of the problem.
    3CX PhoneSystem does not do it since first release and it is really interesting why you experience this problem.

    Thanks
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Thread Status:
Not open for further replies.