Two NIC in Elastix - error 408 on remote phones

logtech

Joined
Apr 9, 2010
Messages
147
Likes
0
Points
0
#1
Elastix experts,



Maybe you can advise what could be wrong: Elastix server has 2 NICs, internal and external to Internet provider.
All phones in remote location are in VPN. When Elastix uses only internal NIC all phones are connected and provisioned without any problems. However, when I enable external NIC and SIP TRUNK goes up all phones in remote location ONLY show 408 - timeout. ...... Phones in location where Elastix is placed are ok.

Thanks for any advice related to the problem.

logtech
 

Kalama Sutra

Joined
Apr 15, 2009
Messages
95
Likes
0
Points
0
#2
Logtech,

I'm not the most experienced here ....

But, more background might be needed.

Why 2 NIC's ? inside / outside WITH VPN ...

Others might correct me. :angry: Are you using your elastix / asterisk / FreePBX box <<computer>> as some sort of router, too ?

If so, might be just a bit complicated. Whether or not you use an off the shelf VPN router or a FLOSS - old computer router, let these handle your VPN stuff.

In my own situation, I've an "office" where my PBX resides ... POTS <<plain old telephone system>> with 8 lines to a Sangoma board -> out to system;

2 'official' <<we pay rent on them, good band width iSP's>> satellite offices on VPN & I've set up a pair of AIX2 devices when we travel; on portable computers, but gives us office presence. << even did a roadwarrior VPN to time share in BCS, MX ... now that was KOOL ... SW Washington # from Cabo ! >>

You say:

" When Elastix uses only internal NIC all phones are connected and provisioned without any problems. "

so why muck up the works :dry: ... use the other NIC in a FLOSS router ....

Regards,

Jim
 

logtech

#3
We have two providers and one is only for IP Phones and Elastix. No, I don't use Elastix as a router yet because I did not want to install Ip Tables since this configuration does not work. I will, but I have to make it work.

NIC1 - internal networks (Elastix server and all Astras phones + other phones in remote location through VPN)

NIC2 - Trunk and Data provider

I know there are easier ways but I have to deal with this one with no option. When NIC2 is down all phones in remote + local phones work ok. When I UP NIC2 that is data provider only local phones can connect to Elastix. NIC2 has external IP, SUBNET, and its gateway.

I assume it would be DNS issue or DHCP and will examine these later. If you know or experienced similar please let me know; any other advice is highly appreciated.

LOG TECH
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#4
Actually I believe you have a routing issue, and to be quite realistic and to do it properly you will need to use a router to do that, either the dual-homed Elastix box or some upline device. It's not trivial and it requires a VERY deep understanding of how IP traffic is routed. You can route traffic without IP tables but I think you will find it REALLY HARD. In your case stick with the prebuilt-router until you know more, they tend to work, but making a multi-homed non routing Elastix box is very far from easy, and if as you say "I did not want to install Ip Tables since this configuration does not work" is begging the point, when you understand it it will, and further iptables is already "installed", whether you like it or not :)

regards

dicko

p.s. having two unqualified gateways will spoil your whole day, "How will it know which to use?"
 

logtech

#5
I have ended up with same conclusion. I will try to add static route to eth0 - local NIC or just remove one of gateways.

LOG
 

logtech

#6
I have encountered a small problem.

I have manually added static routes by:

[root@elastix ~]# ip route add 192.168.9.0/24 via 192.168.0.99
[root@elastix ~]# ip route add 192.168.25.0/24 via 192.168.0.99

This fixed all problems with routing. However, when I rebooted Elastix all earlier routes disappeared.

How can I add this stuff forever so when reboot it stays in Elastix forever?

I have tried to add /etc/sysconfig/static-routes and/or route-eth0 and it does not work.

Could you please advise?

Thank you for your help.

LOG
 

dicko

#7
/etc/rc.local is the last script run when entering run level 3, stick it in there.
 

logtech

#8
Hmmm

1. Until you ever upgrade your initscripts package, then rc.local will get overwritten
2. The correct way to add permanent static routes to a system besides setting the default gateway is to create a file /etc/sysconfig/network-scripts/route-eth0 (or whichever interface you want to route through). You can add as many routes as you would like per interface by simply incrementing the number at the end of each statement. Once saved a restart of the network services will force a read of this route file.
The syntax of the file should look like this:
ADDRESS0=x.x.x.x
GATEWAY0=x.x.x.x
NETMASK0=x.x.x.x
ADDRESS1=x.x.x.x
GATEWAY1=x.x.x.x
NETMASK1=x.x.x.x

That's what I researched .....

LOG
 

dicko

#9
1) no it won't
2) there is no "correct way" in Linux, just use the solution that works for you.

dicko

p.s. if you choose that route, the files in /etc/sysconfig/network-scripts that describe the network need hardlinking to the other two appropriate sub-directories in sysconfig, further, they should only be edited with hardlink aware editors.
 

Lee Sharp

Joined
Sep 28, 2010
Messages
332
Likes
0
Points
0
#10
Bumping an old topic because it fits me exactly... Well, almost.

Also a 2 nic server.

eth0 has a real IP and is on the internet. It has a default gateway and routes correctly.

eth1 has a 192.168.x.x IP and is on the internal lan. It has no default gateway, and no routing.

The route tables are correct. Cyrus-imapd is killed with "chkconfig cyrus-imapd off" and ssh, http, and https are bound to eth1 only, and mysql is bound to 127.0.0.1 only. (If you need to do it, /etc/ssh/sshd_config /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf /etc/my.cnf)

But I need sip open on both nics, and it is only listening on eth0. I will have internal and external extensions, and I will have some external sip trunks. The "second" Internet the system is plugged into is a low latency data T1 just for voice traffic, while the rest of the office uses a cable modem.

So what do I need to do to have sip open on all nics?

(Once I am done, I will make a howto... If only so I can do it again when it all comes apart... :unsure: )
 

dicko

#11
netstat -aunt|grep 5060

will tell you what address range SIP (Asterisk) is listening on, if as normal and says

udp 0 0 0.0.0.0:5060 0.0.0.0:*

then it IS listening on all interfaces, so unless you have iptables blocking that on eth1 then it will work

you can set the binding addresses in /etc/asterisk/sip*.conf.

tcpdump -nn udp and port 5060 or portrange 10000-20000 -s0 -i eth1

will show all SIP and RTP (audio) traffic in and out on that interface
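
Added example, not part of any post in this thread: a small shell helper that reads `netstat -aunt` output and reports whether a port is bound to all interfaces, to specific addresses, or to loopback only, which is the check discussed in posts #10 and #11. The sample output and the 192.168.1.x addresses are constructed for illustration; a wildcard listener can still be blocked by iptables.

```shell
#!/bin/sh
# Added example: classify how a port is bound, from `netstat -aunt` output on stdin.
# Prints "all" (0.0.0.0 or ::), the specific address(es), "loopback", or "none".
# Live use on the server: netstat -aunt | bind_scope udp 5060
bind_scope() {   # $1 = tcp|udp, $2 = port
    awk -v proto="$1" -v port="$2" '
        $1 ~ ("^" proto) {
            # TCP rows count only in LISTEN state; UDP rows carry no state column
            if (proto == "tcp" && $6 != "LISTEN") { next }
            n = split($4, parts, ":")
            if (parts[n] != port) { next }
            # Everything before the final ":port" is the bound address
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::") { all = 1 }
            else if (addr ~ /^127\./ || addr == "::1") { lo = 1 }
            else if (!(addr in seen)) {
                seen[addr] = 1
                list = list (list == "" ? "" : " ") addr
            }
        }
        END {
            if (all) { print "all" }
            else if (list != "") { print list }
            else if (lo) { print "loopback" }
            else { print "none" }
        }'
}

# Constructed sample: ssh/http on the internal NIC only, mysql on loopback,
# SIP on the wildcard address, plus one established session that must be ignored.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:22         0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.50:51514      ESTABLISHED
udp        0      0 0.0.0.0:5060            0.0.0.0:*'

for svc in tcp:22 tcp:3306 udp:5060; do
    printf '%s -> %s\n' "$svc" \
        "$(printf '%s\n' "$SAMPLE" | bind_scope "${svc%%:*}" "${svc##*:}")"
done
```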
 

dwells

Joined
Sep 29, 2009
Messages
127
Likes
0
Points
0
#12
Hi All,
I have some experience with dual nics. I haven't completely read every single word in this thread, but in my experience, it's not that hard to get 2 nics working well together for this purpose: External customers(Accessing webservers and VoIP Reg), and internal routing (both data as a router and VoIP traffic) registering locally.

I was using Elastix as a Router, has public IP with Shorewall Firewall bridging into local network with basic traffic shaping. Local LAN from DHCP server with gateway to Public IP.

Using shorewall will allow you to give access to whatever NIC needs what.(Stop iptables)

It took quite a bit of playing and research to get this setup right, but it works well.

The catch right now is that I don't have docs on total setup, but if there is enough demand I can give another full featured doc to follow.

Although I'm not using it in that exact fashion anymore, it's only because I didn't have GiGaNiCs and it was a source of bottlenecking, so I separated the internal LAN to another public path.
 

Lee Sharp

#13
I wonder if that forest is somewhere behind all those trees... :blush:

One odd thing is that port 5060 does not show as open in zenmap... The other is that Linux softphones are less than mature. Put those together, and I thought it was a broke server, not a broke client. Two reinstalls later, and a totally redesigned network, and it was still broke. Never would have caught it without tcpdump. Thanks for the clear head. :lol:

And dwells, I plan on a howto or two for this setup when I am done. And it may include why the endpoint configurator won't push to Aastra phones without manually setting each tftp server. Once I figure that out, anyway. :)

Thanks guys!
 

dicko

#14
I can't say I know what zenmap is but the nmap I posted was to be run on the server, if nmap (or whatever) is run from outside the box and shows it to be closed (don't forget it's udp) then you have a problem with ip-tables or some other packet filter somewhere between the monitoring host and the Elastix Server

Option 66 needs to be on each and every DHCP server configuration used to give a phone an address and must point to port 69 on the server for remote provisioning to work, although a previously provisioned locally with DHCP should be quite transportable even if the ultimate DHCP server has no option 66 (the local one will be remembered)

If you are using older Aastra phones you will need to take the tftp:// out of option 66 in etc/dhcpd.conf. They are broken 9122/9133 certainly and perhaps some others.

option tftp-server-name "10.65.65.100";
works for all Aastra's but no Polycoms

option tftp-server-name "tftp://10.65.65.100";
works for Polycoms and newer Aastras


If you find yourself in this conundrum, I suggest you use dnsmasq as your dhcp server as you can change the provisioning dependent on the MAC address of the client.
 

Lee Sharp

#15
For the record, zenmap is just a gui for nmap. Slightly easier to run, and a lot easier to parse the logs.

And my DHCP server is on the firewall, and it sanity checks my input so it can only be an IP address. Trying the "file-name" option with tftp://192.168.1.10 to see if that helps. It is Aastra 6730i phones, so not that old, but not that new... Getting way off topic, so can you direct me to an endpoint-configuration how-to? Still lots of problems here. :S
 

dicko

#16
The 6730 should be just fine with tftp:// your problem lies elsewhere.

the endpoint configurator uses nmap to scan the network you put in the box, any mac address it recognizes by its "first three" will be presented if there is a matching file in

/var/www/html/modules/endpoint_configuration/libs/vendors/

it's that easy, it builds the <mac>.cfg file in /tftpboot and then it's up to your DHCP/TFTP server to do their work.

You might want to change
/etc/xinetd.d/tftp

to

server_args = -s -c -vv /tftpboot

and tail -f /var/log/messages , the -vv will log the tftp activity.

Aastra have a much more functional XML provisioning script, on their web site, (other posts here)
 
