Two NIC in Elastix - error 408 on remote phones

Discussion in 'General' started by logtech, Apr 9, 2010.

  1. logtech

    Joined:
    Apr 9, 2010
    Messages:
    147
    Likes Received:
    0
    Elastix experts,



    Maybe you can advise what could be wrong: Elastix server has 2 NICs, internal and external to Internet provider.
    All phones in remote location are in VPN. When Elastix uses only internal NIC all phones are connected and provisioned without any problems. However, when I enable external NIC and SIP TRUNK goes up all phones in remote location ONLY shows 408 - timeout. ...... Phones in location where Elastix is placed are ok.

    Thanks for any advice related to the problem.

    logtech
     
  2. Kalama Sutra

    Joined:
    Apr 15, 2009
    Messages:
    95
    Likes Received:
    0
    Logtech,

    I'm not the most experienced here ....

    But, more background might be needed.

    Why 2 NIC's ? inside / outside WITH VPN ...

    Others might correct me. :angry: Are you using your elastix / asterisk / FreePBX box <<computer>> as some sort of router, too ?

    If so, might be just a bit complicated. Whether or not you use an off the shelf VPN router or a FLOSS - old computer router, let these handle your VPN stuff.

    In my own situation, I've an "office" where my PBX resides ... POTS <<plain old telephone system>> with 8 lines to a Sangoma board -> out to system;

    2 'official' <<we pay rent on them, good bandwidth ISP's>> satellite offices on VPN & I've set up a pair of AIX2 devices when we travel; on portable computers, but gives us office presence. << even did a roadwarrior VPN to time share in BCS, MX ... now that was KOOL ... SW Washington # from Cabo ! >>

    You say:

    " When Elastix uses only internal NIC all phones are connected and provisioned without any problems. "

    so why muck up the works :dry: ... use the other NIC in a FLOSS router ....

    Regards,

    Jim
     
  3. logtech

    Joined:
    Apr 9, 2010
    Messages:
    147
    Likes Received:
    0
    We have two providers and one is only for IP Phones and Elastix. No I don't use Elastix as a router yet because I did not want to install Ip Tables since this configuration does not work. I will but I have to make it working.

    NIC1 - internal networks (Elastix server and all Astras phones + other phones in remote location through VPN)

    NIC2 - Trunk and Data provider

    I know there are easier ways but I have to deal with this one with no option. When NIC2 is down all phones in remote + local phones work ok. When I UP NIC2 that is data provider only local phones can connect to Elastix. NIC2 has external IP, SUBNET, and its gateway.

    I assume it would be DNS issue or DHCP and will examine these later. If you know or have experienced similar please let me know, or any other advice is highly appreciated.

    LOG TECH
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Actually I believe you have a routing issue, and to be quite realistic and to do it properly you will need to use a router to do that, either the dual-homed Elastix box or some upline device. It's not trivial and it requires a VERY deep understanding of how IP traffic is routed. You can route traffic without IP tables but I think you will find it REALLY HARD. In your case stick with the prebuilt-router until you know more, they tend to work but making a multi-homed non routing Elastix box is very far from easy, and if as you say "I did not want to install Ip Tables since this configuration does not work" is begging the point, when you understand it it will, and further iptables is already "installed", whether you like it or not :)

    regards

    dicko

    p.s. having two unqualified gateways will spoil your whole day, "How will it know which to use? "
     
  5. logtech

    Joined:
    Apr 9, 2010
    Messages:
    147
    Likes Received:
    0
    I have ended up with same conclusion. I will try to add static route to eth0 - local NIC or just remove one of gateways.

    LOG
     
  6. logtech

    Joined:
    Apr 9, 2010
    Messages:
    147
    Likes Received:
    0
    I have encountered a small problem.

    I have manually added static routes by:

    [root@elastix ~]# ip route add 192.168.9.0/24 via 192.168.0.99
    [root@elastix ~]# ip route add 192.168.25.0/24 via 192.168.0.99

    this fixed all problems with routing. However, when I rebooted Elastix all earlier routes disappeared.

    How can I add this stuff forever so when reboot it stays in Elastix forever.

    I have tried to add /etc/sysconfig/static-routes and/or route-eth0 and it does not work.

    Could you please advise?

    Thank you for your help.

    LOG
     
  7. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    /etc/rc.local


    is the last script run when entering run level 3, stick it in there.
     
  8. logtech

    Joined:
    Apr 9, 2010
    Messages:
    147
    Likes Received:
    0
    Hmmm

    1. Until you ever upgrade your initscripts package, then rc.local will get overwritten
    2. The correct way to add permanent static routes to a system besides setting the default gateway is to create a file /etc/sysconfig/network-scripts/route-eth0 (or whichever interface you want to route through). You can add as many routes as you would like per interface by simply incrementing the number at the end of each statement. Once saved a restart of the network services will force a read of this route file.
    The syntax of the file should look like this:
    ADDRESS0=x.x.x.x
    GATEWAY0=x.x.x.x
    NETMASK0=x.x.x.x
    ADDRESS1=x.x.x.x
    GATEWAY1=x.x.x.x
    NETMASK1=x.x.x.x

    That's what I researched .....

    LOG
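
Added example, not from the thread: the two static routes from logtech's earlier post rendered in the ADDRESSn/GATEWAYn/NETMASKn layout quoted above. The helper names are hypothetical, and the result is printed rather than written so it can be reviewed before it goes into route-eth0.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# cidr_to_netmask 24 -> 255.255.255.0 ; fails on anything outside 0..32
cidr_to_netmask() {
    bits=$1
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$((256 - (1 << (8 - bits)))); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    echo "$mask"
}

# render_routes: read "network/prefix gateway" lines on stdin and print
# numbered ADDRESSn/GATEWAYn/NETMASKn entries, starting at 0.
render_routes() {
    n=0
    while read -r cidr gw; do
        case $cidr in ''|'#'*) continue ;; esac      # skip blanks and comments
        net=${cidr%/*}
        prefix=${cidr#*/}
        nm=$(cidr_to_netmask "$prefix") || {
            echo "bad prefix: $cidr" >&2; return 1; }
        printf 'ADDRESS%d=%s\nGATEWAY%d=%s\nNETMASK%d=%s\n' \
            "$n" "$net" "$n" "$gw" "$n" "$nm"
        n=$((n + 1))
    done
}

# The two routes added by hand in post 6 of the thread.
ROUTES='192.168.9.0/24 192.168.0.99
192.168.25.0/24 192.168.0.99'

# Printed only; the target file named in the post is
# /etc/sysconfig/network-scripts/route-eth0.
printf '%s\n' "$ROUTES" | render_routes
```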
     
  9. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    1) no it won't
    2) there is no "correct way" in Linux, just use the solution that works for you.

    dicko

    p.s. if you choose that route, the files in /etc/sysconfig/network-scripts that describe the network need hardlinking to the other two appropriate sub-directories in sysconfig, further, they should only be edited with hardlink aware editors.
     
  10. Lee Sharp

    Joined:
    Sep 28, 2010
    Messages:
    332
    Likes Received:
    0
    Bumping an old topic because it fits me exactly... Well, almost.

    Also a 2 nic server.

    eth0 has a real IP and is on the internet. It has a default gateway and routes correctly.

    eth1 has a 192.168.x.x IP and is on the internal lan. It has no default gateway, and no routing.

    The route tables are correct. Cyrus-imapd is killed with "chkconfig cyrus-imapd off" and ssh, http, and https are bound to eth1 only, and mysql is bound to 127.0.0.1 only. (If you need to do it, /etc/ssh/sshd_config /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf /etc/my.cnf)

    But I need sip open on both nics, and it is only listening on eth0. I will have internal and external extensions, and I will have some external sip trunks. The "second" Internet the system is plugged into is a low latency data T1 just for voice traffic, while the rest of the office uses a cable modem.

    So what do I need to do to have sip open on all nics?

    (Once I am done, I will make a howto... If only so I can do it again when it all comes apart... :unsure: )
     
  11. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    netstat -aunt|grep 5060

    will tell you what address range SIP (Asterisk) is listening on, if as normal and says

    udp 0 0 0.0.0.0:5060 0.0.0.0:*

    then it IS listening on all interfaces, so unless you have iptables blocking that on eth1 then it will work

    you can set the binding addresses in /etc/asterisk/sip*.conf.

    tcpdump -nn udp and port 5060 or portrange 10000-20000 -s0 -i eth1

    will show all SIP and RTP (audio) traffic in and out on that interface
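
Added example, not from the thread: an exact-match version of the netstat check above, run here over constructed netstat output. A plain grep for 5060 also matches port 15060 and connections whose remote port merely contains 5060; the hypothetical helpers below count only unconnected or listening sockets on the exact local port, which also confirms that ssh or mysql stay bound to a single address.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# bound_addrs PORT: read `netstat -aunt` output on stdin and print
# "proto address" for every socket waiting on exactly that local port.
bound_addrs() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            if ($5 !~ /:\*$/) next            # connected socket, not a listener
            n = split($4, part, ":")
            if (part[n] != port) next         # exact port, so 15060 != 5060
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            print $1, addr
        }' | sort -u
}

# port_exposure PORT: summarise where the port is reachable.
port_exposure() {
    addrs=$(bound_addrs "$1" | awk '{print $2}' | sort -u)
    [ -n "$addrs" ] || { echo "not-listening"; return 0; }
    for a in $addrs; do
        case $a in
            0.0.0.0|::) echo "all-interfaces"; return 0 ;;
        esac
    done
    echo "specific: $(echo $addrs | tr ' ' ',')"
}

# Constructed sample output; addresses are made up for the example.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:22         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.50:50604      ESTABLISHED
udp        0      0 0.0.0.0:5060            0.0.0.0:*
udp        0      0 0.0.0.0:15060           0.0.0.0:*'

for p in 5060 22 3306 5061; do
    printf '%s -> %s\n' "$p" "$(printf '%s\n' "$SAMPLE" | port_exposure "$p")"
done
```

On a live server, feed it `netstat -aunt` instead of the sample: `netstat -aunt | port_exposure 5060`.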
     
  12. dwells

    Joined:
    Sep 29, 2009
    Messages:
    127
    Likes Received:
    0
    Hi All,
    I have some experience with dual nics. I haven't completely read every single word in this thread, but in my experience, it's not that hard to get 2 nics working well together for this purpose: External customers(Accessing webservers and VoIP Reg), and internal routing (both data as a router and VoIP traffic) registering locally.

    I was using Elastix as a Router, has public IP with Shorewall Firewall bridging into local network with basic traffic shaping. Local LAN from DHCP server with gateway to Public IP.

    Using shorewall will allow you to give access to whatever NIC needs what.(Stop iptables)

    It took quite a bit of playing and research to get this setup right, but it works well.

    The catch right now is that I don't have docs on total setup, but if there is enough demand I can give another full featured doc to follow.

    Although I'm not using it in that exact fashion anymore, it's only because I didn't have GiGaNiCs and it was a source of bottlenecking, so I separated the internal LAN to another public path.
     
  13. Lee Sharp

    Joined:
    Sep 28, 2010
    Messages:
    332
    Likes Received:
    0
    I wonder if that forest is somewhere behind all those trees... :blush:

    One odd thing is that port 5060 does not show as open in zenmap... The other is that Linux softphones are less than mature. Put those together, and I thought it was a broke server, not a broke client. Two reinstalls later, and a totally redesigned network, and it was still broke. Never would have caught it without tcpdump. Thanks for the clear head. :lol:

    And dwells, I plan on a howto or two for this setup when I am done. And it may include why the endpoint configurator won't push to Aastra phones without manually setting each tftp server. Once I figure that out, anyway. :)

    Thanks guys!
     
  14. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I can't say I know what zenmap is but the nmap I posted was to be run on the server, if nmap (or whatever) is run from outside the box and shows it to be closed (don't forget it's udp) then you have a problem with ip-tables or some other packet filter somewhere between the monitoring host and the Elastix Server

    Option 66 needs to be on each and every DHCP server configuration used to give a phone an address and must point to port 69 on the server for remote provisioning to work, although a previously provisioned locally with DHCP should be quite transportable even if the ultimate DHCP server has no option 66 (the local one will be remembered)

    If you are using older Aastra phone you will need to take the tftp:// out of option 66 in etc/dhcpd.conf. They are broken 9122/9133 certainly and perhaps some others.

    option tftp-server-name "10.65.65.100";
    works for all Aastra's but no Polycoms

    option tftp-server-name "tftp://10.65.65.100";
    works for Polycoms and newer Aastras


    If you find yourself in this conundrum, I suggest you use dnsmasq as your dhcp server as you can change the provisioning dependent on the MAC address of the client.
     
  15. Lee Sharp

    Joined:
    Sep 28, 2010
    Messages:
    332
    Likes Received:
    0
    For the record, zenmap is just a gui for nmap. Slightly easier to run, and a lot easier to parse the logs.

    And my DHCP server is on the firewall, and it sanity checks my input so it can only be an IP address. Trying the "file-name" option with tftp://192.168.1.10 to see if that helps. It is Aastra 6730i phones, so not that old, but not that new... Getting way off topic, so can you direct me to a endpoint-configuration how-to? Still lots of problems here. :S
     
  16. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    The 6730 should be just fine with tftp://, your problem lies elsewhere.

    the endpoint configurator uses nmap to scan the network you put in the box, any mac address it recognizes by its "first three" will be presented if there is a matching file in

    /var/www/html/modules/endpoint_configuration/libs/vendors/

    it's that easy, it builds the <mac>.cfg file in /tftpboot and then it's up to your DHCP/TFTP server to do their work.

    You might want to change
    /etc/xinetd.d/tftp

    to

    server_args = -s -c -vv /tftpboot

    and tail -f /var/log/messages , the -vv will log the tftp activity.

    Aastra have a much more functional XML provisioning script, on their web site, (other posts here)
     
