SIP Registration in a Loadbalancing environment


SIP Registration in a Loadbalancing environment

Kevin Mathy
Hi List,

I'm trying to get SIP registration working for my customers with two OpenSIPS 1.9 servers sharing the same DNS name.

Here is a schematic:

                                              /=====> Registrar Server 1
SIP Phone =====> Access SBC 
                                              \=====> Registrar Server 2


I've got the same opensips.cfg on both servers, and here are the interesting points of the config:

# ----------------- module auth_db ---------------
loadmodule "auth_db.so"
# ----- auth_db params -----
modparam("auth_db", "calculate_ha1", yes)            # password column holds plaintext; HA1 is computed at runtime
modparam("auth_db", "use_domain", no)                # look up subscribers by username only, ignoring the domain
modparam("auth_db", "user_column", "username")
modparam("auth_db", "password_column", "password")
modparam("auth_db", "password_column_2", "ha1b")
modparam("auth_db", "db_url","mysql://****************************************** ")   # credentials masked in the post
modparam("auth_db", "load_credentials", "$avp(password)=password")

# ----------------- module auth ---------------
loadmodule "auth.so"
# ----- auth params -----
modparam("auth","username_spec","$var(username)")
modparam("auth","password_spec","$avp(password)")
modparam("auth","calculate_ha1",1)
modparam("auth","disable_nonce_check", 1)            # set so that a nonce issued by the other registrar is not rejected

if (is_method("REGISTER"))
{
    xlog("L_INFO","$ci -- New REGISTER received from $si with Contact : $ct\n");

    if (!www_authorize("", "subscriber"))
    {
        # negative return codes as documented for auth_db's www_authorize()
        if ($rc < 0)
        {
            switch ($rc)
            {
                case -5:
                    xlog("L_INFO","$ci -- REGISTER Failed because of : Generic Error");
                    break;
                case -4:
                    xlog("L_INFO","$ci -- REGISTER Failed because of : No Credentials");
                    break;
                case -3:
                    xlog("L_INFO","$ci -- REGISTER Failed because of : Stale nonce");
                    break;
                case -2:
                    xlog("L_INFO","$ci -- REGISTER Failed because of : Valid User but Wrong Password");
                    break;
                case -1:
                    xlog("L_INFO","$ci -- REGISTER Failed because of : Invalid User");
                    break;
            }
        }
        # send a fresh 401 challenge; second argument "0" = no qop
        www_challenge("", "0");
        exit;
    }

    # credentials accepted: store the contact in the location table
    if (!save("location"))
    {
        xlog("L_INFO","$ci -- error with save_location from $au\n");
    }
    else
    {
        xlog("L_INFO","$ci -- save_location is OK from $au\n");
    }

    exit;
}


So, as you can see, I configured the auth module with the "disable_nonce_check" parameter because of my "loadbalanced" architecture, as the documentation suggests (http://www.opensips.org/html/docs/modules/1.9.x/auth.html#id250075).

But when a SIP phone tries to register, the first REGISTER (without any credentials) is sent to the 1st registrar. It's answered with a 401 Unauthorized containing a nonce.
Then the 2nd REGISTER (with credentials and the previously given nonce) is sent to the 2nd registrar, but it's still answered with a 401.

Thanks to the return code of www_authorize, I see that the reason is "Stale nonce", even though "disable_nonce_check" is set to 1...

Maybe there's a misconfiguration, or a bug; so I need your help :-)

Thanks a lot, 


Best regards,

Kevin MATHY | VoIP Engineer



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: SIP Registration in a Loadbalancing environment

Kevin Mathy
An update about my previous mail :

I've tried to change the "disable_nonce_check" value, and set it to "0". The result is all the same, but there's a difference in the logs.

With disable_nonce_check set to 1 :
Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59128]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '
Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:check_nonce: comparing [52c5766c16b60d6ea7ab8993aac7645275d32b03] and [52c5766c4e6664d7e26e5799601c34086c63cd66]
Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:pre_auth: invalid nonce value received
Jan  2 15:23:10 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c5766c4e6664d7e26e5799601c34086c63cd66", stale=true^M '
Jan  2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:pre_auth: stale nonce value received
Jan  2 15:23:47 redirect-2 /usr/local/sbin/opensips[59126]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c576918f68aa904540e6467d5a82697ba4b660", stale=true^M '


and with disable_nonce_check set to 0 :
Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:pre_auth: invalid nonce value received
Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1,  index= 17
Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59245]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e", stale=true^M '
Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:pre_auth: invalid nonce value received
Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:reserve_nonce_index: second= 19, sec_monit= -1,  index= 18
Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:build_auth_hf: nonce index= 18
Jan  2 15:56:10 redirect-2 /usr/local/sbin/opensips[59247]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="REDIRECT", nonce="52c57e2800000012d49d9ee05dd12af13f29ed28bacffb06", stale=true^M '


It seems that disable_nonce_check doesn't completely disable the nonce checking, as there is still an inspection whatever value is set.

Thanks for your help, 

Kevin


Best regards,

Kevin MATHY | VoIP Engineer



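The two nonces in the check_nonce debug line above share their first 8 hex characters and differ afterwards, and the 48-character nonces from the second run carry an extra 8-character field that matches the index= values logged next to them. The Python below is an added illustration, not code from the post or from OpenSIPS. It splits nonces on that layout (an assumption drawn from the log lines: hex expiry time, an index only when the nonce check is enabled, then a 32-character digest) and models a registrar whose digest is keyed with a per-server secret. The model is deliberately simplified (HMAC-MD5 over the visible prefix stands in for whatever OpenSIPS actually hashes, so it is not byte-compatible with real nonces); its point is to show why a second registrar with its own secret reports the first registrar's nonce as invalid, why the same nonce turns stale after the expiry window, and what the index adds when the nonce check is enabled. Server names, secrets and the timestamp are constructed.

```python
import hashlib
import hmac
import re

# Copied from the post's debug output: the check_nonce comparison line, and a
# nonce issued while the nonce check was enabled (48 chars instead of 40).
CHECK_NONCE_LOG = ('DBG:auth:check_nonce: comparing '
                   '[52c5766c16b60d6ea7ab8993aac7645275d32b03] and '
                   '[52c5766c4e6664d7e26e5799601c34086c63cd66]')
INDEXED_NONCE = '52c57e280000001160449fa1e7dbeb9fe8bd6d235d903f4e'


def nonces_from_log(line):
    """Pull the bracketed nonces out of a check_nonce debug line."""
    return re.findall(r'\[([0-9a-f]{40,48})\]', line)


def decode_nonce(nonce):
    """Split a nonce into fields.

    Assumed layout (it fits the post's log lines): 8 hex chars of expiry
    time, an 8 hex char index only when the nonce check is enabled, then a
    32 hex char digest.
    """
    if len(nonce) not in (40, 48):
        raise ValueError('unexpected nonce length %d' % len(nonce))
    has_index = len(nonce) == 48
    return {
        'expires': int(nonce[:8], 16),
        'index': int(nonce[8:16], 16) if has_index else None,
        'digest': nonce[-32:],
    }


class Registrar:
    """Toy model of a registrar's nonce issue/verify logic (not OpenSIPS code)."""

    def __init__(self, name, secret, nonce_expire=30, disable_nonce_check=False):
        self.name = name
        self.secret = secret.encode()        # assumed per-server secret
        self.nonce_expire = nonce_expire
        self.disable_nonce_check = disable_nonce_check
        self.next_index = 0
        self.used_indexes = set()

    def _digest(self, prefix):
        # Keyed digest over the visible prefix: a server holding a different
        # key computes a different digest for the same expiry/index fields.
        return hmac.new(self.secret, prefix.encode(), hashlib.md5).hexdigest()

    def challenge(self, now):
        """Build the nonce for a 401 challenge sent at time `now`."""
        prefix = '%08x' % (now + self.nonce_expire)
        if not self.disable_nonce_check:
            prefix += '%08x' % self.next_index   # one-time index
            self.next_index += 1
        return prefix + self._digest(prefix)

    def check(self, nonce, now):
        """Classify a nonce presented at time `now`: ok, invalid, stale or replayed."""
        fields = decode_nonce(nonce)
        prefix = nonce[:-32]
        if not hmac.compare_digest(self._digest(prefix), fields['digest']):
            return 'invalid'        # not issued by this server (or tampered with)
        if fields['expires'] < now:
            return 'stale'          # issued here, but the nonce_expire window has passed
        if fields['index'] is not None:
            if fields['index'] in self.used_indexes:
                return 'replayed'   # this index was already consumed
            self.used_indexes.add(fields['index'])
        return 'ok'


def demo(now=1388672590):
    """Replay the post's scenario; `now` is constructed (30 s before the logged nonce expires)."""
    results = {}
    reg1 = Registrar('registrar-1', 'secret-of-registrar-1', disable_nonce_check=True)
    reg2 = Registrar('registrar-2', 'secret-of-registrar-2', disable_nonce_check=True)
    nonce = reg1.challenge(now)                      # the 401 from registrar 1
    results['same server'] = reg1.check(nonce, now)
    results['other server, own secret'] = reg2.check(nonce, now)
    results['same server, after expiry'] = reg1.check(nonce, now + 37)
    shared1 = Registrar('registrar-1', 'shared-secret', disable_nonce_check=True)
    shared2 = Registrar('registrar-2', 'shared-secret', disable_nonce_check=True)
    results['other server, shared secret'] = shared2.check(shared1.challenge(now), now)
    strict = Registrar('registrar-1', 'shared-secret')   # nonce check enabled
    one_time = strict.challenge(now)
    results['indexed nonce, first use'] = strict.check(one_time, now)
    results['indexed nonce, reused'] = strict.check(one_time, now)
    return results


if __name__ == '__main__':
    for label, verdict in demo().items():
        print('%-30s %s' % (label, verdict))
```

The field decoding can be checked against the page itself: 0x52c5766c is 1388672620, i.e. 14:23:40 UTC on 2 January 2014, which is 30 seconds after the 15:23:10 log timestamp if the host clock is at UTC+1 (an assumption), so the prefix reads as an expiry time; in the second run, 0x52c57e28 is 1980 seconds later, matching the 33 minutes between 15:23:10 and 15:56:10, and the 00000011 and 00000012 fields are the index=17 and 18 values logged beside them. In the model, the registrar that did not issue a nonce can never verify its digest, which is the "invalid nonce value received" case and holds whether or not the nonce check is disabled; disabling the check only drops the index. Whatever validates the authenticated REGISTER therefore has to be the thing that issued the challenge, which is what pinning a phone to one registrar achieves. Configuring both registrars with the same auth secret would let either verify the digest in this model, but note that the one-time index state is per server, so a shared secret alone does not restore the replay protection the index provides across two servers.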
Re: SIP Registration in a Loadbalancing environment

shaheryarkh
Theoretically I agree that disable_nonce_check should take care of the stale nonce problem, but in practice (using OpenSIPS 1.8.x) I observed that reducing nonce_expire actually works. So set nonce_expire to about 5 seconds and try again.

Also make sure to:

1. use the same DB backend for both OpenSIPS servers;
2. use a reasonable DNS expiry, e.g. at least 300 seconds. I recommend enforcing a registration expiry just under the DNS expiry (typically DNS expiry minus 5 seconds), so the user re-registers with the same server it started with.

Whether it works or not, you should open a ticket in the bug tracker so this behaviour gets corrected.

Thank you.








--
Kind regards
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: [hidden email]
Email: [hidden email]

Re: SIP Registration in a Loadbalancing environment

Chen-Che Huang
Hi Kevin,

From my own understanding and experience, you should make sure the 1st and 2nd registration messages are processed by the same SIP server. Otherwise, the SIP server processing the 2nd registration message will regard it as some kind of replayed message. Hope this is helpful for you.

Best wishes,
Chen-Che
Re: SIP Registration in a Loadbalancing environment

Kevin Mathy
Hi Chen-Che,

In the end, that's what I've done: there's no more load balancing between my two servers, but a failover mechanism based on DNS SRV entries.
Now it's OK.
Thanks for your advice anyway ;-)

Kevin


Best regards,

Kevin MATHY | VoIP Engineer



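Kevin's final setup takes load balancing out of the registration path by publishing the two registrars as DNS SRV records with different priorities, so a phone's challenge and its authenticated REGISTER reach the same server. The Python below is an added example, not code from the post or from OpenSIPS, of the RFC 2782 selection a SIP client (or an SBC resolving on its behalf) applies: ascending priority, weighted random choice within one priority, then fall through to the next priority when a target does not answer. The hostnames, priorities and weights are constructed, and reachability is simulated with a callback. It puts a failover record set (distinct priorities) beside a load-balanced one (equal priority, equal weights) to show why only the first keeps every resolution on registrar-1 while it is up.

```python
import random
from collections import Counter, namedtuple

SrvRecord = namedtuple('SrvRecord', 'priority weight port target')

# Constructed record sets for an assumed _sip._udp.sip.example.net name.
# Distinct priorities: registrar-2 is only tried when registrar-1 fails.
FAILOVER = [
    SrvRecord(10, 0, 5060, 'registrar-1.example.net'),
    SrvRecord(20, 0, 5060, 'registrar-2.example.net'),
]
# Equal priority and weight: every fresh resolution picks either at random.
BALANCED = [
    SrvRecord(10, 50, 5060, 'registrar-1.example.net'),
    SrvRecord(10, 50, 5060, 'registrar-2.example.net'),
]


def order_srv(records, rng=random):
    """Order SRV records per RFC 2782: by priority, weighted random within it."""
    ordered = []
    for priority in sorted({r.priority for r in records}):
        # RFC 2782 wants zero-weight records at the front of the candidate list.
        group = sorted((r for r in records if r.priority == priority),
                       key=lambda r: r.weight != 0)
        # Weighted selection without replacement within this priority level.
        while group:
            total = sum(r.weight for r in group)
            threshold = rng.randint(0, total)
            running = 0
            for record in group:
                running += record.weight
                if running >= threshold:
                    ordered.append(record)
                    group.remove(record)
                    break
    return ordered


def pick_registrar(records, reachable, rng=random):
    """First target in SRV order that answers, or None if all are down."""
    for record in order_srv(records, rng):
        if reachable(record.target):
            return record.target
    return None


def distribution(records, trials=1000, seed=1):
    """Count which target wins over `trials` fresh resolutions with all targets up."""
    rng = random.Random(seed)
    counts = Counter(pick_registrar(records, lambda _target: True, rng)
                     for _ in range(trials))
    return dict(counts)


if __name__ == '__main__':
    print('failover, all up     :', distribution(FAILOVER))
    print('failover, reg-1 down :', pick_registrar(
        FAILOVER, lambda t: t != 'registrar-1.example.net'))
    print('balanced, all up     :', distribution(BALANCED))
```

With the failover set, registrar-1 wins every resolution while it answers, so both REGISTERs of an exchange land on the server that issued the nonce; registrar-2 only takes over when registrar-1 is unreachable, and at that point the phone gets a fresh challenge from registrar-2 anyway. With the balanced set, roughly half of all resolutions go to each server, which is the situation in which a phone (or an SBC resolving per request) can send the credentials to a registrar other than the one that challenged it.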