[Spce-user] Under what scenario could sipwise silently drop an invite?

Sat May 28 12:23:53 EDT 2016

Actually this is my fault since I didn't explain properly, sorry for that
guys.

The voipmonitor detected 11 calls from this endpoint like this, however
this very same endpoint made and received hundreds of calls yesterday alone
successfully, this is a Cisco UC PBX.

This is what the INVITE looks like with a couple details anomized. I do
think everything looks good on this INVITE, port is okay and the domain is
okay.

INVITE sip:19727612465 at sip.fusetelecom.com:5060 SIP/2.0
Via: SIP/2.0/UDP 10.30.28.1:5060;branch=z9hG4bKE5DB37D
From: "XXXX" <sip:787200xxxx at sip.fusetelecom.com>;tag=DB6B8ADC-17FC
To: <sip:1972761xxxx at sip.fusetelecom.com>
Date: Fri, 27 May 2016 14:10:16 GMT
Call-ID: 924D11CC-234B11E6-BB27E6D2-8EBB5E3A at sip.fusetelecom.com
Supported: 100rel,timer,resource-priority,replaces,sdp-anat
Min-SE:  600
Cisco-Guid: 2376044366-0592122342-3139626706-2394644026
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE,
NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Max-Forwards: 70
Timestamp: 1464358216
Contact: <sip:787200xxxx at 10.30.28.1:5060>
Call-Info: <sip:10.30.28.1:5060
>;method="NOTIFY;Event=telephone-event;Duration=2000"
Expires: 300
Allow-Events: telephone-event
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 324

v=0
o=CiscoSystemsSIP-GW-UserAgent 6165 9658 IN IP4 10.30.28.1
s=SIP Call
c=IN IP4 10.30.28.1
t=0 0
m=audio 17106 RTP/AVP 18 0 8 101 19
c=IN IP4 10.30.28.1
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:19 CN/8000

On Sat, May 28, 2016 at 12:05 PM, Marco Teixeira <admin at marcoteixeira.com>
wrote:

> It was an example.
> What i meant was that, usually, sniffers set the NIC to promiscuous,
> meaning that they will catch whatever garbage arrives at the IP stack. The
> iptables was an example. Others have pointed before, maybe your config is
> not binding to the correct port ? maybe you don't have the correct domain
> configured in sipwise ?
>
>
> ---
> Best regards
> Marco
> ---
>
>
> On Sat, May 28, 2016 at 1:18 PM, Abel Alejandro <
> aalejandro at alliedtechnologygrouppr.com> wrote:
>
>> Hey Marco,
>>
>> I do not mean the server iptables, I do not run anything other than
>> sipwise + sniffer, I mean the anti DDoS of the sipwise itself.
>>
>>
>>
>> On Sat, May 28, 2016 at 8:04 AM, Marco Teixeira <admin at marcoteixeira.com>
>> wrote:
>>
>>> Hi Abel,
>>> Carefull with your assumptions. As an example, if i run sip-ngrep on the
>>> server, it will see all the traffic even before iptables drops it...
>>> Em 27/05/2016 20:12, "Abel Alejandro" <
>>> aalejandro at alliedtechnologygrouppr.com> escreveu:
>>>
>>>> Well, the network capture is a network application that runs on the
>>>> same sipwise server, its from the voipmonitor.org guys, I dont see how
>>>> the network sniffer could capture the data and at the same time the server
>>>> not deliver it to the kamalio process.
>>>>
>>>> I sent you the pcap capture privately, but yes the domain looks
>>>> correct. Is there no chance the endpoint was banned during this time? Would
>>>> that skip the logs?
>>>>
>>>>
>>>> On Fri, May 27, 2016 at 2:59 PM, Daniel Grotti <dgrotti at sipwise.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>> Well if no request are on Kamailio-lb, then invites never reached the
>>>>> server.
>>>>> Are you sure the invite was heading to the right sip domain?
>>>>>
>>>>> Daniel
>>>>> On May 27, 2016 8:51 PM, Abel Alejandro <
>>>>> aalejandro at alliedtechnologygrouppr.com> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I am testing a voipmonitor and just saw an interesting call where an
>>>>> endpoint sent to sipwise 3 invites and it never got answered. Mind you I am
>>>>> doing the voipmonitor capture at the sipwise server itself so there is no
>>>>> chance of network packet loss here.
>>>>>
>>>>> When I take a look at the logs I dont even see the request
>>>>> in kamailio-lb.log or kamailio-proxy.log , is there any other place I could
>>>>> check?
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> *Abel Alejandro*
>>>>>
>>>>> 787 586 8313 | 787 705 0555
>>>>> <joquendo at alliedtechnologygrouppr.com>
>>>>>
>>>>> 400 Calle Calaf 477
>>>>> San Juan, PR 00918
>>>>> aalejandro at alliedtechnologygrouppr.com
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> *Abel Alejandro*
>>>>
>>>> 787 586 8313 | 787 705 0555
>>>> <joquendo at alliedtechnologygrouppr.com>
>>>>
>>>> 400 Calle Calaf 477
>>>> San Juan, PR 00918
>>>> aalejandro at alliedtechnologygrouppr.com
>>>>
>>>> _______________________________________________
>>>> Spce-user mailing list
>>>> Spce-user at lists.sipwise.com
>>>> https://lists.sipwise.com/listinfo/spce-user
>>>>
>>>>
>>
>>
>> --
>> *Abel Alejandro*
>>
>> 787 586 8313 | 787 705 0555
>> <joquendo at alliedtechnologygrouppr.com>
>>
>> 400 Calle Calaf 477
>> San Juan, PR 00918
>> aalejandro at alliedtechnologygrouppr.com
>>
>
>

-- 
*Abel Alejandro*

787 586 8313 | 787 705 0555
<joquendo at alliedtechnologygrouppr.com>

400 Calle Calaf 477
San Juan, PR 00918
aalejandro at alliedtechnologygrouppr.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20160528/b98d043b/attachment-0001.html>