TLS Registration random failure


Carlos Montemayor

Hi,

 

I have been favoring TLS to register extensions on our hosted offering; however, something weird has started to appear lately. It has to do with failure to register with the PBX. That one method of transport works where others do not is not new or strange to me. What puzzles me is that it appears not to follow a pattern. For example, in the same site, some phones can work with TLS while others need UDP, and to compound the perplexity, the brand of the phone does not matter either: some Yealinks can and some do not, some snom phones (710s) can and some do not. Also, deployments that had been working fine for several months with TLS are starting to require the change to UDP to keep registration. And it is not that all the phones all of a sudden need it. It is happening every now and then, but it seems to start to happen more often. The most extreme example is my own phone, which is a Yealink T22P, which has 3 accounts. The first two currently have extensions that are using TLS, but I could not register the third one; it had to go with UDP.

 

What can be happening?

 

Regards


It is a complex topic. First of all, it is good if you keep track of the registration, e.g. by sending an email out when the registration status changes. I guess that is what you did to get an overview of the situation.

 

What you can do is try to narrow the problem down. If you are using TCP instead of TLS and the connection still drops occasionally, then you probably have a problem with your routing equipment that has only so-and-so many TCP connections and you are simply running out of them sometimes. For example, when the client is using lots of email and HTTP TCP connections, the router might drop the SIP connection.

 

If the problem is related to a specific site, I would say to 90 % it is the router. Also, you can specify the outbound proxy for every site. For example, if you have one client with a troublesome router, you can specify as outbound proxy something with UDP, while other sites are still using TCP or TLS.

 

The last thing that comes to my mind is that a lot of equipment had to be updated recently because of the Heartbleed problem. That might have caused ripple effects with unstable TLS connections. Depending on what phone type you are using, the unfortunate OpenSSL version might be in use, which may be part of the problem. In that case, you should update the phones.


Hi,

 

Thanks for the reply. It was hitting all across the board, I mean, in different sites as well as with different phones (Yealinks and snoms). I increased the settings of "SIP connections per second" and "total number of sip connections" and that did help a lot. I was unaware that I had to increase those parameters as my deployment was growing. Those settings are there to protect us against external attacks, which is great, but they had to be adjusted as we were growing. Now that we are looking into those settings, the total number of SIP connections should be rather simple to set: it should be just above the total actual number of SIP registrations that one has because of the current users, I guess. However, the number of SIP connections per second is another thing. Is there a common sense rule regarding what to put there?

 

Also, regarding how to be aware of a problem with registration, yes, email helped me. However, I understand that the PBX has the feature of SNMP and I imagine that as things grow, it would be a better solution to have something like a control panel that could be getting its information through SNMP. Is there a recommendation regarding how to implement SNMP for the PBX?

 

Regards
