On Tue, Aug 13, 2024 at 03:16:20PM +0000, Peter Fraser wrote:
> I have looked at the phone logs; all they show is the registration is not
> working.
>
> I should also add that I have tried restarting asterisk; that did not solve
> the problem.
>
> I have a hard time tracking down the problem because the organization
> reboots the firewall about once an hour to make sure their phones work.
>
> So I have weekends and nights.

I have probably just as much clue as you here. One thing to do is perhaps
measure the Maximum Segment Size (MTU?) of the link? You can use my script
from my github:

https://github.com/pbug44/misc/blob/main/mtuping.sh

There is also an IPv6-similar script. What I have noticed is that if the DF
flag is set on the packet and it's over the MTU of the router it is discarded
and an ICMP should be sent to the phone. One way to mitigate that is switching
to TLS or TCP mode. Or you could try my sipdiv.c program, but it needs a bit of
hacking on possibly (it works in a single phone setup on my gateway through
wireguard tunnels):

https://github.com/pbug44/misc/tree/main/sipdiv

What this does is it uses SDP compressed syntax to replace things like From:,
To: etc etc and shortens it so that the packets would fit through a tunnel.
Works for me lately. Usually by default my OpenBSD machines would fragment the
packets from the phone if it was oversized but the UAS (an AVM Fritz!box) would
discard any fragments. I don't know what your OpenBSD box does, maybe see if
you are scrubbing fragments and if you need it?

Also regarding DNS the phones most likely don't do DNSSEC validation. Make sure
you have a local DNS server that does, and turn DNSSEC on. Perhaps you're
facing DNS poisoning attacks? Phones are probably easy targets because they
don't validate DNSSEC.

Hope that helps,
-pjp
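
The header shortening described in the message above, sketched as an added example (not part of the original message and not code from sipdiv.c). It assumes the shortening means the compact header forms defined in RFC 3261, and the names `compact_sip`, `fits_in_one_datagram` and the sample INVITE are constructed for illustration.

```python
# Added example: rewrite SIP header names to their RFC 3261 compact forms so
# that a message is more likely to fit in one unfragmented UDP datagram.
COMPACT = {
    b"call-id": b"i", b"contact": b"m", b"content-encoding": b"e",
    b"content-length": b"l", b"content-type": b"c", b"from": b"f",
    b"subject": b"s", b"supported": b"k", b"to": b"t", b"via": b"v",
}
IPV4_UDP_OVERHEAD = 20 + 8  # IPv4 header without options + UDP header


def compact_sip(message: bytes) -> bytes:
    """Shorten header names only; the body (and so Content-Length) is kept."""
    head, sep, body = message.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    out = [lines[0]]  # request or status line is never rewritten
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        short = COMPACT.get(name.strip().lower())
        # Folded continuation lines start with whitespace: keep them as is.
        if colon and short and not line[:1].isspace():
            line = short + b": " + value.strip()
        out.append(line)
    return b"\r\n".join(out) + sep + body


def fits_in_one_datagram(message: bytes, mtu: int) -> bool:
    """True if the message fits in one IPv4/UDP packet of at most mtu bytes."""
    return len(message) + IPV4_UDP_OVERHEAD <= mtu


# Constructed sample INVITE (documentation addresses, not captured traffic).
# The body has SDP lines such as "c=" and "m=" that must not be rewritten.
SAMPLE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.com>;tag=1928301774\r\n"
    b"To: <sip:bob@example.com>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Contact: <sip:alice@192.0.2.10:5060>\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 51\r\n"
    b"\r\n"
    b"v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"
)
```

The saving is only a few bytes per header, so this helps when a message is slightly over the path MTU; tunnel encapsulation overhead has to be subtracted from the MTU passed to `fits_in_one_datagram`.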