Re: [Hampshire] Are UDP responses allowed from a different s…

Author: James Courtier-Dutton
Date:  
To: Hampshire LUG Discussion List
CC: hampshire
Subject: Re: [Hampshire] Are UDP responses allowed from a different source port?
2009/11/6 Nick Chalk <nick@???>:
> One for the network gurus.
>
> I have a Linux device that's monitoring two SIP
> servers.  The health check method is to connect to
> port 5060/udp on each server, issue an OPTIONS
> command, then listen for a successful response.
>
> These health checks always succeed on one server,
> and always fail on the other. A packet dump shows
> that the successful server responds from 5060/udp;
> the failing server allocates a high port - around
> 50000/udp - for its response. Both servers are
> sending success responses.
>


It is a programming issue.
A UDP port can receive from any source port, or be limited to a particular port.
As the SIP protocol tends to use 5060 both for send and receive ports,
maybe one implementation is assuming this and restricting its
reception based on it.
I think technically, one can have any of the following and they are all OK.
1) Request: Host A:5060 -> Host B:5060, Response: Host B:5060 -> Host A:5060
2) Request: Host A:50000 -> Host B:5060, Response: Host B:5060 -> Host A:50000
3) Request: Host A:50000 -> Host B:5060, Response: Host B:40000 -> Host A:5060
4) Request: Host A:5060 -> Host B:5060, Response: Host B:40000 -> Host A:5060

I would therefore suggest that the health check program be modified to
handle the reply on:
1) src:dst port reversed in relation to the request.
2) any-src:dst=5060 for the reply.

In your particular case, it seems that (2) is all that is needed.
Alternatively, have the SIP device using the high port to be fixed on port 5060.
Using high src ports is normal for SIP, due to NAT devices being in the path.
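
The behaviour discussed in this message, as an added example that is not part of the original post: a UDP socket that has called connect() only receives datagrams from that exact peer address and port, while an unconnected socket accepts a reply from any source port. The loopback server, the minimal OPTIONS message and the function names are constructed for illustration; the unconnected probe checks the source IP and the echoed Call-ID because it no longer checks the source port.

```python
import socket
import threading

PROBE = b"OPTIONS sip:probe@127.0.0.1 SIP/2.0\r\nCall-ID: %s\r\n\r\n"  # constructed, minimal

def fake_server(srv, reply_from_new_port):
    """Constructed stand-in for a SIP server: answers one probe with 200 OK."""
    data, peer = srv.recvfrom(2048)
    cid = next(l for l in data.split(b"\r\n") if l.startswith(b"Call-ID:"))
    out = srv
    if reply_from_new_port:  # behaves like the "failing" server in the thread
        out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        out.bind(("127.0.0.1", 0))  # ephemeral source port instead of the listen port
    out.sendto(b"SIP/2.0 200 OK\r\n" + cid + b"\r\n\r\n", peer)
    if out is not srv:
        out.close()

def probe(server, connected, call_id=b"constructed-id-1", timeout=1.0):
    """Return True if a matching 200 OK arrives; `connected` selects the socket style."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        if connected:
            s.connect(server)  # kernel now delivers only datagrams from server ip AND port
            s.send(PROBE % call_id)
        else:
            s.sendto(PROBE % call_id, server)  # unconnected: any source may reply
        for _ in range(5):  # bounded, so stray datagrams cannot keep the loop alive
            data, src = s.recvfrom(2048)
            # Source port is not checked; source IP and the echoed Call-ID are.
            if (src[0] == server[0] and data.startswith(b"SIP/2.0 200")
                    and b"Call-ID: " + call_id in data):
                return True
        return False
    except OSError:  # timeout, or ICMP port unreachable on a connected socket
        return False
    finally:
        s.close()

def run_case(reply_from_new_port, connected):
    """Start the constructed server on loopback and run one probe against it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    t = threading.Thread(target=fake_server, args=(srv, reply_from_new_port), daemon=True)
    t.start()
    ok = probe(srv.getsockname(), connected)
    t.join(2)
    srv.close()
    return ok
```

Only the combination of a connected socket and a reply from a new source port fails, which matches the symptom in the packet dump: the response is on the wire but never reaches the health check.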