I've got a need to setup secure VoIP system:
1. 802.1x PEAP
2. Configuration encryption
3. TLS
4. SRTP
Phones: T22P, T28P, W52P, T38G, T46G
Testing on T22P with localized fw 7.72.14.6 and global 7.73.0.50
PBX is Asterisk 11.15
I've got it all working, but have stability/speed problems:
1. The phone using SIP TLS is, from time to time, not reachable and not able to make calls. It recovers shortly by itself. From Asterisk the phone apeears UNREACHABLE and the REACHABLE again. And it flaps here and there all the time:
Code:
[May 26 12:45:02] VERBOSE[29264] chan_sip.c: -- Registered SIP '1699' at 10.1.33.163:3120
[May 26 12:45:02] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (78ms / 2000ms)
[May 26 12:49:07] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE! Last qualify: 94
[May 26 12:49:17] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 12:54:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE! Last qualify: 99
[May 26 12:54:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (83ms / 2000ms)
[May 26 12:59:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE! Last qualify: 95
[May 26 12:59:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (86ms / 2000ms)
[May 26 13:02:07] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE! Last qualify: 80
[May 26 13:02:17] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (92ms / 2000ms)
[May 26 13:06:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE! Last qualify: 97
[May 26 13:06:58] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (114ms / 2000ms)
[May 26 13:13:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE! Last qualify: 90
[May 26 13:13:16] NOTICE[29264] chan_sip.c: Peer '1699' is now Reachable. (71ms / 2000ms)
[May 26 13:20:06] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE! Last qualify: 81
[May 26 13:20:45] VERBOSE[30199] chan_sip.c: -- Registered SIP '1699' at 10.1.33.163:2660
[May 26 13:20:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (80ms / 2000ms)
[May 26 13:22:49] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE! Last qualify: 79
[May 26 13:23:41] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (84ms / 2000ms)
[May 26 13:25:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Lagged. (3554ms / 2000ms)
[May 26 13:25:45] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (188ms / 2000ms)
[May 26 13:27:49] NOTICE[20945] chan_sip.c: Peer '1699' is now UNREACHABLE! Last qualify: 72
[May 26 13:28:42] NOTICE[30199] chan_sip.c: Peer '1699' is now Reachable. (73ms / 2000ms)
In the phone's logs there's nothing quite interesting, some TLS errors from time to time:
Code:
May 26 10:08:46 LIBD[352]: DCMN<3+error > SSL_connect select(read) error (Resource temporarily unavailable)
May 26 10:08:46 LIBD[352]: HTTP<3+error > Connect Error
May 26 10:08:46 ATP [352]: ATP <3+error > https to file failed, code = -3, msg = Connect Failed, retry = 1
2. Phone takes almost 5 minutes to download stuff from HTTPS server. It downloads 5 XML phonebooks (total size around 50k), firmware, dialnow, certificates, config. Here's the server's log for the bootup:
Code:
[26/May/2015:14:47:46 +0300] "GET /yealink-test/dm1867/y000000000005.cfg HTTP/1.1" 200 4050 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:08 +0300] "GET /yealink/phonebooks/phonebook_a.xml HTTP/1.1" 200 13265 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:10 +0300] "GET /yealink/phonebooks/phonebook_b.xml HTTP/1.1" 200 391 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:16 +0300] "GET /yealink/phonebooks/phonebook_c.xml HTTP/1.1" 200 25620 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:31 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:32 +0300] "GET /yealink/phonebooks/phonebook_d.xml HTTP/1.1" 200 11529 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:52 +0300] "GET /yealink/phonebooks/phonebook_e.xml HTTP/1.1" 200 5940 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:48:54 +0300] "GET /yealink/tls/yealink-sip.pem HTTP/1.1" 200 3205 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:49:49 +0300] "GET /yealink/dialnow.xml HTTP/1.1" 200 206 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:00 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:10 +0300] "GET /yealink/tls/yealink-dot1x.pem HTTP/1.1" 200 3213 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:22 +0300] "GET /yealink-test/fw/T22_7.73.0.50.rom HTTP/1.1" 200 7321150 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:33 +0300] "GET /yealink-test/dm1867/0015654e2687.cfg HTTP/1.1" 404 316 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:44 +0300] "GET /yealink-test/dm1867/y000000000005.cfg HTTP/1.1" 200 4050 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:50:56 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:07 +0300] "GET /yealink/tls/yealink-sip.pem HTTP/1.1" 200 3205 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:19 +0300] "GET /yealink/dialnow.xml HTTP/1.1" 200 206 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:51:30 +0300] "GET /yealink/tls/ca-linux-2048.domain.ru.pem HTTP/1.1" 200 1659 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:16 +0300] "GET /yealink/tls/yealink-dot1x.pem HTTP/1.1" 200 3213 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:27 +0300] "GET /yealink-test/fw/T22_7.73.0.50.rom HTTP/1.1" 200 7321150 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
[26/May/2015:14:52:38 +0300] "GET /yealink-test/dm1867/0015654e2687.cfg HTTP/1.1" 404 316 "-" "Yealink SIP-T22P 7.73.0.50 00:15:65:4e:26:87"
It's not a problem by itself, but there seems to be a problem with phone's performance.
Is there anything i can do to make it send and receive calls stable?
Maybe some tweaks needed? Phone's syslog attached.
P.S.
The certificates are usual 2048-bit SHA1, so it shouldn't be too hard for the phone's CPU to handle them.