IAX

The IAX revision 2 protocol is used by the Asterisk VOIP PBX and FreeSwitch Softswitch as an alternative to SIP, H.323, etc. when connecting to other devices that support IAX (a limited list at the moment, but growing very rapidly). However meanwhile other software like Yate SofaSwitch and OPAL have added IAX2 support.

  • IAX2 is not the result of a standards group, rather a collaborative, community based effort
  • IAX2 uses a single UDP port 4569, and thus works well in NAT environments (the obsolete IAX1 protocol used port 5036). IAX2 uses ONLY one udp port for both control and data traffic. As outlined in point 4 of the IAX versus SIP topic with IAX you will always have audio if the control connection can be established.
  • IAX2 supports PKI-style authentication and trunking.
  • The Asterisk IAX2 driver has a jitter buffer. (The SIP driver doesn't in 1.2.x, but one has been added in 1.4.x. The IAX2 jitterbuffer is more mature however.)

Trunking

When trunking with IAX2, only the used bandwidth is allocated at all times. Other TDMoIP protocols used for trunking always allocate a certain amount of bandwidth to keep all channels open. IAX trunking allows multiple voice streams to share a single "trunk" to another server, reducing overhead created by IP packets. IAX always sends DTMF outline (RFC2833), eliminating the confusion often found with SIP.

It should be noted that trunking requires both sides to know each other (i.e. they need to be valid peers). If one side has trunk=yes and the other does not cannot validate the peer, you will get one-way audio. The easiest way to make this work is to use a register line to register to the systems you want to trunk with.

Jitterbuffer

One of the major advantages of IAX2 over SIP is the IAX2 jitterbuffer (in Asterisk 1.2.x and higher). This tends to improve the audio quality noticeably over non-ideal links like ADSL. To enable it, add:
jitterbuffer=yes

to iax.conf. A jitterbuffer was added to the SIP channel in Asterisk 1.4, but it is not as mature as the IAX2 jitterbuffer. Some additional background info is available here:

General NAT Issues

One of the other big selling points of IAX2 is the relative ease with which it integrates with NAT, especially compared with nightmare of SIP NAT traversal. IAX2 uses just one UDP port, 4569. That said, there are a few subtle "gotchas" to be aware of:

  • Consistent NAT. Address translation usually involves re-writing the source port, so that the NAT device can keep track of connections. For reliable two-way communications, the same re-writing must always be used. For instance - say your internal Asterisk server sends a registration message (using source and destination ports of 4569) to your IAX provider's server on the other side of the NAT device. The NAT device will re-write the source port to some random unused port number, like 14353. The provider's server will note your source port, so that it can contact your server if a call comes in. If you want to receive calls from the provider, you must ensure that the 14353 port stays associated with the 4569 port on your internal Asterisk server. Some firewalls DO NOT do this by default. For instance, on the Sonicwall TZ170, you must set "Firewall > VOIP > Enable consistent NAT" to "on".

  • Consistent NAT Timeouts. Once you ensure that your NAT device uses consistent NAT re-writing as described above, you need to be aware that there may be timeouts associated with the port mappings. For instance, if no traffic occurs on port 14353 (see example above) for X seconds, the 4569 <> 14353 mapping will be dropped by the firewall - and your IAX2 provider can't contact you any more! For instance, on my Sonicwall TZ170 (Enhanced OS), the default Firewall > Advanced > Default UDP Connection Timeout (seconds) setting is 30 seconds - less than the Asterisk default IAX2 registration refresh period of 60 seconds! Boost your timeout setting to something more than the registration refresh period. (To see your Asterisk IAX2 registration refresh period, type "IAX2 show registry" from the Asterisk console.)

It is possible to change the Asterisk registration refresh period by editing the source code and re-compiling. Change this line:
iax2.h: #define IAX_DEFAULT_REG_EXPIRE 60

Of course, you are likely to forget about your tweak when you upgrade, so beware...

NAT Implementation Issues - Random "Raw Hangups"

I used the Sonicwall TZ170 (with the enhanced OS) to provide NAT for IAX2, but it never worked properly. A fraction of calls would end almost immediately after they started, with Asterisk reporting a "raw hangup" error and INVAL packets, suggesting that some IAX2 packets were being lost, mis-ordered, or mis-translated. My IAX2 provider indicated that other customers had the same problem with Sonicwall devices, and recommended a SnapGear SG560 instead.

As a temporary workaround, I replaced the TZ170 with an older, simpler Sonicwall SOHO/10 device, and it worked fine.

The SnapGear SG560 worked great too, and it offered multiple WAN connections, failover, VPNs, etc. Great inexpensive device! Highly recommended for IAX2 / VOIP / NAT use.

Moral of the story: if you get random raw_hangup errors on your IAX2 connections, replace your NAT device. (If you get raw hangup errors that are not random, that suggests a configuration error instead - see "General NAT Issues" above.) - mjc


NAT Implementation Problems - Linux kernel

Olivier ADLER of FRANCE IP reports that:

Some NAT devices can exhibit a really nasty bug, when used in conjunction with a static IP pppoe or similar WAN connection.

The Linux kernel does not like at all to receive udp data during a WAN disconnect. During this period, NAT MAsquerading use the private LAN IP address of the source instead of the External public WAN IP, as there is no Public IP to use.

The bad thing is that after WAN reconnect, the kernel should rewrite the private LAN address to the new WAN public IP (the same one as we have a static address). But it does not do it. The kernel keep sending the Private Lan address ! So it does transmitt the non routable LAN address to the world !! And the IAX2 connection is broken.

Kernel 2.4 and 2.6.X are concerned. Kernel 2.6.22 need to be tested, as a new NAT code is present.

This bug does exhibit only if the WAN link has a static IP. With a dynamic IP, normal masquerading state is restored after the link reconnect.

It is evident that IAX2 cannot work with this problem, as the asterisk peer cannot send back acknowledgments to a private LAN IP. To restore the masquerading process, the source need to stop sending udp data on the IAX2 port during a time longer than the NAT udp session timeout. Typically more than 30 seconds on most routers.

Where things are even more worse, is that Asterisk, when it detects a registration problem, try to send registration requests almost each 2 or 3 seconds, holding the buggy state of the masquerading. Then the router is continously sending the private LAN address of the asterisk machine to the WAN.

Unfortunately there is no settings inside asterisk to define the registration retry period.

So the only way to stop this problem is to stop asterisk, or the IAX2_channel module, during more than 30 seconds. Another solution is to avoid IAX2 data to enter in the router during the same amount of time. But be careful, if you are using this latest method, a single frame entering the firewall during reconnect (when there is no external Public address) will taint the kernel.

Restarting the IAX2 channel is not everytime possible, this does not work if a call is using an IAX2 channel. So it is better to restart asterisk from a script.

The only way i have found to cleanly solve this problem is to remove the masquerading from the firewall tables, and use SNAT instead, specifying the fix IP in the rule.

Here is a typical WAN firewall NAT iptables rule :

iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE


Need to be replaced for a static WAN connection by :

iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source <your static public wan address>


This solve definitly and efficiently the IAX2 lost link problem, as well as the linux kernel tainting.

A report of the problem by another user :

This is something i've run into myself, and my VOIP IAX2 provider has this issue with many clients running Asterisk on TrixBox or custom made systems.

If our PPPoE goes down, we have to reboot our trixbox to get our IAX2 link to re-register. It will try and just keep timing out. I have the 4569 forwarded internal. I've put TCPDUMP on my Router. We have a fixed IP, i've done it all ;)

I have a dirty script that avoids havig to reboot the TrixBox and restore our service within 2 minutes of a blip automatically, and logs the 'blips' so i can see how 'reliable' our service is.

Here is the script. Its dirty, but it works. *IF* someone can help me get IAX2 working behind our NAT DSL session, let me know. I think its related to me not being able to use "Consistent NAT". We're using a Linksys WRT54GS with DD-WRT v230-SP2. Yes SPI is turned off, I tried all types and kinds of forwarding too! I'm a bigtime network guy so reply with detailed info if you have it for me....

With the script below, use a CRON job to execute it. Say every two minutes. Warning, memory leak will occur over time during LONG outages as when the system unloads/releads the IAX2 stuff a little bit of memory never gets released.

If anyone has feedback let me know. I'm not a bash guru but i solved the problem for us, so hey hey. The time delay between unloaing and reloading is key, not having that prevents the registration from working.

I'd say the guys who wrote the chan_iax2.so need to make it generate network traffic however this 'hack' does, if they DID, then IAX2 would work behind ANY flavor of NAT device, no matter how crappy and those of us stuck with PPPoE sessions. Get on it guys!
#!/bin/sh

#We record the status of the IAX2 Trunk

cd /root/ # I have script live in root,

#change to suit or use full
# paths in rest of script,
# i'm not BASH guru

/usr/sbin/asterisk -rx 'iax2 show registry' > reg_status
sleep 1

#We then Scan the Status and see if we're online or not...

TEST="Registered"
if grep $TEST reg_status > /dev/null
then
  exit #Abort, we are online, all is well...
fi

#IF we're this far down, we've lost IAX. Log the incident.

date >> slap.log

#Restart the IAX2 trunk. Delay required for some reason.

# comment from Olivier Adler : restarting the IAX2 channel is not possible if there are calls on it. It's better to restart asterisk.
# be carefull : restarting IAX2 channel or asterisk solve the masquerading problem, but does not clean the kernel tainting.

/usr/sbin/asterisk -rx 'unload chan_iax2.so' > /dev/null
sleep 60
/usr/sbin/asterisk -rx 'load chan_iax2.so' > /dev/null


White paper


Comparison of IAX and SIP


Comparison of IAX trunked

http://convergence.pk/iax2/trunked.html by wasim
Calculations in this comparison have many gross errors. I do not recommend use it. Just the first two errors: IP header size is 20 bytes, and RTP header size is 12. (ipse @ 03.01.2007)

IAX2 Tools



Software support


IAX2 Hardware

See Analog Telephone Adapters for a list of IAX2 compatible devices.

IAX2 Providers

VOIP Service Providers B2B Includes a list of IAX2 providers.

Created by: jht2,Last modification on Wed 05 of Nov, 2008 [12:16 UTC] by supersuzanne


Please update this page with new information, just login and click on the "Edit" or "Discussion" tab. Get a free login here: Register Thanks! - support@voip-info.org

Page Changes | Comments

 
Sponsored by:




Search: