Forum Replies Created
-
AuthorPosts
-
in reply to: SecAst not detecting attacks on FreePBX system #6674
You have discovered a problem in FreePBX! When creating the SecAst AMI user account and selecting ‘all’ for permissions in the FreePBX GUI, FreePBX does not actually add the ‘all’ permission. Instead FreePBX adds individual permissions and omits the ‘security’ permission.
Until this is fixed in FreePBX please do NOT create your AMI user account through the FreePBX GUI. Instead modify the manager_custom.conf file to manually insert the credentials. For example, your manager_custom.conf might look like this:
[teliumuser]
secret = teliumpassword!
deny=0.0.0.0/0.0.0.0
permit=172.31.0.0/255.255.0.0
permit=127.0.0.1/255.255.255.0
read = all
write = all
Where the username (in [] brackets) and the password (secret) match the values you set in the secast.conf file. If you need further assistance with this workaround please contact support.
The problem is that you have a space character after the backslash on line 5 (based on analyzing the config file sent). If you add any character after a backslash it means ‘escape’ as opposed to ‘continuation’. So SecAst stops reading your excludes at line 5.
The solution is to ensure you have no characters following the backslash character.
in reply to: CentOS 5 support #6631CentOS 5 was released in April 2007, so approximately 10 years ago (as of the time of this posting). Unfortunately several libraries/options our product depends upon are not supported on an OS that old. CentOS 5 is also no longer supported by the release organization after Q1 2014.
So you’ll have to upgrade your Linux. But CentOS 7 is worth the effort to upgrade!
in reply to: Backup PBX in cloud/AWS #6672Yes. No problem!
Many call centers are keeping their primary PBX’s on site (for performance and other reasons), and using the cloud for their backup PBX’s. HAAst will run on Amazon Web Services (AWS) + Amazon Elastic Cloud 2 (EC2), Microsoft Azure, and more, to create your primary PBX, backup PBX, or both. You can even place the HAAst operational database in Amazon Relational Data Services (RDS) or equivalent with both peers writing performance and operating data to the shared database. (The HAAst web GUI allows you to view combined and individual PBX reports in many areas). We do not recommend placing Asterisk configuration databases in RDS or equivalent – but this should not be a problem as they are fairly static and small.
Unlike other open source and closed source commercial HA products, HAAst does not use any LAN based protocols (NFS/DRBD/hearbeat/etc). HAAst is designed around only WAN based protocols, primarily it’s own PeerLink protocol. HAAst can accommodate large swings in network latency as would be seen in links between in-house servers and the cloud. HAAst (Commercial Unlimited edition) even learns these variations and adapts to the changes, so you never have a false positive fail-over of the cluster. This approach allows customers to even place their PBX instances in different Amazon Recovery Zone’s, and in different Regions.
With AWS, or any cloud provider, you will want to use their static network hardware option; Amazon calls it Elastic Network Interfaces (ENI). As of August 2016 Azure (ARM and ASM) support static network hardware (MAC address).
in reply to: Need higher GeoIP accuracy #6671Yes – we are able to offer a significantly more accurate GeoIP database; but this is not standard within SecAst. As of March 2016 this option costs $1000 USD, and we would provide you with a much larger GeoIP database and a code which causes SecAst to use this new database instead. This database is certified down to a higher level of accuracy within the city level.
Please contact Telium support if you would like to purchase this option. This option is not listed for sale on our website as this is not commonly purchased. We are also available to help you design alternative security measures using SecAst in case this is not the right approach for you.
in reply to: Call continuity / survival on failover #6670Telium’s call continuity feature (available in HAAst OEM edition) maintains all SIP/RTP traffic data in the event of a failover. When HAAst transitions from one cluster node to another, HAAst reconstructs the calls in/out of Asterisk exposing identical IP/port numbers to the outside world. The allows calls to resume without any user agents realizing a cluster failover has taken place. HAAst can also initiate events with Asterisk to resume call recordings, log data, etc. ensuring business requirements can be satisfied as well.
If you cannot use Telium’s call continuity capability you can still create a simplistic workaround. First of all it’s important to understand the limitations of the SIP protocol (regardless of HA product), and then design around those limitations. The SIP protocol does not allow for the midpoints (e.g. PBX) or endpoints (e.g. phone) to be seized without the midpoints/endpoints participating in SIP negotiation. This means that failure of a midpoint or endpoint results in failure of the call(s) since SIP communications cease. A future version of SIP may support seizing channels, but the IETF has not indicated any such upcoming functionality.
We know of at least one product on the market that claims a proprietary / ‘patented’ way to keep SIP calls up, but all they do is introduce a SIP proxy in front of the PBX which tries to re-establish the missing leg of a dropped call. These products don’t have much commercial success because they introduce a new single point of failure in front of the cluster (so if the proxy dies the entire cluster dies). In the case of power outage or network outage these proxy solutions do nothing and all calls drop. Telium has worked with vendors to design solutions for emergency call centers, hospitals, large commercial call centers, etc. and they all frown on placing a single point of failure in front of the cluster. An on-PBX solution (as offered by Telium) is the preferred solution.
Even large proprietary PBX vendors don’t support salvaging SIP calls in case of a complete PBX failure. They may offer “HA” options which transition calls in progress within or between PBX’s so long as the core of the PBX is still functional (so for example the PBX could withstand a media processor failure). However, they cannot salvage SIP calls in the event of a complete and immediate disconnect of the PBX (e.g. power failure, data center network failure, etc).
If you really want to try to salvage calls in progress (sometimes called ‘call continuity’ or ‘call survival’) with a do-it-yourself solution the best way to do so is at the ITSP/trunk provider. You can request that your carrier redirect any calls in progress which terminate without a SIP BYE command be redirected to a backup number/trunk. If your ITSP/Carrier will not do so, you can create your own SIP proxy but it should be collocated at your ITSP/carrier’s POP. Placing such a proxy on your premises is worthless (your cluster will appear to perform well in simplistic tests, but fail in real world outage scenarios), and is no different than the solutions mentioned above. You can try to use direct media with user agents (phones) that don’t drop a call if the SIP connection is unresponsive (eg; to registration) but this depends heavily on details of your implementation.
We would like to emphasize that Telium discourages adding a black box device or proxy in front of a cluster. However, if you still want to go down the DIY path you can create an open source version of the above (not recommended) product as described here: https://autocommander.aws2.ocg.ca/topic/patented-call-survival-add-on/ or you could design a solution which attempts to keep RTP up without SIP (we have a few posts on that topic).
in reply to: Problem starting Asterisk on SystemD+Initd system #6669UPDATE: Based on feedback this change helped some users, but hurt others. So we’ve created a SUPPORTCODE which you can add to your haast.conf file which will force HAAst to use initd, even if your Linux distribution uses systemd.
Just send an email to support requesting the code, and then HAAst will operate as it did before. Note that you must be running HAAst version 2.3.2.2 or later for the SUPPORTCODE to work.
in reply to: Do you support Debian Linux? #6668As of Dec 11th 2016 we now officially support Debian 8 LTS. Look for the Debian option on the download page.
Please note that we will create custom builds of our products for any major distribution / architecture for users of the commercial editions. Custom builds are created at no charge (for major platforms) and for-fee (for rare/unusual platforms).
Yes! HAAst would start without any problem.
A lot of people don’t realize that all other PBX HA solutions in the marketplace are based on DRBD, an open source product which creates a mirrored logical disk between peers. As a result, any corruption to files on one system are immediately mirrored to the other system! This is why critical call centers like 911/PSAP’s, hospitals, etc. will not allow DRBD based PBX solutions – each peer must be fully independent of the other.
HAAst is the only product which does not mirror the hard disk. HAAst synchronizes individual files/directories/databases that you specify, and, it only synchronizes if the peer is healthy! So a failing peer will never corrupt files on the other peer.
You’ll find that many configuration generators now offer an ‘HA’ module, and they are all based on DRBD. Some organizations like Elastix are very honest about this – and show you how to install the open source product for free. Some organizations are less forthcoming, and actually charge you $3000 for a free open source product (DRBD).
Vendors of other PBX HA solutions are not telling you the whole picture. Many HAAst clients start with HA modules built into configuration generators, and switch to HAAst after their ‘cluster’ couldn’t withstand any failure other than the most simplistic scenario of unplugging one box.
There are lots of other differences too. DRBD solutions don’t allow for configuration differences between peers. HAAst allows peers to have different trunks, users, dialplans, etc. (yet still share a common base that is synchronized), all things you can’t do if you simply mirror a disk.
Telium is a big supporter of free and open source software, and DRBD is a wonderful product. But adding DRBD to a PBX and calling it ‘HA’ is naive; just like adding RAID to a PBX and declaring it ‘HA’ is naive.
in reply to: How hard is it to install? #6666If you’ve never used Linux before, then installing any third party product onto Linux can be a challenge. Creating a Linux system from a CD/ISO is easy: click next>next>finish. So unfortunately that might artificially raise your confidence. Linux is not the most friendly system (compared to Windows).
Although our products target large commercial installations, we realize that a some of these organizations experiment with Asterisk using one of the free configuration generators (like Issabel(TM), FreePBX(TM), Elastix(TM), PIAF(TM), etc). For the convenience of these users we can create a virtual machine with Linux & FreePBX & Asterisk & HAAst & SecAst preinstalled. This should help Windows admins get up and running quickly.
If you want to install our products on an existing Linux PBX, then we’re here to help. We include support with all product sales – but I suspect you will exhaust the included support incidents quickly. I would recommend you purchase support assistance along with your software purchase. For a straight forward setup Telium can perform the entire installation and configuration with/for you in 4 hours, assuming this is a very simple cluster design. (But not setup your users/devices/dialplan etc in Asterisk).
We have also helped customers create prebuilt software images to their specifications. (This is useful if you plan to deploy PBX’s to numerous sites.) We can create bare metal images in Ghost, dd, and G4L formats to suit your needs, which you can use to deploy new systems at your convenience.
in reply to: Rasberry PI version of HAAst #6665HAAst is a commercial tool, targeted at large and commercial call centers. These environments don’t use Rasberry PI’s, so we haven’t compiled for the PI yet.
FreePBX targets home and small office installations (large commercial call centers don’t generally use FreePBX). However, as some of our developers are PI enthusiasts at home, we may chose to offer a free version of HAAst for the PI some day. But this would be a hobby version only!
If you are using a PI and want HAAst, please post to tell us the Linux distro & version you are using on the Pi (so we can figure out what to compile for).
in reply to: No phone support #6664We get hundreds of product downloads per week, many from people wanting to use the free edition. If we were to try to support these people by phone then we would have to add 10 people to our call center (which we can’t afford).
We created the support forums so that users could help solve each other’s problems, with input from the Telium support group to ensure the answers are accurate and complete.
Phone support is reserved for customers who have purchased 24/7 support agreements, while e-mail support is reserved for customers who have active maintenance agreements. But everyone is welcome to use the forums for self-service and occasional help from our support team.
in reply to: Downloading the unstable version #6663The ‘generic/unstable’ package is usually compiled on a leading edge Linux distro; e.g. Fedora 25 (i.e. the latest). We call this unstable because Linux distros like Fedora change so fast that even differences in point releases can break other software. We offer this as a package of last resort if nothing else works, and is only necessary if your hardware requires leading edge drivers (and we assume you therefore did not pick a mainstream LTS Linux Distro).
The good news for you is that Scientific Linux is actually based on Red Hat Linux. So for SL7 download the RH/CentOS7 package.
in reply to: Dual standby contention message #6662This message is normal; i.e. nothing to fix.
Dual standby contention means that one (or both) PBX’s discovered that it is in standby mode and the remote peer is as well. Once this condition is detected the PBX’s begin negotiation to determine who should promote.
After a manual failover, or following the failure of one peer, the other peer will detect that no one is in active mode and record the event.
This is a normal condition (so long as it is followed by a promotion by one peer).
in reply to: Failover during CPU spike #6661No! Don’t do that.
First of all, if you are running another program that consumes 100% CPU every 5 minutes, then you are likely introducing jitter/audio gaps into your open audio channels. This is not acceptable for any commercial PBX installation.
Next, although increasing the process priority of HAAst will allow it to better survive these CPU spikes, HAAst will still detect that Asterisk is unresponsive, Linux/driver services are unresponsive, etc. And HAAst will still (correctly) initiate a failover.
You need to fix the root of your problem: the graphing software. If this is started by cron, then I suggest you create a script that is launched by cron. In that script call your graphing software with nice/ionice values that makes it behave better. It’s never ok to have a program consume 100% CPU on your PBX!
-
AuthorPosts