11. Reference of Global Configuration Parameters

This reference lists all global configuration parameters used in the ABC SBC. Their default values are designed to accommodate most use cases, and changing them can have a massive impact on operation: modify them only after careful consideration.

Any change made in Global Config is applied immediately on the ABC SBC, and the corresponding service(s) are restarted or reloaded if needed. In an HA pair, Global Config changes have to be made on the GUI of the active ABC SBC node, and “Activate Sbc configuration” then has to be used to propagate them to the non-active node as well.

The configuration parameters are grouped as follows:

11.1. CDR Parameters

These parameters define how and where CDRs are stored. See also Call Data Records (CDRs).

Number of CDR files to keep
    CDR retention policy. The ABC SBC produces CDRs for all completed calls in CSV form. Sets the number of CDR files to keep.

Directory for exported CDR files
    Directory in the filesystem where the CSV CDRs are stored.

CDR files rotation frequency (daily, weekly, monthly)
    Sets the frequency of CDR file rotation. Use “daily”, “weekly” or “monthly”. The number of rotated files to keep before deletion is set using “Number of CDR files to keep”.

11.2. Event Parameters

These parameters define how and where events are stored. See also Events (optional).

Number of days to keep old traffic log files
    Local retention policy. Particularly useful when no ABC Monitor is attached to the ABC SBC. Must be shorter than the retention policy at ABC Monitor; otherwise the ABC SBC may keep copying files that have already expired at ABC Monitor. See Section ABC Monitor Initial Configuration.

ABC Monitor address
    The events may be stored at a compatible external facility instead of local storage. In that case, enter the IP address or DNS name of the facility here. Leave empty to disable.

Secondary ABC Monitor address
    IP address or DNS name of a secondary external facility for events. Leave empty to disable.

Replicate traffic logs to ABC Monitor
    Pushes collected PCAPs (see Section Diagnostics Dashboard) to the Monitor server using the rsync protocol.

Replicate traffic logs to secondary ABC Monitor
    As above, for the secondary ABC Monitor.

Replicate recordings to ABC Monitor
    Pushes recorded audio files (see Section Audio Recording) to the Monitor server using the rsync protocol.

Replicate recordings to secondary ABC Monitor
    As above, for the secondary ABC Monitor.

Delete traffic logs and recordings from Sbc after replicating to ABC Monitor
    If enabled, traffic log and recording files are deleted on the SBC side after they have been replicated to the ABC Monitor server. This also reduces the network traffic from the ABC SBC to ABC Monitor. The recommended setting is enabled.

Replication rsync password
    rsync password used for replicating traffic logs and recorded audio to the ABC Monitor.

Replication rsync password for secondary ABC Monitor
    rsync password used for replicating traffic logs and recorded audio to the secondary ABC Monitor.

Use secure TLS connection to ABC Monitor
    If enabled, events, traffic log and recording files are pushed to ABC Monitor over a TLS-secured connection. It is highly recommended to install a trusted certificate for this on the ABC Monitor end instead of the default self-signed one.

Verify level for TLS connection to ABC Monitor
    Sets the level of remote certificate verification for the TLS connection to ABC Monitor, if the secure connection is enabled. Use 0 for no verification, 1 to verify the peer certificate if one is presented, 2 to verify the peer certificate, 3 to verify the peer against the locally installed certificate, 4 to ignore the CA chain and only verify the peer certificate. The default value is 0 to allow the default self-signed certificate on ABC Monitor; it should be changed to 2 after a trusted certificate has been installed on ABC Monitor. Note that with level 0 the connection is encrypted but the peer is not authenticated, so a host interposed on the path could receive the replicated events, traffic logs and recordings.

Number of hours to keep old recordings (0 to not delete)
    Retention policy for recorded WAV files.

Disable events completely
    If enabled, no events are generated by the ABC SBC.

Generate an event if a SIP transaction reaches the defined number of retransmissions
    Allows monitoring of failing incoming transactions and detection of SIP UACs with connectivity issues. The events are of type “notice” and appear in ABC Monitor’s Transport Dashboard. Use with care: too low a number results in a dramatic increase of events. If used, the recommended value is 4.

Maximum number of events buffered in local Redis
    Retention policy for locally buffered events.

11.3. Firewall Parameters

Block SSH access to other than XMI and IMI interfaces
    If this checkbox is disabled, remote shell access is permitted on any interface. Keep it enabled on production systems so that the management plane is not reachable from the signaling and media networks.

Block HTTPS gui access to other than XMI interface
    If this checkbox is disabled, administration GUI access is permitted over any interface.

Drop UDP signaling packets not looking like SIP
    If enabled, any UDP packets not bearing a “SIP signature” are discarded without further notice.

Blacklist IP addr for repeated ssh login failures
    If enabled, the IP address of a failed SSH login attempt is put on the blacklist, silently dropping all packets from it.

Time in seconds to check for repeated ssh failures
    Sets the time period during which failed SSH login attempts are counted when considering adding the IP address to the blacklist.

Maximum number of ssh failures before blacklisting
    Sets the number of failed SSH login attempts after which the IP address is added to the blacklist.

Time in seconds to blacklist IP addr for ssh failures
    Sets how long the IP address is held on the blacklist before it is removed automatically.

Blacklist IP addr for repeated gui login failures
    If enabled, the IP address of a failed SBC GUI login is put on the blacklist, silently dropping all packets from it.

Time in seconds to check for repeated gui login failures
    Sets the time period during which failed GUI login attempts are counted when considering adding the IP address to the blacklist.

Maximum gui login failures before blacklisting
    Sets the number of failed GUI login attempts after which the IP address is added to the blacklist.

Time in seconds to blacklist IP addr for gui login failures
    Sets how long the IP address is held on the blacklist before it is removed automatically.

Blacklist IP addr for repeated signaling failures
    If enabled, the IP address of a request that failed authentication, exceeded a limit, failed a sanity check, was dropped by the Drop action, or for which the Log message for replies action was used, is put on the blacklist, silently dropping all packets from it. Note that the individual reasons for blacklisting also have to be enabled in the CA settings or in the parameters of the Drop or Log message for replies actions. See Section Automatic IP Address Blocking for more details.

Signaling failures blacklist: IP address start score before any offense
    Sets the score used as the starting value before any offense has been registered. This start value is decreased with each offense until it reaches 0 or less, which finally leads to the blacklisting of the offending IP address. See Section Automatic IP Address Blocking for more details.

Signaling failures blacklist: rate per second used to calculate a time-related bonus between offenses
    Sets the allowed rate of offenses in events per second. This allows the score to recover slightly over time and can thus be understood as a bonus for good behavior. See Section Automatic IP Address Blocking for more details.

Signaling failures blacklist: time in seconds to remove entries for which no event has occurred from score calculation
    Sets the number of seconds after which, if no offense from a certain IP address has been seen, that IP address is removed from the scoring table. Should a new offense be registered from a removed IP address, the start score is used again. This keeps the scoring table at a reasonable size. See Section Automatic IP Address Blocking for more details.

Time in seconds to blacklist IP addr for signaling failures
    Sets how long the IP address is held on the blacklist before it is removed automatically (for drop, failed auth, limit, sanity). See Section Automatic IP Address Blocking for more details.
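
As an added illustration (not code from the ABC SBC or its documentation), the following Python models the score-based mechanism described by the four “Signaling failures blacklist” parameters and the blacklist TTL above, fed by a minimal “SIP signature” test of the kind the “Drop UDP signaling packets not looking like SIP” option implies. The class and function names, the one-point-per-offense rule, the linear bonus capped at the start score, and the treatment of a non-SIP payload as a sanity-check offense are assumptions made for the example; the page does not specify the real scoring arithmetic or the exact signature test, and the packets in the demo are constructed.

```python
import re

# A UDP payload "looks like SIP" if it starts with a request line
# (METHOD SP Request-URI SP SIP/2.0) or a status line (SIP/2.0 SP code SP ...).
# Assumption: this is our approximation of the ABC SBC "SIP signature" test.
_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ SIP/2\.0\r?\n")
_STATUS_LINE = re.compile(rb"^SIP/2\.0 [1-6]\d\d ")


def looks_like_sip(payload: bytes) -> bool:
    return bool(_REQUEST_LINE.match(payload) or _STATUS_LINE.match(payload))


class SignalingBlacklist:
    """Score-based blacklisting driven by the parameters above.

    start_score   - "IP address start score before any offense"
    bonus_rate    - "rate per second used to calculate a time-related bonus between offenses"
    idle_seconds  - "time in seconds to remove entries for which no event has occurred"
    blacklist_ttl - "Time in seconds to blacklist IP addr for signaling failures"
    Interpretation (assumption): each offense costs one point, the score regains
    bonus_rate points per second of silence (never above start_score), and an IP
    whose score reaches 0 or less is blacklisted for blacklist_ttl seconds.
    """

    def __init__(self, start_score=10, bonus_rate=0.1, idle_seconds=300, blacklist_ttl=600):
        self.start_score = start_score
        self.bonus_rate = bonus_rate
        self.idle_seconds = idle_seconds
        self.blacklist_ttl = blacklist_ttl
        self._scores = {}   # ip -> (score, time of last offense)
        self._blocked = {}  # ip -> time when the blacklist entry expires

    def is_blocked(self, ip: str, now: float) -> bool:
        expires = self._blocked.get(ip)
        if expires is None:
            return False
        if now >= expires:  # TTL passed: the entry is removed automatically
            del self._blocked[ip]
            return False
        return True

    def offense(self, ip: str, now: float) -> bool:
        """Register one offense from ip; return True if ip is blacklisted afterwards."""
        if self.is_blocked(ip, now):
            return True
        score, last = self._scores.get(ip, (self.start_score, now))
        if now - last > self.idle_seconds:  # idle entry would have been removed: start score again
            score, last = self.start_score, now
        score = min(self.start_score, score + (now - last) * self.bonus_rate)  # bonus for good behaviour
        score -= 1
        if score <= 0:
            self._blocked[ip] = now + self.blacklist_ttl
            self._scores.pop(ip, None)
            return True
        self._scores[ip] = (score, now)
        return False

    def purge_idle(self, now: float) -> int:
        """Drop scoring entries with no offense for idle_seconds; return how many were dropped."""
        stale = [ip for ip, (_, last) in self._scores.items() if now - last > self.idle_seconds]
        for ip in stale:
            del self._scores[ip]
        return len(stale)


def handle_udp_packet(bl: SignalingBlacklist, src_ip: str, payload: bytes, now: float) -> str:
    """Return 'drop' (source blacklisted), 'discard' (not SIP) or 'accept'.

    Assumption: a non-SIP payload is counted as a sanity-check offense here so that
    both mechanisms can be shown together; the page lists sanity-check failures as
    a blacklisting reason but does not say the signature filter itself is one.
    """
    if bl.is_blocked(src_ip, now):
        return "drop"
    if not looks_like_sip(payload):
        bl.offense(src_ip, now)
        return "discard"
    return "accept"


if __name__ == "__main__":
    bl = SignalingBlacklist(start_score=3, bonus_rate=0.0, blacklist_ttl=60)
    garbage = b"\x00\x00\x00\x01scanner probe"  # constructed non-SIP payload
    invite = b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7;branch=z9hG4bK1\r\n\r\n"
    for t in (0, 1, 2):
        print(t, handle_udp_packet(bl, "198.51.100.7", garbage, t))  # discard, discard, discard (now blacklisted)
    print(3, handle_udp_packet(bl, "198.51.100.7", invite, 3))       # drop: valid SIP is dropped too
    print(70, handle_udp_packet(bl, "198.51.100.7", invite, 70))     # accept: blacklist TTL expired
```

The demo at the bottom shows the practical consequence of the design: once an address is blacklisted, well-formed SIP from it is dropped as well until the TTL expires, so a shared NAT address behind which one broken client misbehaves can take legitimate users with it. That is why the start score and bonus rate deserve more thought than the defaults suggest.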

Greylist: time delay in seconds to give IP a chance to prove validity
    If the traffic from an IP address proves validity during this probation period, the source IP address is added to the whitelist. Note that the corresponding action options like “Greylist IP address” or “Log to greylist” have to be used. See Section Automatic Proactive Blocking: Greylisting for more details.

Greylist: time period in seconds when IP can be blacklisted if repeats and did not prove validity
    If traffic from an IP address did not prove validity during the probation period, and a new packet arrives within this time period since the first packet, the source IP address is added to the blacklist. Note that the “Greylist” flag has to be enabled on the ABC SBC signaling interface for this to work. All traffic from IP addresses on the blacklist is silently dropped. See Section Automatic Proactive Blocking: Greylisting for more details.

Greylist: time in seconds to keep IP on blacklist
    Sets how long the IP address is kept on the blacklist. After this time it is removed from the blacklist and gets a chance to prove validity again. See Section Automatic Proactive Blocking: Greylisting for more details.

Greylist: time in seconds to keep IP on whitelist
    Sets how long the IP address is kept on the whitelist. After this time it is removed from the whitelist and has to prove validity again. See Section Automatic Proactive Blocking: Greylisting for more details.

Greylist: additional ports or port ranges (a:b) to check in addition to signaling ports, space separated
    Adds ports to those defined on the ABC SBC signaling interfaces. If used, traffic arriving at these port(s) is also subject to the greylisting procedure. You can specify single port(s) or port ranges (in the format lower:higher), space separated. See Section Automatic Proactive Blocking: Greylisting for more details.

Allow SNMP on XMI interface
    If disabled, only the loopback interface accepts incoming SNMP requests. If enabled, the ABC SBC also listens for incoming requests on the XMI (management) interface.

Enable rsync access to configuration master on XMI
    By default, pulling the SBC configuration from the configuration master is enabled only on the IMI interface. This option allows it also on the XMI interface IP address. Note: if pulling the configuration from the configuration master over SSH is enabled, any interface where SSH is enabled can be used regardless of this setting.

Blacklist: Log blacklisted IP addresses to syslog
    Log blacklisted IP addresses to syslog. Entries are logged in the file ‘/var/log/frafos/sems-blacklist.log’.

Greylist: Log greylisted IP addresses to syslog
    Log greylisted IP addresses to syslog. Entries are logged in the file ‘/var/log/frafos/sems-greylist.log’.

Overall limit in packets per second from not approved IP addresses
    Sets an overall packets-per-second limit on all IP addresses that have not proven validity using the “Greylist IP address” or “Log to greylist” action options. Use with caution. Use 0 to disable any rate limiting.
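
The greylisting parameters and the packet-rate limit for unapproved addresses above describe a small state machine. The following Python is an added example of that machine, not the ABC SBC's implementation: the class and method names are ours, and the interpretation that the first packet opens a probation window, that a rule action calling prove_valid() inside that window whitelists the address, and that a further packet after the window but within the repeat period blacklists it, is an assumption drawn from the parameter descriptions. The addresses and timestamps used in the usage note are constructed.

```python
class Greylist:
    """Greylisting as described by the “Greylist:” parameters and the unapproved-IP packet-rate limit.

    probation      "time delay in seconds to give IP a chance to prove validity"
    repeat_window  "time period in seconds when IP can be blacklisted if repeats and did not prove validity"
    blacklist_ttl  "time in seconds to keep IP on blacklist"
    whitelist_ttl  "time in seconds to keep IP on whitelist"
    pps_limit      "Overall limit in packets per second from not approved IP addresses" (0 = disabled)
    """

    def __init__(self, probation=5, repeat_window=60, blacklist_ttl=3600,
                 whitelist_ttl=86400, pps_limit=0):
        self.probation = probation
        self.repeat_window = repeat_window
        self.blacklist_ttl = blacklist_ttl
        self.whitelist_ttl = whitelist_ttl
        self.pps_limit = pps_limit
        self._first_seen = {}         # ip -> time of first packet while still unproven
        self._whitelist = {}          # ip -> expiry time
        self._blacklist = {}          # ip -> expiry time
        self._pps_window = (None, 0)  # (current second, packets from unapproved IPs in it)

    @staticmethod
    def _listed(table: dict, ip: str, now: float) -> bool:
        """True if ip is on table and the entry has not expired; expired entries are removed."""
        expiry = table.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del table[ip]
            return False
        return True

    def _over_pps_limit(self, now: float) -> bool:
        """Fixed one-second window over all packets from addresses that are not approved."""
        if not self.pps_limit:
            return False
        second = int(now)
        count = self._pps_window[1] + 1 if self._pps_window[0] == second else 1
        self._pps_window = (second, count)
        return count > self.pps_limit

    def packet(self, ip: str, now: float) -> str:
        """Classify one packet: 'allow' (whitelisted), 'drop' (blacklisted),
        'ratelimited' (unapproved-IP rate exceeded) or 'probation'."""
        if self._listed(self._whitelist, ip, now):
            return "allow"
        if self._listed(self._blacklist, ip, now):
            return "drop"
        if self._over_pps_limit(now):
            return "ratelimited"
        first = self._first_seen.get(ip)
        if first is None:
            self._first_seen[ip] = now
            return "probation"
        if now - first <= self.probation:
            return "probation"                       # may still prove validity
        if now - first <= self.repeat_window:
            del self._first_seen[ip]                 # repeated without proving validity
            self._blacklist[ip] = now + self.blacklist_ttl
            return "drop"
        self._first_seen[ip] = now                   # quiet long enough: fresh probation
        return "probation"

    def prove_valid(self, ip: str, now: float) -> bool:
        """Called when a rule using “Greylist IP address” or “Log to greylist” matched traffic from ip.
        Returns True if the address was whitelisted (proof arrived inside the probation window)."""
        first = self._first_seen.get(ip)
        if first is None or now - first > self.probation:
            return False
        del self._first_seen[ip]
        self._whitelist[ip] = now + self.whitelist_ttl
        return True
```

Typical use: with Greylist(probation=5, repeat_window=60), a packet from 203.0.113.5 at t=0 gets 'probation'; if nothing proves the address valid and another packet arrives at t=30, that packet is 'drop' and the address stays blacklisted for blacklist_ttl seconds. The pps_limit check sits before the greylist logic so that a flood of first packets from many spoofed addresses is capped before it can fill the probation table.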

11.4. Low-level Parameters

These settings take effect only after a reboot of the server. Additional information can be found in Section Hardware Specific Configurations.

Caution: changing these parameters may dramatically change system behaviour. Their effect largely depends on the equipment used.

Interfaces where to enable RPS
    Network interfaces on which the “receive packet steering” kernel feature should be enabled, separated by spaces. While the kernel leaves this option off by default, turning it on can increase media throughput.

Interfaces where to set ethtool options
    Network interfaces on which the following coalesce and ring buffer ethtool options are applied, separated by spaces.

Coalesce ethtool options
    Ethernet adapter interrupt coalescing options, in ethtool syntax (as accepted by “ethtool -C”). Applied on the interfaces listed in “Interfaces where to set ethtool options”. This option allows fine-tuning the trade-off between less CPU-intensive and more real-time packet processing in the kernel. The tuning outcome is specific to the network card used.

Ringbuffer ethtool options
    Ethernet adapter rx/tx ring parameters, in ethtool syntax (as accepted by “ethtool -G”). Applied on the interfaces listed in “Interfaces where to set ethtool options”. Fine-tuning this parameter is specific to the network card used. Increasing buffer sizes helps to absorb temporary packet bursts, while latency may increase.

Interfaces where to bind irqs to CPUs
    Network interfaces on which the individual interrupts for receive and transmit queues should be statically bound to individual CPUs / CPU cores. This option may increase media throughput on network cards with multiple queues.

Run db check on boot
    If enabled, the “mysqlcheck” command is run during the boot process. This allows a safe recovery from an unexpected shutdown and is therefore turned on by default. The check may slow down machine startup, especially if many events are kept in the event database.

Clean tmp files on boot
    If enabled, the system directory for temporary files is cleaned up at boot.

Sems memory limit in % from total memory
    Limits the maximum memory usage of the SEMS process. Set to 0 for no limit.

Writeback after dirty bytes
    Maximum amount of data the system can cache before a write-back of all dirty data to disk is initiated. Set to 0 to leave the kernel setting untouched. A large cache can improve system performance during heavy writes; at the same time, the risk of data loss in the case of an unexpected failure is higher. The performance trade-offs may be particularly important on virtual machines with heavy writes, such as when PCAP or WAV files are recorded. Various Linux fora [1] [2] discuss this kernel option, “vm.dirty_bytes”. Note that vm.dirty_bytes and vm.dirty_ratio are mutually exclusive: writing a non-zero value to one makes the kernel report the other as 0.

Background writeback after dirty bytes
    Amount of data the system can cache before background write-back to disk is initiated. Set to 0 to leave the kernel setting untouched. As with the previous option, increased buffering gives better performance in load bursts and an increased risk of data loss. Various Linux fora [1] [2] discuss this kernel option, “vm.dirty_background_bytes”, which is likewise mutually exclusive with vm.dirty_background_ratio.
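
Because these parameters only take effect after a reboot, a wrong ethtool string is discovered late. The following Python is an added pre-flight check (not part of the ABC SBC) for the ethtool and RPS values before they go into Global Config: it parses the output of “ethtool -g” into the names used by “ethtool -G”, verifies a “Ringbuffer ethtool options” string against the pre-set maximums, computes the hex CPU mask that the kernel expects in rps_cpus, and renders the commands equivalent to the parameters so they can be reviewed. The sample ethtool output, the interface name eth1 and the function names are constructed for the example; only the rx-0 queue is rendered, so for a multi-queue NIC the rps_cpus line has to be repeated per rx-N queue.

```python
# Constructed sample of "ethtool -g eth1" output (not captured on a real ABC SBC host).
SAMPLE_RING_OUTPUT = """\
Ring parameters for eth1:
Pre-set maximums:
RX:\t\t4096
RX Mini:\t0
RX Jumbo:\t0
TX:\t\t4096
Current hardware settings:
RX:\t\t256
RX Mini:\t0
RX Jumbo:\t0
TX:\t\t256
"""

# Labels printed by "ethtool -g" -> option names accepted by "ethtool -G"
RING_KEYS = {"RX": "rx", "RX Mini": "rx-mini", "RX Jumbo": "rx-jumbo", "TX": "tx"}


def parse_ring_output(text: str) -> dict:
    """Parse 'ethtool -g' output into {'max': {...}, 'current': {...}}."""
    result = {"max": {}, "current": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("Pre-set maximums"):
            section = "max"
        elif line.startswith("Current hardware settings"):
            section = "current"
        elif section and ":" in line:
            key, value = line.split(":", 1)
            if key in RING_KEYS:
                result[section][RING_KEYS[key]] = int(value.strip())
    return result


def parse_options(opts: str) -> dict:
    """'rx 4096 tx 4096' -> {'rx': 4096, 'tx': 4096}; ValueError on a malformed string."""
    tokens = opts.split()
    if len(tokens) % 2:
        raise ValueError(f"ethtool options must be name/value pairs: {opts!r}")
    return {tokens[i]: int(tokens[i + 1]) for i in range(0, len(tokens), 2)}


def check_ring_options(opts: str, ring_output: str) -> list:
    """Problems that would make 'ethtool -G <if> <opts>' fail or change nothing."""
    limits = parse_ring_output(ring_output)
    problems = []
    for name, value in parse_options(opts).items():
        if name not in limits["max"]:
            problems.append(f"{name}: not a ring parameter (expected one of {sorted(limits['max'])})")
        elif value > limits["max"][name]:
            problems.append(f"{name}: {value} exceeds pre-set maximum {limits['max'][name]}")
        elif value == limits["current"].get(name):
            problems.append(f"{name}: already {value}, no change")
    return problems


def rps_cpu_mask(cpus) -> str:
    """Hex bitmask written to /sys/class/net/<if>/queues/rx-N/rps_cpus for the given CPU numbers."""
    mask = 0
    for cpu in cpus:
        mask |= 1 << cpu
    return format(mask, "x")


def boot_commands(interfaces: str, coalesce: str, ring: str, rps_interfaces: str, rps_cpus) -> list:
    """Render the commands equivalent to the parameters above, for review only (nothing is executed)."""
    cmds = []
    for iface in interfaces.split():
        if coalesce.strip():
            cmds.append(f"ethtool -C {iface} {coalesce.strip()}")
        if ring.strip():
            cmds.append(f"ethtool -G {iface} {ring.strip()}")
    for iface in rps_interfaces.split():
        cmds.append(f"echo {rps_cpu_mask(rps_cpus)} > /sys/class/net/{iface}/queues/rx-0/rps_cpus")
    return cmds
```

Run check_ring_options("rx 4096 tx 4096", SAMPLE_RING_OUTPUT) against the real output of ethtool -g on the target host before saving the value; an empty list means the request is within the card's limits and actually changes something.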

11.5. Miscellaneous Parameters

Perform Amazon setup steps at boot time
    This option must be enabled when the ABC SBC is operated in Amazon Elastic Compute Cloud (EC2). When set, the instance acquires important configuration information such as its public IP address, SSH key, IAM role and more during boot.

Enable Tryit web interface
    This option starts a web server that offers a demo JavaScript WebRTC application based on JsSIP. Note that this application is for demonstration purposes only and is provided without any support or warranties; keep it disabled on production systems unless it is actually needed.

11.6. System Monitoring Parameters

These parameters set up an email alarm that is raised if system resources are used excessively.

email for sending alerts
    Email address to which important alerts, such as reports on excessive CPU usage, are sent.

mailserver for sending alerts
    Mail server used for sending alerts; by default the email is passed to a local SMTP relay.

from address for sending alerts
    Email address used as From in email alerts; the system default is used if empty.

1min load threshold
    CPU load threshold which, if exceeded for one minute, raises an alarm.

5min load threshold
    CPU load threshold which, if exceeded for five minutes, raises an alarm (typically a lower value than the previous one).

cpu wait % threshold
    Threshold for the percentage of CPU time spent in wait state; exceeding it raises an alarm.

memory usage % threshold
    Threshold of memory occupation in % which, if exceeded, raises an alarm.

disk usage % threshold
    Threshold of disk usage in % which, if exceeded, raises an alarm.

send system monitoring data to ABC Monitor
    If a remote ABC Monitor is used, send system monitoring data to it together with signaling events.

send extended system info emails when over threshold
    If enabled, an email with more detailed system information is sent when a monitoring threshold is reached.

extended info emails frequency limit
    Limits how often the extended info emails are sent; use a value with a min, hour or day suffix.

11.7. PCAP Parameters

These parameters set up how the most recent SIP traffic is recorded on the system for troubleshooting. The ABC SBC stores the SIP traffic in PCAP files of a given size and deletes the least recent files. The PCAP files can be inspected in the administrative interface as shown in Section User Recent Traffic.

file size in MB for one pcap file
    Maximum size of a PCAP file, after which a new file is created.

number of pcap files to keep
    PCAP retention policy. PCAP files are rotated and only the configured number of PCAP files is kept; the least recent files are deleted.

11.8. Prompts Parameters

Base directory for prompts
    Directory where the action “Refuse call with audio prompt” expects to find the audio files to be played.

See also Playing Audio Announcements.

11.9. SEMS Parameters

These parameters determine the behaviour of the ABC SBC “engine”, the SEMS signaling and media processor. They are used primarily for troubleshooting and performance tuning and should therefore be changed only when there is a good reason to do so.

Session processor threads
    Changing the number of threads may achieve better performance on some SMP systems.

Media processor threads
    Changing the number of threads may achieve better performance on some SMP systems.

RTP receiver threads
    Changing the number of threads may achieve better performance on some SMP systems.

Call restore threads (HA)
    Changing the number of threads may achieve better performance on some SMP systems.

Force symmetric RTP for mediaserver apps
    If enabled, embedded media processing actions ignore the IP addresses in the caller’s SDP and send their RTP to where the caller’s RTP came from.

RTP keep-alive frequency
    Defines how often, if at all, the ABC SBC sends RTP keep-alive packets to its peers. See Setting RTP Inactivity Timer and Keepalive Timer.

RTP timeout
    Defines the period of time after which a call is terminated if RTP packets stop arriving. See Setting RTP Inactivity Timer and Keepalive Timer.

Use raw sockets
    Performance optimization technique for sending RTP packets on Linux systems with a slow UDP stack.

Default Destination Blacklist TTL
    Defines how long unavailable IP destinations are kept on a blacklist to which no SIP traffic is sent by default. For a Call Agent, a specific value may be entered in the Call Agent parameters. See IP Blacklisting: Adaptive Availability Management.

Add call variables into events
    If enabled, additional call variable information is added to call events.

Persistent redis storage
    If enabled, the call state data stored in the Redis database is preserved across server reboots.

Load q850_reason call control module
    If enabled, the module for processing Q.850 reasons is loaded. It can be used only if a custom cc_q850_reason.conf file is provided.

Terminate dialog upon failure replies for in-dialog OPTIONS
    Terminate the dialog if an in-dialog OPTIONS request fails with a reply that should cause dialog termination.

    Reply codes that should terminate the dialog according to RFC 5057 are: 404, 410, 416, 482, 483, 484, 485, 502, 604.

    Additionally, the ABC SBC handles the following replies the same way as those listed above: 408, 480.

    Affects only INVITE-based dialogs (i.e. calls).

    The purpose of this option is to cope with interoperability issues caused by badly implemented SIP user agents that cannot handle in-dialog OPTIONS correctly.

    Default value: on (terminate the dialog)

Remove filtered m-lines
    Remove media lines filtered out by the media whitelist/blacklist. If not enabled, these lines are left in the SDP but marked as inactive.

    This option is applied globally on all calls with an active media whitelist or blacklist (see Media Type Filtering).

    The purpose of this option is to cope with interoperability issues caused by badly implemented SIP user agents that cannot handle inactive media streams correctly.

    Default value: off (i.e. mark media lines as inactive)

Filter forced transports
    Remove media lines that do not match the outbound transport forced by the Force RTP/SRTP action (see RTP and SRTP Interworking). If not enabled, these lines are left in the SDP but converted to the required transport.

    For example: the caller is sending one audio stream over RTP and another audio stream over SRTP (common when SRTP is configured as optional on a phone), and SRTP is forced in the outbound rules on the ABC SBC. If Filter forced transports is “off”, the ABC SBC forwards an SDP with two audio streams to the callee, both of them over SRTP. If the option is “on”, the ABC SBC forwards an SDP with just one audio stream over SRTP to the callee.

    This option is applied globally on all calls using the Force RTP/SRTP action.

    The purpose of this option is to cope with interoperability issues caused by user agents that cannot handle multiple media streams of the same type.

    Default value: off (i.e. convert the media lines to the forced transport)

Call transfers using late offer-answer
    Use an offer-less INVITE when generating the new call leg during a call transfer (unattended call transfer or call transfer replacing a non-local call).

    In principle this is the only approach that works reliably; unfortunately, too many SIP UAs do not implement late offer-answer correctly.

    Default value: off

Predefined payloads for call transfers
    Comma-separated list of codecs to be added to the SDP of the INVITE generated during a call transfer (unattended call transfer or call transfer replacing a non-local call).

    If no codecs are listed, only the codecs used within the call are offered, which can cause problems if the destination does not support them.

    Only simple codecs can be used (no parameters can be specified).

    For example: pcmu,pcma

    Default value: empty

Learn remote media address interval
    Interval (in milliseconds) after the first received RTP packet during which the remote RTP address may still change and is re-learned; after that interval SEMS locks on to the remote address. Especially when re-learning after a re-INVITE, this may prevent locking on to the old address because of some late RTP packets from the old remote address.

    Default value: 0 ms (disabled), lock on to the first packet

Mariadb timeout for “Read call variables” queries
    Timeout (in seconds) of MariaDB queries made when reading call variables using the action or condition “Read call variables”.

    The main purpose of this parameter is to reduce the problems caused by queries that take too much time and block the processing of other calls.

    Please note that a timeout of such MariaDB queries means that the system is either overloaded or blocked, and the root cause should be fixed instead of tuning the timeout value.

    A negative value or 0 means that the default timeout of the MySQL++ library is used.

    Default value: 5

Log level
    This option changes the SEMS syslog log level globally. See Section Reference of Log Level Parameters for a full list of options.

Dump TLS session keys to file
    If enabled, the TLS session keys are dumped to a file for diagnostics (into the directory /data/pcap/tls_keys). Disabled by default. The dumped keys allow anyone with access to that directory to decrypt the captured TLS signaling, so enable this only for the duration of a troubleshooting session and remove the key files afterwards.

SIPREC outbound interface
    Use an SBC interface name to force the outbound interface for SIP recording. Leave empty by default.

Minimal supported TLS version
    The minimal supported TLS version on signaling interfaces. Use tls1, tls1.1 or tls1.2. TLS 1.0 and 1.1 are deprecated (RFC 8996); use tls1.2 unless a peer that cannot be upgraded requires an older version.

TLS cipher list
    The supported TLS cipher list for signaling interfaces, in OpenSSL syntax.

Websocket ping-pong interval in seconds
    Interval in seconds for sending keepalive ping-pong messages on websocket signaling interfaces. Use 0 to disable.

Soft limit for out-of-dialog transactions
    Number of active server transactions that, if exceeded, triggers an alert event. This limit is only taken into consideration when creating a server transaction which is not related in any way to an existing dialog. Use 0 to disable the feature.

Hard limit for out-of-dialog transactions
    Limit for the number of active server transactions, enforced when creating a new server transaction not related to an existing dialog. The limit is enforced by replying to new requests with “503 Overloaded”. Additionally, a corresponding monitoring event is created. Use 0 to disable the feature.

Event throttling for soft/hard OOD limit
    Throttles the events generated by the hard and soft limits for out-of-dialog transactions to no more than one of each type (soft / hard) per configured time span in seconds. Use 0 to disable the feature.

Soft limit for in-dialog transactions
    Number of active server transactions that, if exceeded, triggers an alert event. This limit is only taken into consideration when creating a server transaction related to an existing dialog. Use 0 to disable the feature.

Hard limit for in-dialog transactions
    Limit for the number of active server transactions, enforced when creating a new server transaction related to an existing dialog. The limit is enforced by replying to new requests with “503 Overloaded”. Additionally, a corresponding monitoring event is created. Use 0 to disable the feature.

Event throttling for soft/hard DLG limit
    Throttles the events generated by the hard and soft limits for in-dialog transactions to no more than one of each type (soft / hard) per configured time span in seconds. Use 0 to disable the feature.
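
The six soft/hard limit and throttling parameters above describe one admission-control rule applied to two pools of server transactions. The following Python is an added example of that rule, not code from SEMS or the ABC SBC: the class names, the simplified “a request with a To tag is in-dialog” test, and the event list that stands in for monitoring events are assumptions made for the example, and the SIP messages in the test are constructed.

```python
import re


def is_in_dialog(request: str) -> bool:
    """True if the SIP request carries a To tag, i.e. it belongs to an existing dialog.

    Assumption: simplified dialog test for the example; how the ABC SBC matches
    requests against its dialog state is not described on this page.
    """
    for line in request.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("to", "t"):
            return re.search(r";\s*tag=", value) is not None
    return False


class TransactionLimiter:
    """Soft/hard limit on active server transactions with per-kind event throttling.

    soft, hard        - "Soft limit ..." / "Hard limit ..." (0 disables either)
    throttle_seconds  - "Event throttling for soft/hard ... limit" (0 disables)
    """

    def __init__(self, soft: int, hard: int, throttle_seconds: float):
        self.soft, self.hard, self.throttle = soft, hard, throttle_seconds
        self.active = 0
        self.events = []                     # (time, kind, active count): stands in for monitoring events
        self._last = {"soft": None, "hard": None}

    def _emit(self, kind: str, now: float) -> bool:
        last = self._last[kind]
        if self.throttle and last is not None and now - last < self.throttle:
            return False                     # throttled: at most one event of this kind per interval
        self._last[kind] = now
        self.events.append((now, kind, self.active))
        return True

    def begin(self, now: float):
        """Try to create a server transaction; returns (accepted, reply_code)."""
        if self.hard and self.active >= self.hard:
            self._emit("hard", now)
            return False, 503                # the request is answered with "503 Overloaded"
        self.active += 1
        if self.soft and self.active > self.soft:
            self._emit("soft", now)          # alert only, the transaction is still created
        return True, None

    def end(self):
        """A server transaction completed."""
        self.active -= 1


class TransactionAdmission:
    """Selects the OOD or DLG limiter for a request, as the two parameter groups do."""

    def __init__(self, ood: TransactionLimiter, dlg: TransactionLimiter):
        self.ood, self.dlg = ood, dlg

    def admit(self, request: str, now: float):
        limiter = self.dlg if is_in_dialog(request) else self.ood
        return limiter.begin(now)
```

Keeping the out-of-dialog pool separate matters for availability: a flood of new INVITEs or REGISTERs can exhaust the out-of-dialog hard limit and be answered with 503 while BYEs and re-INVITEs for established calls still fit under the in-dialog limit.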

11.10. SIP Parameters

These parameters set SIP timers, as defined in RFC 3261. All values are in ms.

11.11. SRTP Parameters

These parameters define the security handshake of Secure RTP. SRTP is always used for WebRTC and is used with some encryption-enabled SIP devices.

Enable DTLS-SRTP
    Allow DTLS-based keying for SRTP traffic. By default, self-signed certificates are generated.

DTLS certificate file
    Certificate file. Optional. Keep empty to use the self-signed certificate. That is the recommended configuration: other certificates may cause DTLS packets to become too large and consequently fail to traverse NATs because of IP fragmentation.

DTLS private key file
    Private key file. Optional.

SRTP crypto-suite
    Crypto algorithms to be included in the keying protocols. At least one must be chosen.

11.12. SSL Parameters

These parameters define security credentials used by the SBC for TLS-transported signaling.

Enable TLS
    Listen on the TLS port for SIP traffic.

Use Secure WebSockets
    If turned on, the websocket interfaces use TLS instead of plain TCP. HTTPS web pages using websockets must use WSS (WebSocket over TLS).

SSL certificate file
    Certificate file. Required for TLS.

SSL private key file
    Private key file. Required for TLS.

Trusted CA certificates file
    Trusted CA certificates used to validate peer certificates. Optional if TLS or DTLS is enabled.

Mandate client certificate
    Optional: require the communication peer to present a certificate. If turned off, no certificate is required from the peer.
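
The “Minimal supported TLS version” and “TLS cipher list” SEMS parameters and the SSL parameters above together define the signaling TLS policy. The following Python is an added example, not ABC SBC code, of checking such a policy offline with the standard ssl module before it is applied: it expands an OpenSSL cipher string exactly as OpenSSL would (so a typo that matches nothing is caught as ssl.SSLError rather than as a listener that refuses every connection), flags deprecated minimum versions and weak suites, and builds a server context equivalent to the parameters. The mapping of the page's version tokens to ssl.TLSVersion, the weak-suite markers and the function names are ours; the certificate file arguments are optional so the example runs without key material.

```python
import ssl

# Tokens used by "Minimal supported TLS version" (assumption: this mapping is ours)
TLS_VERSIONS = {
    "tls1": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
}
DEPRECATED_VERSIONS = ("tls1", "tls1.1")   # deprecated by RFC 8996
WEAK_MARKERS = ("NULL", "RC4", "MD5", "DES", "EXP", "ADH", "AECDH")


def tls12_cipher_names(cipher_list: str) -> list:
    """Expand an OpenSSL cipher string into the TLS 1.2 suites it enables.

    ssl.SSLError ("No cipher can be selected") is raised when nothing matches,
    which is what a typo in "TLS cipher list" would do to the TLS listener.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def build_context(min_version: str, cipher_list: str, mandate_client_cert: bool,
                  cert_file: str = "", key_file: str = "", ca_file: str = "") -> ssl.SSLContext:
    """Server context equivalent to the parameters; file paths are optional so this runs offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLS_VERSIONS[min_version]   # "Minimal supported TLS version"
    ctx.set_ciphers(cipher_list)                       # "TLS cipher list"
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file or None)   # "SSL certificate file" / "SSL private key file"
    if ca_file:
        ctx.load_verify_locations(ca_file)             # "Trusted CA certificates file"
    # "Mandate client certificate": without it the peer is not asked for a certificate at all
    ctx.verify_mode = ssl.CERT_REQUIRED if mandate_client_cert else ssl.CERT_NONE
    return ctx


def review(min_version: str, cipher_list: str) -> list:
    """Findings a hardening review would raise for the two settings (empty list = acceptable)."""
    findings = []
    if min_version in DEPRECATED_VERSIONS:
        findings.append(f"minimum version {min_version} is deprecated by RFC 8996; use tls1.2")
    try:
        names = tls12_cipher_names(cipher_list)
    except ssl.SSLError:
        return findings + ["cipher list matches no cipher; the TLS listener would refuse all connections"]
    for name in names:
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak suite enabled: {name}")
    if not any("ECDHE" in n or "DHE" in n for n in names):
        findings.append("no forward-secret (ECDHE/DHE) suite enabled")
    return findings
```

A cipher string such as ECDHE+AESGCM:!aNULL passes review() with tls1.2, while a plain RSA-key-exchange string such as AES128-GCM-SHA256 is reported for lacking forward secrecy: a recorded TLS signaling capture could then be decrypted later with the server key, which is the same exposure the “Dump TLS session keys to file” option creates deliberately.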

11.13. Syslog Parameters

These parameters fine-tune the behaviour of the syslog daemon. This is primarily useful when syslogs are configured to be sent to an external system.

Parameter Name Description
Syslog facility Name of syslog facility to use for logs from the main SBC processes. Possible values are ‘daemon’, ‘user’, ‘local0’, ‘local1’ ... ‘local7’.
Enable remote syslog server If turned on, syslog messages will be sent to an external syslog host additionally to the local filesystem.
Remote syslog server IP IP address of the external syslog server.
Remote syslog server port Port number on which the external syslog server listens.
Remote syslog transport Transport protocol on which an external syslog server listens.
Log level for remote syslog server Log messages above this level will be sent to the external syslog server.
Log files rotation frequency Sets the interval for log files rotation. Use “daily”, “weekly” or “monthly”.
Number of old log files to keep Sets the number of rotated log files to keep before deletion.

Footnotes

[1] See reports on Linux write caching: https://lonesysadmin.net/2013/12/22/better-linux-disk-caching-performance-vm-dirty_ratio/
[2] See Linux virtual memory subsystem options: https://www.kernel.org/doc/Documentation/sysctl/vm.txt