@bdm1981
Last active January 9, 2024 08:42
Two more reasons to deploy secure SIP trunks - Troubleshooting Examples
Reference configuration (`show run`, abbreviated; certificates and the SIP credential are omitted). Note that `password 7` under `sip-ua` is Cisco's reversible type 7 encoding, not encryption, so a copy of this running config is as sensitive as the trunk password itself.
!
version 15.6
hostname BDM-border
!
boot-start-marker
boot system flash0 c2900-universalk9-mz.SPA.156-3.M5.bin
boot-end-marker
!
crypto pki trustpoint cube1
enrollment pkcs12
revocation-check none
rsakeypair cube1 2048
!
crypto pki trustpoint twilio
enrollment terminal
revocation-check none
rsakeypair RSA2048 2048
!
!
crypto pki certificate chain cube1
<omitted>
crypto pki certificate chain twilio
<omitted>
voice-card 0
dspfarm
dsp services dspfarm
!
!
!
voice service voip
ip address trusted list
ipv4 54.172.60.0 255.255.254.0
ipv4 54.244.51.0 255.255.255.252
allow-connections sip to sip
supplementary-service h450.12
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
srtp-auth sha1-80
registrar server expires max 600 min 60
asserted-id pai
early-offer forced
midcall-signaling passthru
!
!
voice translation-rule 1
rule 1 /\+1XXXXXXXXXX.*/ /4001/
!
voice translation-rule 2
rule 1 /^7\(.*\)/ /+\1/
!
voice translation-rule 3
rule 1 /^4.../ /+1XXXXXXXXXX/
!
!
voice translation-profile fix-in
translate called 1
!
voice translation-profile fix-out
translate calling 3
translate called 2
!
interface GigabitEthernet0/0
ip address dhcp
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.2 255.255.255.0
h323-gateway voip bind srcaddr 192.168.40.2
!
!
dspfarm profile 1 transcode universal security
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 12
associate application CUBE
!
dial-peer voice 2110 voip
description ** CUBE to CUCM **
destination-pattern [1234][0123][01].
session protocol sipv2
session target ipv4:192.168.202.70
voice-class sip options-keepalive down-interval 10
voice-class sip bind control source-interface GigabitEthernet0/1.40
voice-class sip bind media source-interface GigabitEthernet0/1.40
dtmf-relay rtp-nte
codec g711ulaw
no vad
!
dial-peer voice 205 voip
description ** CUBE to Twilio **
translation-profile outgoing fix-out
destination-pattern 71[2-9]..[2-9]......
session protocol sipv2
session target sip-server
session transport tcp tls
voice-class sip bind control source-interface GigabitEthernet0/0
voice-class sip bind media source-interface GigabitEthernet0/0
dtmf-relay rtp-nte sip-kpml sip-notify
srtp
codec g711ulaw
ip qos dscp cs4 signaling
no vad
!
dial-peer voice 1 voip
description ** SP to CUBE catchall **
translation-profile incoming fix-in
session protocol sipv2
incoming called-number .
voice-class sip bind control source-interface GigabitEthernet0/0
voice-class sip bind media source-interface GigabitEthernet0/0
dtmf-relay rtp-nte sip-kpml sip-notify
srtp
codec g711ulaw
ip qos dscp cs4 signaling
no vad
!
!
sip-ua
authentication username bdmtls password 7 <omitted> realm sip.twilio.com
registrar dns:<omitted>.pstn.twilio.com expires 3600
sip-server dns:<omitted>.pstn.twilio.com
transport tcp tls v1.2
crypto signaling default trustpoint cube1
Symptom-1 - Call immediately fails
Debug command: `debug ccsip messages`
```
Jun 24 15:17:16.684: //8204/C85D2B800000/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 488 Secure SIP transport required
CSeq: 102 INVITE
Call-ID: 9F5E1116-B56411EA-A0ACB330-6833B562@192.168.210.190
From: <sip:+1650489XXXX@example.pstn.twilio.com>;tag=5ABA4D0-B9D
To: <sip:+1650489XXXX@example.pstn.twilio.com>;tag=81513095_6772d868_0d3cf14b-cd2f-4c45-82b8-f5e8b3429367
Via: SIP/2.0/UDP 192.168.210.190:5060;rport=50058;received=67.175.197.28;branch=z9hG4bK1A13571
Timestamp: 1593011836
Server: Twilio
Contact: <sip:172.25.90.100:5060>
X-Twilio-Error: 32209 TLS transport is required to place a secure call
Content-Length: 0
```
If `session transport tcp tls` is not configured on the outbound dial-peer, the INVITE leaves over UDP (note `Via: SIP/2.0/UDP` in the response, which echoes the transport CUBE used) and the provider rejects it immediately with this 488 and `X-Twilio-Error: 32209`. The fix is the transport line on the provider-facing dial-peer (dial-peer 205 in the configuration above).
Symptom-2 - Calls towards CUBE generate a fast busy
Debug command: `debug crypto pki validation`
```
Jun 24 15:36:17.311: CRYPTO_PKI: (A00A5) Adding peer certificate
Jun 24 15:36:17.315: CRYPTO_PKI: (A00A5) Adding peer certificate
Jun 24 15:36:17.315: CRYPTO_PKI: ip-ext-val: IP extension validation not required
Jun 24 15:36:17.315: CRYPTO_PKI: (A00A5) Check for identical certs
Jun 24 15:36:17.315: CRYPTO_PKI : (A00A5) Validating non-trusted cert
Jun 24 15:36:17.315: CRYPTO_PKI: (A00A5) Create a list of suitable trustpoints
Jun 24 15:36:17.315: CRYPTO_PKI: (A00A5) No suitable trustpoints found
```
CUBE found no trustpoint that could validate the certificate the provider presented, so the TLS session toward the provider cannot be built. Validate that the DigiCert root CA at the top of Twilio's certificate chain has been authenticated into a trustpoint on the router (the `twilio` trustpoint above, with `enrollment terminal`): `show crypto pki certificates twilio` should list the CA certificate; if it is missing, run `crypto pki authenticate twilio` and paste the root certificate in. Note also that both trustpoints use `revocation-check none`, so a revoked certificate would still pass this validation; keep that in mind before reusing the configuration outside a lab.
Symptom-3 - Calls from PBX to PSTN return a fast busy as soon as the call is answered
Debug command: `debug ccsip messages`
```
Jun 24 15:46:14.867: //8369/CF8638800000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 200 OK
Via: SIP/2.0/TCP 192.168.202.70:5060;branch=z9hG4bK2c69b134e8a853
From: <sip:4001@192.168.202.70>;tag=16986053~477a6d5f-d1cc-4ff5-9f80-c69b5dc422aa-20688291
To: <sip:+1650489XXXX@192.168.40.2>;tag=5C62700-1153
Date: Wed, 24 Jun 2020 15:46:06 GMT
Call-ID: cf863880-ef31753e-299125-46caa8c0@192.168.202.70
CSeq: 101 INVITE
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
P-Asserted-Identity: <sip:+1650489XXXX@192.168.40.2>
Contact: <sip:+1650489XXXX@192.168.40.2:5060;transport=tcp>
Supported: replaces
Supported: sdp-anat
Server: Cisco-SIPGateway/IOS-15.6.3.M5
Session-ID: 7bcfa62c85405327ba8da80c6a236516;remote=931b98314623781572f63aaa16986052
Supported: timer
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 276

v=0
o=CiscoSystemsSIP-GW-UserAgent 3660 7734 IN IP4 192.168.40.2
s=SIP Call
c=IN IP4 192.168.40.2
t=0 0
m=audio 16552 RTP/SAVP 0
c=IN IP4 192.168.40.2
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:zcCGar0v7JnoVEaAvVGmH/BYw1LY05GET2YaElNp
a=rtpmap:0 PCMU/8000
a=ptime:20
```
In the 200 OK above CUBE answers the CUCM leg with `m=audio ... RTP/SAVP` and an `a=crypto` line, that is, with SRTP. If SRTP is enabled globally under `voice service voip` and CUCM is not running in secure mode, CUBE will attempt to negotiate SRTP toward the PBX and the call fails as soon as it is answered. Disable SRTP globally and leave the `srtp` keyword only on the provider-facing dial-peers (dial-peers 1 and 205 above), so the PSTN leg stays encrypted and CUBE interworks SRTP to RTP toward the PBX:
```
voice service voip
 no srtp
```
Two caveats: the `a=crypto` line carries the SRTP master key in the clear, so `debug ccsip messages` output is sensitive and should be redacted before it goes into a ticket or a gist; and SRTP-RTP interworking needs the secure DSP farm profile to be up, which is Symptom-4.
Symptom-4 - Calls from PBX to PSTN return a fast busy after a couple rings
Debug command: `debug ccsip messages`
```
Jun 24 15:50:46.258: //8397/736FE4000000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 503 Service Unavailable
Via: SIP/2.0/TCP 192.168.202.70:5060;branch=z9hG4bK2c69d05044a0b4
From: <sip:4001@192.168.202.70>;tag=16986206~477a6d5f-d1cc-4ff5-9f80-c69b5dc422aa-20688300
To: <sip:+1650489XXXX@192.168.40.2>;tag=5CA4F28-FF2
Date: Wed, 24 Jun 2020 15:50:41 GMT
Call-ID: 736fe400-ef317651-29913f-46caa8c0@192.168.202.70
CSeq: 101 INVITE
Allow-Events: telephone-event
Reason: Q.850;cause=47
Server: Cisco-SIPGateway/IOS-15.6.3.M5
Session-ID: 931b98314623781572f63aaa16986205;remote=0b0e9775bbcc56ba905dce65f44896b4
Content-Length: 0
```
CUBE sends this 503 toward CUCM with `Reason: Q.850;cause=47` (resource unavailable, unspecified): it had no resource with which to complete the call. Because the provider leg is SRTP and the CUCM leg is plain RTP, CUBE must interwork SRTP to RTP, and that needs the secure transcoding profile (`dspfarm profile 1 transcode universal security` above) to be active. If SRTP-RTP interworking is required and the dspfarm isn't active, the call setup fails. Confirm the dspfarm is configured and active:
```
BDM-border#show dspfarm profile 1
Dspfarm Profile Configuration
Profile ID = 1, Service =Universal TRANSCODING, Resource ID = 1
Profile Description :
Profile Service Mode : secure
Profile Admin State : DOWN
Profile Operation State : DOWN
Application : CUBE Status : NOT ASSOCIATED
Resource Provider : FLEX_DSPRM Status : DOWN
Total Number of Resources Configured : 12
Total Number of Resources Available : 0
Total Number of Resources Out of Service : 12
Total Number of Resources Active : 0
Codec Configuration: num_of_codecs:4
Codec : g711ulaw, Maximum Packetization Period : 30
Codec : g711alaw, Maximum Packetization Period : 30
Codec : g729ar8, Maximum Packetization Period : 60
Codec : g729abr8, Maximum Packetization Period : 60
```
If both the Profile Admin State and Operation State are `DOWN`, the profile is administratively shut; bring it up:
```
dspfarm profile 1
 no shut
```
Afterwards the Admin State should be `UP`, the Operation State `ACTIVE`, the CUBE application `ASSOCIATED`, and the profile should report `TLS : ENABLED`:
```
BDM-border#show dspfarm profile 1
Dspfarm Profile Configuration
Profile ID = 1, Service =Universal TRANSCODING, Resource ID = 1
Profile Description :
Profile Service Mode : secure
Profile Admin State : UP
Profile Operation State : ACTIVE
Application : CUBE Status : ASSOCIATED
Resource Provider : FLEX_DSPRM Status : UP
Total Number of Resources Configured : 12
Total Number of Resources Available : 12
Total Number of Resources Out of Service : 0
Total Number of Resources Active : 0
Codec Configuration: num_of_codecs:4
Codec : g711ulaw, Maximum Packetization Period : 30
Codec : g711alaw, Maximum Packetization Period : 30
Codec : g729ar8, Maximum Packetization Period : 60
Codec : g729abr8, Maximum Packetization Period : 60
TLS : ENABLED
```
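The three SIP signatures above (a 488 with `X-Twilio-Error: 32209` and a UDP Via, a 200 OK carrying `RTP/SAVP` plus `a=crypto` on the PBX leg, and a 503 with `Reason: Q.850;cause=47`) can be picked out of `debug ccsip messages` output automatically. The following is an added example written for this page, not code from the gist or from Cisco: it parses the `ccsipDisplayMsg` blocks into messages and maps each signature to the fix discussed under Symptom-1, Symptom-3 and Symptom-4. The embedded sample is constructed from the messages shown above, trimmed to the headers that matter, with the SRTP key in the `a=crypto` line replaced by `<omitted>`; the finding texts are this example's own wording.

```python
"""Triage `debug ccsip messages` output for the SIP failure signatures in this gist.

Added example, not from the gist or from Cisco: it splits CUBE's ccsipDisplayMsg
blocks into messages and maps three signatures to the fixes under Symptom-1/3/4.
"""
import re
from dataclasses import dataclass, field

# Every message block starts with a banner such as
# "Jun 24 15:17:16.684: //8204/C85D2B800000/SIP/Msg/ccsipDisplayMsg:"
BANNER = re.compile(r"/SIP/Msg/ccsipDisplayMsg:\s*$")


@dataclass
class SipMessage:
    direction: str                               # "Sent" or "Received", from CUBE's view
    start_line: str                              # request line or status line
    headers: dict = field(default_factory=dict)  # lower-cased name -> list of values
    body: str = ""                               # SDP, if any

    @property
    def status(self):
        m = re.match(r"SIP/2\.0 (\d{3})", self.start_line)
        return int(m.group(1)) if m else None

    def header(self, name):
        values = self.headers.get(name.lower())
        return values[0] if values else None

    def via_transport(self):
        m = re.match(r"SIP/2\.0/(\w+)", self.header("Via") or "")
        return m.group(1).upper() if m else None


def parse_ccsip_debug(text):
    """Return the SipMessages in a capture; text before the first banner is ignored."""
    lines = text.splitlines()
    messages, i = [], 0
    while i + 2 < len(lines):
        if not BANNER.search(lines[i]):
            i += 1
            continue
        direction, start_line = lines[i + 1].strip().rstrip(":"), lines[i + 2].strip()
        i, headers, body = i + 3, {}, []
        # Headers end at the blank line before the body; pasted debugs often lose that
        # blank line, so an SDP "v=0" line terminates the header section as well.
        while i < len(lines) and lines[i].strip() not in ("", "v=0") and not BANNER.search(lines[i]):
            name, _, value = lines[i].partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
            i += 1
        while i < len(lines) and not BANNER.search(lines[i]):
            body.append(lines[i])
            i += 1
        messages.append(SipMessage(direction, start_line, headers, "\n".join(body).strip()))
    return messages


def diagnose(msg):
    """Findings, each naming the fix it points to, that apply to one message."""
    findings, code = [], msg.status
    if code == 488 and (msg.header("X-Twilio-Error") or "").startswith("32209"):
        findings.append(f"Symptom-1: provider requires TLS but the INVITE went out over "
                        f"{msg.via_transport()}; add 'session transport tcp tls' to the dial-peer")
    if code == 503 and "Q.850;cause=47" in (msg.header("Reason") or ""):
        findings.append("Symptom-4: 503 with Q.850 cause 47 (resource unavailable); check "
                        "'show dspfarm profile', the secure transcoding profile is probably down")
    if re.search(r"^m=audio \S+ RTP/SAVP", msg.body, re.M) and "a=crypto:" in msg.body:
        findings.append(f"Symptom-3: SRTP (RTP/SAVP + a=crypto) {msg.direction.lower()} on this leg; "
                        "if that peer is not in secure mode, remove global 'srtp' under 'voice service voip'")
    return findings


def triage(text):
    """Parse and diagnose a whole capture: [(direction, start line, findings), ...]."""
    return [(m.direction, m.start_line, diagnose(m)) for m in parse_ccsip_debug(text)]


# Constructed sample: the three messages from this gist, trimmed, SRTP key replaced by <omitted>.
SAMPLE_DEBUG = """\
Jun 24 15:17:16.684: //8204/C85D2B800000/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 488 Secure SIP transport required
Via: SIP/2.0/UDP 192.168.210.190:5060;rport=50058;branch=z9hG4bK1A13571
X-Twilio-Error: 32209 TLS transport is required to place a secure call
Content-Length: 0
Jun 24 15:46:14.867: //8369/CF8638800000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 200 OK
Via: SIP/2.0/TCP 192.168.202.70:5060;branch=z9hG4bK2c69b134e8a853
v=0
c=IN IP4 192.168.40.2
m=audio 16552 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<omitted>
Jun 24 15:50:46.258: //8397/736FE4000000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 503 Service Unavailable
Via: SIP/2.0/TCP 192.168.202.70:5060;branch=z9hG4bK2c69d05044a0b4
Reason: Q.850;cause=47
Content-Length: 0
"""
```

Run `triage(open("capture.txt").read())` on a saved debug and print the findings per message; the Via transport is read from the response, so a 488 that echoes `SIP/2.0/UDP` is caught even when the outgoing INVITE itself was not captured.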
Symptom-5 - Calls towards the PBX fail and debug ccsip messages doesn't return anything
Debug command: `debug ssl openssl errors`
```
BDM-border#debug ssl openssl errors
TLS errors debugging is on
BDM-border#
.Jun 24 16:31:04.901: opssl_SetPKIInfo entry
.Jun 24 16:31:04.901: CRYPTO_OPSSL: Can't find router cert.
```
This happens when the trustpoint named by `crypto signaling default trustpoint` (cube1 above) holds no usable router certificate: the TLS handshake for the inbound INVITE fails before any SIP is exchanged, so `debug ccsip messages` stays silent. On the router, `show crypto pki certificates cube1` should list a router certificate for the trustpoint; if it does not, re-import the PKCS#12 bundle (`crypto pki import cube1 pkcs12 <url> password <password>`). From any *nix host with OpenSSL, confirm that CUBE returns a certificate on 5061 (replace the address with the CUBE's own):
```
openssl s_client -host 192.168.210.190 -port 5061 -prexit -showcerts
```
`-prexit` prints the session summary a second time when s_client exits, which is why each transcript below shows it twice.
With no usable router certificate the handshake fails before any certificate is sent; note that `Verify return code: 0 (ok)` here means nothing was verified, not that verification succeeded:
```
4526089836:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1593016422
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1593016422
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
```
With a certificate installed, the same command returns it under `Certificate chain` and `Server certificate`. Here the certificate is self-signed (subject and issuer are both CN=BDM-border, hence `Verify return code: 18`); a self-signed certificate passes this local presence check, but whether the far end accepts it depends on that side's trust list. The handshake-failure alert that follows the chain is not what this check is about; the point is that CUBE now sends a certificate where before it sent none.
```
openssl s_client -host 192.168.210.190 -port 5061 -prexit -showcerts
```
```
CONNECTED(00000003)
depth=0 CN = BDM-border
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = BDM-border
verify return:1
4704274028:error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL alert number 40
4704274028:error:1401E0E5:SSL routines:CONNECT_CR_FINISHED:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
Certificate chain
0 s:/CN=BDM-border
i:/CN=BDM-border
-----BEGIN CERTIFICATE-----
<omitted>
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=BDM-border
issuer=/CN=BDM-border
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1176 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: B1E98A066A7560D79F276F0C9F89B84E87A1368ED3689DB902C43C7426725F8D
Session-ID-ctx:
Master-Key: 9BD030A8102C11372F20AC22EBE8D4C5E759F2152EFCA11AF6D5B434C6525910A5FBF46720C6379517E1C4FEAD0E890E
Start Time: 1593016678
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
---
Certificate chain
0 s:/CN=BDM-border
i:/CN=BDM-border
-----BEGIN CERTIFICATE-----
<omitted>
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=BDM-border
issuer=/CN=BDM-border
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1176 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: B1E98A066A7560D79F276F0C9F89B84E87A1368ED3689DB902C43C7426725F8D
Session-ID-ctx:
Master-Key: 9BD030A8102C11372F20AC22EBE8D4C5E759F2152EFCA11AF6D5B434C6525910A5FBF46720C6379517E1C4FEAD0E890E
Start Time: 1593016678
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
```
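The `openssl s_client` check for Symptom-5, scripted so it can run from a monitoring host, as an added example written for this page and not code from the gist: `check_cube` runs the same s_client command used above against a live CUBE (it needs the `openssl` binary on the path), and `classify_s_client` turns an s_client transcript into one of three verdicts, so the decision can also be made offline on a saved transcript. It assumes SIP-TLS on TCP/5061 as in the `sip-ua` section above; the two embedded transcripts are constructed, abbreviated copies of the outputs shown above.

```python
"""Check whether a CUBE presents a certificate on its SIP-TLS listener (Symptom-5).

Added example, not from the gist: check_cube() wraps the same `openssl s_client`
command used above, and classify_s_client() turns its transcript into a verdict.
Assumed: SIP-TLS on TCP/5061 (the `sip-ua` section above uses TLS 1.2 on that port).
"""
import re
import subprocess

VERIFY_RE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)", re.M)


def classify_s_client(transcript):
    """Classify `openssl s_client -showcerts -prexit` output.

    verdict is one of
      no-certificate  the handshake failed before any certificate arrived (broken case above)
      self-signed     a certificate arrived and subject == issuer (the lab router above)
      ca-signed       a certificate arrived, issued by a different name
    verify_code is OpenSSL's "Verify return code". Beware that it reads 0 (ok) in the
    no-certificate case: nothing failed verification because nothing was verified.
    """
    # -prexit prints the whole session block a second time on exit, so count the
    # chain only in the text before the first "Server certificate" marker.
    head = transcript.split("Server certificate", 1)[0]
    chain_length = head.count("-----BEGIN CERTIFICATE-----")
    m = VERIFY_RE.search(transcript)
    verify_code = int(m.group(1)) if m else None
    if chain_length == 0 or "no peer certificate available" in transcript:
        return {"verdict": "no-certificate", "verify_code": verify_code, "chain_length": 0}
    subject = re.search(r"^\s*subject=(.*)$", transcript, re.M)
    issuer = re.search(r"^\s*issuer=(.*)$", transcript, re.M)
    self_signed = bool(subject and issuer and subject.group(1).strip() == issuer.group(1).strip())
    return {"verdict": "self-signed" if self_signed else "ca-signed",
            "verify_code": verify_code, "chain_length": chain_length}


def check_cube(host, port=5061, timeout=15):
    """Run the s_client check against a live CUBE and classify what comes back.

    stdin is closed at once so s_client exits right after the handshake; -prexit
    makes it print the session summary even when the handshake fails, which is
    exactly the no-certificate transcript shown above.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts", "-prexit"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    output = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    return classify_s_client(output)


# Constructed samples, abbreviated from the two transcripts shown above.
NO_CERT = """\
4526089836:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
---
"""

SELF_SIGNED = """\
CONNECTED(00000003)
depth=0 CN = BDM-border
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=BDM-border
   i:/CN=BDM-border
-----BEGIN CERTIFICATE-----
<omitted>
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=BDM-border
issuer=/CN=BDM-border
---
SSL handshake has read 1176 bytes and written 138 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---
"""

if __name__ == "__main__":
    import sys
    # 192.168.210.190 is the CUBE address used in the transcripts above.
    print(check_cube(sys.argv[1] if len(sys.argv) > 1 else "192.168.210.190"))
```

A `no-certificate` verdict is the Symptom-5 condition; `self-signed` means the router presents a certificate but one the far end will only accept if it explicitly trusts it, and `ca-signed` is what a production trunk should return.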