Two more reasons to deploy secure SIP trunks - Troubleshooting Examples
```
show run
!
version 15.6
hostname BDM-border
!
boot-start-marker
boot system flash0 c2900-universalk9-mz.SPA.156-3.M5.bin
boot-end-marker
!
crypto pki trustpoint cube1
 enrollment pkcs12
 revocation-check none
 rsakeypair cube1 2048
!
crypto pki trustpoint twilio
 enrollment terminal
 revocation-check none
 rsakeypair RSA2048 2048
!
!
crypto pki certificate chain cube1
 <omitted>
crypto pki certificate chain twilio
 <omitted>
voice-card 0
 dspfarm
 dsp services dspfarm
!
!
!
voice service voip
 ip address trusted list
  ipv4 54.172.60.0 255.255.254.0
  ipv4 54.244.51.0 255.255.255.252
 allow-connections sip to sip
 supplementary-service h450.12
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 sip
  srtp-auth sha1-80
  registrar server expires max 600 min 60
  asserted-id pai
  early-offer forced
  midcall-signaling passthru
!
!
voice translation-rule 1
 rule 1 /\+1XXXXXXXXXX.*/ /4001/
!
voice translation-rule 2
 rule 1 /^7\(.*\)/ /+\1/
!
voice translation-rule 3
 rule 1 /^4.../ /+1XXXXXXXXXX/
!
!
voice translation-profile fix-in
 translate called 1
!
voice translation-profile fix-out
 translate calling 3
 translate called 2
!
interface GigabitEthernet0/0
 ip address dhcp
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.2 255.255.255.0
 h323-gateway voip bind srcaddr 192.168.40.2
!
!
dspfarm profile 1 transcode universal security
 codec g729abr8
 codec g729ar8
 codec g711alaw
 codec g711ulaw
 maximum sessions 12
 associate application CUBE
!
dial-peer voice 2110 voip
 description ** CUBE to CUCM **
 destination-pattern [1234][0123][01].
 session protocol sipv2
 session target ipv4:192.168.202.70
 voice-class sip options-keepalive down-interval 10
 voice-class sip bind control source-interface GigabitEthernet0/1.40
 voice-class sip bind media source-interface GigabitEthernet0/1.40
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
dial-peer voice 205 voip
 description ** CUBE to Twilio **
 translation-profile outgoing fix-out
 destination-pattern 71[2-9]..[2-9]......
 session protocol sipv2
 session target sip-server
 session transport tcp tls
 voice-class sip bind control source-interface GigabitEthernet0/0
 voice-class sip bind media source-interface GigabitEthernet0/0
 dtmf-relay rtp-nte sip-kpml sip-notify
 srtp
 codec g711ulaw
 ip qos dscp cs4 signaling
 no vad
!
dial-peer voice 1 voip
 description ** SP to CUBE catchall **
 translation-profile incoming fix-in
 session protocol sipv2
 incoming called-number .
 voice-class sip bind control source-interface GigabitEthernet0/0
 voice-class sip bind media source-interface GigabitEthernet0/0
 dtmf-relay rtp-nte sip-kpml sip-notify
 srtp
 codec g711ulaw
 ip qos dscp cs4 signaling
 no vad
!
!
sip-ua
 authentication username bdmtls password 7 <omitted> realm sip.twilio.com
 registrar dns:<omitted>.pstn.twilio.com expires 3600
 sip-server dns:<omitted>.pstn.twilio.com
 transport tcp tls v1.2
 crypto signaling default trustpoint cube1
```
Symptom-1 - Call immediately fails
Debug command: `debug ccsip messages`
```
Jun 24 15:17:16.684: //8204/C85D2B800000/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 488 Secure SIP transport required
CSeq: 102 INVITE
Call-ID: 9F5E1116-B56411EA-A0ACB330-6833B562@192.168.210.190
From: <sip:+1650489XXXX@example.pstn.twilio.com>;tag=5ABA4D0-B9D
To: <sip:+1650489XXXX@example.pstn.twilio.com>;tag=81513095_6772d868_0d3cf14b-cd2f-4c45-82b8-f5e8b3429367
Via: SIP/2.0/UDP 192.168.210.190:5060;rport=50058;received=67.175.197.28;branch=z9hG4bK1A13571
Timestamp: 1593011836
Server: Twilio
Contact: <sip:172.25.90.100:5060>
X-Twilio-Error: 32209 TLS transport is required to place a secure call
Content-Length: 0
```
If TLS isn't enabled on the outbound dial-peer (`session transport tcp tls`), Twilio immediately rejects the call with the 488 response above.
Symptom-2 - Calls towards CUBE generate a fast busy
Debug command: `debug crypto pki validation`
```
Jun 24 15:36:17.311: CRYPTO_PKI: (A00A5) Adding peer certificate
Jun 24 15:36:17.315: CRYPTO_PKI: (A00A5) Adding peer certificate
Jun 24 15:36:17.315: CRYPTO_PKI: ip-ext-val: IP extension validation not required
Jun 24 15:36:17.315: CRYPTO_PKI: (A00A5) Check for identical certs
Jun 24 15:36:17.315: CRYPTO_PKI : (A00A5) Validating non-trusted cert
Jun 24 15:36:17.315: CRYPTO_PKI: (A00A5) Create a list of suitable trustpoints
Jun 24 15:36:17.315: CRYPTO_PKI: (A00A5) No suitable trustpoints found
```
"No suitable trustpoints found" means the router has no trusted CA that can validate the peer's certificate. Validate that the DigiCert Root CA has been added to the router as a trusted certificate.
Symptom-3 - Calls from PBX to PSTN return a fast busy as soon as the call is answered
Debug command: `debug ccsip messages`
```
Jun 24 15:46:14.867: //8369/CF8638800000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 200 OK
Via: SIP/2.0/TCP 192.168.202.70:5060;branch=z9hG4bK2c69b134e8a853
From: <sip:4001@192.168.202.70>;tag=16986053~477a6d5f-d1cc-4ff5-9f80-c69b5dc422aa-20688291
To: <sip:+1650489XXXX@192.168.40.2>;tag=5C62700-1153
Date: Wed, 24 Jun 2020 15:46:06 GMT
Call-ID: cf863880-ef31753e-299125-46caa8c0@192.168.202.70
CSeq: 101 INVITE
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: telephone-event
P-Asserted-Identity: <sip:+1650489XXXX@192.168.40.2>
Contact: <sip:+1650489XXXX@192.168.40.2:5060;transport=tcp>
Supported: replaces
Supported: sdp-anat
Server: Cisco-SIPGateway/IOS-15.6.3.M5
Session-ID: 7bcfa62c85405327ba8da80c6a236516;remote=931b98314623781572f63aaa16986052
Supported: timer
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 276

v=0
o=CiscoSystemsSIP-GW-UserAgent 3660 7734 IN IP4 192.168.40.2
s=SIP Call
c=IN IP4 192.168.40.2
t=0 0
m=audio 16552 RTP/SAVP 0
c=IN IP4 192.168.40.2
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:zcCGar0v7JnoVEaAvVGmH/BYw1LY05GET2YaElNp
a=rtpmap:0 PCMU/8000
a=ptime:20
```
If SRTP is enabled globally under `voice service voip` and CUCM is not running in secure mode, CUBE will attempt to negotiate SRTP towards CUCM (the `RTP/SAVP` media line and `a=crypto` attribute in the 200 OK above) and the call will fail. Issue the following command to disable SRTP globally:
```
voice service voip
 no srtp
```
Symptom-4 - Calls from PBX to PSTN return a fast busy after a couple of rings
Debug command: `debug ccsip messages`
```
Jun 24 15:50:46.258: //8397/736FE4000000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 503 Service Unavailable
Via: SIP/2.0/TCP 192.168.202.70:5060;branch=z9hG4bK2c69d05044a0b4
From: <sip:4001@192.168.202.70>;tag=16986206~477a6d5f-d1cc-4ff5-9f80-c69b5dc422aa-20688300
To: <sip:+1650489XXXX@192.168.40.2>;tag=5CA4F28-FF2
Date: Wed, 24 Jun 2020 15:50:41 GMT
Call-ID: 736fe400-ef317651-29913f-46caa8c0@192.168.202.70
CSeq: 101 INVITE
Allow-Events: telephone-event
Reason: Q.850;cause=47
Server: Cisco-SIPGateway/IOS-15.6.3.M5
Session-ID: 931b98314623781572f63aaa16986205;remote=0b0e9775bbcc56ba905dce65f44896b4
Content-Length: 0
```
Confirm the dspfarm is configured and active. If SRTP-RTP interworking is required and the dspfarm isn't active, call setup fails with the 503 above (Q.850 cause 47, resource unavailable).
```
BDM-border#show dspfarm profile 1
Dspfarm Profile Configuration
Profile ID = 1, Service =Universal TRANSCODING, Resource ID = 1
Profile Description :
Profile Service Mode : secure
Profile Admin State : DOWN
Profile Operation State : DOWN
Application : CUBE Status : NOT ASSOCIATED
Resource Provider : FLEX_DSPRM Status : DOWN
Total Number of Resources Configured : 12
Total Number of Resources Available : 0
Total Number of Resources Out of Service : 12
Total Number of Resources Active : 0
Codec Configuration: num_of_codecs:4
Codec : g711ulaw, Maximum Packetization Period : 30
Codec : g711alaw, Maximum Packetization Period : 30
Codec : g729ar8, Maximum Packetization Period : 60
Codec : g729abr8, Maximum Packetization Period : 60
```
If the Profile Admin State and Operation State are both "DOWN", issue the following command. Afterwards the Admin State should be "UP" and the Operation State should be "ACTIVE":
```
dspfarm profile 1
 no shut
```
```
BDM-border#show dspfarm profile 1
Dspfarm Profile Configuration
Profile ID = 1, Service =Universal TRANSCODING, Resource ID = 1
Profile Description :
Profile Service Mode : secure
Profile Admin State : UP
Profile Operation State : ACTIVE
Application : CUBE Status : ASSOCIATED
Resource Provider : FLEX_DSPRM Status : UP
Total Number of Resources Configured : 12
Total Number of Resources Available : 12
Total Number of Resources Out of Service : 0
Total Number of Resources Active : 0
Codec Configuration: num_of_codecs:4
Codec : g711ulaw, Maximum Packetization Period : 30
Codec : g711alaw, Maximum Packetization Period : 30
Codec : g729ar8, Maximum Packetization Period : 60
Codec : g729abr8, Maximum Packetization Period : 60
TLS : ENABLED
```
Symptom-5 - Calls towards the PBX fail and `debug ccsip messages` doesn't return anything
Debug command: `debug ssl openssl errors`
```
BDM-border#debug ssl openssl errors
TLS errors debugging is on
BDM-border#
.Jun 24 16:31:04.901: opssl_SetPKIInfo entry
.Jun 24 16:31:04.901: CRYPTO_OPSSL: Can't find router cert.
```
This happens when the CUBE trustpoint is not valid. The following command can be run from a *nix system to confirm that CUBE is returning a certificate (replace 192.168.210.190 with the CUBE's IP address):
```
openssl s_client -host 192.168.210.190 -port 5061 -prexit -showcerts
```
When the certificate is not valid the following will be returned:
```
4526089836:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1593016422
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1593016422
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
```
With a valid certificate the following will be returned:
`openssl s_client -host 192.168.210.190 -port 5061 -prexit -showcerts`
```
CONNECTED(00000003)
depth=0 CN = BDM-border
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = BDM-border
verify return:1
4704274028:error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL alert number 40
4704274028:error:1401E0E5:SSL routines:CONNECT_CR_FINISHED:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:585:
---
Certificate chain
 0 s:/CN=BDM-border
   i:/CN=BDM-border
-----BEGIN CERTIFICATE-----
<omitted>
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=BDM-border
issuer=/CN=BDM-border
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1176 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B1E98A066A7560D79F276F0C9F89B84E87A1368ED3689DB902C43C7426725F8D
    Session-ID-ctx:
    Master-Key: 9BD030A8102C11372F20AC22EBE8D4C5E759F2152EFCA11AF6D5B434C6525910A5FBF46720C6379517E1C4FEAD0E890E
    Start Time: 1593016678
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
---
Certificate chain
 0 s:/CN=BDM-border
   i:/CN=BDM-border
-----BEGIN CERTIFICATE-----
<omitted>
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=BDM-border
issuer=/CN=BDM-border
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1176 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B1E98A066A7560D79F276F0C9F89B84E87A1368ED3689DB902C43C7426725F8D
    Session-ID-ctx:
    Master-Key: 9BD030A8102C11372F20AC22EBE8D4C5E759F2152EFCA11AF6D5B434C6525910A5FBF46720C6379517E1C4FEAD0E890E
    Start Time: 1593016678
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
```
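Added here as a worked example, not part of the gist: a small Python triage script that parses `debug ccsip messages` output and scans the `debug crypto pki validation` / `debug ssl openssl errors` lines for the five failure signatures documented above, returning the matching symptom numbers. The sample trace it ships with is constructed, modelled on the captures in this page.

```python
"""Triage Cisco CUBE debug output against the five symptoms documented above."""
import re

SIP_STATUS = re.compile(r"^SIP/2\.0 (\d{3}) ")
HEADER = re.compile(r"^([A-Za-z][\w-]*): *(.*)$")  # SDP lines (x=...) never match this
MEDIA = re.compile(r"^m=\w+ \d+ (RTP/S?AVP)\b")    # RTP/SAVP means SRTP was offered

def parse_sip_messages(text):
    """Split ccsipDisplayMsg output into responses: direction, status, headers, SDP profiles.
    Works on scraped output that has lost the blank line between headers and SDP body."""
    messages, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Sent:", "Received:"):
            cur = {"direction": line[:-1], "status": None, "headers": {}, "profiles": []}
            messages.append(cur)
        elif cur is None:
            continue
        elif (m := SIP_STATUS.match(line)) and cur["status"] is None:
            cur["status"] = int(m.group(1))
        elif m := MEDIA.match(line):
            cur["profiles"].append(m.group(1))
        elif m := HEADER.match(line):
            cur["headers"].setdefault(m.group(1).lower(), m.group(2))
    return messages

def triage(text):
    """Return the symptom numbers (1-5) whose documented signature appears in the debug text."""
    found = set()
    for msg in parse_sip_messages(text):
        twilio_err = msg["headers"].get("x-twilio-error", "")
        if msg["status"] == 488 and twilio_err.startswith("32209"):
            found.add(1)  # TLS missing on the dial-peer: add 'session transport tcp tls'
        elif msg["status"] == 503 and "cause=47" in msg["headers"].get("reason", "") and msg["direction"] == "Sent":
            found.add(4)  # Q.850 cause 47 (resource unavailable): check 'show dspfarm profile 1'
        elif msg["status"] == 200 and msg["direction"] == "Sent" and "RTP/SAVP" in msg["profiles"]:
            found.add(3)  # SRTP offered on the PBX leg; if CUCM is not secure, 'no srtp'
    if "No suitable trustpoints found" in text:
        found.add(2)      # peer cert could not be validated: import the DigiCert Root CA
    if "Can't find router cert" in text:
        found.add(5)      # no usable identity cert in the trustpoint used for crypto signaling
    return sorted(found)

SAMPLE = """Received:
SIP/2.0 488 Secure SIP transport required
X-Twilio-Error: 32209 TLS transport is required to place a secure call
Sent:
SIP/2.0 200 OK
m=audio 16552 RTP/SAVP 0
Jun 24 15:36:17.315: CRYPTO_PKI: (A00A5) No suitable trustpoints found
"""  # constructed sample modelled on the captures above; triage(SAMPLE) -> [1, 2, 3]
```

Feed it the raw terminal capture; a single capture can contain several signatures, so the result is a sorted list rather than one verdict.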