ASBCE Question: URI contains invalid FQDN. DNS resolved address does not match the Interface address

[dsm600rr]

Hello all,

Having a bit of an issue with a clients ASBCE.

They have their

Data Network: 192.168.43.XXX

Phone Network: 10.0.0.XXX

IPO LAN: 192.168.23.254 / IP Route: 192.168.23.1 (Data)
IPO WAN: 10.0.0.1

ASBCE A1: 10.0.0.5 with its Gateway 10.0.0.1 (Avaya IPO WAN)
ASBCE B1: 192.168.24.1 GW / 192.168.24.2 (One-To-One-NAT)
ASBCE Management: 192.168.23.11 (Data Network)

I see IX Workplace hitting the ASBCE:

However I am getting a 403 on 46xxsettings.txt

I am thinking this issue is with an IP Route, just not sure exactly what. Thoughts? Thank you!

ACSS / ACIS

 

[IPOLackey]

Are you using self-signed certs, or is this a proper CA certificate?

We had this but was down to the latest R11.1 change to creating self-signed certs. Had to very carefully re-create that 3rd party cert for the SBC with the correct Alternative names.

 

[derfloh]

IPO tries to resolve the Hostnamen against it’s DNS server. It should match it’s own IP or the configured public IP in the LAN interface‘s topology Settings.

Usually you configure the internal DNS to resolve against the internal IP of the IPO.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

IPOLackey: They are running R11.0 with a Windows VM Pro. I spun up an application server here at my office and created the certificates.

derfloh: Their internal DNS is on the Data VLAN. They do not have DNS on the Voice VLAN (IPO on both Data/voice VLANs)

For the IPO DNS, I have the Internal DNS Server at: 192.168.23.25 (Data VLAN) / 8.8.8.8. Are you referring to split DNS? FQDN > ASBCE B1 > Internal DNS to IPO? The client does not want the ASBCE/Remote Workers on the Data VLAN with the Internal DNS Server. They are only using this for Remote J169's so I did not think Split DNS was required as the phones will not be brought back to the office. If it is required for this to work, I will let them know that we have to put the A1 Interface on the Data VLAN.

How I created the Certificates:

SANs:
DNS:FQDN
DNSomain
URI:sip:FQDN
URI:sipomain
IP:10.0.0.1 (IPO)

SANs:
DNS:FQDN
DNSomain




ACSS / ACIS

 

[dsm600rr]

A bit of an update.

If I check "SIP Remote Extension Enable" and put in the Public IP Address of the ASBCE B1 under "Network Topology" I can now get to

https://fqdn/46xxsettings.txt

My J179 updates its firmware and asks for a login. I enter in the extension and "Extension" password, the phone thinks a bit and then goes to "Acquiring Service"






ACSS / ACIS

 

[derfloh]

Is „use preferred phone ports“ enabled? If so you have to create a reverse proxy for Port 411 or disable that option.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

derfloh: "use preferred phone ports“ is not enabled.

ACSS / ACIS

 

[dsm600rr]

This ASBCE is behind a firewall, using one-to-one NAT per the client. I am assuming the "SIP Remote Extension Enable" and Pubic IP Address in the IPO "Network Topology" is not correct and should be removed, however it did allow me to get to the ttps://fqdn/46xxsettings.txt as well as I saw the phone upgrade its firmware and get to the login screen. Once I log it, it goes to "Acquiring Service"

I played around with IP Routes in the IPO from the Data to the Phone VLAN and nothing made a difference.

Is it possible the Firewall needs a route? Kinda stumped here.



ACSS / ACIS

 

[dsm600rr]

All,

Got everything working, was a split DNS Issue. Anyway - One small issue. Never seen this before. When I call my cell phone from the remote test J179, and hang up from my cell phone, the remote J179 displays this:

ACSS / ACIS

 

[derfloh]

Have a look at TraceSBC. Cell must generate a BYE message that should be forwarded to IPO and from there to the phone.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN

 

[dsm600rr]

Noticed something interesting in SSA. When I hang up the call its "Current State" still shows "Connected" however at the "Trace Output" you can see that the call "Disconnect from Destination End"

ACSS / ACIS

 

[dsm600rr]

I am not really sure how this could be IPO or ASBCE Related. Possible something SIP Related on the Firewall?

ACSS / ACIS

 

[derfloh]

I sent an answer in your other thread.

IP Office remote service
IP Office certificate check
CLI based call blocking
SCN fallback over PSTN