
ASBCE TLS Remote Workers.


Juancho2015

Technical User
Aug 3, 2015
179
AR
Hi. I have some issues when trying to register remote TLS clients through SBC. I installed the required certificates and I guess everything is configured correctly. Avaya Communicator says that phone server is not available (TCP registration works fine). What I can see in traces is that SBC does not send server hello after receiving client hello.
Could that be caused by certificate issue? Is there any way to diagnose this and find a solution? Maybe I'm doing something wrong.
SBC is at Rls 7.0 (7.0.0-21-6602). PBX is an IPO 9.1
Thanks.
 
To narrow down the troubleshooting on the certs have you tried TCP 5060 first? You can also post the traceSBC output here.

jtc22
 
TCP signaling (Port 5060) works fine; phones register, place and receive calls with no issues.
TraceSBC shows this:
Untitled_tp2y59.jpg
 
I'd start with GMT UNIX TIME from the future in the year 2047
TLS won't like that.
 
Hi Kyle555

Thanks, I didn't notice that! However, I can see that SBC has the correct time and date.
Capture_ns5ptc.jpg

Where does that date come from?
 
Hi. I tested with SBC default certificates and TLS works fine. Is there a reason why the certificate bought from Godaddy doesn't work?
 
Hi there. I'm still having the same issue and Avaya's support engineer did not provide a solution yet. Any ideas?
 
If you're offering the godaddy cert from the SBC, you might need the whole chain/pkcs12 with private key, or all the intermediate CAs between Godaddy's root and your cert in the SBC. Presuming the endpoints trust godaddy - 96xx wouldn't by default
 
Hi Kyle.
The problem is that SBC does not offer the certificate. In fact, it does not even respond to client hello message. Are you saying that the issue is caused by incorrect certificate format?
 
I'm saying that the SBC would most likely (seeing as it's a security device) want to validate that certificate. Typically it would be issued to "yoursbc" from "godaddy issuing ca" and that "godaddy issuing ca" would get its cert from "godaddy intermediate" and it would get its certificate from "godaddy root ca" and that the SBC would need all intermediate certificates between "yoursbc" and "godaddy root" to validate it and offer it.

Much like its default cert from the generic Avaya CA. Except there's 1 level there. I think there's also something in the TLS profile about how many levels of verification it does on the cert - so, if you're 3 levels up, you need 3 or maybe 4 levels.

You might need to put the intermediate certs in 1 each as .pem, or as a pkcs12 with the whole chain - to say, that 1 pkcs12 file would include all the levels. Check the documentation about 3rd party certs to be sure.
 
Thanks Kyle!
All I got from Godaddy is these three files:
9e31ba744f1e78f5.crt
gd_bundle-g2-g1.crt
gdig2.crt

The first one is the certificate itself and the rest seem to be the CA certificates. Is one of them the intermediate I need? If so, how can I convert them to .pem or PK12 and then install it to SBC?
 
OK, so 1 should be 'you', then issued by the 2nd and the 2nd got its cert from the godaddy ca, the 3rd. Does the SBC cert have the private key included in it?
 
Yes, SBC cert does have the private key. Actually, the CSR and key were generated on this SBC.
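
Added example, not part of the thread and not Avaya or GoDaddy tooling: shell functions around the standard `openssl` CLI that check the points raised above before import (which certificates a bundle holds, whether the leaf chains through the intermediate to the root, whether the private key matches the certificate) and then build a PKCS#12 carrying the whole chain. The function names, file names in the usage lines and the exported key file are assumptions; the thread only says the key was generated on the SBC.

```shell
#!/bin/sh
# Added example: pre-import checks for a CA-issued certificate set.
# Function names and all file names in the usage lines are assumptions.

# Print subject and issuer of every certificate in a PEM file.
# A CA bundle usually holds several; `openssl x509` alone shows only the first.
# usage: list_certs ca-bundle.pem
list_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Succeed only if the leaf chains to the root through the given intermediates.
# A missing intermediate shows up here as "unable to get local issuer
# certificate" from openssl, and the function returns non-zero.
# usage: verify_chain leaf.crt intermediates.pem root.pem
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Succeed only if the private key belongs to the certificate, by comparing
# the public key derived from each. Expects an unencrypted PEM key.
# usage: key_matches_cert server.key leaf.crt
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Bundle key, leaf and CA certificates (intermediate first, then root)
# into one password-protected PKCS#12 file.
# usage: make_pkcs12 server.key leaf.crt ca-chain.pem out.p12 password
make_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}
```

With the files named in the thread, `list_certs gd_bundle-g2-g1.crt` shows which CA certificates the bundle holds and in what issuer order. Which import format the SBC accepts is for its third-party certificate documentation to confirm, as the post above says.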
 