Avaya SBC TLS configuration

Status
Not open for further replies.

cfickes

IS-IT--Management
Feb 14, 2014
US
Moving SBC from TCP to TLS and all the provisioning in SM is completed, along with the required certificates, but I cannot get a link established between SM and the SBC. I validated there are no firewall restrictions. The SBC traces show RST after TLS hello. What can I check to resolve this issue?
 
I just had this same issue and it had to do with my SBC config in section: Endpoint Flows / Server Flow tab. My signaling interface was incorrect.
 
None of the interfaces changed in Server Flows from TCP to TLS, can you give me more details?
 
In my case I had to change the signaling interface in the server flow to the private interface to get a connection. I wasn't doing any changes with tls/tcp as you are.
 
Understood, and I have all those settings correct, with TLS and the appropriate certs.
 
I don't know your deployment or if it has anything to do with the connectivity between, but in SM did you set up the remote access section?
 
The "Remote Access" is not configured but what relationship does it have with the SBC?

- Remote Access Configurations are used by Session Manager to map the SIP Proxy's Public IP Address to a Session Manager private SIP addresses.
 
public IP 1.1.1.1 forwards to the SBC on B1 interface 2.2.2.2
SBC switches into the A1 address 3.3.3.3 to go to SM on 4.4.4.4

SM at 4.4.4.4 needs to know that registrations that come from 3.3.3.3 are really through the SBC and really phones pointing at 1.1.1.1

SM will then replace 4.4.4.4 with 1.1.1.1 in various SIP and PPM messages where it makes sense. "Your primary proxy is 4.4.4.4:5061" SM would have the smarts to say "1.1.1.1:5061".
 
kyle555, I am not using proxies for the SBC, but are you saying this is required for TLS to work?
 

p16

What does the TLS handshake look like? TLS hello from the phone to the SBC and RST from the SBC to the phone?

If so, you might have certificate issues, as in, the SBC isn't the smartest with them and just because you think you configured them properly and the web GUI says you did doesn't mean that actually happened.

If you're not getting as far as the SBC offering its cert to the phone in response to a TLS hello, then I'd reckon that's maybe an issue

cat /etc/sbce-version as root on the SBC. What're you running? Is it single box or EMS + separate SBC (HA or not)?
 
The TLS handshake is between the SM and SBC. I am not using Remote Worker. I believe there might be a cert issue too but I am not sure how to resolve it.

I followed this link to provision the certs -
I am running 7.2.2.0-11-15522 and it's an EMS + separate SBC HA config.
 
I'd like to tackle moving SM and SBC to TLS. What documentation did you follow to accomplish this?
 
kyle555/t2ture, do you have any other comments/directions on my issue?
 
tshark -i any -w /tmp/my.pcap and see if capturing off the wire from the SBC shows the same stuff as traceSBC from the SBC side and traceSM from the SM side.

You've either got a config issue or a bug - maybe reboot? Either you're doing it wrong, or the SBC is :)
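Added example, not code from any poster in this thread: once the capture suggested above exists, the question raised earlier (did the handshake stop at the hello, or only after a certificate was offered?) can be answered from the TLS record headers alone. The sketch assumes TLS 1.2 or earlier and that the bytes of each direction of the TCP stream have been exported from the pcap; the function names and sample streams are constructed for illustration.

```python
import struct

# TLS 1.2-and-earlier handshake types and a few alert descriptions (RFC 5246).
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT = {40: "handshake_failure", 42: "bad_certificate",
         45: "certificate_expired", 48: "unknown_ca", 70: "protocol_version"}

def tls_events(stream: bytes) -> list:
    """List the cleartext TLS messages in one direction of a TCP stream.
    Simplification: a handshake message split across records is not reassembled."""
    events, pos, encrypted = [], 0, False
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == 20:                      # ChangeCipherSpec: rest is encrypted
            encrypted = True
            events.append("ChangeCipherSpec")
        elif encrypted or len(body) < length:
            continue                         # opaque or truncated record
        elif ctype == 21 and length >= 2:    # alert: level, description
            events.append("Alert:" + ALERT.get(body[1], str(body[1])))
        elif ctype == 22:                    # one or more handshake messages
            off = 0
            while off + 4 <= len(body):
                events.append(HANDSHAKE.get(body[off], "type%d" % body[off]))
                off += 4 + int.from_bytes(body[off + 1:off + 4], "big")
    return events

def diagnose(initiator: bytes, responder: bytes) -> str:
    """Say how far the handshake got before the connection ended."""
    sent, got = tls_events(initiator), tls_events(responder)
    alerts = [e for e in sent + got if e.startswith("Alert:")]
    if "ClientHello" not in sent:
        return "no ClientHello seen"
    if "ServerHello" not in got:
        return "stopped before ServerHello (%s)" % (alerts[0] if alerts else "no alert")
    if "Certificate" not in got:
        return "ServerHello seen, no Certificate offered"
    return "certificate offered, then " + (alerts[0] if alerts else "no alert")

# Constructed sample streams (not from the thread).
def _rec(ctype, body):
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body
def _hs(msg_type, body=b"\x00" * 4):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

HELLO = _rec(22, _hs(1))
RESET_AFTER_HELLO = (HELLO, b"")
UNTRUSTED_CERT = (HELLO + _rec(21, b"\x02\x30"), _rec(22, _hs(2) + _hs(11) + _hs(14)))
```

A result of "stopped before ServerHello (no alert)" matches a bare RST after the hello, while an alert such as unknown_ca after a Certificate points at trust configuration on the side that sent the alert.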
 