Certificate Issue

[makemetrend]

What certificate should I use in Avaya Equinox Mobile and Windows? I have already the SystemManagerCA installed.

And also there's a weird events that I encountered. When i am onsite, i am using mobile data and succesfully registered on avaya equinox. But when I got home, using our wifi. I can't now connect.

please help me. thanks!

 

[kyle555]

I'm starting to become superstitious and not do softphones on 5060/5061 anymore. I've seen it with my own two eyes on a traceSBC that my Android hijacks port 5061.

So, when I'm all on mobile - I see registration and PPM just fine from my mobile public IP
When I'm on wifi, I see my mobile public IP register SIP and then PPM come from my wifi IP and my registration doesn't work.
So I pulled out my sim card. Then I just never sent any SIP registration.

Though, if you can hotspot a laptop thru the mobile and be OK and also run the laptop on wifi and be OK, you can prove it out.

Re certs:

https://downloads.avaya.com/css/P8/documents/101059875

A lot is changing. If you got a SMGR that was upgraded from 6.3, then the CA is still SHA1 signed even though all the SM certs are SHA256. iOS will start rejecting that soon.

What I've seen people do is get a cert with a bunch of subjectAlternativeNames. like aads.customer.com, sm8-sm100.customer.com, etc. So, if you make 1 key and 1 csr and get 1 cert back you can still load it as a 3rd party cert on more than 1 thing - like a SBC or AADS or a SM or a web gateway for Equinox web collaboration.

So if your SBC outside has that public cert AND you pop it on the AADS inside, then if you got the DNS stuff setup right, the equinox client can log in to AADS and download his dynamic config which can SET TRUSTCERTS SMGRCA.pem and use the 'coalesced truststore'. Apps can have their own trust store on top of the device's - firefox is like this on Windows already. So, doing that, anyone can get on AADS and then told to have their app trust SMGR thereafter without having to go through a whole exercise of distributing certs en masse.

 

[makemetrend]

hi kyle, i think our SMGRCa is already updated the public key is on 2048 and signature algorith is on SHA256with RSA.

ERTIFICATEVERSION X.509 v.3
CERTSERIALNUMBER 4B4FD5257CAF2A93
ISSUERDN CN=System Manager CA,OU=MGMT,O=AVAYA
VALIDFROM Thu Jun 27 14:31:41 PHT 2019
VALIDTO Sun Jun 24 14:31:41 PHT 2029
SUBJECTDN CN=System Manager CA,OU=MGMT,O=AVAYA
SUBALTNAME None
SUBDIRATTR None
PUBLICKEY RSA ( 2048bits)
BASICCONSTRAINTS CA, No path length constraint
KEYUSAGE DIGITALSIGNATURE, KEYCERTSIGN, CRLSIGN
EXTENDEDKEYUSAGE NOEXTENDEDKEYUSAGESPECIFIED
QUALIFIEDCERTSTATEMENT No
Signature Algorithm SHA256WITHRSA
Fingerprint SHA-1
993FC1B02C8FFECEFABA3A35D1748F18274A7612
Fingerprint MD5
D3597280BFD2D9496FEC4657D03B219E
Revoked
No

SMGRCA is the cert that I needed right? ive already uploaded the key and CA Certs on SBC.
My problem is that, Idk why on my windows pc on my home and on my mobile using our wifi, my mobile equinox is not working it says network unavailable even though i set up correctly the Phone Service.

 

[kyle555]

Certs aren't your immediate problem if it works thru the SBC and on mobile data. traceSBC...

 

[makemetrend]

Well. nothing goes thru the SBC when I did the traceSBC. Firewall vendor told me that they allowed any source in their public IP.

 

[makemetrend]

Just to have a quick update. I've already registered at mobile equinox but it's intermittend meaning when i am onsite, I have a succesful registration and after I went home tried to connect to equinox using my mobile then boom voip phone service is not current unavailable again.

The endpoint flows that I confgiured when I leave the client is working.

Help me on this please.

 

[kyle555]

tshark -i B1 port 5061

Do you see yourself coming in?

 

[avayaguy23]

is the wifi doing a double NAT? I've seen bad things happen when double nats come into play

 

[kyle555]

I'd be more suspicious of a SIP application layer gateway on a small commercial router in between. I think I do it through a double NAT all the time. As in, I have a beefier wifi router (192.168.0.x) behind my ISPs (192.168.1.x) and I've never noticed.

 

[makemetrend]

what will I do if it's in double NAT? I believe in our home router it's doing a NAT since this is a small commercial router.

 

[makemetrend]

because in our home our IP are 192.168.1.x and when I do a ipchicken it changes my IP

 

[avayaguy23]

Right. What i'm saying is if your home network is 192.168.1.x if say you are on comcast they will NAT you to a 10.x.x.x normally which will then get natted again to a public IP. This was a major issue with Polycom Video conferencing. The only solution was to use a vpn client that only used one NAT.

 

[kyle555]

Oh yeah, pretend public IPs suck. Technically, I'm not even sure that qualifies as "internet" service. Why can't I serve up some FTP on my public IP? Because it's 10.10.10.10? I guess that's when it's IPv6 time...

 

[makemetrend]

oh shit. this is really bad. in fact our SBC is in natted lols. and as of now, i cant register again on my mobile phone

one quick question, do I need a sip trunk tls from SBC to SM? or should I use instead the remote access in SM?

 

[kyle555]

You don't have a 'trunk' per se in the SBC - you have a server configuration. Your remote subscriber flows will map to use that to go to SM.

SM needs configuration to disable ppm rate limiting per IP and other little things to allow many registrations from the SBC, but no sip entity or trunk.

Also, if you're doing trunking and remote worker on the same SBC, use different IPs on A1 to go to SM so it doesn't get confused about whether an incoming invite is from the carrier or the remote worker.

 

[makemetrend]

ive already deleted the sip trunk tls between sbc and SM. thanks for the recommendation!

i am running out of options. errr. as of now, I still can't register thru mobile equinox. damn it. I've tried deleting the subscriber flows, and should mobile equinox will prompt a invalid password if it's really going to the SBC but no luck the error I got on my cp is unable to connect, check service configuration although it is already configured

 

[kyle555]

tshark -i B1 port 5061

Do that as root in the SBC.

See if your registers come in at all and work from there.

Do you see any incidents in the SBC? Like 'no subscriber flow matched"? That would at least prove messages are coming into the SBC and it isn't programmed right.

 

[makemetrend]

hi kyle, i got 0 captures when I tried to ctrl + z it says.

no encountered like that. but in the firewall it allow all ports. so i cant blame the firewall now

 

[kyle555]

Yes you can. You need to see packets come in on B1. Without that, all your config might be right, you're not getting anywhere.

Something that is a bit confusing is how they label the nics in the VM vs in the SBC. Maybe do ifconfig in the SBC and note B1's MAC and make sure that's the NIC with the MAC on the DMZ VLAN. Otherwise, if you take a new SBC and deploy it as a single box, it'll start with 1 NIC and when you start the install in the web gui it'll make 6 NICs all on the same VLAN. It's not always intuitive if A1,A2,B1,B2 get ethernet adapter 2,3,4,5 in VMware or whatever.

It might not be a firewall problem, but network is still in your way.

 

[makemetrend]

Thanks kyle!

Please correct me if i am wrong, B1 should be in the same vlan of A1, right? As of now, the SBC is connected to the core switch. Here's the diagram.

RW > Internet > FW/NAT > CORE SWITCH > SBC B1 > SBC A1 > SM > CM > Station.

Once FW received traffic from B1 it will forward to SBC B1.