Cisco ATA 186 to SBC

[JuanAvaya]

thread690-1775149
Hi
Just coming back to this issue but this time I am trying to register the ATA to SM through SBC.
For some reason SBC receives the REGISTER but immediately sends it OUT again through its B1 interface instead of sending it to SM (through A1). Below is the traceSBC

ATA SBC SBC-B1
10:02:49.376 |--REGISTE->| | SIP: (1) sip:200.5.xxx.xxx Exp:3600 --------------------> public SBC ip
10:02:49.376 | |--REGISTE->| SIP: (1) sip:200.5.xxx.xxx Exp:3600
10:02:49.376 |<-Forbidd--| | SIP: (1) 403 Forbidden




For other devices like Equinox for Android, a good traceSBC

Android SBC SM
10:31:56.571 |--REGISTE->| | SIP: (0) sip:sip.aca.org.ar Exp:3600 -------------------> sip domain
10:31:56.571 | |--REGISTE->| SIP: (0) sip:sip.aca.org.ar Exp:3600
10:31:56.571 | |<-Unautho--| SIP: (0) 401 Unauthorized
10:31:56.571 |<-Unautho--| | SIP: (0) 401 Unauthorized
10:31:57.573 |--REGISTE->| | SIP: (0) sip:sip.aca.org.ar Exp:3600
10:31:57.573 | |--REGISTE->| SIP: (0) sip:sip.aca.org.ar Exp:3600
10:31:57.573 | |<--200 OK--| SIP: (0) 200 OK (REGISTER)
10:31:57.573 |<--200 OK--| | SIP: (0) 200 OK (REGISTER)



The main difference is the sip domain which there is no place to configure it in the Cisco ATA. I guess SBC does not exactly know where to send the packets to.

Any SBC/SM/SIP expert around??

 

[kyle555]

You actually have to see the packets, not just the copy paste of the ladder!

Presuming your ATA is piggy-backing on the same config that makes other clients work, then the SBC should be sending something to SM. The SBC should/could also overwrite the IP with a domain name and/or SM can have a default domain for UDP port 5060/TCP5060 and TLS 5061 if not otherwise specified by the device.

You can also have certain user-agent strings in the SBC map to certain flows, like user agent Avaya* gets to do anything and user agent "anything else" is forbidden. But, at the very least, the forbidden is telling you something. Whether it's the SBC that receives that from SM or comes up with it on its own will tell you where you want to look next.

 

[JuanAvaya]

Made a step forward!

I added the Cisco ATA 186 as a user agent on SBC and now I get an Unauthorized message from the SM. The extension exists and can be registered without using the SBC.

ATA SBC SM
10:29:21.310 |--REGISTE->| | SIP: (0) sip:sbc.aca.org.ar Exp:3600
10:29:21.310 | |--REGISTE->| SIP: (0) sip:sip.aca.org.ar Exp:3600
10:29:21.310 | |<-Unautho--| SIP: (0) 401 Unauthorized
10:29:21.310 |<-Unautho--| | SIP: (0) 401 Unauthorized
10:29:21.311 |--REGISTE->| | SIP: (0) sip:sbc.aca.org.ar Exp:3600
10:29:21.311 |<-Unautho--| | SIP: (0) 401 Unauthorized
10:29:22.311 |--REGISTE->| | SIP: (0) sip:sbc.aca.org.ar Exp:3600
10:29:22.311 |<-Unautho--| | SIP: (0) 401 Unauthorized
(sorry the trace is compacted but I guess you get it anyway)


This is what the Unauthorized says:

SIP/2.0 401 Unauthorized
From: "ATA 2869" <sip:2869@sip.aca.org.ar;user=phone>;tag=952885292
To: "ATA 2869" <sip:2869@sip.aca.org.ar;user=phone>;tag=12562873778988648_local.1415807579405_89703259_89977560
CSeq: 1 REGISTER
Call-ID: 4068342316@10.120.11.8
Via: SIP/2.0/TCP 10.100.90.203:5060;branch=z9hG4bK-s1632-000167697307-1--s1632-
Server: AVAYA-SM-6.3.9.0.639011

http://WWW-Authenticate:

Digest realm="sip.aca.org.ar",qop="auth",opaque="1234567890abcedef",nonce="161c37ed213dd7a8ae1d3afaed71a33793e1439de1c",algorithm=MD5,stale=false
Av-Global-Session-ID: 9d6f1f20-18b6-11e8-a8ee-6c3be5a668f0
Content-Length: 0

 

[kyle555]

Right. That's SM saying "now you should register again, but with a digest response that is a function of that nonce + your communication profile password in your SIP user in SMGR". The next register message from the ATA should have some kind of digest authentication, where, if correct, the SM will answer with 200OK.

So, for SIP profile 2689@sip.aca.org.ar, what's the communication profile password? and is it properly entered in the ATA? Is the 2nd register after the first 401 any different than the first register message?

You want to see authentication in the 2nd Register message like in message 5 here:

https://www.cisco.com/c/en/us/td/do...ion/guide/sip/sip30ad/SIP88APH.html#wp1007167

So, is your trace from the SBC or the SM? What happens when you trace from the SM? I'm seeing some parts that are "sbc.aca" and others that are 'sip.aca'.

Here's a good article on it. He mentions that typically, you'll see 407 for endpoints and 401 for servers. Almost like SM is seeing you being a server. It would only do that if the Register it got could not be associated to a SIP handle of a user

https://andrewjprokop.wordpress.com/2015/01/27/understanding-sip-authentication/

 

[JuanAvaya]

So, for SIP profile 2689@sip.aca.org.ar, what's the communication profile password? and is it properly entered in the ATA? Is the 2nd register after the first 401 any different than the first register message?

The password is ok and the 2nd REGISTER is just the same as the first one.


So, is your trace from the SBC or the SM? What happens when you trace from the SM? I'm seeing some parts that are "sbc.aca" and others that are 'sip.aca'.

The trace is from the SBC. In the SM you only see the first incoming REGISTER and the first outgoing Unauthorized. That's all.
sbc.aca.org.ar is just the name for the public ip of the SBC while sip.aca.org.ar is the SIP domain configured in the system. SBC Overwrites the ip/domain and puts the sip.aca.org.ar.

Why would SBC respond with Unauthorized to the second REGISTER instead of passing it to SM again?

 

[kyle555]

If there's no proxy-authorization or

http://www-authentication

header in the 2nd register, then the ATA isn't trying to provide a hash of its password to satisfy the registrar. That could be why the SBC rejects it if it passes the 1st register to SM but not the 2nd.