
Connecting Multiple UCXs via Sip Trunks over VPN issues


sstelecom

Vendor
Dec 26, 2008
23
US
I am in need of some guidance...

I have a customer with (3) UCX systems: Site A, Site B and Site C. When I installed these systems approximately 8 months ago they were using a Windstream MPLS network. I was able to use SIP trunks and connect each system with no issues (I was amazed how easy it was). The customer has recently switched to AT&T Fiber with a VPN. Once we cut this over we cannot dial from site to site using the SIP trunks, although Site A can dial Site B or C but Site B or C cannot dial any site.

I can go to Site C and connect a Nortel Phone to Site A's UCX over the VPN using port 7000. I can also go to Site C and connect a SIP phone over the VPN using port 5060.

When I do SIP SHOW PEERS my Status says Ok, like they are registered.

I am in need of help. UCX is blaming the network and AT&T is claiming they are not blocking anything. Oh... I can also ping each UCX from any site.

Please Help
 
Sounds like the VPN is allowing traffic in one direction only.
Check the firewall rules at all sites. Many firewalls will allow pings by default but block other traffic.
If the firewall is OK, then more info about your overall configuration is needed (router types, IP subnets for local LAN and VPN, outgoing routes, trunk config, etc.).
Is the VPN server hosted on each site's router or the UCX?
At Site C, with the phones registered to Site A, will calls complete to all locations, and can that phone receive calls from all locations?

I have a 4 Site (non UCX system) customer connected without a VPN using IAX2 trunks, 3 digit dialing.
 
Here is what we found regarding this issue:

The first thing we saw was that the host entries in the SIP trunks were misconfigured. They were pointing to their own IP address, not the far-end IP address. We corrected the address on the Site1 location and the Site2 location. The third location, which I'll refer to as Site3, was configured correctly.


The site with the 192.168.1.X subnet appears to have a SIP Application enabled on the device at 192.168.1.254. This allows us to call Site2 or Site3 from Site1 but prevents any calls coming into Site1 from the other two sites. Due to the fact that the SIP Application is modifying the system IP address with the IP address of the SIP Application device, IP authentication fails.

The traceroute from Site1 to the other sites shows that the call does not route through the 254 device.


[root@ucx50 ~]# ifconfig (this is Site1)
eth0 Link encap:Ethernet HWaddr 00:E0:66:89:40:2E
inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:66ff:fe89:402e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8046496 errors:0 dropped:0 overruns:0 frame:0
TX packets:7565674 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1500648841 (1.3 GiB) TX bytes:1488713091 (1.3 GiB)
Interrupt:169 Memory:dfe00000-dfe10000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:215982 errors:0 dropped:0 overruns:0 frame:0
TX packets:215982 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:38855328 (37.0 MiB) TX bytes:38855328 (37.0 MiB)

tun8 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.99.93.178 P-t-P:10.99.93.177 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:20983 errors:0 dropped:0 overruns:0 frame:0
TX packets:24920 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2455786 (2.3 MiB) TX bytes:12420900 (11.8 MiB)

[root@ucx50 ~]# traceroute 192.168.2.20 (traceroute to Site3)
traceroute to 192.168.2.20 (192.168.2.20), 30 hops max, 40 byte packets
1 192.168.1.9 (192.168.1.9) 0.335 ms 0.283 ms 0.251 ms
2 192.168.99.3 (192.168.99.3) 4.808 ms 4.847 ms 5.043 ms
3 192.168.2.20 (192.168.2.20) 5.192 ms 5.216 ms 5.395 ms

[root@ucx50 ~]# traceroute 192.168.0.20 (traceroute to Site2)
traceroute to 192.168.0.20 (192.168.0.20), 30 hops max, 40 byte packets
1 192.168.1.9 (192.168.1.9) 0.295 ms 0.235 ms 0.193 ms
2 192.168.99.56 (192.168.99.56) 15.972 ms 15.979 ms 16.058 ms
3 192.168.0.20 (192.168.0.20) 16.315 ms 16.376 ms 16.442 ms



The traceroute from Site2 shows that the call will route through the 254 device. The SIP headers get modified incorrectly and the call fails.

[root@ucx20 ~]# ifconfig (this is Site2)
eth0 Link encap:Ethernet HWaddr 00:E0:66:D9:20:5F
inet addr:192.168.0.20 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6053415 errors:0 dropped:0 overruns:0 frame:0
TX packets:5718444 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1073676222 (1023.9 MiB) TX bytes:1051208256 (1002.5 MiB)
Interrupt:50 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:146047 errors:0 dropped:0 overruns:0 frame:0
TX packets:146047 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:31344175 (29.8 MiB) TX bytes:31344175 (29.8 MiB)

tun8 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.99.89.202 P-t-P:10.99.89.201 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:14500 errors:0 dropped:0 overruns:0 frame:0
TX packets:16451 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1710126 (1.6 MiB) TX bytes:6425201 (6.1 MiB)

[root@ucx20 ~]# traceroute 192.168.1.20 (traceroute to Site1)
traceroute to 192.168.1.20 (192.168.1.20), 30 hops max, 40 byte packets
1 192.168.0.1 (192.168.0.1) 0.228 ms 0.199 ms 0.221 ms
2 192.168.1.254 (192.168.1.254) 6.009 ms 5.501 ms 6.937 ms
3 192.168.1.20 (192.168.1.20) 18.070 ms 17.995 ms 18.486 ms

[root@ucx20 ~]# traceroute 192.168.2.20 (traceroute to Site3)
traceroute to 192.168.2.20 (192.168.2.20), 30 hops max, 40 byte packets
1 192.168.0.1 (192.168.0.1) 0.248 ms 0.238 ms 0.248 ms
2 192.168.1.254 (192.168.1.254) 5.734 ms 5.501 ms 5.457 ms
3 * * *
4 192.168.99.3 (192.168.99.3) 9.994 ms 9.975 ms 10.136 ms
5 192.168.2.20 (192.168.2.20) 10.131 ms 10.472 ms 10.638 ms
[root@ucx20 ~]#

And if we look at the traceroute from the Site3 location, we see the calls being routed through the 254 device here also.

[root@ucx20 ~]# ifconfig (this is Site3)
eth0 Link encap:Ethernet HWaddr 00:E0:66:D9:20:D2
inet addr:192.168.2.20 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5417481 errors:0 dropped:0 overruns:0 frame:0
TX packets:4628455 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:960047832 (915.5 MiB) TX bytes:929574919 (886.5 MiB)
Interrupt:50 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:40729 errors:0 dropped:0 overruns:0 frame:0
TX packets:40729 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3723486 (3.5 MiB) TX bytes:3723486 (3.5 MiB)

tun8 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.99.93.90 P-t-P:10.99.93.89 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:21839 errors:0 dropped:0 overruns:0 frame:0
TX packets:28664 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2077201 (1.9 MiB) TX bytes:17795966 (16.9 MiB)

[root@ucx20 ~]# traceroute 192.168.0.20 (traceroute to Site1)
traceroute to 192.168.0.20 (192.168.0.20), 30 hops max, 40 byte packets
1 192.168.2.1 (192.168.2.1) 0.213 ms 0.186 ms 0.195 ms
2 192.168.1.254 (192.168.1.254) 9.607 ms 9.462 ms 4.947 ms
3 * * *
4 192.168.99.56 (192.168.99.56) 10.078 ms 10.080 ms 10.175 ms
5 192.168.0.20 (192.168.0.20) 10.713 ms 10.429 ms 10.602 ms

[root@ucx20 ~]# traceroute 192.168.1.20 (traceroute to Site2)
traceroute to 192.168.1.20 (192.168.1.20), 30 hops max, 40 byte packets
1 192.168.2.1 (192.168.2.1) 0.247 ms 0.204 ms 0.273 ms
2 192.168.1.254 (192.168.1.254) 7.607 ms 5.274 ms 4.924 ms
3 192.168.1.20 (192.168.1.20) 5.433 ms 5.320 ms 6.140 ms
[root@ucx20 ~]#

We do not know what the device is at 192.168.1.254, as it is not a gateway configured in any of our systems. When a SIP message travels through this device, the IP address in the Contact header gets replaced with 192.168.1.254. When this occurs we reject the message because 192.168.1.254 is not configured anywhere in any of our UCx systems.

This information was reported to the reseller on August 7 and we have not heard back from them as to whether this has been resolved or not.

I just wanted to provide this information to the community for two reasons: first, to make everyone aware of these SIP ALGs and what they do (modify the SIP messages), and secondly, to show how to troubleshoot an issue like this.
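
The check described in the post above, as an added example that is not part of the original thread or the vendor's tooling: it flags SIP header addresses that are not configured trunk peers and then confirms the flagged address is a hop on the traceroute path. The INVITE is constructed for illustration; the peer addresses and traceroute lines are copied from the thread, and the function names are hypothetical.

```python
import re

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
COMPACT = {"v": "via", "m": "contact", "f": "from"}  # RFC 3261 compact header names

# UCX addresses of the three sites, as shown in the ifconfig output in the thread.
CONFIGURED_PEERS = {"192.168.0.20", "192.168.1.20", "192.168.2.20"}

# Constructed INVITE: what Site1 might see from Site2 once Contact has been rewritten.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:200@192.168.1.20 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.0.20:5060;branch=z9hG4bK-constructed",
    "From: <sip:300@192.168.0.20>;tag=constructed",
    "To: <sip:200@192.168.1.20>",
    "Contact: <sip:300@192.168.1.254:5060>",
    "Call-ID: constructed@192.168.0.20",
    "CSeq: 1 INVITE",
    "Content-Length: 0", "", ""])

# Site2 -> Site1 traceroute hops copied from the thread.
TRACE_SITE2_TO_SITE1 = """\
 1 192.168.0.1 (192.168.0.1) 0.228 ms 0.199 ms 0.221 ms
 2 192.168.1.254 (192.168.1.254) 6.009 ms 5.501 ms 6.937 ms
 3 192.168.1.20 (192.168.1.20) 18.070 ms 17.995 ms 18.486 ms
"""

def unknown_header_hosts(message, peers):
    """Return (header, address) pairs whose address is not a configured peer."""
    found = []
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        if name in ("via", "contact", "from"):
            found += [(name, ip) for ip in IPV4.findall(value) if ip not in peers]
    return found

def hop_numbers(trace, address):
    """Return the hop numbers at which `address` answered in traceroute output."""
    hops = []
    for line in trace.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit() and fields[1] == address:
            hops.append(int(fields[0]))
    return hops

if __name__ == "__main__":
    for header, ip in unknown_header_hosts(SAMPLE_INVITE, CONFIGURED_PEERS):
        print(header, ip, "on path at hop", hop_numbers(TRACE_SITE2_TO_SITE1, ip))
```

Run against a real capture, a Contact or Via address that is both unknown to the trunk configuration and present as a traceroute hop points at an in-path device rewriting SIP rather than at the PBX itself.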

 