IX Workplace remote worker failover from ipo primary to secondary 3

[UCMen33260]

Hi team,

I'm a new member on TEK-TIPS looking to share my skills, to help members and to be helped too

I deployed a primary and a secondary IPO and an SBCE for remote workers.
When the primary IPO fails, IX Workplace is unable to register on IPO secondary.
Someone has tested this and have a solution?
Thank you

Best regards

 

[UCMen33260]

I found that on IX logs:

2020-02-21 23:43:27,141 DEBUG [CSDKEventLoop] - [ClientSDK] > CSIPIdentity[102]:: Discovered Proxy Set
SignalingServerGroup {

RegistrationGroup {

SimultaneousRegistrationsLimit = 1

SignalingServer {
ServerName = ipo-a-01.mydomain.com
FailbackPolicy = auto
Addrs = {
}
TransportToPortMap {
TLS :5061
}
PreloadedRoutes = {
}
IsPermanentMemberOfRegistrationGroup = false
}
}


RegistrationGroup {

SimultaneousRegistrationsLimit = 1

SignalingServer {
ServerName = tcp://ipo-a-02.mydomain.com:5060
FailbackPolicy = auto
Addrs = {
}
TransportToPortMap {
TCP : 5060
}
PreloadedRoutes = {
}
IsPermanentMemberOfRegistrationGroup = false
}
}

}

 

[UCMen33260]

I tried that:

I cleared IX config and registering again using the IPO secondary 46xxsettings file.
So, IX is registered on IPO secondary.
I disconencted the IPO secondary and waiting 10 min.
I donwloaded the IX logs file and surprise ! logs shows same issue, in this case inverted so:


SET SIP_CONTROLLER_LIST "ipo-a-02.mydomain.fr:5061;transport=tls,ipo-a-01.mydomain.fr:5060;transport=tcp"

Result of troubleshooting:

Always the fallback system SIP controller is on TCP 5060...

I will do a deepdive on IPO linux files...

Regards

 

[UCMen33260]

Hi,

I found a solution and now IX resiliency is working fine between IPO primary and secondary !

regards

 

[derfloh]

Would you share your solution?

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN

 

[UCMen33260]

Yes of course !

My issue was on SIP Servers on SBCE:

I used TCP, so when IX connect on the IPO primary, I see on the (200 OK):

<ipo>
backup_ipoffice_server="ipo-a-02.mydomain:5060;transport=tcp";
FAILBACK_POLICY="auto";
</ipo>

I changed the protocol on both SIP Server to TLS and the backup_ipoffice_server is on TLS 5061 now!

Another important thing, I must change TLS from 1.2 to 1.0 in IPO security settings.
Without this change, System status shows an error: unsupported protocol version.

I'm working on that, I'll upgrade IPO on SP2

Another thing, When I select a TLS Client Profile on SIP Server, IX don't connect and SBCE shows errors on (Incidents tab):

Incident Type TLS Handshake Failed Category TLS Certificate
Timestamp February 24, 2020 12:30:33 PM CET Device SBC-CLUSTER
Cause error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Incident Type TLS Handshake Failed Category TLS Certificate
Timestamp February 24, 2020 12:30:33 PM CET Device SBC-CLUSTER
Cause unable to get issuer certificate


I'm working on that now !

regards

 

[derfloh]

Probably the SBC doesn't know the IPOs server certificate.

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN

 

[UCMen33260]

Strange, because I use the same certificate on SBCE and IPO.
I use a Let's Encrypt SSL Certificate.

 

[derfloh]

And the server 'name' the SBC users to the connect to IPO matches the IPO certificate name?

And the SBC has let's encrypt as a trusted CA?

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN

 

[UCMen33260]

Here is client/server profiles:

Does I need to install the CA on the EMS ?

 

[derfloh]

Yes... You have the IPO Root in the peer Certificate Authorities you will need the let's encrypt root certificates if the IPO uses a let's encrypt certificate.

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN

 

[UCMen33260]

No, I have the Let's Encrypt CA, (IPO_A_ROOT_V1 is only the name used).

The issue is that when I requested the SSL certificate on Lets Encrypt website, I received a CA Bundle that contain the CA and the intermediate CA.
The SBCE don't support that maybe...

 

[derfloh]

The bundle contains the server certificate AND the root certificates. You have to extract it or download the needed root certificates from let's encrypt.

And you have to adress IPO via FQDN instead of IP address I guess. Because the let's encrypt certificate will probably not contain the internal IP of IPO in it's SANs.

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN

 

[UCMen33260]

No, Let's Encrypt bundle contain CA only: here is an example from Lets Encrypt website

And certificate is provided separatly:

 

[derfloh]

And the server 'name' the SBC users to the connect to IPO matches the IPO certificate name?

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN

 

[UCMen33260]

yes

 

[UCMen33260]

The certificate issue appear only when I select a TLS Client profile on SIPServer:

This feature seems to be not mondatory.

 

[derfloh]

Server IP/FQDN is 10.200.26.1 and this is probably not a SAN in the certificate.

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN

 

[UCMen33260]

Public certification authority don't provide certificates with IP addresses on the SAN.

 

[derfloh]

Then you have to replace the IP in your server profile with a FQDN that is part of the certificate. And adjust internal DNS so that SBC is still able to find IPO.

IP Office remote service
Fixed price SIP trunk configuration
CLI based call blocking
SCN fallback over PSTN

 

[UCMen33260]

TLS Client Profile must be NONE on my configuration, because my SIP Servers are (Call Server type) and DNS Query type is forced on NONE/A when you select Call Server

Information from Avaya SBCE documentation :

But I confirm that Ihave an issue on my certificate and TLS profiles configuration.

To use FQDN in my SIP Servers, I should have a DNS resolution internally, but the problem in SBCE, that I cannot select a DNS server for each interface (B1, B2, A1).

And in my case, I need DNS resolution on B1 interface, because B1 is used for SIP Trunk, and Trunk Server use SRV like DNS Query type to resolve the Registrar SIP.

I'm looking for a solution on that DNS problem.