No SIP Incoming Calls

[num025]

We have a current setup of an SM 6.1 linked with a CM 6.0 media server using a G450 as a gateway, all of which are NATed behind a Checkpoint firewall (1-to-1 for SM and CM). We have no problems sending out calls through the far-end SIP entities, however we somehow can't get inbound calls from those same SIP entities even though we had all the routings/dial patterns already set.

When we did a traceSM on the call we saw that the domain is still set at the SM's public IP thus is not recognized by SM to be an authoritative domain. We were forced to do a regular expression on the called number but when it finally got to CM it replied with a "488 Not Acceptable Here" SIP message. We also got these denial events after that particular message:

19:22:44     denial event 2309: Drop call codec mismatch D1=0x50063 D2=0x800052c
19:22:44     active trunk-group 1 member 94    cid 0x52c
19:22:44     denial event 2300: Ept capabilities mismatch D1=0x2 D2=0x2
19:22:44     denial event 2300: Ept capabilities mismatch D1=0x2 D2=0x2
19:22:44     idle trunk-group 1 member 94    cid 0x52c
19:22:48 TRACE COMPLETE trunk-group  1 cid 0x0

To be honest, we're a bit stumped right now as to what's keeping the call from getting to a CM extension.

 

[PBXHowTo]

Quick response to the Denial messages:

2309: Drop call, codec mismatch.
2300: Endpoint connects to TDM bus or is hairpinned capabilities
mismatch.

What is the end point sending? (G.711, G.729, etc.) and what is your codec set setup as in the PBX? (display ip-codec-set)

Is hairpinning enabled in your sig group?

Also, is your checkpoint allowing TLS/TCP through?

What I have done to see if it willpass both ways is to put the IP address of the end point in the auth domain.

Give it a shot... long shot but worth a try.

 

[num025]

Here are some of the CM configs:

IP-Network-Region 2:

           Voice System name:                - IP NETWORK REGION            
  Region: 2                                                                     
Location: 1       Authoritative Domain: ciqhyd.com                              
    Name: CM to SM Link                                                         
MEDIA PARAMETERS                Intra-region IP-IP Direct Audio: yes            
      Codec Set: 1              Inter-region IP-IP Direct Audio: yes            
   UDP Port Min: 2048                      IP Audio Hairpinning? n              
   UDP Port Max: 65535                                                          
DIFFSERV/TOS PARAMETERS                                                         
 Call Control PHB Value: 46                                                     
        Audio PHB Value: 46                                                     
        Video PHB Value: 26                                                     
802.1P/Q PARAMETERS                                                             
 Call Control 802.1p Priority: 6                                                
        Audio 802.1p Priority: 6                                                
        Video 802.1p Priority: 5      AUDIO RESOURCE RESERVATION PARAMETERS     
H.323 IP ENDPOINTS                                       RSVP Enabled? n        
  H.323 Link Bounce Recovery? y                                                 
 Idle Traffic Interval (sec): 20                                                
   Keep-Alive Interval (sec): 5                                                 
            Keep-Alive Count: 5                                                 
                                                                                
                               IP NETWORK REGION                                
                                                                                
 RTCP Reporting Enabled? y                                                      
                                                                                
 RTCP MONITOR SERVER PARAMETERS                                                 
   Use Default Server Parameters? y                                             
                                                                                
                                                                                
                                                                                
                                                                                
                               IP NETWORK REGION                                
                                                                                
INTER-GATEWAY ALTERNATE ROUTING / DIAL PLAN TRANSPARENCY                        
 Incoming LDN Extension:                                                        
 Conversion To Full Public Number - Delete:    Insert:                          
 Maximum Number of Trunks to Use for IGAR:                                      
 Dial Plan Transparency in Survivable Mode? n                                   
                                                                                
BACKUP SERVERS(IN PRIORITY ORDER)    H.323 SECURITY PROFILES                    
 1                                   1   challenge                              
 2                                   2                                          
 3                                   3                                          
 4                                   4                                          
 5                                                                              
 6                                   Allow SIP URI Conversion? y                
                                                                                
TCP SIGNALING LINK ESTABLISHMENT FOR AVAYA H.323 ENDPOINTS                      
   Near End Establishes TCP Signaling Socket? y                                 
                       Near End TCP Port Min: 61440                             
                       Near End TCP Port Max: 61444                             
                                                                                
                                                                                
                                                                                
 Source Region: 2     Inter Network Region Connection Management     I       M  
                                                                     G  A    t  
 dst codec direct   WAN-BW-limits   Video      Intervening      Dyn  A  G    c  
 rgn  set   WAN  Units    Total Norm  Prio Shr Regions          CAC  R  L    e  
 1    2     y    NoLimit                                             n       t  
 2    1                                                                all      
 3                                                                              
 4                                                                              
 5                                                                              
 6                                                                              
 7                                                                              
 8                                                                              
 9                                                                              
 10                                                                             
 11                                                                             
 12                                                                             
 13                                                                             
 14                                                                             
 15

IP-Codec-Set 2

      Voice System name: McGraw-Hill S8300D - IP Codec Set                      
                                                                                
    Codec Set: 2                                                                
                                                                                
    Audio        Silence      Frames   Packet                                   
    Codec        Suppression  Per Pkt  Size(ms)                                 
 1: G.729             n         2        20                                     
 2: G.711MU           n         2        20                                     
 3:                                                                             
 4:                                                                             
 5:                                                                             
 6:                                                                             
 7:                                                                             
                                                                                
                                                                                
                                                                                
                                                                                
                          IP Codec Set                                          
                                                                                
                              Allow Direct-IP Multimedia? n                     
                                                                                
                                                                                
                                                                                
    	            Mode               Redundancy                                  
    FAX             t.38-standard       0                                       
    Modem           off                 0                                       
    TDD/TTY         US                  3                                       
    Clear-channel   n                   0

Signaling-Group 1

                                SIGNALING GROUP                                 
                                                                                
 Group Number: 1              Group Type: sip                                   
  IMS Enabled? y        Transport Method: tls                                   
        Q-SIP? n                                             SIP Enabled LSP? n 
     IP Video? n                                   Enforce SIPS URI for SRTP? y 
  Peer Detection Enabled? y  Peer Server: SM                                    
                                                                                
                                                                                
                                                                                
   Near-end Node Name: procr                 Far-end Node Name: mnl-sesmgr      
 Near-end Listen Port: 5061                Far-end Listen Port: 5061            
                                        Far-end Network Region: 2               
                                                                                
Far-end Domain: ciqhyd.com                                                      
                                             Bypass If IP Threshold Exceeded? n 
Incoming Dialog Loopbacks: eliminate                  RFC 3389 Comfort Noise? n 
         DTMF over IP: rtp-payload            Direct IP-IP Audio Connections? y 
Session Establishment Timer(min): 3                     IP Audio Hairpinning? n 
         Enable Layer 3 Test? yoice System name: MInitial IP-IP Direct Media? nP
H.323 Station Outgoing Direct Media? n            Alternate Route Timer(sec): 6

I think the end-point or far-end uses G.711/G.729, I could try and verify this later.

Is hairpinning required? I tried this call going out an analog trunk on that same CM which should reach one of the SIP entities in SM.

I'll have to ask about the Checkpoint part though as I'm not the one administering it.

So you mean to say I'll change the auth domains ip-network-region 1 and signaling-group 1 to the far-end IP address or should I create new ones for it?

Hey thanks again for the reply!

 

[PBXHowTo]

Ok, the IP address will only work in the TCP config. Since you have TLS, the security needs to match across the call setup but the strange part is the mismatch codec msg. I usually saw that when I tried to send G.729 calls to Microsoft Lync as Lync will only support G.711. Anyway...

I have hairpinning on, but you can try it on and off to see the results.

What you can do is setup a secondary SIP Trunk and sig group but set it as TCP for testing to see if the calls can go two way.

If that works, then you know it is a security issue with the TLS transport as it has to be trusted throughout the call.

Curious to see if the Checkpoint allows 5060 and 5061 both ways. Is QoS assured across the pipe?

 

[num025]

Thanks for the suggestions, however I tried all of those things but we were still having problems. The thing is, we were now able to at least get to the called number and have a good call for about several seconds before being dropped off with a busy signal, which was before I had done the changes you have suggested.

It's quite odd that virtually no changes were done on the Avaya end between now and yesterday yet we experienced some "improvements" on incoming calls (on all SIP entities to boot!).

 

[num025]

We conducted some inbound test calls and here's what we got from traceSM:

Do note that we were already engaged in the said call but it seems CM is still sending "ringing" SIP messages which was eventually replaced with a "timeout" message, ending the call with a busy tone. Also, for the whole duration of the call we experienced one-way audio to the called party.

We tried several configurations (reverted back to non-shuffled calls, got a separate TCP link to SM, etc.) to no avail. The only thing that made a difference is when we restricted the codec to G.729 which resulted in a "488 not acceptable here" message from CM and was not successfully able to make the call. Anyone has thoughts on this one why it's happening?

 

[num025]

It seems that if we used a codec other than G.711MU inbound calls will only ring then ends with a busy tone. However one side-effect is that we could now use outbound calls without any voice drops if G.729 is used. Quite a dilemma indeed...