SBCE Initial setup 2

[avAyATEKky]

I have installed EMS/SBCE in a virtual environment with a 50 license on a stand alone weblm all v6.3.

First issue I am having is having the SBCE connect to the WebLM it keeps error out I did the

http://(ip

Address):52233/WebLM/LicenseServer and all sorts of break downs.

Second I install a device but I am completely confused on setting it up waht IPs go where etc.. and reading the Docs make me more confuse Avaya has no straight forward documents that I came across on the support site.

Also this is a test environment where the SBCE ove has been setup for two dedicated VM NICs. Me assuming 1 for internet and 1 for intranet. So my plan was to put an IP Phone ont the internet side and see if I could connect to the Intranet through the SBC.


Today Makes Tomorrow

 

[montyzummer]

what do you mean POC ? what are you trying to get running with the Iphone as there are some specific rules that will need to be configured on the SBC depending on what you are trying to achieve

ACSS (UC/SBCE/SM/SME)

Not that they mean a thing anymore , get a brain dump pass the test crash the system.

 

[wpetilli]

We are POC'ng remote worker (Avaya Communicator on iPhone). Avaya provided a trial license for us to use to trial the SBC etc.. before we decide to purchase. The SBC's/EMS/WEBLM were all spun up and they assisted in the configuration. My security folks opened the FW ports and I'm now at the point where I'm getting a cert error on the iphone. They are emailing me bits and pieces of info and not in real time. Basically, the SBC's look to have the default/demo cert that came with the install, my SM's are all using their demo certs and not SMGR, and from the emails it sounds like I have a bunch of cert changes to make. It sounds like they are asking me to replace the SM demo cert with the SMGR cert and then that same cert on the phone and SBC.

 

[kyle555]

You can get away with initTM -d on SM to use the demo certs and if you load those on the iPhone and they're still on the SBC, you'll be fine.

Don't expect One-X Communciator SIP with Presence to work, but for basic telephony, you should be ok...so long as you don't need the headphone jack

 

[montyzummer]

Ahh proof of concept .. i see .... anyway +1 for what Kyle has told you , i have it set up and working in this mannor.

ACSS (UC/SBCE/SM/SME)

Not that they mean a thing anymore , get a brain dump pass the test crash the system.

 

[wpetilli]

Ok, I'll try using the default SM cert. I'll have to export that and apply on the SBC.

 

[kyle555]

No you don't need to - try registering TLS to the SBC - you'll see it has the default Avaya cert signed by the Avaya CA just like SM so you can get away with it there.

Also, I tried getting custom certs on the SBC but its a pain and wants the private keys of things - so you wouldn't be able to load anything you didn't set up yourself anyway.

 

[wpetilli]

Well that did something different.. this time the phone is saying VOIP Cert problem -- there's a prob w/the security cert required for VOIP phone service.

 

[wpetilli]

I also exported and installed the trust cert from SM to the phone and I no longer have cert errors, but I keep getting login failed. the extension/pwrd in SMGR look all correct, so I'm now troubleshooting that.

 

[wpetilli]

I bypassed the SBC and ensured I can register directly to Session Manager to eliminate an issue with the extension/pwrd.

I'm now running a traceSBC and when I try to login from external the trace results come back with:

14:01:49.840 |--CHello-->| | TLS: (T1) Client Hello
14:01:49.840 |<--SHello--| | TLS: (T1) Server Hello
14:01:49.840 |<---Cert---| | TLS: (T1) Certificate (CN=Avaya SBC Edge)
14:01:49.840 |<-SHelloD--| | TLS: (T1) Server Hello Done
14:01:50.000 |--CKeyEx-->| | TLS: (T1) Client Key Exchange
14:01:50.159 |--EncHand->| | TLS: (T1) Encrypted Handshake Message
14:01:50.894 |--REGISTE->| | SIP: (0) sips:test.blackstone.com Exp:3600
14:01:50.894 |<-Forbidd--| | SIP: (0) 403 Forbidden


10.254.105.119:5061 -- TLS --> 107.107.56.163:56239
SIP/2.0 403 Forbidden
From: <sips:6499@test.blackstone.com>;tag=19164DAB-6C6B-4778-8A52-5E6EE6F2BEDE
To: <sips:6499@test.blackstone.com>;tag=zXcVbNmc4b4ca52d
CSeq: 1 REGISTER
Call-ID: 6A16C0CB-F002-4DD5-B2CC-CAB888F280ED
Via: SIP/2.0/TLS 10.25.78.64:50536;branch=z9hG4bKDFE2408A-5421-4DE9-9C21-1B6E04A5A0FC
Content-Length: 0

 

[kyle555]

OK, so your certs are OK. What does the SBC do with the register message? does it proxy it to a SM?

If not, that's when you're looking into your endpoint flows and server flows in the doc for SBC for remote workers.

 

[wpetilli]

Nothing ever makes it to Session Manager. We see if passes through the FW to the SBC and it dies in there. I went through the doc and I'm not seeing anything out of the ordinary that wasn't config'd.

 

[kyle555]

Yeah, the SBC is a pain like that. It has a bunch of layers that you need to have setup to go through for it to pass the registration along.

Log into the EMS and check for incidents on top - you'll probably see something subscriber flow not matched or something to that effect. It most likely lends itself to thinking you missed a step somewhere.

Endpoint flows, session flows, server profiles, user agents, whether it's setup to allow/accept on TCP/or TLS inside or outside and what it does afterwards on the inside - make it TCP or not... you get the idea.

 

[wpetilli]

Thanks again.. I'm just super frustrated. It took avaya 3 months just to get me the trial license, the resource to setup and now it's radio silence. Actually, there are those incidents you mentioned.

Incident Details

General Information
Incident Type Registration Denied Category Policy
Timestamp September 19, 2016 5:21:04 PM EDT Device sbce1
Cause No Subscriber Flow Matched

Message Data
Method Name REGISTER
Call ID B83171E5-82C1-4B18-96BB-D1EA753F303D From 6499@test.blackstone.com
To 6499@test.blackstone.com Source IP 107.107.61.255
Destination IP 10.254.105.119

 

[kyle555]

Yup. Been there, buddy. You're missing a checkbox or two somewhere - that's it. Your SBC wouldn't be whining if it knew how to manage what you were throwing at it. You've unfortunately got a config problem.

 

[wpetilli]

Stupid question, but I'm not seeing this in any of the docs on the Session Manager section.. does the SBC need to be created as a SIP Entity, with entity links to SM?

 

[Wanebo]

Yes the SBCE needs to have a entity link to the ASM.

That missing would result in the incident you are seeing.

 

[kyle555]

I disagree. You need an entity link for trunking, but not for set registration. In the SBC you'd need a "server profile" to manage how the SBC proxies the registration to SM, but it isn't a question of an entity link in SM.

 

[wpetilli]

I was able to get an 'sbc' resource for 30 mins and he messed around with the user agent/subscriber flow and the traffic finally made it down to SM, but I'm still getting 401 unauthorized on the SM and 403 forbidden on the SBC. I retested registering directly to SM and that worked so I know the user ext/pwrd is good, but I'm failing on invalid login/pwrd at the device.

 

[mattKnight]

Just a heads up , if you have your SBC`s in a HA config , something that Avaya slipped under the radar is the your private interfaces need to be on a different subnet to your core equipment (session manager , CM) as if they are not the way the SBC`s handle GARP during an inter change will result in loss of audio , trust me this is something that will happen and cause head scratching as its totally random.

Great catch Monty and starred for it! I've seen similar with a duplex ACM, with handsets in the same network.

Have you had the same issue with the Public/dirty interfaces or is it just that the networking kit is better at handling gARP than Servers/handsets/media gateways?




Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[kyle555]

is it TLS end to end, or does the SBC go TCP from the inside to SM?
And, is SM set up to allow that?