
SMGR & ASBCE Certificates 1

Status
Not open for further replies.

Bonker1974

Technical User
Oct 11, 2011
359
BS
Hi
Does anyone know where I can find a document on how to use the Avaya SMGR as a certificate authority for ASBCE?
We have an ASMGR and ASM 8.0 with SBCE, with SIP trunks using TLS between the ASM and SBCE.
In the trace on the ASM we are getting "407 Proxy Authentication Required". I believe it has to do with the certificate.




Any help would be greatly appreciated


Leadership determines the direction of the company. Organization determines the potential of the company. Personnel determines the success of the company.
 
Nope. If you're getting a SIP response, then that means you had a TLS handshake first and that means your certs are OK.

You probably just loaded up the SMGR CA on the SBC and the SBC is the "client" toward SM and trusts the cert SM sent in the TLS handshake.

You're getting a 407 because SM isn't associating the request to an entity/entity link. SM supports sets and trunks. So when a request comes in, it'll analyze it to see if its IP/port matches a known entity link. If it doesn't, it'll presume it's a set and is giving a 407 to get the phone to send the request again with its password which shows up as a hashed value in a nonce.

So, if you had a plain old SIP phone registered, when you try to make a call, you'll send SM an invite, it'll send you a 407, you'll send another invite with a nonce, and SM will continue along. You're getting the 407 because SM can't associate it to a trunk and is presuming it's a set.
 
Kyle555, Thanks for the information very informative. But this is a SIP trunk. We are doing IP Auth with the CO.
So what you are saying is there is some configuration issue on the SM? Maybe an adaptation issue?

 
Look in a traceSM.

Does the invite toward SM have the IP/port of a matching entity link?
 
I saw where it was sending the traffic over port 5060 when it should be using 5061. I was able to correct that; now the calls are using port 5061.

After correcting that now I am getting "500 Server Internal Error"


SIP/2.0 500 Server Internal Error │
06:5│Organization: Metaswitch Networks │
06:5│Supported: resource-priority, siprec, 100rel, replaces │
06:5│Record-Route: <sip:172.16.103.55:5061;ipcs-line=464667;lr;transport=tls> │
06:5│Record-Route: <sip:NAD-SM@172.16.103.54;av-asset-uid=rw-36ce40af;lr;transport=TLS> │
06:5│Record-Route: <sip:127.0.0.2:15061;transport=tls;ibmsid=local.1565157285143_7253873_7253890│
06:5│;lr> │
06:5│Record-Route: <sip:NAD-SM@172.16.103.54;av-asset-uid=rw-36ce40af;lr;transport=TLS> │
06:5│Record-Route: <sip:172.16.103.55:5061;ipcs-line=464666;lr;transport=tls> │
06:5│Contact: <sip:172.16.103.55:5061;transport=tls;gsid=77d815c0-48d7-11ea-babf-000c29159aac;as│
06:5│m=1> │
06:5│To: <sip:2426032920@172.16.103.54:5061>;tag=sip+1+91b60232+512f2f3c │
06:5│From: <sip:2423027835@172.16.103.55>;tag=24.51.100.100+1+be4f0101+e8ab0b93 │
06:5│Server: DC-SIP/2.0 AVAYA-SM-8.0.0.0.800035 │
06:5│Call-ID: f67dae18efbc155b5773db1c55a9012f │
06:5│CSeq: 846667984 INVITE │
06:5│Via: SIP/2.0/TLS 172.16.103.55:5061;branch=z9hG4bK-s1632-001627714650-1--s1632-

 
I have corrected 500 Server Internal Error, I had to correct the dial plan.

 
I have this other issue with this same SIP trunk. The call rings, but it is going out over another trunk rather than ringing the phone.

Trunk to ASM is 98 and trunk 99 is voicemail



time data

10:51:00 TRACE STARTED 02/06/2020 CM Release String R018x.00.0.822.0
10:59:57 SIP<INVITE sip:2426032920@nad.local SIP/2.0
10:59:57 Call-ID: 187c5a51660317452dc6861df5941010
10:59:57 active trunk-group 98 member 187 cid 0x27f0
10:59:57 term trunk-group 99 cid 0x27f0
10:59:57 seize trunk-group 99 member 10 cid 0x27f0
10:59:57 Calling Number & Name 2423027835 NO-CPName
10:59:57 SIP>INVITE sip:2426032920@nad.local SIP/2.0
10:59:57 Call-ID: b8b314c448f941eabe120c294eb93
10:59:57 Setup digits 2426032920
10:59:57 Calling Number & Name 2423027835 NO-CPName
10:59:57 SIP<SIP/2.0 100 Trying
10:59:57 Call-ID: b8b314c448f941eabe120c294eb93
10:59:57 Proceed trunk-group 99 member 10 cid 0x27f0
10:59:57 SIP<SIP/2.0 200 OK

 

11:58:22 TRACE STARTED 02/06/2020 CM Release String R018x.00.0.822.0
11:58:28 SIP<INVITE sip:2426032920@nad.local SIP/2.0
11:58:28 Call-ID: 946bb53f8490bd4640b57e799fadc158
11:58:28 active trunk-group 98 member 187 cid 0x3c2c
11:58:28 term trunk-group 99 cid 0x3c2c
11:58:28 seize trunk-group 99 member 35 cid 0x3c2c
11:58:28 Calling Number & Name 2423027835 NO-CPName
11:58:28 SIP>INVITE sip:2426032920@nad.local SIP/2.0
11:58:28 Call-ID: e5ceecd249141eaa0ae0c294eb93
11:58:28 Setup digits 2426032920
11:58:28 Calling Number & Name 2423027835 NO-CPName
11:58:28 SIP<SIP/2.0 100 Trying
11:58:28 Call-ID: e5ceecd249141eaa0ae0c294eb93
11:58:28 Proceed trunk-group 99 member 35 cid 0x3c2c
11:58:28 SIP<SIP/2.0 200 OK

time data
11:58:28 Call-ID: e5ceecd249141eaa0ae0c294eb93
11:58:28 SIP>ACK sip:172.16.103.75:5060;transport=tcp SIP/2.0
11:58:28 Call-ID: e5ceecd249141eaa0ae0c294eb93
11:58:28 SIP>SIP/2.0 200 OK
11:58:28 Call-ID: 946bb53f8490bd4640b57e799fadc158
11:58:28 active trunk-group 99 member 35 cid 0x3c2c
11:58:28 G711MU ss:off ps:20
rgn:1 [172.16.103.75]:8000
rgn:1 [172.16.103.15]:2078
11:58:28 xoip options: fax:T38 modem:pT tty:US uid:0x5003a
xoip ip: [172.16.103.15]:2078
11:58:28 G711MU ss:off ps:20
rgn:1 [172.16.103.55]:35486
rgn:1 [172.16.103.15]:2094
11:58:28 xoip options: fax:T38 modem:pT tty:US uid:0x5027c
xoip ip: [172.16.103.15]:2094

LIST TRACE

time data
11:58:28 SIP<ACK sip:172.16.103.13;transport=tcp;asm=1 SIP/2.0
11:58:28 Call-ID: 946bb53f8490bd4640b57e799fadc158
11:58:28 SIP>INVITE sip:172.16.103.75:5060;transport=tcp SIP/2.0
11:58:28 Call-ID: e5ceecd249141eaa0ae0c294eb93
11:58:28 SIP<SIP/2.0 100 Trying
11:58:28 Call-ID: e5ceecd249141eaa0ae0c294eb93
11:58:28 SIP<SIP/2.0 200 OK
11:58:28 Call-ID: e5ceecd249141eaa0ae0c294eb93
11:58:28 SIP>INVITE sip:91817cb0925192a218defd281a5a2e6d@172.16.103.
11:58:28 SIP>55:5061;transport=tls;gsid=e6dbc960-4901-11ea-babf-000c
11:58:28 SIP>29159aac;asm=1 SIP/2.0
11:58:28 Call-ID: 946bb53f8490bd4640b57e799fadc158
11:58:28 SIP<SIP/2.0 100 Trying
11:58:28 Call-ID: 946bb53f8490bd4640b57e799fadc158
11:58:28 SIP<SIP/2.0 200 OK
11:58:28 Call-ID: 946bb53f8490bd4640b57e799fadc158

LIST TRACE

time data
11:58:28 SIP>ACK sip:91817cb0925192a218defd281a5a2e6d@172.16.103.55:
11:58:28 SIP>5061;transport=tls;gsid=e6dbc960-4901-11ea-babf-000c291
11:58:28 SIP>59aac;asm=1 SIP/2.0
11:58:28 Call-ID: 946bb53f8490bd4640b57e799fadc158
11:58:28 SIP>ACK sip:172.16.103.75:5060;transport=tcp SIP/2.0
11:58:28 Call-ID: e5ceecd249141eaa0ae0c294eb93
11:58:32 SIP<BYE sip:172.16.103.13;transport=tcp;asm=1 SIP/2.0
11:58:32 Call-ID: 946bb53f8490bd4640b57e799fadc158
11:58:32 SIP>SIP/2.0 200 OK
11:58:32 Call-ID: 946bb53f8490bd4640b57e799fadc158
11:58:32 SIP>BYE sip:172.16.103.75:5060;transport=tcp SIP/2.0
11:58:32 Call-ID: e5ceecd249141eaa0ae0c294eb93
11:58:32 idle trunk-group 98 member 187 cid 0x3c2c


 

Sip Trace on ASM

SM100 172.16.103.15
─────────────┬───────────┬───────────┬───────────┬───────────┬───────────────────────────────────────────────────────────────────────────────────────────────
12:01:11.449 │──INVITE──►│ │ │ │ (2) T:2426032920 F:2423027835 U:2426032920
12:01:11.451 │◄──Trying──│ │ │ │ (2) 100 Trying
12:01:11.454 │ │──INVITE──►│ │ │ (2) T:2426032920 F:2423027835 U:2426032920 P:terminating
12:01:11.455 │ │◄──Trying──│ │ │ (2) 100 Trying
12:01:11.467 │ │◄──200 OK──│ │ │ (2) 200 OK (INVITE)
12:01:11.467 │◄═══════════════G711u═════════════►│ │ (2) RTP 172.16.103.55:35488 <-G711u-> 172.16.103.15:2084
12:01:11.469 │◄──200 OK──│ │ │ │ (2) 200 OK (INVITE)
12:01:11.482 │────ACK───►│ │ │ │ (2) sip:172.16.103.13
12:01:11.483 │ │────ACK───►│ │ │ (2) sip:172.16.103.13
12:01:11.512 │ │◄──reINVIT─│ │ │ (2) T:2423027835 F:2426032920 U:91817cb0925192a218defd281a5a2e6d
12:01:11.512 │◄═════════════════════G711u═══════════════════►│ (2) RTP 172.16.103.55:35488 <-G711u-> 172.16.103.75:8000
12:01:11.513 │ │──Trying──►│ │ │ (2) 100 Trying
12:01:11.514 │◄──reINVIT─│ │ │ │ (2) T:2423027835 F:2426032920 U:91817cb0925192a218defd281a5a2e6d
12:01:11.519 │──Trying──►│ │ │ │ (2) 100 Trying
12:01:11.532 │──200 OK──►│ │ │ │ (2) 200 OK (INVITE)
12:01:11.534 │ │──200 OK──►│ │ │ (2) 200 OK (INVITE)
12:01:11.553 │ │◄────ACK───│ │ │ (2) sip:91817cb0925192a218defd281a5a2e6d@172.16.103.55:5061
12:01:11.554 │◄────ACK───│ │ │ │ (2) sip:91817cb0925192a218defd281a5a2e6d@172.16.103.55:5061
12:01:16.057 │────BYE───►│ │ │ │ (2) sip:172.16.103.13
12:01:16.059 │ │────BYE───►│ │ │ (2) sip:172.16.103.13
12:01:16.060 │ │◄──200 OK──│ │ │ (2) 200 OK (BYE)
12:01:16.061 │◄──200 OK──│ │ │ │ (2) 200 OK (BYE)






 
The SIP Trunk between the CM and the SM is TCP, I'm wondering if that needs to be TLS rather than TCP.

 
No, you'd get some other error like a 405 method not allowed. The SIPS URI scheme defines that. If A trunks to B trunks to C and A-->B is TLS and B-->C is TCP, if A sends a request that is sip://1234@whatever.com, B will send to C and C will accept. If it was sips://1234@whatever.com, C should reject because SIPS dictates it must be end to end TLS.

I still don't know what your call flow is, but the trace you have there shows a normal call setup and the reinvites to shuffle off a DSP and go direct.
 
I believe this is what you are talking about with call flow.

Screenshot_2020-02-06_at_4.50.16_PM_gq7wjx.png


 
Well, we got past the 407. Now your trace shows what appears to be a normally happy 5 second phone call. What went wrong? The end that sent the bye didn't intend to terminate the call?

I'd look at a traceSBC of the same call. Probably some final ACK not making it back or something and some signaling timer expired even though media got set up.
 
OK, I figured out why the calls were coming in on one trunk and going over another trunk. The issue was in the locations; I had to tell it what trunk is the SM route.
After doing that I'm getting 604 Does not Exist Anywhere (INVITE Loop Detected).



Avaya SBCE NAD-CM SM100 172.16.105.49
─────────────┬───────────┬───────────┬───────────┬────────────────────────────────────────────────────────────────────────────
19:48:02.465 │──INVITE──►│ │ │ (2) T:2426032920 F:2424773350 U:2426032920
19:48:02.466 │◄──Trying──│ │ │ (2) 100 Trying
19:48:02.483 │ │──INVITE──►│ │ (2) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.484 │ │◄──Trying──│ │ (2) 100 Trying
19:48:02.487 │ │◄──INVITE──│ │ (3) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.489 │ │──Trying──►│ │ (3) 100 Trying
19:48:02.491 │ │──INVITE──►│ │ (3) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.491 │ │◄──Trying──│ │ (3) 100 Trying
19:48:02.494 │ │◄──INVITE──│ │ (4) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.497 │ │──Trying──►│ │ (4) 100 Trying
19:48:02.498 │ │──INVITE──►│ │ (4) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.499 │ │◄──Trying──│ │ (4) 100 Trying
19:48:02.501 │ │◄──INVITE──│ │ (5) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.501 │ │──Trying──►│ │ (5) 100 Trying
19:48:02.505 │ │──INVITE──►│ │ (5) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.505 │ │◄──Trying──│ │ (5) 100 Trying
19:48:02.507 │ │◄──INVITE──│ │ (6) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.508 │ │──Trying──►│ │ (6) 100 Trying
19:48:02.510 │ │──INVITE──►│ │ (6) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.511 │ │◄──Trying──│ │ (6) 100 Trying
19:48:02.513 │ │◄──INVITE──│ │ (7) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.513 │ │──Does no─►│ │ (7) 604 Does not Exist Anywhere (INVITE Loop Detected)
19:48:02.513 │ │◄────ACK───│ │ (7) sip:2426032920@nad.local
19:48:02.514 │ │◄──Does no─│ │ (6) 604 Does not Exist Anywhere (INVITE Loop Detected)
19:48:02.551 │ │────ACK───►│ │ (6) sip:2426032920@nad.local
19:48:02.573 │ │──Does no─►│ │ (6) 604 Does not Exist Anywhere (INVITE Loop Detected)
19:48:02.573 │ │◄────ACK───│ │ (6) sip:2426032920@nad.local
19:48:02.574 │ │◄──Does no─│ │ (5) 604 Does not Exist Anywhere (INVITE Loop Detected)
19:48:02.574 │ │────ACK───►│ │ (5) sip:2426032920@nad.local


 
You got a routing loop.

Loop detection is a SM feature. Look in the SM admin guide - basically, it means if SM gets the same FROM/TO/P-Asserted-Identity ping-ponging more than a couple of times, it tries to kill the call.
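A log-triage sketch for the loop described in the reply above, added here as an example and not part of the original thread or Avaya's code: it scans traceSM-style summary lines for the same T:/F:/U: INVITE recurring under several dialog indexes within a short window. The sample trace is constructed in the thread's layout, the parenthesised number is assumed to be a per-dialog index, and the `max_dialogs` and `window_s` thresholds are hypothetical, not Session Manager's own.

```python
import re
from collections import defaultdict

# Constructed sample in the traceSM summary layout shown in the thread.
# It is not a real capture.
SAMPLE_TRACE = """\
19:48:02.465 │──INVITE──►│ │ │ (2) T:2426032920 F:2424773350 U:2426032920
19:48:02.483 │ │──INVITE──►│ │ (2) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.487 │ │◄──INVITE──│ │ (3) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.491 │ │──INVITE──►│ │ (3) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.494 │ │◄──INVITE──│ │ (4) T:2426032920 F:2424773350 U:2426032920 P:terminating
19:48:02.513 │ │──Does no─►│ │ (4) 604 Does not Exist Anywhere (INVITE Loop Detected)
20:10:41.120 │──INVITE──►│ │ │ (9) T:2426030001 F:2424773350 U:2426030001
20:10:41.150 │ │◄──200 OK──│ │ (9) 200 OK (INVITE)
"""

# timestamp, arrow lanes, "(n)" index (assumed to be per dialog), detail text
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3})\s+(?P<lanes>.*?)\((?P<idx>\d+)\)\s+(?P<info>.*)$")
FIELDS_RE = re.compile(r"T:(\S+)\s+F:(\S+)\s+U:(\S+)")

def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_invites(trace):
    """Yield (seconds, index, (to, from, uri)) for each initial INVITE line."""
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        # "reINVIT" lanes do not contain "INVITE", so re-INVITEs are skipped.
        if not m or "INVITE" not in m["lanes"]:
            continue
        f = FIELDS_RE.search(m["info"])
        if f:
            yield to_seconds(m["ts"]), int(m["idx"]), f.groups()

def find_loops(trace, max_dialogs=2, window_s=1.0):
    """Map (to, from, uri) -> dialog indexes when too many recur in window_s."""
    by_key = defaultdict(list)
    for ts, idx, key in parse_invites(trace):
        by_key[key].append((ts, idx))
    loops = {}
    for key, events in by_key.items():
        events.sort()
        for start, _ in events:
            seen = {i for ts, i in events if 0 <= ts - start <= window_s}
            if len(seen) > max_dialogs:
                loops[key] = sorted(seen)
                break
    return loops
```

Run over a saved trace, a flagged tuple points at the dialed number whose routing bounces between the two entities, which is where the dial plan and routing policy need checking.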
 