SIP Phones Unauthorized to Register in CME across ASA Site to Site VPN


Question

I have a customer that is running CME 12 and all of his phones located at the office where the CME resides work just fine. We just connected a satellite office to it using an ASA to ASA Site to Site VPN Tunnel. The remote site is working great except none of the phones at that site are allowed to register with CME. All of the phones have their proper IPs from DHCP with their required Option 150 and proper Gateway.

In fact, when I run a debug ccsip all, I see all of the phones trying to register with CME. But they are all being rejected.

 

I have both networks defined to CME as Trusted.  All of the voice register pools are fine because if I bring the phones over to the main office they register and work just fine.

 

voice service voip
 ip address trusted list
  ipv4 10.100.200.0 255.255.255.0
  ipv4 10.10.200.0 255.255.255.0

 

I am allowing all protocols and ports both ways across the tunnel with the ACLs.

I have no-proxy-arp route-lookup on my NAT statements on both ASAs.

I have tried it with both

policy-map global_policy
 class inspection_default
  inspect sip

 

and no inspect sip

 

Still getting this message when the phones at the remote site try and register...

 

092673: *Feb 11 09:53:41.539 CST: //1577/07D93A6682DB/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.100.200.103:5060;branch=z9hG4bK51fac813
From: <sip:13@10.10.200.1>;tag=0cd0f84a9a7e00121754f809-09250a68
To: <sip:13@10.10.200.1>;tag=AD238C-2618
Date: Mon, 11 Feb 2019 15:53:41 GMT
Call-ID: 0cd0f84a-9a7e0011-4d2da414-78742b53@10.100.200.103
Server: Cisco-SIPGateway/IOS-15.7.3.M1
CSeq: 148 REGISTER
WWW-Authenticate: Digest realm="",nonce="E0C8D8B50011508C",algorithm=MD5,qop="auth"
Content-Length: 0

 

What am I doing wrong?

 

Answer

 

Comments
Cisco Employee

Can you please share the show run from the CME router? Also please collect 

debug ccsip message

debug voice register events

debug voice register error

 

Can you please try configuring the authenticate realm as well under the voice register global?

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/command/reference/cme_cr/cme_a1ht.html#wp3680833860

Rising star

Hi There,

 

It sounds like you are hitting the issue that occurs when SIP phones are not on the same subnet as the CME gateway. The phones need to be configured to authenticate using a SIP digest username and password.

 

This would explain why when you have the phone in the local office it works, and when it is in the remote office it does not work.

 

Example configuration is below:

voice service voip
 allow-connections sip to sip
 sip
  bind control source-interface GigabitEthernet0/1
  bind media source-interface GigabitEthernet0/1
!
voice register global
 mode cme
 source-address 10.10.200.1 port 5060
 max-dn 50
 max-pool 50
 authenticate register
!
voice register dn 1
 number 2000
!
voice register pool 1
 id mac 0011.2233.4455
 type 8845
 number 1 dn 1
 dtmf-relay sip-notify
 username 2000 password mypassword
 codec g711ulaw

Below is a link to the full CME guide:

 

Keep in mind that the configuration referenced is GLOBAL; you will need to configure all voice register pools (phones) with a user/pass after adding "authenticate register". You will not need to punch in the credentials on the phones themselves; the credentials are passed to the phones through their configuration files.

 

Please let us know how it goes!

 

*** Please mark posts as helpful and/or correct if appropriate
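
The digest exchange behind the 401 in the question and the "authenticate register" advice above, as an added example that is not part of the original posts and is not Cisco code: it parses the quoted challenge, answers it the way a phone would (RFC 2617 MD5 digest), and checks a REGISTER retry against the pool password. The URI sip:10.10.200.1, the cnonce and all function names are assumptions; the credentials are the sample ones from the configuration above.

```python
import hashlib
import re

# Challenge header copied from the 401 in the question's debug ccsip output.
CHALLENGE = 'WWW-Authenticate: Digest realm="",nonce="E0C8D8B50011508C",algorithm=MD5,qop="auth"'

def parse_digest(header):
    """Parse a Digest challenge or Authorization header into a dict."""
    scheme, _, params = header.partition(":")[2].strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def expected_response(auth, password, method="REGISTER"):
    """RFC 2617 response for the fields the client put in its header."""
    ha1 = md5_hex(f"{auth['username']}:{auth['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{auth['uri']}")
    if auth.get("qop"):
        return md5_hex(f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:{auth['qop']}:{ha2}")
    return md5_hex(f"{ha1}:{auth['nonce']}:{ha2}")

def build_authorization(challenge, username, password, uri, cnonce, nc="00000001"):
    """Phone side: answer the challenge (cnonce is supplied by the caller)."""
    auth = dict(parse_digest(challenge), username=username, uri=uri, cnonce=cnonce, nc=nc)
    auth["response"] = expected_response(auth, password)
    bare = {"nc", "qop", "algorithm"}  # sent unquoted; everything else is quoted
    return "Authorization: Digest " + ",".join(
        f"{k}={v}" if k in bare else f'{k}="{v}"' for k, v in auth.items())

def check_register(challenge, authorization, password):
    """Registrar side: list what is wrong with a REGISTER retry, if anything."""
    chal, auth = parse_digest(challenge), parse_digest(authorization)
    findings = []
    if not chal.get("realm"):
        findings.append("challenge realm is empty")
    if (auth.get("realm"), auth.get("nonce")) != (chal.get("realm"), chal.get("nonce")):
        findings.append("realm or nonce differs from challenge")
    if auth.get("response", "").lower() != expected_response(auth, password):
        findings.append("response does not match configured password")
    return findings

if __name__ == "__main__":
    # Constructed retry: sample pool credentials, assumed URI and cnonce.
    retry = build_authorization(CHALLENGE, "2000", "mypassword", "sip:10.10.200.1", "1a2b3c4d")
    print(check_register(CHALLENGE, retry, "mypassword"))
```

To check a real phone, paste the Authorization header from its second REGISTER in debug ccsip message in place of the constructed retry.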

 

 

Beginner

Hi Great team;

 

I have exactly the same problem, can anyone advise on this issue?

 

Waiting to hear from you guys


@ICS-BDUNCAN wrote:

Question

I have a customer that is running CME 12 and all of his phones located at the office where the CME resides work just fine. We just connected a satellite office to it using an ASA to ASA Site to Site VPN Tunnel. The remote site is working great except none of the phones at that site are allowed to register with CME. All of the phones have their proper IPs from DHCP with their required Option 150 and proper Gateway.

In fact, when I run a debug ccsip all, I see all of the phones trying to register with CME. But they are all being rejected.

 

I have both networks defined to CME as Trusted.  All of the voice register pools are fine because if I bring the phones over to the main office they register and work just fine.

 

voice service voip
 ip address trusted list
  ipv4 10.100.200.0 255.255.255.0
  ipv4 10.10.200.0 255.255.255.0

 

I am allowing all protocols and ports both ways across the tunnel with the ACLs.

I have no-proxy-arp route-lookup on my NAT statements on both ASAs.

I have tried it with both

policy-map global_policy
 class inspection_default
  inspect sip

 

and no inspect sip

 

Still getting this message when the phones at the remote site try and register...

 

092673: *Feb 11 09:53:41.539 CST: //1577/07D93A6682DB/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.100.200.103:5060;branch=z9hG4bK51fac813
From: <sip:13@10.10.200.1>;tag=0cd0f84a9a7e00121754f809-09250a68
To: <sip:13@10.10.200.1>;tag=AD238C-2618
Date: Mon, 11 Feb 2019 15:53:41 GMT
Call-ID: 0cd0f84a-9a7e0011-4d2da414-78742b53@10.100.200.103
Server: Cisco-SIPGateway/IOS-15.7.3.M1
CSeq: 148 REGISTER
WWW-Authenticate: Digest realm="",nonce="E0C8D8B50011508C",algorithm=MD5,qop="auth"
Content-Length: 0

 

What am I doing wrong?

 

Answer

