06-24-2012 05:19 PM - edited 03-16-2019 11:49 AM
Hi VoIPers & Sippers,
After a false start I have now got a very basic CME configuration (with 2901) going which:
1. Provides Internet Facing SIP Proxy
2. Supports generic SIP clients (Mac OS X Blink & iPhone Acrobit/Groundwire and Grandstream GXV3175)
3. Allows me to call SIP extensions within an internal 192.168.X.X network
However I cannot get my iPhone to REGISTER successfully from outside (via public Internet)
Here is the core of my config:
<ios VoIP Config>
voice service voip
ip address trusted list <-- I have deliberately turned off "ip address trusted list" as I am using ZBFW to handle security
ipv4 0.0.0.0 0.0.0.0
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip <- I have not put a bind command, as SIP Proxy is acting as application gateway btw public/private network and I want it to listen on both interfaces
registrar server expires max 600 min 60
localhost dns:FROGHOP.com
!
voice class codec 1 <- I want the negotiation of CODECs to be done by endpoints via SDP as this reduces load on gateway and is also more flexible
codec preference 1 transparent
!
voice class codec 2 <- This set of CODECS will be used for B2BUA gatewaying to external SIP Service Providers and my own SPA3102 ATA for PSTN
codec preference 1 g711alaw
codec preference 2 g711ulaw
codec preference 3 g729br8
codec preference 4 g729r8
codec preference 5 g723ar53
codec preference 6 g723ar63
codec preference 7 g723r53
codec preference 8 g723r63
codec preference 9 g726r16
codec preference 10 g726r24
codec preference 11 g726r32
!
!
voice register global
mode cme
max-dn 20
max-pool 25
load 8961 8961/sip8961.9.2-2SR1-9 <--- These are just here because the documentation indicates they should be.
load 7942 7942-62/SIP42.9-2-1S <-- My network is 100% SIP with no SCCP and no firmware downloading/management
authenticate register
authenticate realm FROGHOP.com
timezone 47
time-format 24
date-format D/M/Y
tftp-path flash:
create profile sync 0014049064062229
!
voice register dn 1 <- This is the sample roaming DN, which I want to be able to use to get/place SIP calls while: at home, in office or travelling
number 613333
allow watch
name Joe Toad
label jt-sip
!
voice register dn 2
number 6113333
allow watch
name LineA Home
label linea
!
voice register dn 3
number 6123333
allow watch
name LineB Home
label lineb
!
….
!
voice register pool 1
id mac BEE0.BEE1.BEE2 <-- Dummy mac address for the roaming case.
number 1 dn 1
voice-class codec 1
username joe password XXXXXXXX
!
voice register pool 2
id mac 000A.9255.9097
number 1 dn 2
voice-class codec 1
username linea password XXXXXXXX
!
voice register pool 3
id mac 000B.8233.9B86
number 1 dn 3
voice-class codec 1
username lineb password XXXXXXX
!
....
<End VoIP Config>
I turned on "debug ccsip messages" and got the following trace:
This highlights that the problem is that CME is returning a "404 Not Found" error when the REGISTER comes in via the Internet, while it works fine when coming from the internal PRIVATE 192.168.X.X network.
I presume that I am missing something very basic here, that I need to do to ensure that the REGISTER from the Internet goes through ok.
<SIP Log TRACE>
Received:
REGISTER sip:FROGHOP.com SIP/2.0
Via: SIP/2.0/UDP 10.197.31.18:2525;branch=z9hG4bKfaUSJlXb1d982vqa;rport
Contact: <sip:613333@10.197.31.18:2525;rinstance=50094A52>;expires=0
Max-Forwards: 70
From: "Joe Toad" <sip:613333@FROGHOP.com>;tag=8AB69B07421347565B0F51ACE8E78AB1
Allow: OPTIONS, INVITE, ACK, REFER, CANCEL, BYE, NOTIFY, MESSAGE
Supported: replaces, path
User-Agent: Acrobits Softphone Business/2.3
To: "Joe Toad" <sip:613333@FROGHOP.com>
Expires: 0
Call-ID: 2100FCC8292E2B193740F66A68E0B56D9ACE8E9A
CSeq: 962 REGISTER
Content-Length: 0
001110: Jun 24 10:24:44.746 UTC: //109/99899ED2805F/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 10.197.31.18:2525;branch=z9hG4bKfaUSJlXb1d982vqa;rport;received=1.140.3.65
From: "Joe Toad" <sip:613333@FROGHOP.com>;tag=8AB69B07421347565B0F51ACE8E78AB1
To: "Joe Toad" <sip:613333@FROGHOP.com>;tag=7DA624-977
Date: Sun, 24 Jun 2012 10:24:44 GMT
Call-ID: 2100FCC8292E2B193740F66A68E0B56D9ACE8E9A
Server: Cisco-SIPGateway/IOS-12.x
CSeq: 962 REGISTER
Content-Length: 0
001111: Jun 24 10:24:48.066 UTC: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
REGISTER sip:FROGHOP.com SIP/2.0
Via: SIP/2.0/UDP 10.197.31.18:2525;branch=z9hG4bKfaUSJlXb1d982vqa;rport
Contact: <sip:613333@10.197.31.18:2525;rinstance=50094A52>;expires=0
Max-Forwards: 70
From: "Joe Toad" <sip:613333@FROGHOP.com>;tag=8AB69B07421347565B0F51ACE8E78AB1
Allow: OPTIONS, INVITE, ACK, REFER, CANCEL, BYE, NOTIFY, MESSAGE
Supported: replaces, path
User-Agent: Acrobits Softphone Business/2.3
To: "Joe Toad" <sip:613333@FROGHOP.com>
Expires: 0
Call-ID: 2100FCC8292E2B193740F66A68E0B56D9ACE8E9A
CSeq: 962 REGISTER
Content-Length: 0
001112: Jun 24 10:24:48.066 UTC: //109/99899ED2805F/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 10.197.31.18:2525;branch=z9hG4bKfaUSJlXb1d982vqa;rport;received=1.140.3.65
From: "Joe Toad" <sip:613333@FROGHOP.com>;tag=8AB69B07421347565B0F51ACE8E78AB1
To: "Joe Toad" <sip:613333@FROGHOP.com>;tag=7DA624-977
Date: Sun, 24 Jun 2012 10:24:48 GMT
Call-ID: 2100FCC8292E2B193740F66A68E0B56D9ACE8E9A
Server: Cisco-SIPGateway/IOS-12.x
CSeq: 962 REGISTER
Content-Length: 0
<End of SIP TRACE>
Could the ZBFW be causing a problem with external access?
Currently I have policy for:
OUT-ZONE -> SELF == SIP Inspect (to allow incoming calls to hit CME)
SELF -> OUT-ZONE == SIP Inspect (to allow CME to establish call with external SIP Service Providers)
Thanks in advance to anyone who can help.
Cheers,
John.
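Added example, not part of the original post: a small parser for `debug ccsip messages` output that pairs each request with its reply by Call-ID and CSeq, counts retransmissions, and flags a client behind NAT when the Via sent-by host differs from the `received=` address the gateway stamped on the reply. The function names and the sample trace are constructed for illustration.

```python
import re

# Constructed sample in the "debug ccsip messages" layout (documentation addresses).
SAMPLE = """\
000001: Jan  1 00:00:01.000 UTC: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
REGISTER sip:example.com SIP/2.0
Via: SIP/2.0/UDP 10.0.0.5:2525;branch=z9hG4bKabc;rport
Call-ID: AAAA1111
CSeq: 7 REGISTER
000002: Jan  1 00:00:01.010 UTC: //1/000000000000/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 10.0.0.5:2525;branch=z9hG4bKabc;rport;received=203.0.113.9
Call-ID: AAAA1111
CSeq: 7 REGISTER
"""

def parse_trace(text):
    """Yield (direction, start line, headers) for each message in the dump."""
    parts = re.split(r"^(Received|Sent):[ \t]*$", text, flags=re.M)
    for direction, body in zip(parts[1::2], parts[2::2]):
        lines = [l.strip() for l in body.splitlines()
                 if l.strip() and "ccsipDisplayMsg" not in l]
        hdr = {}
        for l in lines[1:]:
            name, _, value = l.partition(":")
            hdr.setdefault(name.strip().lower(), value.strip())  # keep topmost Via
        if lines:
            yield direction, lines[0], hdr

def summarize(text):
    """Pair request and reply by (Call-ID, CSeq); report NAT evidence per transaction."""
    txns = {}
    for _, start, h in parse_trace(text):
        t = txns.setdefault((h.get("call-id"), h.get("cseq")), {"requests": 0})
        via = h.get("via", "")
        if start.startswith("SIP/2.0 "):  # response: status and received= set by the server
            t["status"] = int(start.split()[1])
            rec = re.search(r";received=([^;\s]+)", via)
            t["received"] = rec.group(1) if rec else None
        else:  # request: count retransmissions, keep the client's own Via host
            t["requests"] += 1
            t["method"] = start.split()[0]
            sent_by = via.split()[-1].split(";")[0] if via else ""
            t["via_host"] = sent_by.rsplit(":", 1)[0]
    for t in txns.values():
        t["behind_nat"] = t.get("received") not in (None, t.get("via_host"))
    return txns
```

Running `summarize()` over a saved debug capture gives one entry per transaction, which makes it easy to compare registrations arriving from the private network with those arriving through the firewall.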
06-25-2012 05:05 AM
IOSers & VoIPers,
I have done some more testing on the remote phone and have found that the remote phone does not appear to be getting any response back from CME.
I am getting the input messages and have configured ZBFW with SIP inspect from OUT-ZONE to SELF, as I could see that UDP messages to port 5060 were getting dropped.
What is the behavior of ZBFW for the return SIP message?
If a SIP REGISTER or INVITE is received on port 5060, does ZBFW inspect mean that the port is then opened to allow the return response, which can be on any UDP port, to get past the ZBFW and back to the OUT-ZONE?
Also I added 'bind' into the sip configuration, as the documentation seems to indicate that this is needed:
<
!
voice service voip
ip address trusted list
ipv4 0.0.0.0 0.0.0.0
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
bind control source-interface Loopback0
registrar server expires max 600 min 60
localhost dns:FROGSTOMP.com
!
<
Here is the latest SIP Message trace:
<
000308: Jun 25 11:40:19.510 UTC: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
REGISTER sip:FROGSTOMP.com SIP/2.0
Via: SIP/2.0/UDP 10.169.174.195:2526;branch=z9hG4bKFZvENjUgCu9E2als;rport
Contact: <613333>;expires=0613333>
Max-Forwards: 70
From: "Joe Toad" <sip:613333@FROGSTOMP.com>;tag=B6C4A9291D65343D263E88C1D1ECC345
Allow: OPTIONS, INVITE, ACK, REFER, CANCEL, BYE, NOTIFY, MESSAGE
Supported: replaces, path
User-Agent: Acrobits Softphone Business/2.3
To: "Joe Toad" <sip:613333@FROGSTOMP.com>
Expires: 0
Call-ID: 2100FCC8292E2B193740F66A68E0B56D9ACE8E9A
CSeq: 1163 REGISTER
Content-Length: 0
000309: Jun 25 11:40:19.510 UTC: //78/50DB48C6803E/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 10.169.174.195:2526;branch=z9hG4bKFZvENjUgCu9E2als;rport;received=110.150.231.102
From: "Joe Toad" <sip:613333@FROGSTOMP.com>;tag=B6C4A9291D65343D263E88C1D1ECC345
To: "Joe Toad" <sip:613333@FROGSTOMP.com>;tag=404F4C-13C0
Date: Mon, 25 Jun 2012 11:40:19 GMT
Call-ID: 2100FCC8292E2B193740F66A68E0B56D9ACE8E9A
Server: Cisco-SIPGateway/IOS-12.x
CSeq: 1163 REGISTER
Content-Length: 0
<
Thank you to any ZBFW/SIP guru who can help.
John.
06-27-2012 01:54 PM
Hi,
Have you a voice source-group configured at all?
Adam
06-28-2012 01:12 AM
Hi Adam,
Thanks for the response.
I do not have any "voice source-group" items in my configuration.
I have since done more testing and played around with the ZBFW configuration.
I found that to get SIP in and out network you need to have:
SELF -> OUT-ZONE sip inspect
OUT-ZONE -> SELF sip inspect
OUT-ZONE -> IN-ZONE sip inspect (where I have Loopback0 terminator for SIP & NAT)
PRIVATE-ZONE -> OUT-ZONE sip inspect (this is where NAT'ed 192.168.x.x network is)
I am now able to Register over the Internet but, only from some networks...
For example, if I go into an office which has Class B addresses on its Intranet then I can Register from there via the Blink client but not the iPhone Groundwire/Acrobits client.
If I go into the iPhone Groundwire/Acrobits client and configure the Account/Hacks Settings to set the sending port to 5060 then it works ok.
If I connect my Mac to the network via iPhone tethering then I cannot Register via the Blink client from the Mac.
So it appears that the problem may be with NAT or filtering within the Service Provider network.
All these variables make it very hard to diagnose the problem.
Now the problem I am having is that while I can do register from some external (Internet) networks...
I cannot get INVITE to work...
I will post some more info after I have done some more testing.
John.
06-28-2012 02:15 AM
Hey John,
Have you checked the firewall settings?
It could be that the firewall is simply blocking. I have had a similar issue; it was the firewall being in the way.
If you are using a VPN on the iPhone, similar issue. By all means it could be either the IP address being blocked or the ports being blocked.