Solved: Re: CUBE "403 forbidden"

torsten.brink · ‎11-27-2011

Hi NetPro´s,

I actually try to configure the new introduced passthrough feature on CUBE.

My idea is to register a 3rd party IP-Phone to a CUCM but with the CUBE as a Border between both, so here´s the call flow:

PhoneA -> CUBE -> CUCM -> PhoneB

The registration itself works fine, PhoneA is registered with the IP-address of the CUBE on CUCM, also calls from CUCM PhoneB to PhoneA (behind the CUBE) work fine.

However I´m not able to make an outgoing call from PhoneA via CUBE via CUCM to PhoneB.

The call (INVITE) get´s stuck in the CUBE and refuses the connection with a "403 Forbidden" message to PhoneA.

I´m not able to find the root cause, why the CUBE refuses the connection... any idea´s??

Many thanks in advance...

Cheers

Torsten

NetVoiceOps · ‎11-27-2011

Can you please try removing removing the default command "ip address trusted authenticate" as a test:

!

voice service voip

no ip address trusted authenticate

!

See whether you get a change in behaviour or not as the case maybe.

View solution in original post

Senthil Kumar Sankar · ‎11-27-2011

Hi Torsten,

While checking the logs, Once your Phone B sends the Invite, sip errors are being wriiten like below

*Nov 27 13:05:30.423: //-1/xxxxxxxxxxxx/SIP/Error/sipSPI_validate_own_ip_addr: ReqLine IP addr does not match with host IP addr

*Nov 27 13:05:30.427: //-1/xxxxxxxxxxxx/SIP/Error/sipSPI_validate_own_ip_addr: ReqLine IP addr does not match with host IP addr

Any access list configured ? Can you also paste the successfull incoming call debug messages.

Regards,

Senthil

torsten.brink · ‎11-27-2011

Hi Senthil,

I think you mean PhoneA, as this is the INVITE which comes to CUBE.. and then the call stucks.

There´re not any access lists configured, nor there´s NAT/PAT in use.

Just for better understanding the IP-network informations here:

network1 192.168.178.0/24

PhoneA .22

network2 172.16.10.0/24

CUBE .1

CUCM .11

network3 172.16.110.0/24

PhoneB .10

The CUBE has a interface Gi0/0 with Sub-Interfaces (0/0.178, 0/0.10, 0/0.110). Gi0/0.10 is binded for SIP usage (172.16.10.1).

I´ll get some traces from the "working scenario" the other way round (so the call from PhoneB via CUCM via CUBE to PhoneA).

Cheers

Torsten.

NetVoiceOps · ‎11-27-2011

Can you please try removing removing the default command "ip address trusted authenticate" as a test:

!

voice service voip

no ip address trusted authenticate

!

See whether you get a change in behaviour or not as the case maybe.

Senthil Kumar Sankar · ‎11-27-2011

Hi Torsten,

Thanks for the information. Do you have incoming dial-peer configured ?

If there is no incoming dial-peer configured, Can we configure one and place the below passthru header in it

voice-class sip pass-thru headers unsupp

After doing this test and check.

Regards,

Senthil

torsten.brink · ‎11-28-2011

Hi NetworkVoiceOps,

Hi Senthil,

the command "no ip address trusted authenticate" made the difference, after setting the command, the INVITE was forwarded to CUCM (which was the root issue in my case).

Now the INVITE message was send to CUCM, but as response I received a 401 unauthorized and then a 503 Service Unavailable, as the CUBE is not sending any digest authentication to the CUCM.

To solve this issue I added the command "authentication username xxx password yyy realm zzz" under sip-ua and then the 401 unauthorized of CUCM get´s answered with a INVITE with digest authentication..CUCM accept´s the INVITE and call is getting established !

So just to summarize I attached the configuration of the CUBE and the ccsip message trace...

Many thanks to all !!!

Cheers

Torsten.