CUBE: SRTP fails because of 2 valid audio m lines

ROBERT SCHUKNECHT · ‎05-31-2018

I can not get SRTP working in the following Setup:

Unify/Siemens IP Phone ---- Unify/Siemens PABX ---- CUBE ---- CUCM ---- Cisco Phone

For the CUBE i am using a Cisco 4331 with IOS XE 16.07.01.

The PABX is sending a SIP Invite including 2 audio m-Lines, 1 for SRTP (SAVP) and 1 for RTP (AVP). (Please see the attached SIP Invite: SIP INVITE OSV-CUBE SANITIZED.txt)

The Cube answers with a 488 unacceptable media, and in the output of a debug ccsip all i see:

May 29 17:02:31.559 METDST: //128863/25495E0D801E/SIP/Error/sipSPICheckForkingCriteria:
2 Valid Audio Mlines is not supported, hence disconnect the call..

Is this a limitation/Bug of CUBE not supporting 2 audio m-Lines? Are there any workarounds i could use to get SRTP working?

As a side note: It is not possible to use "pass-thru sdp..."

Any help/tip is welcome!

/Robert

M02@rt37 · ‎05-31-2018

Hi @ROBERT SCHUKNECHT

Is it possible for you to share your dial peer configuration and your voice service voip menu.

Witch encryption for RTPdo you use on your CUBE?

Between your CUBE and CUCM do you configure SRTP too, or are you only with srtp to rtp internetworking mode on your CUBE?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

ROBERT SCHUKNECHT · ‎06-01-2018

Hi Benode371,

between CUCM and CUBE i am using SRTP, also. And, SRTP is working fine when the call is initiated from the CUCM side.

What do you mean by "Witch encryption for RTPdo you use on your CUBE?"

Please find the requested config snippets attached.

R0g22 · ‎06-01-2018

Take a log with the following debugs and making a failed call -

debug ccsip message
debug ccsip error
debug voice ccapi inout

We should have more information in there to see what is happening. Also, are you doing a SRTP to RTP inter working through the CUBE or is it SRTP to SRTP end to end ?

ROBERT SCHUKNECHT · ‎06-04-2018

Hi Nipun,

we want do SRTP to SRTP with fallback to RTP, if RTP is not possible between the involved Endpoints.

Please find attached the requested log of a failed call.

As you can see in the log the CUBE is not accepting the the first INVITE because the PABX is sending the INVITE with 2 Audio M-Lines (1 x RTP/SAVP and 1 x RTP/AVP).

*Jun 4 10:15:18.243: //52/405D47718035/SIP/Error/sipSPICheckForkingCriteria:
2 Valid Audio Mlines is not supported, hence disconnect the call..
*Jun 4 10:15:18.243: //52/405D47718035/SIP/Error/sipSPIHandleInviteMedia:
Media Negotiation failed for an incoming call
*Jun 4 10:15:18.243: //52/405D47718035/SIP/Error/sipSPIContinueNewMsgInvite:
Unacceptable media indicated for INVITE

/Robert

M02@rt37 · ‎06-04-2018

Hi @ROBERT SCHUKNECHT

Which encryption on your siemens pabx do you use? Is it in adequation with CUBE configuration?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

ROBERT SCHUKNECHT · ‎06-04-2018

i am not sure what you mean by "Which encryption on your siemens pabx do you use?".

SRTP is working fine when the call is initiated from the Cisco side.

/Robert

M02@rt37 · ‎06-04-2018

Ok @ROBERT SCHUKNECHT

You have perhaps dissociated inbound and outbound dial-peer on your CUBE....that's the reason why it's OK in one way.

What about inboud dial peer on CUBE from pabx? Do you configure srtp fallback too?

Do you configure srtp on voice service voip ? Or in each dial-peer? Sha-32 80 ....?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

ROBERT SCHUKNECHT · ‎06-04-2018

Currently i am using only 2 Dial-Peers

Dial-Peer 100 incoming from / outgoing to CUCM:

dial-peer voice 100 voip
description --- TO AND FROM CUCM ---
session protocol sipv2
session transport tcp tls
session server-group 100
destination dpg 100
incoming uri via 100
voice-class sip profiles 100
voice-class sip options-keepalive profile 100
no voice-class sip error-code-override total-calls failure
voice-class sip copy-list 100
dtmf-relay rtp-nte
codec g711alaw
ip qos dscp cs3 signaling
no vad

and Dial-Peer 200 incoming from / Outgoing To Siemens/Unify PABX

dial-peer voice 200 voip
description --- TO AND FROM OSV ---
session protocol sipv2
session transport tcp tls
session server-group 200
destination dpg 200
incoming uri via 200
voice-class sip profiles 100
voice-class sip options-keepalive profile 200
no voice-class sip error-code-override total-calls failure
voice-class sip copy-list 100
dtmf-relay rtp-nte
codec g711alaw
ip qos dscp cs3 signaling
no vad

Dial-Peer matching is working as expected. No errors there.

SRTP Fallback and also srtp-auth are configured globally under "voice service voip".

voice service voip
no ip address trusted authenticate
mode border-element license capacity 100
media bulk-stats
srtp fallback
allow-connections sip to sip
redundancy-group 1
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
modem passthrough nse codec g711alaw
sip
bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
session transport tcp tls
rel1xx disable
header-passing
error-passthru
srtp-auth sha1-32 sha1-80
asserted-id pai
midcall-signaling passthru media-change
midcall-signaling preserve-codec
srtp negotiate cisco
early-offer forced
privacy-policy passthru
pass-thru headers unsupp
pass-thru subscribe-notify-events all
pass-thru content unsupp
sip-profiles inbound
no call service stop
send 180 sdp

Going back to my original question: Should CUBE accept 1 SDP with 2 Audio M-Lines?

/Robert