Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2738
Views
40
Helpful
16
Replies

Inbound SIP profiles and OPTIONS ping with NAT

James Hawkins
Level 8
Level 8

‎01-22-2023 06:12 AM

Hello,

I have an ISR 4431 running 17.3.5 which is acting as a CUBE behind a Paolo Alto firewall.

The CUBE links to a Five9 cloud contact center system using TLS.

Five9 are sending SIP Options pings and the CUBE needs to respond to these to bring the service up.

debug ccsip messages shows the Options messages being received by the CUBE as shown below:

000233: Jan 22 13:45:41.509: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
OPTIONS sip:213.168.241.14:5061 SIP/2.0
Via: SIP/2.0/TLS 3.248.131.150:5061;branch=z9hG4bK00B1901e672abab7ab9
From: <sip:3.248.131.150>;tag=gK0034b832
To: <sip:213.168.241.14>
Call-ID: 130075547_133926838@3.248.131.150
CSeq: 856446 OPTIONS
Max-Forwards: 1
Allow: INVITE,ACK,CANCEL,BYE,REGISTER,REFER,INFO,SUBSCRIBE,NOTIFY,UPDATE,OPTIONS,MESSAGE,PUBLISH
Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay, multipart/mixed
Contact: <sip:3.248.131.150:5061>
Content-Length: 0

The message contains the public IP address 213.168.241.14 that the firewall NATs to  rather than the internal address used by the CUBE which is 10.52.254.68

I have created a SIP profile to translate the addresses as shown below.

voice class sip-profiles 591
 description Five9 inbound OPTIONS
 request OPTIONS sip-header SIP-Req-URI modify "sip:213.168.241.14:5061 SIP/2.0" "sip:10.52.254.68:5061 SIP/2.0"
 request OPTIONS sip-header To modify "213.168.241.14 "10.52.254.68"

Using the SIP-Profile Test Tool the config above performs the required translation as shown below: 

 

017974: Jan 21 15:03:38.955: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg: Received: OPTIONS sip:10.52.254.68:5061 SIP/2.0Via: SIP/2.0/TLS 3.248.131.150:5061;branch=z9hG4bK00B3404a61956628271 From: <sip:3.248.131.150>;tag=gK004249c9 To: <sip:10.52.254.68>Call-ID: 130026517_66379330@3.248.131.150 CSeq: 301223 OPTIONS Max-Forwards: 1 Allow: INVITE,ACK,CANCEL,BYE,REGISTER,REFER,INFO,SUBSCRIBE,NOTIFY,UPDATE,OPTIONS,MESSAGE,PUBLISH Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay, multipart/mixed Contact: <sip:3.248.131.150:5061> Content-Length: 0 Timestamp: 3757158218955 UTC Timestamp:3757158218955 Source Filename: rbt6BE6.tmp
 
I have tried applying this using a dedicated dial-peer using URI matching on via as shown below:
 
voice class uri 59 sip
host ipv4:3.248.131.150
host ipv4:208.69.29.54
!
dial-peer voice 591 voip
description ### Inbound WAN side to Five9 SBCs ###
session protocol sipv2
session transport tcp tls
incoming uri via 59
voice-class sip profiles 591 inbound
voice-class sip bind control source-interface GigabitEthernet0/0/2
voice-class sip bind media source-interface GigabitEthernet0/0/2
dtmf-relay rtp-nte
codec g711alaw
no vad
!
 
This does not apply the required translations.
 
I also tried applying the SIP profile at the global level but that does not work either.
 
voice service voip
 sip
  sip-profiles 591 inbound
 
Can anyone tell me what I am doing wrong or how dial-peer matching for Options ping traffic can be troubleshooted.
 
 
 
 
 

 

 

Labels:
0 Helpful
16 Replies 16

Roger Kallberg
VIP
VIP

‎01-22-2023 06:26 AM

Recommend you to look at the documentation for Direct Routing integration for MS Teams as it covers this.



Response Signature


James Hawkins
Level 8
Level 8
In response to Roger Kallberg

‎01-22-2023 07:49 AM

Thanks Roger, that link has been helpful as I did not know that a SIP profile could be associated with a voice class sip-options-keepalive 

I still cannot get it to modify the inbound Options message received from the Five9s SBC

0 Helpful

Roger Kallberg
VIP
VIP
In response to James Hawkins

‎01-22-2023 08:24 AM

Do you have this under global SIP configuration “sip-profiles inbound”? Also check that you have a IOS version that supports using SIP profiles inbound.



Response Signature


TechLvr
Spotlight
Spotlight

‎01-22-2023 11:07 AM

@James Hawkins Have you tried the following method?

voice class sip-profiles 591
rule 1 request OPTIONS sip-header SIP-Req-URI modify "213.168.241.14" "10.52.254.68"
rule 2 request OPTIONS sip-header To modify "213.168.241.14" "10.52.254.68"
rule 3 response ANY sip-header SIP-Req-URI modify "213.168.241.14" "10.52.254.68"
rule 4 response ANY sip-header To modify "213.168.241.14" "10.52.254.68"

voice class sip-profiles 592
rule 3 response ANY sip-header SIP-Req-URI modify "10.52.254.68" "213.168.241.14"
rule 4 response ANY sip-header To modify "10.52.254.68" "213.168.241.14"

voice class sip-options-keepalive 591
sip-profiles 591 inbound
sip-profiles 592

dial-peer voice 591 voip
description ### Inbound WAN side to Five9 SBCs ###
voice-class sip options-keepalive profile 591

You may need a sip profile and voice class sip options-keepalive on the outbound dial peer towards five9 also but try the above configs first and let us know how it goes. 

Scott Leport
Level 7
Level 7

‎01-23-2023 01:16 AM

Hi James,

I had to do something similar a while ago like this, albeit with one or two differences, e.g. in my situation it was a private SIP trunk formed over SIP TCP 5060 rather than TLS, but I don't think that matters here.

The config I used was something like this:

Voice-class sip-profiles 1000
 Rule 10 request ANY sdp-header SIP-Req-URI modify “213.168.241.14” “10.52.254.68”

This was then applied to the inbound dial-peer and I was able to bring the SIP trunk up.

That worked for me, but the config that @TechLvr is more of a complete solution and may work better for you depending on what the requirements of your service provider are.

James Hawkins
Level 8
Level 8

‎01-24-2023 06:36 AM

Thanks to all that replied.

I am still testing but one thing that I had not done was enabled inbound SIP profiles as shown below:

voice service voip

 sip

  sip-profiles inbound

This is apparently needed before inbound SIP profiles will work however they are applied.

Thanks again

0 Helpful

James Hawkins
Level 8
Level 8

‎01-25-2023 03:17 AM

Progress report.

I have resolved the Options issues both inbound and outbound with the help of suggestions on here.

I am now working on modifying the outbound INVITE request. Changing most of the fields is simple but the INVITE SDP contains two Connection-Info entries.

c=IN IP4 10.52.254.68

A SIP profile request ANY sdp-header Connection-Info modify "10.52.254.68" "213.168.241.14" only modifies the first entry and the second remains unmodified.

I tried a remove followed by a modify but this removes the first entry but does not change the second one.

request ANY sdp-header Connection-Info remove
request ANY sdp-header Connection-Info modify "10.52.254.68" "213.168.241.14"

Is there any way to resolve this either by stopping the INVITE containing two entries or by using sip profiles to remove one and modify the other?

I have found the document at the link below that discusses the issue but does not consider how to remove one entry and modify the other 

https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-border-element/116010-dup-c-lines-problem-solution-00.html 

0 Helpful

Roger Kallberg
VIP
VIP
In response to James Hawkins

‎01-25-2023 04:05 AM

If you post the Invite, without any sensitive information, it would be easier to check this in Cisco’s SIP profile test tool.



Response Signature


0 Helpful

Scott Leport
Level 7
Level 7
In response to James Hawkins

‎01-27-2023 01:41 AM

Good to hear you got the OPTIONS bit sorted out.

Re the two "c" entries, does this matter? I mean did the provider say that one of these entries needs to be removed?

If you need to change the IP in both, the outbound Layer 7 fixup section in this link has a configuration example which can be used to change the "Connection-Info" and the "Audio-Connection-Info" SIP headers:
https://www.cisco.com/c/en/us/support/docs/voice/ip-telephony-voice-over-ip-voip/211306-In-Depth-Explanation-of-Cisco-IOS-and-IO.html#anc45

 

0 Helpful

James Hawkins
Level 8
Level 8

‎01-25-2023 05:52 AM

Hi Roger,

The original INVITE is shown below:

020926: Jan 25 09:40:46.007: //128096/2D5BA30098F3/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:+3134467xxxx@3.248.131.150:5061 SIP/2.0
Via: SIP/2.0/TLS 10.52.254.68:5061;branch=z9hG4bK9DD6E02
From: <sip:+44753984xxxx@10.52.254.68>;tag=13303EB6-31D
To: <sip:+3134467xxxx@3.248.131.150>
Date: Wed, 25 Jan 2023 09:40:46 GMT
Call-ID: 2D5C65E5-9BCB11ED-98F9925C-B425E97C@10.52.254.68
Supported: timer,resource-priority,replaces,sdp-anat
Min-SE: 1800
Cisco-Guid: 0760980224-2613776877-2566099548-3022383484
User-Agent: Cisco-SIPGateway/IOS-17.3.5
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1674639646
Contact: <sip:+44753984xxxx@10.52.254.68:5061;transport=tls>
Expires: 180
Allow-Events: telephone-event
Max-Forwards: 67
P-Asserted-Identity: <sip:+44753984xxxx@10.52.254.68>
Session-ID: c6006d2db08c5dbdb631994da0a04467;remote=00000000000000000000000000000000
Session-Expires: 3600;refresher=uac
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 590
v=0
o=CiscoSystemsSIP-GW-UserAgent 2096 5078 IN IP4 10.52.254.68
s=SIP Call
c=IN IP4 10.52.254.68
t=0 0
m=audio 14648 RTP/SAVP 8 101
c=IN IP4 10.52.254.68
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=crypto:1 AEAD_AES_256_GCM inline:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
a=crypto:2 AEAD_AES_128_GCM inline:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
a=crypto:4 AES_CM_128_HMAC_SHA1_32 inline:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The are two entries of c=IN IP4 10.52.254.68 in the SDP. I need to delete one and change the other to c=IN IP4 213.168.241.14

I can modify or remove the first entry using SIP profiles but cannot modify or remove the second one.

TechLvr
Spotlight
Spotlight
In response to James Hawkins

‎01-25-2023 07:13 AM

Though you don't have to remove the first c line but here is what you can do based on this invite.

voice class sip-profiles 100
rule 10 request ANY sdp-header Connection-Info remove
rule 20 request ANY sdp-header Audio-Connection-Info modify "10.52.254.68" "213.168.241.14"

If you want to keep/modify both c lines, you can use the SIP profile I sent just earlier in my previous response.

TechLvr
Spotlight
Spotlight

‎01-25-2023 06:49 AM

@James Hawkins Use "Connection-Info" for the first c line, and "Audio-connection-Info" for the second c line such as the example below. If it does not work for some reason, then post the invite as Roger suggested.  

voice class sip-profiles 100
rule 10 request ANY sdp-header Connection-Info modify "10.52.254.68" "213.168.241.14"
rule 20 request ANY sdp-header Audio-Connection-Info modify "10.52.254.68" "213.168.241.14"

James Hawkins
Level 8
Level 8
In response to TechLvr

‎01-25-2023 07:47 AM

Thank you!

I did not realize that Connection-Info and Audio-Connection-Info were different things. 

In other SIP connection Invites on the CUBE there is no Audio-Connection-Info entry in the SDP. Is there an issue with having both in the Invite?

0 Helpful
Customers Also Viewed These Support Documents