SIP trunk OPTIONS request

Alexey Platov · ‎04-15-2013

Hello everybody

There is a CUCM (SW version) 7.1.5 with direct SIP trunk connection to Alcatel OXE.

On ALU side they want to use OOD OPTIONS keep-alive mode activated.

Am I right that 7.1.5 CUCM doea not support sending OPTIONS requests on SIP trunk?

Also, if we use digest authentification on this trunk without OPTIONS request activated then calls from ALU just goes fine - OXE receives "403

Proxy authentification required" to the initial INVITE and then sends INVITE with authentification parameters.

If OPTIONS request is activated then 1st OPTIONS request receives "403 Unauthorized". ALU then sends OPTINS with the same digest credentials but no answer is received from CUCM.

Do we need an additianal configuration on CUCM side so OPTIONS request also coild be authentificated?

Thanks in advance,

Ayodeji Okanlawon · ‎04-15-2013

Alexey,

CUCM7.1 does not support options ping. This feature I belive was introuduced in CUCM 8.X

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"

Please rate all useful posts

Alexey Platov · ‎04-16-2013

OK. Just as I thought.

Do you have any idea on OPTIONS request authorization?

Ayodeji Okanlawon · ‎04-16-2013

If OPIONS ping is not supported, then I am not sure how it will support request authorization..unless I ont undrstand your question

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"

Please rate all useful posts

Alexey Platov · ‎04-16-2013

OPTIONS request receiving should be supported by any UA, it is written in RFC.

OK, CUCM 7.1.5 can not be configured to send this request for keep-alive to the opposite side, that's clear now.

But on receiving such message from the opposite side we have different behaviour

1. If "Enable Digest Authentication" option is disabled in SIP Trunk Security Profile configuration then CUCM answers to the OPTIONS request with "SIP/2.0 200 OK" and, of course, no incoming calls' INVITEs are challenged with "Proxy Authentification required".

2. If "Enable Digest Authentication" option is enabled in SIP Trunk Security Profile configuration then CUCM answers to the OPTIONS request with "SIP/2.0 401 Unauthorized" and ignores all other OPTIONS requests. OPTIONS request is repeated with digest credentials but this is ignored by CUCM. No calls is possible to CUCM as gateway is seen as unreachable.

3. If "Enable Digest Authentication" option is enabled in SIP Trunk Security Profile configuration and the opposite party is configured not to send OPTIONS then incoming calls are challenged with "Proxy Authentification required".and succesfully delivered.

So if OPTIONS ping is not supported then cases 1 and 3 is OK. But why in case 2 iCUCM is answering with 401 Unauthorized and ignores next OPTIONS messages?

.

Ayodeji Okanlawon · ‎04-16-2013

Ok..I understand your point now. You might need to open a TAC case to find out why its not responding to the Options with the authentication credentials...Is there a response tag in the next authentication request from the Alcatel side?

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"

Please rate all useful posts

Alexey Platov · ‎04-16-2013

Thanks for your info. Isn't 7,1,5 at the end of support? Anyway looks like it is better to upgrade to something fresh.

Just for information.

This is the trace. Initial OPTIONS, an 401 answer from CUCM,and OPTIONS with credentials which is never answered by CUCM. And this last request does not contain any tag in "To:" header.

-> SEND MESSAGE TO NETWORK (10.1.1.221:5060 [UDP]) (BUFF LEN = 426)

----------------------utf8-----------------------

OPTIONS sip:10.1.1.221 SIP/2.0

Accept: application/sdp

User-Agent: OmniPCX Enterprise R9.1

To: sip:10.1.1.221

From: sip:192.168.92.6;tag=0826088f187c9b904d7c365ae3dfe001

Contact: <192.168.92.6>

Call-ID: 82eb2af540d5259ad744b4b84c991d7c@192.168.92.6

CSeq: 704884675 OPTIONS

Via: SIP/2.0/UDP 192.168.92.6;branch=z9hG4bK0d7668c7097dfb6968204a2c76fef932

Max-Forwards: 70

Content-Length: 0

-------------------------------------------------

-> RECEIVE MESSAGE FROM NETWORK (10.1.1.221:5060 [UDP])

----------------------utf8-----------------------

SIP/2.0 401 Unauthorized

Date: Tue, 16 Apr 2013 13:34:00 GMT

Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY

From: sip:192.168.92.6;tag=0826088f187c9b904d7c365ae3dfe001

WWW-Authenticate: Digest realm="REALM", nonce="Kcxq15lrZKqPX+w+BBo+ItuC1IewGhNY", algorithm=MD5

Content-Length: 0

To: sip:10.1.1.221;tag=1531506407

Call-ID: 82eb2af540d5259ad744b4b84c991d7c@192.168.92.6

Via: SIP/2.0/UDP 192.168.92.6;branch=z9hG4bK0d7668c7097dfb6968204a2c76fef932

CSeq: 704884675 OPTIONS

-------------------------------------------------

-> SEND MESSAGE TO NETWORK (10.1.1.221:5060 [UDP]) (BUFF LEN = 602)

----------------------utf8-----------------------

OPTIONS sip:10.1.1.221 SIP/2.0

Accept: application/sdp

User-Agent: OmniPCX Enterprise R9.1

To: sip:10.1.1.221

From: sip:192.168.92.6;tag=0826088f187c9b904d7c365ae3dfe001

Contact: <192.168.92.6>

Call-ID: 82eb2af540d5259ad744b4b84c991d7c@192.168.92.6

CSeq: 704884676 OPTIONS

Max-Forwards: 70

Authorization: Digest username="cucmsip",realm="REALM",nonce="Kcxq15lrZKqPX+w+BBo+ItuC1IewGhNY",algorithm=MD5,uri="sip:10.1.1.221",response="715d454986a2588f3cb31731946ab11b"

Via: SIP/2.0/UDP 192.168.92.6;branch=z9hG4bKeaf44f4d016b44e514a355fc3fe5082f

Content-Length: 0

--

Ayodeji Okanlawon · ‎04-17-2013

The new OPTIONS request look okay with the correct credentials, the nonce, the algorithm and the response tag. I had a look on the cisco bug tool to see if there was a bug related to this, but I didnt find any. I suggest you contact TAC on this..

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"

Please rate all useful posts

Alexey Platov · ‎04-17-2013

Thanks a lot.