cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5911
Views
26
Helpful
20
Replies

SIP-UA Missing Header issue

Rizwan Haider
Level 1
Level 1

Hi,

 

we are trying to register Etisalat SIP via registrar dns:vims-siptrunk.etisalat.ae but getting 401 unauthorized from telco. They are saying we have to send another request with header including domain name, credentials and MD5 encryption. As per Etisalat, we are missing header. any one who did configuration from CUCM > 2900 voice gateway >> Telco ONT >> Telco.

 

sip-ua
credentials username +97142746222@ims.etisalat.ae password 7 1315062A1209337D6F realm ims.etisalat.ae
authentication username +97142746222@ims.etisalat.ae password 7 0103173C420E315865 realm ims.etisalat.ae
registrar dns:vims-siptrunk.etisalat.ae expires 3600

 

2 Accepted Solutions

Accepted Solutions

Suggest that you configure this with a tenant configuration instead as that a better way to do it. Below should be a good starting point for this, however it likely needs adoption to fit your specific needs.

voice class tenant 2000
  registrar dns:vims-siptrunk.etisalat.ae expires 3600
  credentials username +97142746222@ims.etisalat.ae password 7 1315062A1209337D6F realm ims.etisalat.ae
  authentication username +97142746222@ims.etisalat.ae password 7 1315062A1209337D6F
  no remote-party-id
  timers dns registrar-cache 95
  sip-server dns:vims-siptrunk.etisalat.ae
  connection-reuse
  audio forced
  bind control source-interface GigabitEthernet0/1
  bind media source-interface GigabitEthernet0/1
  no pass-thru content custom-sdp
  sip-profiles 10
  outbound-proxy dns:vims-siptrunk.etisalat.ae reuse
  early-offer forced
!
dial-peer voice 100 voip
 description Inbound calls from PSTN
 translation-profile incoming PSTN-IN
 session protocol sipv2
 incoming uri via PSTN
 voice-class codec 10  
 voice-class sip tenant 2000
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 110 voip
 description Outbound calls to PSTN
 translation-profile outgoing PSTN-OUT
 session protocol sipv2
 session server-group 2000
 destination e164-pattern-map 2000
 voice-class codec 10  
 voice-class sip tenant 2000
 voice-class sip options-keepalive profile 2000
 dtmf-relay rtp-nte
 no vad

In particular it is dropping the realm from the authentication as that is usually not needed and is known to cause issues.



Response Signature


View solution in original post

But be aware: which way to configure it, depends on the format of username in the Authentication header, recieved by provider (in the RE-REGISTER message from CUBE to provider):

  • If the provider wants the username delivered in the format "username" --> you can use Rogers config example
  • If the provider wants the username delivered in the format "username@domain" --> you need to use my config example

But maybe you are lucky and the provider supports both formats.

 

--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---

View solution in original post

20 Replies 20

Suggest that you configure this with a tenant configuration instead as that a better way to do it. Below should be a good starting point for this, however it likely needs adoption to fit your specific needs.

voice class tenant 2000
  registrar dns:vims-siptrunk.etisalat.ae expires 3600
  credentials username +97142746222@ims.etisalat.ae password 7 1315062A1209337D6F realm ims.etisalat.ae
  authentication username +97142746222@ims.etisalat.ae password 7 1315062A1209337D6F
  no remote-party-id
  timers dns registrar-cache 95
  sip-server dns:vims-siptrunk.etisalat.ae
  connection-reuse
  audio forced
  bind control source-interface GigabitEthernet0/1
  bind media source-interface GigabitEthernet0/1
  no pass-thru content custom-sdp
  sip-profiles 10
  outbound-proxy dns:vims-siptrunk.etisalat.ae reuse
  early-offer forced
!
dial-peer voice 100 voip
 description Inbound calls from PSTN
 translation-profile incoming PSTN-IN
 session protocol sipv2
 incoming uri via PSTN
 voice-class codec 10  
 voice-class sip tenant 2000
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 110 voip
 description Outbound calls to PSTN
 translation-profile outgoing PSTN-OUT
 session protocol sipv2
 session server-group 2000
 destination e164-pattern-map 2000
 voice-class codec 10  
 voice-class sip tenant 2000
 voice-class sip options-keepalive profile 2000
 dtmf-relay rtp-nte
 no vad

In particular it is dropping the realm from the authentication as that is usually not needed and is known to cause issues.



Response Signature


Hi Roger,

 

Thank you for your quick reply. we are running Version 15.2(4)M3. Voice class tenant command is not able to configure currently.

 

I will upgrade at least Cisco IOS 15.6(2)T onwards and will post here results.

 

regards,

For that platform I would recommend you to go for 15.7(3)M8.



Response Signature


Hi Roger,

 

Thanks for this.

 

There is a requirement of MD5 checksum also to be sent. Is the below configuration accommodating this?

Or, the below configuration also needed?

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/voi-cube-sip-tls.html?bookSearch=true#task_2ED64664C3684347A1A4F6BED1FE298D

 


With best regards...
Ashok

That is for TLS. That's not related to registration, it's media encryption. That's a completely different thing. What specifically is it the SP wants to use MD5 for? It does not sound like it would be for TLS, but for the registration challenge.



Response Signature


What @Roger Kallberg mentioned, is sending the Authentication Header in the REGISTER message. This header then includes the MD5 algorithm.

What you mean with the link, is how to configure SIP over TLS. So two different things here.

 

AFAIK there is currently no possibility to force CUBE to already send the Authentication header in the initial REGISTER message (from CUBE to Provider).

CUBE only adds the Authentication Header, after it gets challenged by the Provider with a "401 Unauthorized" or "407 Proxy Authentication Required".

This is called "Digest Authentication"

 

SIP diagramm.png

And also the recommendation from my side:

Always use tenant configuration.

  • It's more scalable (if you have more than one provider connected to 1 CUBE)
  • It's needed when SRST is co-located on the same CUBE
  • It's how CUBE is configured these days (SIP trunk registration isn't done in SIP-UA anymore)

--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---

Hi Roger,

 

You have mentioned sip-profiles 10 under voice class tenant 2000. can you please define sip-profile template where we have to send header with domain name, credentials and MD5 encryption. 

 

Thanks.

That's not what the SIP profile is used for, I took the config of one of our SBC's that is using registrations. You can disregard that part.

For reference only this is what that SIP profile would look like. You can not take that straight off if you where to use it.

voice class sip-profiles 10
 request INVITE sip-header SIP-Req-URI modify "<SP IP>" "<SP domain>" 
 request ANY sip-header From modify "<SBC internal IP>" "<SBC external IP>" 
 request ANY sip-header From modify "From:(.*)(<sip:.*@).*>" "From: \2<SP domain>>" 
 response ANY sip-header From modify "From:(.*)(<sip:.*@).*>" "From: \2<SP domain>>" 
 request INVITE sip-header To modify "To:(.*)(<sip:.*@).*>" "To: \2<SP domain>>" 
 request ANY sip-header To modify "To:(.*)(<sip:.*@).*>" "To: \2<SP domain>>" 
 response ANY sip-header To modify "To:(.*)(<sip:.*@).*>" "To: \2<SP domain>>" 
 request ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@).*>" "Remote-Party-ID: \2<SP domain>>" 
 response ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@).*>" "Remote-Party-ID: \2<SP domain>>" 


Response Signature


The sip-profile, that @Roger Kallberg mentioned was just included in his example configuration. You can just skip it or configure a profile, depending on the requirements that you have.

 

What you mean with "we have to send header with domain name"? Which domain should be included in which header?

Do you have an example REGISTER message, how it currently looks like and how it should look like?

 

For "credentials and MD5 encryption" see my other reply.

 

--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---

Hi Winter,

 

please find attached reference snapshot with successful SIP registrar registration from another brand but same Telco connection type.

 

Hope it clear to make sample template.

 

thanks.

Do you also have a log about the SIP messages that you are currently sending / receiving?

 

--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---

Hi,

 

These are captured before but results are same in attached file. 

I checked the logs:

Seeing this error message from the provider in the answer:

 

 

*Dec 5 11:51:02.599: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 400 Bad Request
Via: SIP/2.0/UDP 10.221.223.72:5060;branch=z9hG4bK17FE9C
Call-ID: 680BF099-54F811EC-86B4E035-89621916
From: <sip:anonymous@anonymous>
To: <sip:anonymous@anonymous>;tag=cpjcod5z
CSeq: 2 REGISTER
Warning: 399 10.238.70.201 "SS280000F1048642L11603179[00000] From header absent or undecipherable",399 10.238.70.201 "SS280000F1048642L16911595[00000] To header absent or undecipherable"
Content-Length: 0

 

Your Register message looks like this:

*Dec  5 11:51:02.595: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent: 
REGISTER sip:vims-siptrunk.etisalat.ae:5060 SIP/2.0
Via: SIP/2.0/UDP 10.221.223.72:5060;branch=z9hG4bK17FE9C
From: <sip:+97142746222@ims.etisalat.ae@vims-siptrunk.etisalat.ae>;tag=1D3778-C9E
To: <sip:+97142746222@ims.etisalat.ae@vims-siptrunk.etisalat.ae>
Date: Sun, 05 Dec 2021 11:51:02 GMT
Call-ID: 680BF099-54F811EC-86B4E035-89621916
User-Agent: Cisco-SIPGateway/IOS-15.2.4.M3
Max-Forwards: 70
Timestamp: 1638705062
CSeq: 2 REGISTER
Contact:<sip:+97142746222@ims.etisalat.ae@10.221.223.72:5060>
Expires:  3600
Supported: path
Content-Length: 0

You have double domain in your headers.

Change the credential command to the following:

credentials number +97142746222 username +97142746222@ims.etisalat.ae password 7 1315062A1209337D6F realm ims.etisalat.ae

--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---

Or possibly change it to this

voice class tenant 2000
  credentials username +97142746222 password 7 1315062A1209337D6F realm ims.etisalat.ae
  authentication username +97142746222 password 7 1315062A1209337D6F


Response Signature