Cisco Cube and Genesys CX - Setup TLS connection

MiB
Level 1

Hi all,

I'm trying to configure a trunk between my Cisco CUBEs (ISR4431) and Genesys Cloud for a new implementation.

Has anybody taken on this challenge?

It works with SIP/RTP and SIP/SRTP, but when I switch to SIP with TLS it fails.

The TLS handshake between CUBE and Genesys is completed and the CUBE sends an INVITE to Genesys, but there is no response to it; the TLS connection is closed from the Genesys side. Conversely, for a call from Genesys Cloud, I can see the TLS handshake in the pcap at my CUBE, but I don't get any data from there after TLS is completed.

Unfortunately, the Genesys colleagues have almost no information and access to the system, as it is a cloud service.

(Their service partner looks like they don't have a clue either.)

I run 17.06.03a on the CUBE; TLS to CUCM works fine.

Maybe someone has implemented this successfully.

Thanks

 

 

 


b.winter
VIP

Do you see open TLS connections towards Genesys in "show sip-ua connections tcp tls details"?
Can you post a full output of "debug ccsip all" and also the running config (without sensitive data like username, password, enable secret, ...)?

Can you please share the configuration that you made in the CUBE to establish the trunk with Genesys PureCloud? Thank you.

MiB
Level 1

Yes, I see the TLS connection; I see a successful handshake in the pcap on the CUBE's interface.

TAC confirmed that the TLS connection is fine.

Genesys doesn't reply to an INVITE for my site; they don't send any SIP, so Genesys should step in with troubleshooting assistance.

Unfortunately, we don't get anything useful from Genesys support. They ask us to check our firewall .......

 

If the TLS is up and running, then you can only assume that the SIP INVITE gets to the other side. As it is encrypted, you won't see it in any pcap trace.
And if the other side is not very helpful, then you are ...

Have you asked if the platform is answering SIP OPTIONS ping? If yes, you could use that to check whether the platform is at least answering to something.
It doesn't automatically mean that they then answer your SIP INVITE, as the message or some headers could be in the wrong format. But then they need to provide you the info on what the INVITE needs to look like.

No, they don't answer to OPTIONS ping.

We see that they terminate TLS by sending RST.

But we got an answer from Genesys Support. Quote: "While working with my colleague he reminded me that we have seen very similar behavior from a Cube in the past. The previous customer was able to take their captures to Cisco and Cisco was able to identify an issue. The fix Cisco recommended may not be universal to all cubes or environment so I won't mention what the fix was here."

We have seen this before - but I don't tell you more about this - ..... unbelievable

 

Add: IOS is now 17.6.4

(17.6.3 has defect CSCwb40096 Extra "+" getting added in Outgoing Invite in Contact/FROM/PAI header no. )

If they don't provide any info about how to interconnect with them, then it's just trial and error.

MiB
Level 1

I opened a TAC case and got one of the best TAC engineers - he found a solution.

The issue is affected by packet size, so we can fix it with ip tcp mss 1400 or/and ip tcp path-mtu-discover
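The symptom pattern in this thread (small TLS handshake segments get through, the larger segment carrying the INVITE is never acknowledged, a smaller TCP MSS cures it) can be checked in a capture summary. The following is an added example, not part of the original posts and not Cisco or Genesys code; the segment list is constructed sample data and the function names are hypothetical.

```python
from collections import Counter

IP_TCP_HEADERS = 40  # IPv4 header (20) + TCP header (20), no options

# Constructed sample: outbound TCP payloads seen on the CUBE side of one
# connection, as (relative_seq, payload_len) in send order, plus the
# cumulative ACK numbers received from the far end.
SENT = [(1, 517), (518, 126), (644, 1460), (2104, 212),
        (644, 1460), (644, 1460), (644, 1460)]
ACKS = [518, 644, 644, 644]


def analyse(sent, acks):
    """Flag a flow where small segments are ACKed but a large one never is."""
    highest_ack = max(acks, default=1)
    tx_count = Counter(sent)  # how often each (seq, len) segment was sent
    delivered = [ln for (seq, ln) in tx_count if seq + ln <= highest_ack]
    # The segment starting at the first un-ACKed byte is what the peer lacks.
    blocker = next((s for s in tx_count if s[0] == highest_ack), None)
    if blocker is None:
        return {"suspect": False}
    largest_ok = max(delivered, default=0)
    return {
        # Repeated retransmission of a segment bigger than anything that was
        # ever delivered points at size-dependent loss on the path.
        "suspect": tx_count[blocker] >= 3 and blocker[1] > largest_ok,
        "largest_delivered_payload": largest_ok,
        "blocked_payload": blocker[1],
        "blocked_ip_packet": blocker[1] + IP_TCP_HEADERS,
        "transmissions": tx_count[blocker],
    }


def resegment(total_bytes, mss):
    """Payload sizes the same byte stream is cut into with a clamped MSS."""
    full, rest = divmod(total_bytes, mss)
    return [mss] * full + ([rest] if rest else [])


if __name__ == "__main__":
    print(analyse(SENT, ACKS))
    print(resegment(1460 + 212, 1400))  # same bytes with an MSS of 1400
```

With an MSS of 1400 the largest IPv4 packet on the wire is 1440 bytes instead of 1500, which is why the clamp helps when something on the path drops full-size packets.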

 

This is a hell of a finding. Great work (y).

Hello MIB, I'm trying to set up TLS between CUBE and Genesys. Could you please share the configuration that you used in CUBE?

Hi MIB,

I am trying to enable TLS on my connection between my CUBE and Genesys Cloud. Could you share your experience please?

Thanks.

alisha_rascon01
Level 1

Setting up a TLS (Transport Layer Security) connection between Cisco Cube and Genesys CX involves configuring both systems to use secure communication. Here's a general guide on how you can achieve this:

Cisco Cube TLS Configuration:

1. Generate Certificates:

- Obtain or generate X.509 certificates for the Cisco Cube. You may use a certificate authority (CA) to sign these certificates.

2. Upload Certificates to Cisco Cube:

- Upload the generated certificates (public and private key) to the Cisco Cube.

- Use the following commands on the Cisco Cube:

voice service voip
 tls srtp
 certificate <certificate_name> [password <password>]

3. Configure SIP TLS on Cisco Cube:

- Enable SIP TLS on the Cisco Cube using the following commands:

voice service voip
 sip
  bind control source-interface <interface_name>
  tls bind source-interface <interface_name>

4. Define SIP Profile:

- Define a SIP profile that uses TLS. Example:

voice class sip-profiles 1
 request ANY sip-header Via modify "<sip_profile_name>"

5. Apply SIP Profile:

- Apply the SIP profile to your voice service configuration:

voice service voip
 sip
  sip-profiles 1

eljose_lol
Level 1

Hello MIB, I'm trying to set up TLS between CUBE and Genesys. Could you please share the configuration that you used in CUBE?