cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
519
Views
2
Helpful
7
Replies

TLS handshake failure CUBE to ITSP

mmoulson2
Level 1
Level 1

Hello,

I am trying to establish a TLS SIP trunk to my ITSP.

The ISTP have a bit of an odd setup in that I need to send outbound calls to one peer IP but I receive calls from them on a different IP.

The outbound part seems to work fine with TLS enabled.

However incoming calls don't work at all. I don't get any SIP debug when I try to make an inbound test call. The only thing I get in the log is:
%SIP-2-TLS_HANDSHAKE_FAILED: TLS handshake failure - remote_addr=X.X.X.X

I followed this very useful post on generating a CSR to get a public signed cert onto my device:
Creating a CSR, Authenticating a CA and Enrolling Certificates on IOS XE - Cisco Community
I also uploaded the root CA provided by the signing authority from my ITSP as a trust point.

I should add that is I turn off TLS then it all seems to work OK so I know my network side is all good.

Any ideas much appreciated.

 

1 Accepted Solution

Accepted Solutions

Vaijanath Sonvane
VIP Alumni
VIP Alumni

Hi @mmoulson2,

TLS handshake error is mostly related to certificates installed on the router and communication to peer address. Are the firewall ports opened for incoming traffic to this CUBE router? 

Also, I don't see "SRTP" command under dial peer 1 which is ingress from ITSP:

dial-peer voice 1 voip
 description *** Ingress from ITSP***
 session protocol sipv2
 session transport tcp tls
 incoming uri via FromISTP
 incoming uri from FromISTP
 dtmf-relay rtp-nte
 codec g711ulaw
 ip qos dscp cs3 signaling
 no vad

Try this command "show crypto pki certificates" and make sure certificates are showing correctly and provide the output of below debug commands:

debug crypto pki messages
debug crypto pki transactions
debug ssl openssl msg
debug ssl openssl states
debug ip tcp transactions

 

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.

View solution in original post

7 Replies 7

b.winter
VIP
VIP

Why don't you post the config as a starting point? (Which you could have included in your OP already^^).

mmoulson2
Level 1
Level 1

Sorry being lazy and trying to avoid having to do a sanitized version of the config! I was hoping someone would see the post and come up with some gotcha!

Attached.

Because for every problem there is always just one solution ... "TLS issue? Oh yes, this must exactly be this problem and here is the only solution." ^^

Stupid question: How should anybody be possible to help you with this text-snippet?!
You have a TLS problem to / from certain IPs, but you clear every IP out of your config or log snippets.

Are you sure you want help? Or are you just a troll?

If you don't want to / or cannot provide valuable info, I'm out.

I provided what I could given the sensitivity of information on the internet. I apologies if that is not sufficient to provide any assistance.

I was hoping someone would see the error message and make a suggestion as to the reason.

I find your tone and the accusation that I am a troll totally unnecessary.

Vaijanath Sonvane
VIP Alumni
VIP Alumni

Hi @mmoulson2,

TLS handshake error is mostly related to certificates installed on the router and communication to peer address. Are the firewall ports opened for incoming traffic to this CUBE router? 

Also, I don't see "SRTP" command under dial peer 1 which is ingress from ITSP:

dial-peer voice 1 voip
 description *** Ingress from ITSP***
 session protocol sipv2
 session transport tcp tls
 incoming uri via FromISTP
 incoming uri from FromISTP
 dtmf-relay rtp-nte
 codec g711ulaw
 ip qos dscp cs3 signaling
 no vad

Try this command "show crypto pki certificates" and make sure certificates are showing correctly and provide the output of below debug commands:

debug crypto pki messages
debug crypto pki transactions
debug ssl openssl msg
debug ssl openssl states
debug ip tcp transactions

 

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.

Thank you Vaijanath it was a certificate problem.

The debug showed me:
CRYPTO_PKI: Can't find signature certificate for trustpoint (zerossl)
CRYPTO_PKI: Done with local cert chain fetch 18.
CRYPTO_OPSSL: Can't find router cert.
The "show crypto pki certificates" showed that the CA cert was uploaded rather than the device certificate.

To fix it I did:

crypto pki authenticate <tp name>

And pasted the CA root.

Then:

crypto pki import <tp name> certificate

And pasted the device cert.

My inbound calls are now working as expected.

You are correct with the SRTP on the dial peer, the ITSP advised we turn that off during the troubleshooting. I will get that turned back on now as well.

Many thanks for your time and advise.

Vaijanath Sonvane
VIP Alumni
VIP Alumni

Hi @mmoulson2,

Good to hear your issue is resolved.

 

 

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.