
TLS handshake failure CUBE to ITSP

mmoulson2
Level 1

Hello,

I am trying to establish a TLS SIP trunk to my ITSP.

The ITSP has a bit of an odd setup in that I need to send outbound calls to one peer IP, but I receive calls from them on a different IP.

The outbound part seems to work fine with TLS enabled.

However, incoming calls don't work at all. I don't get any SIP debug when I try to make an inbound test call. The only thing I get in the log is:
%SIP-2-TLS_HANDSHAKE_FAILED: TLS handshake failure - remote_addr=X.X.X.X

I followed this very useful post on generating a CSR to get a public signed cert onto my device:
Creating a CSR, Authenticating a CA and Enrolling Certificates on IOS XE - Cisco Community
I also uploaded the root CA provided by the signing authority from my ITSP as a trustpoint.

I should add that if I turn off TLS then it all seems to work OK, so I know my network side is all good.

Any ideas much appreciated.

1 Accepted Solution (the reply from Vaijanath Sonvane below)

7 Replies

b.winter
VIP

Why don't you post the config as a starting point? (Which you could have included in your OP already^^).

mmoulson2
Level 1

Sorry, I was being lazy and trying to avoid having to do a sanitized version of the config! I was hoping someone would see the post and come up with some gotcha!

Attached.

Because for every problem there is always just one solution ... "TLS issue? Oh yes, this must exactly be this problem and here is the only solution." ^^

Stupid question: how is anybody supposed to be able to help you with this text snippet?!
You have a TLS problem to / from certain IPs, but you clear every IP out of your config or log snippets.

Are you sure you want help? Or are you just a troll?

If you don't want to / or cannot provide valuable info, I'm out.

I provided what I could given the sensitivity of information on the internet. I apologise if that is not sufficient for anyone to provide any assistance.

I was hoping someone would see the error message and make a suggestion as to the reason.

I find your tone and the accusation that I am a troll totally unnecessary.

Vaijanath Sonvane
VIP Alumni

Hi @mmoulson2,

A TLS handshake error is mostly related to the certificates installed on the router and communication to the peer address. Are the firewall ports opened for incoming traffic to this CUBE router?

Also, I don't see the "srtp" command under dial-peer 1, which is the ingress from the ITSP:

dial-peer voice 1 voip
 description *** Ingress from ITSP***
 session protocol sipv2
 session transport tcp tls
 incoming uri via FromISTP
 incoming uri from FromISTP
 dtmf-relay rtp-nte
 codec g711ulaw
 ip qos dscp cs3 signaling
 no vad

Try the command "show crypto pki certificates", make sure the certificates are showing correctly, and provide the output of the debug commands below:

debug crypto pki messages
debug crypto pki transactions
debug ssl openssl msg
debug ssl openssl states
debug ip tcp transactions

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.

Thank you Vaijanath, it was a certificate problem.

The debug showed me:
CRYPTO_PKI: Can't find signature certificate for trustpoint (zerossl)
CRYPTO_PKI: Done with local cert chain fetch 18.
CRYPTO_OPSSL: Can't find router cert.
The "show crypto pki certificates" showed that the CA cert was uploaded rather than the device certificate.

To fix it I did:

crypto pki authenticate <tp name>

And pasted the CA root.

Then:

crypto pki import <tp name> certificate

And pasted the device cert.

My inbound calls are now working as expected.

You are correct about the SRTP on the dial-peer; the ITSP advised we turn that off during troubleshooting. I will get that turned back on now as well.

Many thanks for your time and advice.
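
The mistake resolved above (the CA certificate pasted where the device certificate belongs) can be caught before anything is pasted into the router. The script below is an added example and is not part of the thread or any Cisco tooling: it builds a small lab PKI with openssl (constructed stand-ins for the ITSP's CA and the CUBE's trustpoint key pair; the file names and subjects are assumptions) and then classifies a PEM file as the device certificate for the router's key, the CA certificate, a certificate for some other key, or a certificate that does not chain to the trustpoint CA. The CA-cert case is exactly what "CRYPTO_OPSSL: Can't find router cert" was reporting after the fact. It requires openssl on the workstation; on the router itself, "show crypto pki certificates" listing a "CA Certificate" entry but no "Certificate" entry under the trustpoint is the same symptom.

```shell
#!/bin/sh
# Added example (not from the thread): classify a PEM before pasting it into
# "crypto pki import <tp name> certificate". Everything here is a constructed
# lab PKI so the script runs offline; names and subjects are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-ins: a root CA for the ITSP's CA, a router key + CSR for
# the CUBE trustpoint, the signed device cert, and an unrelated key/cert pair.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Lab Root CA" -days 365 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout router.key -out router.csr \
  -subj "/CN=cube.example.net" >/dev/null 2>&1
openssl x509 -req -in router.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out router.pem -days 365 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
  -subj "/CN=unrelated" -days 365 >/dev/null 2>&1

# SHA-256 fingerprint of a certificate file.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# True if CERT validates against CA: what the SIP peer checks in the handshake.
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# True if CERT's public key is the public half of KEY, i.e. CERT was issued
# on a CSR generated from this trustpoint's key pair.
key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# classify CERT KEY CA -> untrusted | ca-cert | wrong-key | device-cert
classify() {
  cert=$1; key=$2; ca=$3
  if ! chains_to_ca "$cert" "$ca"; then
    echo untrusted; return 0
  fi
  # The thread's actual mistake: the trustpoint CA (or another CA) pasted as
  # the device cert. That file belongs to "crypto pki authenticate" instead.
  if [ "$(fingerprint "$cert")" = "$(fingerprint "$ca")" ] \
     || openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
    echo ca-cert; return 0
  fi
  if ! key_matches "$cert" "$key"; then
    echo wrong-key; return 0
  fi
  echo device-cert
}

# Stand-alone demonstration of all four outcomes.
for f in router.pem ca.pem other.pem; do
  printf '%-28s %s\n' "$f" "$(classify "$f" router.key ca.pem)"
done
printf '%-28s %s\n' "router.pem (vs other.key)" "$(classify router.pem other.key ca.pem)"
```

Only "device-cert" is safe to paste at the "crypto pki import" prompt; "ca-cert" goes to "crypto pki authenticate", "wrong-key" means the CSR was generated from a different key pair than the one the trustpoint holds, and "untrusted" means the CA you authenticated is not the one that signed the certificate.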

Vaijanath Sonvane
VIP Alumni

Hi @mmoulson2,

Good to hear your issue is resolved.

Thanks, Vaijanath S.