05-31-2024 04:51 AM
Hello,
I am trying to establish a TLS SIP trunk to my ITSP.
The ITSP has a bit of an odd setup in that I need to send outbound calls to one peer IP but I receive calls from them on a different IP.
The outbound part seems to work fine with TLS enabled.
However, incoming calls don't work at all. I don't get any SIP debug when I try to make an inbound test call. The only thing I get in the log is:
%SIP-2-TLS_HANDSHAKE_FAILED: TLS handshake failure - remote_addr=X.X.X.X
I followed this very useful post on generating a CSR to get a public signed cert onto my device:
Creating a CSR, Authenticating a CA and Enrolling Certificates on IOS XE - Cisco Community
I also uploaded the root CA provided by the signing authority from my ITSP as a trust point.
I should add that if I turn off TLS then it all seems to work OK, so I know my network side is all good.
Any ideas much appreciated.
05-31-2024 06:50 AM
Hi @mmoulson2,
A TLS handshake error is mostly related to the certificates installed on the router and to communication with the peer address. Are the firewall ports open for incoming traffic to this CUBE router?
Also, I don't see the "SRTP" command under dial peer 1, which is ingress from the ITSP:
dial-peer voice 1 voip
description *** Ingress from ITSP***
session protocol sipv2
session transport tcp tls
incoming uri via FromISTP
incoming uri from FromISTP
dtmf-relay rtp-nte
codec g711ulaw
ip qos dscp cs3 signaling
no vad
Try the command "show crypto pki certificates", make sure the certificates are showing correctly, and provide the output of the debug commands below:
debug crypto pki messages
debug crypto pki transactions
debug ssl openssl msg
debug ssl openssl states
debug ip tcp transactions
05-31-2024 05:03 AM
Why don't you post the config as a starting point? (Which you could have included in your OP already^^).
05-31-2024 05:16 AM - edited 05-31-2024 05:18 AM
05-31-2024 05:31 AM - edited 05-31-2024 05:32 AM
Because for every problem there is always just one solution ... "TLS issue? Oh yes, this must exactly be this problem and here is the only solution." ^^
Stupid question: how is anybody supposed to be able to help you with this text snippet?!
You have a TLS problem to / from certain IPs, but you clear every IP out of your config or log snippets.
Are you sure you want help? Or are you just a troll?
If you don't want to / or cannot provide valuable info, I'm out.
05-31-2024 06:13 AM
I provided what I could given the sensitivity of information on the internet. I apologise if that is not sufficient to provide any assistance.
I was hoping someone would see the error message and make a suggestion as to the reason.
I find your tone and the accusation that I am a troll totally unnecessary.
05-31-2024 07:30 AM
Thank you Vaijanath, it was a certificate problem.
The debug showed me:
CRYPTO_PKI: Can't find signature certificate for trustpoint (zerossl)
CRYPTO_PKI: Done with local cert chain fetch 18.
CRYPTO_OPSSL: Can't find router cert.
The "show crypto pki certificates" showed that the CA cert was uploaded rather than the device certificate.
To fix it I did:
crypto pki authenticate <tp name>
And pasted the CA root.
Then:
crypto pki import <tp name> certificate
And pasted the device cert.
My inbound calls are now working as expected.
You are correct with the SRTP on the dial peer, the ITSP advised we turn that off during the troubleshooting. I will get that turned back on now as well.
Many thanks for your time and advice.
05-31-2024 07:37 AM
Hi @mmoulson2,
Good to hear your issue is resolved.