08-10-2011 10:22 AM - edited 03-07-2019 01:38 AM
Hi everybody,
I've an issue with an UC540 behind a Cisco Router 877 with NAT.
The topology is like this:
INTERNET (SIP Provider) <--NAT--> Router 877 <--> UC540 <--> LAN
I performing NAT from inside to the outside. I've no problem to make calls from internal phones but I cannot receive any calls from the SIP trunk. After a debug ip nat sip on the 877 I've seen this error:
007413: Aug 10 16:09:25.248: NAT: SIP: [1] processing SIP/2.0 401 Unauthorized message
On the UC540 I also have seen this message:
001045: //-1/503429BD80FD/SIP/Error/sact_idle_new_message_invite: Invalid URL in incoming INVITE
After some research on the WEB I've found that the problem is because the UC540 see in the "From" field of the INVITE message a different address (it should be the same of the SIP Provider to which the UC540 is registered, in this case voip.eutelia.it)....
I've the following rules of NAT on the 877 for SIP:
ip nat inside source static tcp UC540_WAN_IP 5060 MY_PUBLIC_IP 5060 extendable
ip nat inside source static udp UC540_WAN_IP 5060 MY_PUBLIC_IP 5060 extendable
My config on the UC is:
sip-ua
credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it
credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it
credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it
credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it
credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it
credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it
credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it
no remote-party-id
retry invite 2
retry register 10
timers connect 100
registrar dns:voip.eutelia.it expires 3600
sip-server dns:voip.eutelia.it
host-registrar
!
and after:
voice service voip
ip address trusted list
ipv4 0.0.0.0 0.0.0.0
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
sip
registrar server expires max 3600 min 3600
localhost dns:voip.eutelia.it
outbound-proxy dns:voip.eutelia.it
no update-callerid
sip-profiles 1000
!
voice class sip-profiles 1000
request ANY sdp-header Connection-Info remove
response ANY sdp-header Connection-Info remove
!
How I can resolve this issue? There is some tests that I can perform to isolate the problem?
Thanks in advance.
08-10-2011 11:23 AM
Hi, to start you are best off running a ccsip debug making an inbound call and posting the result here.
Quick question, take a look at the debug and you should see an invite:
Received:
INVITE sip:44xxxxxxx@192.168.xxx.xxx:5060 SIP/2.0
What is the IP in the invite?
Also take a look at the debug and see if you can find other IP address and question what they are and are they correct. Speak to the provider and ask them what IP address you should be trusting, maybe you need permit in the access list.
HTH
Craig.
08-10-2011 12:14 PM
Hi Craig,
Thanks for the answer.
I already have done a debug ccsip message, debug ccsip error but now I'm out of office so I can paste it here. However in the INVITE I see:
INVITE sip:xxxxxxx@voip.eutelia.it:5060 SIP/2.0
I think that this is correct beacuse this means that the 877 correctly forward the INVITE with the correct "From" field.
I already know that the SIP Provider make the inbound calls with differents IP Address (and not with the same to which the UC is registered) and this is why I've the :
ip address trusted list
ipv4 0.0.0.0 0.0.0.0
in the confiugration. This means that the UC can accept an INVITE from all IP addresses.
Is this correct? I also have read in the previuos search that this is a NAT issue...
Do you have other suggestions?
Thanks.
08-10-2011 02:59 PM
Hi Stefano,
It would be easier to use CCA to configure the SIP trunk side of things, and you may need to add in there more IP not just the one that resolves to the SIP URI, SBC's can be clustered and thus come from different IP's the Cisco will have issues with this unless it recognizes them.
Have a look at this image, this section is located in the following place: Ports & Trunks >> Sip Trunks>> Advanced tab and then click ADD to add a new IP address.
At one stage I had a few IP addresses, the one I have listed is the secondary that my ITSP has if the first SBC has issues, or load balancing kicks in.
Give that a try and see if it resolves it
Cheers,
David.
08-14-2011 09:35 AM
Hi David,
I've tried your suggestion but without result. I've configured the UC540 only with the CCA 3.1 but I have had the same result. I post some debug results with the hope that someone can help me:
1) This is the debug ip nat sip on the first router (877)
[cut]
001775: Aug 14 16:18:36.035: NAT: SIP: Contact header found
001776: Aug 14 16:18:36.035: NAT: SIP: Trying to find expires parameter
001777: Aug 14 16:18:36.035: NAT: SIP: [1] register:0 door_created:0
001778: Aug 14 16:18:36.039: NAT: SIP: [1] message body found
001779: Aug 14 16:18:36.039: NAT: SIP: Media Lines present:1
001780: Aug 14 16:18:36.039: NAT: SIP: Translated m= (83.211.227.13, 58288) -> (83.211.227.13, 58288)
001781: Aug 14 16:18:36.039: NAT: SIP: old_sdp_len:417 new_sdp_len :417
001782: Aug 14 16:18:36.047: NAT: SIP: [0] processing SIP/2.0 400 Bad Request - 'Invalid Host' message
001783: Aug 14 16:18:36.047: NAT: SIP: [0] register:0 door_created:0
001784: Aug 14 16:18:36.047: NAT: SIP: [0] register:0 door_created:0
001785: Aug 14 16:18:36.047: NAT: SIP: [0] register:0 door_created:0
001786: Aug 14 16:18:36.051: NAT: SIP: [0] register:0 door_created:0
001787: Aug 14 16:18:36.103: NAT: SIP: [1] processing ACK message
001788: Aug 14 16:18:36.103: NAT: SIP: [1] register:0 door_created:0
001789: Aug 14 16:18:36.103: NAT: SIP: [1] register:0 door_created:0
001790: Aug 14 16:18:36.103: NAT: SIP: [1] register:0 door_created:0
001791: Aug 14 16:18:36.335: NAT: SIP: [1] processing INVITE message
001792: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0
001793: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0
001794: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0
001795: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0
001796: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0
001797: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0
001798: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0
001799: Aug 14 16:18:36.335: NAT: SIP: Contact header found
001800: Aug 14 16:18:36.335: NAT: SIP: Trying to find expires parameter
001801: Aug 14 16:18:36.339: NAT: SIP: [1] register:0 door_created:0
001802: Aug 14 16:18:36.339: NAT: SIP: [1] message body found
001803: Aug 14 16:18:36.339: NAT: SIP: Media Lines present:1
001804: Aug 14 16:18:36.339: NAT: SIP: Translated m= (83.211.227.11, 53494) -> (83.211.227.11, 53494) <-- this is the IP from the SIP Server?
001805: Aug 14 16:18:36.339: NAT: SIP: old_sdp_len:417 new_sdp_len :417
001806: Aug 14 16:18:36.347: NAT: SIP: [0] processing SIP/2.0 400 Bad Request - 'Invalid Host' message
001807: Aug 14 16:18:36.347: NAT: SIP: [0] register:0 door_created:0
001808: Aug 14 16:18:36.347: NAT: SIP: [0] register:0 door_created:0
001809: Aug 14 16:18:36.347: NAT: SIP: [0] register:0 door_created:0
001810: Aug 14 16:18:36.347: NAT: SIP: [0] register:0 door_created:0
001811: Aug 14 16:18:36.399: NAT: SIP: [1] processing ACK message
001812: Aug 14 16:18:36.403: NAT: SIP: [1] register:0 door_created:0
001813: Aug 14 16:18:36.403: NAT: SIP: [1] register:0 door_created:0
001814: Aug 14 16:18:36.403: NAT: SIP: [1] register:0 door_created:0
001815: Aug 14 16:18:36.599: NAT: SIP: [1] processing INVITE message
001816: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0
001817: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0
001818: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0
001819: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0
001820: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0
001821: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0
001822: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0
001823: Aug 14 16:18:36.599: NAT: SIP: Contact header found
001824: Aug 14 16:18:36.599: NAT: SIP: Trying to find expires parameter
001825: Aug 14 16:18:36.603: NAT: SIP: [1] register:0 door_created:0
001826: Aug 14 16:18:36.603: NAT: SIP: [1] message body found
001827: Aug 14 16:18:36.603: NAT: SIP: Media Lines present:1
001828: Aug 14 16:18:36.603: NAT: SIP: Translated m= (62.94.199.34, 51122) -> (62.94.199.34, 51122) <-- This is another IP Address from the SIP Server ?
001829: Aug 14 16:18:36.603: NAT: SIP: old_sdp_len:414 new_sdp_len :414
001830: Aug 14 16:18:36.611: NAT: SIP: [0] processing SIP/2.0 400 Bad Request - 'Invalid Host' message
001831: Aug 14 16:18:36.615: NAT: SIP: [0] register:0 door_created:0
2) This is the debug ccsip error on the UC540
003077: //-1/xxxxxxxxxxxx/SIP/Error/sipSPI_validate_own_ip_addr: ReqLine IP addr does not match with host IP addr
003078: //-1/4FBCB7E28046/SIP/Error/sact_idle_new_message_invite: Invalid URL in incoming INVITE
3) This is the debug ccsip message on the UC540
003079: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:xxxxxxxx@87.30.226.13:64043 SIP/2.0
Record-Route: <83.211.227.21>83.211.227.21>
Via: SIP/2.0/UDP 83.211.227.21;branch=z9hG4bK63f6.99aac1.1
Via: SIP/2.0/UDP 195.62.226.4:5060;rport=62153;received=195.62.226.4;x-route-tag="tgrp:Slot6";branch=z9hG4bK2A90B8F725
From:
To: <>>xxxxxxxx@voip.eutelia.it>
Call-ID: 92743698-C5C911E0-9987A52A-99A453FB@195.62.226.4
User-Agent: Cisco-SIPGateway/IOS-12.x
CSeq: 101 INVITE
Max-Forwards: 9
Remote-Party-ID:
Contact:
Expires: 180
Allow-Events: telephone-event
Content-Type: application/sdp
Content-Length: 415
P-hint: 2 Niente 2
v=0
o=CiscoSystemsSIP-GW-UserAgent 5240 2172 IN IP4 195.62.226.4
s=SIP Call
c=IN IP4 62.94.199.35
t=0 0
m=audio 53882 RTP/AVP 18 8 0 4 3 125 101
c=IN IP4 62.94.199.35
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=yes
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:4 G723/8000
a=fmtp:4 bitrate=5.3;annexa=no
a=rtpmap:3 GSM/8000
a=rtpmap:125 X-CCD/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
003082: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 400 Bad Request - 'Invalid Host'
Via: SIP/2.0/UDP 83.211.227.21;branch=z9hG4bK63f6.99aac1.1,SIP/2.0/UDP 195.62.226.4:5060;rport=62153;received=195.62.226.4;x-route-tag="tgrp:Slot6";branch=z9hG4bK2A90B8F725
From:
To: <>>xxxxxxxxx@voip.eutelia.it>;tag=508E810-1011
Date: Sun, 14 Aug 2011 16:29:40 GMT
Call-ID: 92743698-C5C911E0-9987A52A-99A453FB@195.62.226.4
CSeq: 101 INVITE
Allow-Events: telephone-event
Reason: Q.850;cause=100
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0
003083: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
ACK sip:xxxxxxxxxx@87.30.226.13:64043 SIP/2.0
Via: SIP/2.0/UDP 83.211.227.21;branch=z9hG4bK63f6.99aac1.1
From:
Call-ID: 92743698-C5C911E0-9987A52A-99A453FB@195.62.226.4
To:
CSeq: 101 ACK
Max-Forwards: 70
User-Agent: SPS EUT RM GW 01
Content-Length: 0
Thanks in advance.
08-14-2011 11:08 PM
Hi Stafano,
It is at this point I need to ask if you could please post the running configuration of both the UC and the 800 series router, please make sure all sensitive information is either removed or replaced with some "XXXX's"
Something is not right there is a mismatch between the UC and the 800 series router and also what the ITSP is providing, those debugs are not enough for me to work of, although someone else might be able to.
Cheers,
David.
08-19-2011 09:08 AM
Hi David,
thanks for your help.
I send you the UC540 (cutted in some parts) and the 877 config files.
I remeber you that the topology is:
INTERNET <---- ADSL ---> (WAN IF: STATIC PUBLIC IP) Cisco 877 (192.168.75.1) <------> (WAN: 192.168.75.254) UC540 (192.168.200.1) ---> (192.168.200.0/24 LAN)
I perform NAT on the Dialer0 interface and on the UC540 WAN interface.
Thanks a lot.
09-02-2011 03:19 AM
Hi,
is there any news? Can someone help me?
Thanks in advance.
Stefano
12-30-2011 10:53 AM
Ciao Stefano,
hai poi risolto il problema??
Ho lo stesso problema anch'io con eutelia.
Grazie e buon anno!
01-02-2012 03:32 AM
Hi Giuseppe,
I've partially resolved this issue removing the access-list that CCA creates in the section "voice service voip".
Partially beacuse sometimes it works but sometimes I loose the calls. I haven't investigated too much but I'm sure that this is a NAT problem.
I've noted that CCA creates this access-list only permitting to receive incoming calls that have as source the same IP address of the other side of the Trunk (it should be 83.211.227.11). The problem is that Eutelia doesn't use the same address in the incoming calls so they were dropped by the UC500.
I'm thinking now that this problem should be resolved using an "ip nat outside --> inside" to translate the IP from Eutelia in the VLan1 IP Address of the 877 so the UC500 use this address as source of the all incoming calls. However I have yet to try this solution.
Important!! This is a potential security issue because in this way you will accept calls from every IPs. The best solution is to add in this access-list all the possibile IPs that Eutelia uses but I was unable to make a complete list (and I'm still waiting an answer from the Support Desk).
Your scenario is the same? Do you use CCA or CLI?
Have you already tried with another SIP Provider?
Hope this can help.
Thank you and happy new year.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: