Cisco 877 NAT and SIP issues

Stefano Pilla
Level 1

Hi everybody,

I have an issue with a UC540 behind a Cisco 877 router with NAT.

The topology is like this:

INTERNET (SIP Provider) <--NAT--> Router 877 <--> UC540 <--> LAN

I am performing NAT from inside to outside. I have no problem making calls from internal phones, but I cannot receive any calls from the SIP trunk. After a debug ip nat sip on the 877 I saw this error:

007413: Aug 10 16:09:25.248: NAT: SIP: [1] processing SIP/2.0 401 Unauthorized message

On the UC540 I have also seen this message:

001045: //-1/503429BD80FD/SIP/Error/sact_idle_new_message_invite: Invalid URL in incoming INVITE

After some research on the web I found that the problem is that the UC540 sees a different address in the "From" field of the INVITE message (it should be the same as the SIP provider to which the UC540 is registered, in this case voip.eutelia.it)...

I have the following NAT rules on the 877 for SIP:

ip nat inside source static tcp UC540_WAN_IP 5060 MY_PUBLIC_IP 5060 extendable

ip nat inside source static udp UC540_WAN_IP 5060 MY_PUBLIC_IP 5060 extendable

My config on the UC is:

sip-ua

credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it

credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it

credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it

credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it

credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it

credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it

credentials username xxxxxxx password 7 xxxxxxxx realm voip.eutelia.it

no remote-party-id

retry invite 2

retry register 10

timers connect 100

registrar dns:voip.eutelia.it expires 3600

sip-server dns:voip.eutelia.it

host-registrar

!

and after:

voice service voip

ip address trusted list

  ipv4 0.0.0.0 0.0.0.0

allow-connections h323 to h323

allow-connections h323 to sip

allow-connections sip to h323

allow-connections sip to sip

supplementary-service h450.12

no supplementary-service sip moved-temporarily

no supplementary-service sip refer

sip

  registrar server expires max 3600 min 3600

  localhost dns:voip.eutelia.it

  outbound-proxy dns:voip.eutelia.it

  no update-callerid

  sip-profiles 1000

!

voice class sip-profiles 1000

request ANY sdp-header Connection-Info remove

response ANY sdp-header Connection-Info remove

!

How can I resolve this issue? Are there some tests that I can perform to isolate the problem?

Thanks in advance.

9 Replies

craig.corbett
Level 2

Hi, to start you are best off running a ccsip debug making an inbound call and posting the result here.

Quick question, take a look at the debug and you should see an invite:

Received:

INVITE sip:44xxxxxxx@192.168.xxx.xxx:5060 SIP/2.0

What is the IP in the invite?

Also take a look at the debug and see if you can find other IP addresses, and question what they are and whether they are correct. Speak to the provider and ask them what IP address you should be trusting; maybe you need a permit in the access list.

HTH

Craig.

Hi Craig,

Thanks for the answer.

I have already done a debug ccsip message and debug ccsip error, but now I'm out of the office so I can paste it here. However, in the INVITE I see:

INVITE sip:xxxxxxx@voip.eutelia.it:5060 SIP/2.0

I think that this is correct because this means that the 877 correctly forwards the INVITE with the correct "From" field.

I already know that the SIP provider makes inbound calls from different IP addresses (and not from the same one to which the UC is registered), and this is why I have the:

ip address trusted list

  ipv4 0.0.0.0 0.0.0.0

in the configuration. This means that the UC can accept an INVITE from all IP addresses.

Is this correct? I have also read in the previous search that this is a NAT issue...

Do you have other suggestions?

Thanks.

Hi Stefano,

It would be easier to use CCA to configure the SIP trunk side of things, and you may need to add more IPs in there, not just the one that resolves to the SIP URI. SBCs can be clustered and thus come from different IPs; the Cisco will have issues with this unless it recognizes them.

Have a look at this image. This section is located in the following place: Ports & Trunks >> Sip Trunks >> Advanced tab, and then click ADD to add a new IP address.

At one stage I had a few IP addresses, the one I have listed is the secondary that my ITSP has if the first SBC has issues, or load balancing kicks in.

Give that a try and see if it resolves it

Cheers,

David.

Cheers, David Trad. **When you rate a person's post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you won't be looked down upon :) *

Hi David,

I've tried your suggestion but without result. I've configured the UC540 only with the CCA 3.1 but I have had the same result. I post some debug results with the hope that someone can help me:

1) This is the debug ip nat sip on the first router (877)

[cut]

001775: Aug 14 16:18:36.035: NAT: SIP: Contact header found

001776: Aug 14 16:18:36.035: NAT: SIP: Trying to find expires parameter

001777: Aug 14 16:18:36.035: NAT: SIP: [1] register:0 door_created:0

001778: Aug 14 16:18:36.039: NAT: SIP: [1] message body found

001779: Aug 14 16:18:36.039: NAT: SIP: Media Lines present:1

001780: Aug 14 16:18:36.039: NAT: SIP: Translated m= (83.211.227.13, 58288) -> (83.211.227.13, 58288)

001781: Aug 14 16:18:36.039: NAT: SIP: old_sdp_len:417 new_sdp_len :417

001782: Aug 14 16:18:36.047: NAT: SIP: [0] processing SIP/2.0 400 Bad Request - 'Invalid Host' message

001783: Aug 14 16:18:36.047: NAT: SIP: [0] register:0 door_created:0

001784: Aug 14 16:18:36.047: NAT: SIP: [0] register:0 door_created:0

001785: Aug 14 16:18:36.047: NAT: SIP: [0] register:0 door_created:0

001786: Aug 14 16:18:36.051: NAT: SIP: [0] register:0 door_created:0

001787: Aug 14 16:18:36.103: NAT: SIP: [1] processing ACK message

001788: Aug 14 16:18:36.103: NAT: SIP: [1] register:0 door_created:0

001789: Aug 14 16:18:36.103: NAT: SIP: [1] register:0 door_created:0

001790: Aug 14 16:18:36.103: NAT: SIP: [1] register:0 door_created:0

001791: Aug 14 16:18:36.335: NAT: SIP: [1] processing INVITE message

001792: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0

001793: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0

001794: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0

001795: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0

001796: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0

001797: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0

001798: Aug 14 16:18:36.335: NAT: SIP: [1] register:0 door_created:0

001799: Aug 14 16:18:36.335: NAT: SIP: Contact header found

001800: Aug 14 16:18:36.335: NAT: SIP: Trying to find expires parameter

001801: Aug 14 16:18:36.339: NAT: SIP: [1] register:0 door_created:0

001802: Aug 14 16:18:36.339: NAT: SIP: [1] message body found

001803: Aug 14 16:18:36.339: NAT: SIP: Media Lines present:1

001804: Aug 14 16:18:36.339: NAT: SIP: Translated m= (83.211.227.11, 53494) -> (83.211.227.11, 53494) <-- this is the IP from the SIP Server?

001805: Aug 14 16:18:36.339: NAT: SIP: old_sdp_len:417 new_sdp_len :417

001806: Aug 14 16:18:36.347: NAT: SIP: [0] processing SIP/2.0 400 Bad Request - 'Invalid Host' message

001807: Aug 14 16:18:36.347: NAT: SIP: [0] register:0 door_created:0

001808: Aug 14 16:18:36.347: NAT: SIP: [0] register:0 door_created:0

001809: Aug 14 16:18:36.347: NAT: SIP: [0] register:0 door_created:0

001810: Aug 14 16:18:36.347: NAT: SIP: [0] register:0 door_created:0

001811: Aug 14 16:18:36.399: NAT: SIP: [1] processing ACK message

001812: Aug 14 16:18:36.403: NAT: SIP: [1] register:0 door_created:0

001813: Aug 14 16:18:36.403: NAT: SIP: [1] register:0 door_created:0

001814: Aug 14 16:18:36.403: NAT: SIP: [1] register:0 door_created:0

001815: Aug 14 16:18:36.599: NAT: SIP: [1] processing INVITE message

001816: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0

001817: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0

001818: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0

001819: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0

001820: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0

001821: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0

001822: Aug 14 16:18:36.599: NAT: SIP: [1] register:0 door_created:0

001823: Aug 14 16:18:36.599: NAT: SIP: Contact header found

001824: Aug 14 16:18:36.599: NAT: SIP: Trying to find expires parameter

001825: Aug 14 16:18:36.603: NAT: SIP: [1] register:0 door_created:0

001826: Aug 14 16:18:36.603: NAT: SIP: [1] message body found

001827: Aug 14 16:18:36.603: NAT: SIP: Media Lines present:1

001828: Aug 14 16:18:36.603: NAT: SIP: Translated m= (62.94.199.34, 51122) -> (62.94.199.34, 51122) <-- This is another IP Address from the SIP Server ?

001829: Aug 14 16:18:36.603: NAT: SIP: old_sdp_len:414 new_sdp_len :414

001830: Aug 14 16:18:36.611: NAT: SIP: [0] processing SIP/2.0 400 Bad Request - 'Invalid Host' message

001831: Aug 14 16:18:36.615: NAT: SIP: [0] register:0 door_created:0

2) This is the debug ccsip error on the UC540

003077: //-1/xxxxxxxxxxxx/SIP/Error/sipSPI_validate_own_ip_addr: ReqLine IP addr does not match with host IP addr

003078: //-1/4FBCB7E28046/SIP/Error/sact_idle_new_message_invite: Invalid URL in incoming INVITE

3) This is the debug ccsip message on the UC540

003079: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Received:

INVITE sip:xxxxxxxx@87.30.226.13:64043 SIP/2.0

Record-Route: <83.211.227.21>

Via: SIP/2.0/UDP 83.211.227.21;branch=z9hG4bK63f6.99aac1.1

Via: SIP/2.0/UDP  195.62.226.4:5060;rport=62153;received=195.62.226.4;x-route-tag="tgrp:Slot6";branch=z9hG4bK2A90B8F725

From: ;tag=5EEA7730-68E

To: <>xxxxxxxx@voip.eutelia.it>

Call-ID: 92743698-C5C911E0-9987A52A-99A453FB@195.62.226.4

User-Agent: Cisco-SIPGateway/IOS-12.x

CSeq: 101 INVITE

Max-Forwards:  9

Remote-Party-ID: ;party=calling;screen=yes;privacy=off

Contact:

Expires: 180

Allow-Events: telephone-event

Content-Type: application/sdp

Content-Length: 415

P-hint: 2 Niente 2

v=0

o=CiscoSystemsSIP-GW-UserAgent 5240 2172 IN IP4 195.62.226.4

s=SIP Call

c=IN IP4 62.94.199.35

t=0 0

m=audio 53882 RTP/AVP 18 8 0 4 3 125 101

c=IN IP4 62.94.199.35

a=rtpmap:18 G729/8000

a=fmtp:18 annexb=yes

a=rtpmap:8 PCMA/8000

a=rtpmap:0 PCMU/8000

a=rtpmap:4 G723/8000

a=fmtp:4 bitrate=5.3;annexa=no

a=rtpmap:3 GSM/8000

a=rtpmap:125 X-CCD/8000

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-16

003082: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Sent:

SIP/2.0 400 Bad Request - 'Invalid Host'

Via: SIP/2.0/UDP 83.211.227.21;branch=z9hG4bK63f6.99aac1.1,SIP/2.0/UDP  195.62.226.4:5060;rport=62153;received=195.62.226.4;x-route-tag="tgrp:Slot6";branch=z9hG4bK2A90B8F725

From: ;tag=5EEA7730-68E

To: <>xxxxxxxxx@voip.eutelia.it>;tag=508E810-1011

Date: Sun, 14 Aug 2011 16:29:40 GMT

Call-ID: 92743698-C5C911E0-9987A52A-99A453FB@195.62.226.4

CSeq: 101 INVITE

Allow-Events: telephone-event

Reason: Q.850;cause=100

Server: Cisco-SIPGateway/IOS-12.x

Content-Length: 0

003083: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Received:

ACK sip:xxxxxxxxxx@87.30.226.13:64043 SIP/2.0

Via: SIP/2.0/UDP 83.211.227.21;branch=z9hG4bK63f6.99aac1.1

From: ;tag=5EEA7730-68E

Call-ID: 92743698-C5C911E0-9987A52A-99A453FB@195.62.226.4

To: @voip.eutelia.it>;tag=508E810-1011

CSeq: 101 ACK

Max-Forwards: 70

User-Agent: SPS EUT RM GW 01

Content-Length: 0

Thanks in advance.

David Trad
VIP Alumni

Hi Stefano,

It is at this point I need to ask if you could please post the running configuration of both the UC and the 800 series router. Please make sure all sensitive information is either removed or replaced with some "XXXX's".

Something is not right: there is a mismatch between the UC and the 800 series router and also what the ITSP is providing. Those debugs are not enough for me to work off, although someone else might be able to.

Cheers,

David.


Hi David,

thanks for your help.

I am sending you the UC540 (cut in some parts) and the 877 config files.

I remind you that the topology is:

INTERNET <---- ADSL ---> (WAN IF: STATIC PUBLIC IP) Cisco 877 (192.168.75.1) <------> (WAN: 192.168.75.254) UC540 (192.168.200.1) ---> (192.168.200.0/24 LAN)

I perform NAT on the Dialer0 interface and on the UC540 WAN interface.

Thanks a lot.

Hi,

is there any news? Can someone help me?

Thanks in advance.

Stefano

Hi Stefano,

did you solve the problem in the end?

I have the same problem with Eutelia too.

Thanks and happy new year!

Hi Giuseppe,

I've partially resolved this issue by removing the access-list that CCA creates in the section "voice service voip".

Partially because sometimes it works but sometimes I lose the calls. I haven't investigated too much but I'm sure that this is a NAT problem.

I've noticed that CCA creates this access-list permitting only incoming calls whose source is the IP address of the other side of the trunk (it should be 83.211.227.11). The problem is that Eutelia doesn't use the same address for incoming calls, so they were dropped by the UC500.

I'm thinking now that this problem should be resolved using an "ip nat outside --> inside" to translate the IP from Eutelia into the VLAN1 IP address of the 877, so the UC500 uses this address as the source of all incoming calls. However, I have yet to try this solution.

Important!! This is a potential security issue because in this way you will accept calls from every IP. The best solution is to add to this access-list all the possible IPs that Eutelia uses, but I was unable to make a complete list (and I'm still waiting for an answer from the Support Desk).

Is your scenario the same? Do you use CCA or CLI?

Have you already tried with another SIP Provider?

Hope this can help.

Thank you and happy new year.
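
Added example, not part of the thread or of anyone's post: a Python sketch that reads a `debug ccsip message` capture like the one posted above and reports the two conditions discussed here, a Request-URI host that is not one of the UC's own addresses and signalling peers that are missing from the trusted list. The sample capture is constructed (trimmed from the thread's output); the function names and the local and trusted address sets passed in are assumptions.

```python
import ipaddress
import re

# Constructed sample, trimmed from the "debug ccsip message" output quoted in the thread.
SAMPLE_DEBUG = """\
Received:
INVITE sip:xxxxxxxx@87.30.226.13:64043 SIP/2.0
Via: SIP/2.0/UDP 83.211.227.21;branch=z9hG4bK63f6.99aac1.1
Via: SIP/2.0/UDP  195.62.226.4:5060;rport=62153;received=195.62.226.4;branch=z9hG4bK2A90B8F725
CSeq: 101 INVITE

Sent:
SIP/2.0 400 Bad Request - 'Invalid Host'
Via: SIP/2.0/UDP 83.211.227.21;branch=z9hG4bK63f6.99aac1.1
"""

REQ_LINE = re.compile(r"^INVITE\s+sips?:(?:[^@\s]*@)?([^:;\s>]+)", re.I)
VIA_LINE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+([^:;,\s]+)", re.I)


def received_invites(debug_text):
    """Yield (request_uri_host, topmost_via_host) for each received INVITE."""
    direction, uri_host = None, None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line in ("Received:", "Sent:"):
            direction, uri_host = line, None
        elif direction == "Received:" and REQ_LINE.match(line):
            uri_host = REQ_LINE.match(line).group(1)
        elif uri_host is not None and VIA_LINE.match(line):
            yield uri_host, VIA_LINE.match(line).group(1)  # first Via = last hop
            uri_host = None


def audit(debug_text, local_hosts, trusted_nets):
    """Return (Request-URI hosts that are not ours, untrusted peers as 'ipv4' lines)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    mismatches, untrusted = [], []
    for uri_host, via_host in received_invites(debug_text):
        if uri_host not in local_hosts:
            mismatches.append(uri_host)  # the "ReqLine IP addr does not match" case
        try:
            peer = ipaddress.ip_address(via_host)
        except ValueError:
            continue  # hostname in Via: resolve and review by hand
        line = f"ipv4 {peer} 255.255.255.255"
        if not any(peer in n for n in nets) and line not in untrusted:
            untrusted.append(line)
    return mismatches, untrusted
```

The topmost Via is what the sender declares, so the `ipv4` lines are candidates to confirm with the provider before they go into the trusted list. Passing `0.0.0.0/0` as the trusted network, as in the configuration above, makes the second list always empty.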
