02-15-2018 01:25 PM - edited 03-18-2019 01:52 PM
Anyone successfully deploy SIP w/ TLS/SRTP with an ITSP?
Doesn't seem like it's something that is done very often - was curious if anyone has actually successfully deployed it.
-Thanks
02-15-2018 01:37 PM
02-15-2018 01:50 PM
Appears to be a certificate issue - we are getting a TLS Fatal Alert 48 - Unknown CA from the carrier when we are the server (calls/sip connection is inbound w/ respect to our CUBE).
Carrier is requesting we disable mutual authentication; which I don't believe is a configurable option on the 4K, and also shouldn't be causing this problem.
Just seems like the lack of documentation/technical support for doing this implies that it is very rarely done. Was curious if anyone has successfully implemented it, how they went about it, and what issues they ran into.
-Thanks
02-15-2018 01:55 PM
02-15-2018 02:02 PM
Yes, outbound calls work - TLS Handshake completes (we receive certificate from carrier, authenticate it, and begin encrypted session).
Below is a screenshot of a packet capture when our CUBE is acting as the server:
02-15-2018 02:26 PM
02-16-2018 05:34 AM
Thanks for the response,
The fatal error is coming from the carrier.
The mutual authentication is something that the carrier asked about - is this a configurable option on the CUBE (IOSXE 16.5.1b)? A document I found from 2008 said that the CUBE always performed mutual authentication when acting as the server; wasn't sure if maybe this has changed since then. I found an old config guide for the ASR1K which said that per-interface tls mutual authentication for SIP was added in XE version 2.6 - but this command has either been removed since then, or isn't available on the 4K.
-Thanks
02-16-2018 11:11 AM
02-16-2018 11:21 AM
Ok thanks for the info,
We ended up getting this working, and it wasn't related to mutual authentication - turns out the ITSP needed to import our entire certificate chain, and not just our identity cert + signing CA certificate. Why they even needed to install our identity certificate seems a little silly since by installing/trusting our signing CA certificate they should be able to validate our identity certificate using that when we send our identity cert as part of the TLS handshake. I guess different applications go about it a little differently than others.
-Thanks
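The chain-building failure behind the "Unknown CA" alert the thread describes, reproduced as an added Go example (this is not code from the thread, from the ITSP, or from Cisco). It builds a constructed three-tier PKI (root CA, signing CA, CUBE identity cert; all names are made up) and uses Go's standard x509 verifier to stand in for the carrier's TLS stack: what the CUBE presents in the handshake versus what the carrier has imported as trust anchors decides whether the identity cert can be chained, and a failure to chain is what a TLS stack sends back as fatal alert 48 (unknown_ca). How a given carrier's stack treats an imported identity cert or a non-self-signed anchor is an assumption; real trust stores differ on exactly that point, which is the poster's own observation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyAndCert pairs a generated private key with its certificate.
type keyAndCert struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// makeCert issues a certificate for cn, self-signed when parent is nil (a root CA),
// otherwise signed by parent. All names are constructed for this example; key-generation
// or signing errors are treated as fatal to keep the example short.
func makeCert(cn string, isCA bool, parent *keyAndCert) *keyAndCert {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// The CUBE identity cert: a server-auth leaf for the inbound SIP/TLS listener.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &keyAndCert{key: key, cert: cert}
}

// pki is the three-tier chain from the thread: root CA -> signing CA -> CUBE identity cert.
type pki struct{ root, signing, identity *keyAndCert }

func buildPKI() *pki {
	root := makeCert("Example Root CA", true, nil)
	signing := makeCert("Example Signing CA", true, root)
	return &pki{root: root, signing: signing, identity: makeCert("cube.example.net", false, signing)}
}

// verifyPeer plays the carrier's TLS stack. presented is the certificate list the CUBE
// sends in the handshake (identity cert first, then any chain certs it is set up to send);
// trusted is what the carrier imported as trust anchors. nil means the handshake would
// continue; x509.UnknownAuthorityError is the failure a TLS stack reports to the peer as
// the fatal alert 48 (unknown_ca) seen in the capture.
func verifyPeer(presented, trusted []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	intermediates := x509.NewCertPool()
	for _, c := range presented[1:] {
		intermediates.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	return err
}

// isUnknownCA reports whether err is the unknown-CA failure behind TLS alert 48.
func isUnknownCA(err error) bool {
	_, ok := err.(x509.UnknownAuthorityError)
	return ok
}

func main() {
	p := buildPKI()
	id, sign, root := p.identity.cert, p.signing.cert, p.root.cert
	cases := []struct {
		name               string
		presented, trusted []*x509.Certificate
	}{
		{"identity only sent, root trusted", []*x509.Certificate{id}, []*x509.Certificate{root}},
		{"identity + signing CA sent, root trusted", []*x509.Certificate{id, sign}, []*x509.Certificate{root}},
		{"identity only sent, signing CA trusted directly", []*x509.Certificate{id}, []*x509.Certificate{sign}},
	}
	for _, c := range cases {
		err := verifyPeer(c.presented, c.trusted)
		fmt.Printf("%-48s unknown_ca=%-5v err=%v\n", c.name, isUnknownCA(err), err)
	}
}
```

Run it with `go run`. The first case is the alert-48 situation: the listener presents only its identity cert and the verifier knows only the root, so no path from identity to anchor exists. The other two cases show the two ways out that this verifier accepts: send the signing CA along with the identity cert, or have the peer trust the signing CA as an anchor. Which of these a given carrier's stack honours is exactly what the thread found to vary, so the practical check is to confirm from a capture what the CUBE actually puts in its Certificate handshake message and compare that against what the ITSP says it imported.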