Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2824
Views
0
Helpful
2
Replies

CUCM-VCS Integration VCS B2BUA Encryption Call Failures

William Bell
VIP Alumni
VIP Alumni

‎06-17-2014 08:58 AM - edited ‎03-18-2019 03:05 AM

All,

I have the following scenario:

 

CUCM 9.1.2SU1

VCS X8.1.1

MX300 endpoints (CUCM registered) 

We are not running in mixed mode on CUCM

 

We want media streams with external call parties to be encrypted. We do have TLS end-to-end but I don't believe we can support SRTP to the MX300s registered to UCM w/o provisioning mixed mode (based on Cisco docs). So, we are attempting to use Media encryption policy on the VCS. Specifically, we set one of the traversal client zone to use "Best effort". This works for most calls but we have seen a couple of calls fail.

From end user perspective, failures manifest as a call that gets connected and is immediately torn down. 

On the VCS, we will see the following when looking at the call history:

The B2BUA Encryption component is disconnected after ~3 seconds. The disconnect reason is: B2BUA disconnected call on the ingress saying "mismatched transport type in answer".

Based on context clues, this points to TLS negotiation. The thing is, if I set the media policy back to "auto" then the call connects fine and the transport is TLS. At least, it reports TLS on my VCS-C and VCS-E.

 

Any pointers that someone is willing to toss my way?

 

Thanks in advance,

 

Bill (@ucguerrilla)

 

 

 

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

2 people had this problem
Labels:
0 Helpful
2 Replies 2

Matthieu LIENART
Level 1
Level 1

‎11-11-2014 12:16 AM

Won't help but I have a very similar but slightly different scenario with:

  • CUCM 9.1
  • VCS 8.2.2
  • Jabber 10 or CUCM registered TC endpoint

As for settings:

  • CUCM-VCS SIP trunk is TCP not encrypted (never got it to work following the doc step by step....)
  • VCS-C to VCS-E is TLS as setup on the doc.
  • On the VCS-C, the DNSZone Media Encrytion mode is set to "Auto"

Some SIP calls work perfectly (i.e. the Cisco test endpoints) but some users have issues. Dialing partners' cloud service video-conference, the call connects and gets dropped immediately. I created myself a trial account on that service to test and can reproduce it all the time. I can see the call coming in my cloud service client and when I accept it it just drops.

On the VCS-C,

  • I see a SIP 200 OK
  • an then a call component status=disconnected  type=B2BUA
StateInactive
Start time2014-11-11 16:51:22
Duration5 seconds
Disconnect reason summarydisconnected
Disconnect reason detailsB2BUA disconnected call on the Egress saying "Received 'Request Timeout' to mid-dialog request"

 

But on the VCS-E in the call history, I only see and "408 request timeout".

When I call my Jabber account from that service it works well. But in that case the second call component with type B2BUA shows:

StateInactive
Start time2014-11-11 17:14:02
Duration40 seconds
Disconnect reason summaryBYE
Disconnect reason detailsEgress disconnected call
Tag3d14cee5-01ad-4468-9e3b-e0925dde15d4
Box call serial number1bc2473f-2a09-4dea-8ffd-a7e88a3ef05b

 

Have also no clue of what is happening

0 Helpful

Aaron Wilson
Level 5
Level 5
In response to Matthieu LIENART

‎03-03-2016 06:58 PM

Anyone find a resolution to this? I have seen some similar things. Loopback test to Cisco works fine (encrypted), call to WebEx CMR fails.

-Aaron

0 Helpful
Customers Also Viewed These Support Documents