VCS-Expressway outbound dialing issues

Hermanus Janse van Vuuren · ‎04-29-2013

Hi,

I hope someone can just point me in the right direction here.

I have a VCS-E ---- F/W ----- Internet

I can make a succesfull H.323 call to another IP out on the internet.

But when I make a SIP call it fails under the call history it shows as leaving my VCS-E and F/W as SIP and returns as H.323 and gives me the error 480 Temorary Unavailible.

How do I get my VCS-E to send the calls as SIP and receive it back as a SIP call.

My VCS-E has a 1 to 1 NAT to a public IP on the F/W.

What am I doing wrong?

2013-04-29 10:15:08

2013-04-29 10:15:09

1 second

sip:5000@example.com

sip:ny.publicspy.tsec@cisco.com

Traversal

SIP <-> H323

480 Temporarily Not Available

This system

View

Call details

You are here: Status Calls Calls Call details

Call information
State	Connection Failed
Start time	2013-04-29 10:15:08
End time	2013-04-29 10:15:09
Duration	1 second
Tag	e7ca80ac-b0a4-11e2-a57a-0010f325e27c
Serial number	e7ca7ef4-b0a4-11e2-a0ea-0010f325e27c

Bandwidth
Requested	768 kbps
Allocated	0 kbps

Leg 1
Bandwidth node	Default Subzone
Source alias 1	sip:5000@example.com (Url)
Target alias 1	sip:ny.publicspy.tsec@cisco.com (Url)
Protocol	SIP
Address	xxx.xxx.xxx.xxx:5061
Transport	TLS
Reason	Temporarily Not Available
Cause	480

Leg 2
Bandwidth node	Cisco
Target alias 1	sip:ny.publicspy.tsec@cisco.com (Url)
Protocol	SIP
Address	64.102.249.41:5061
Transport	TLS
Encryption type	None

Leg 3
Bandwidth node	Cisco
Target alias 1	(Unknown)
Protocol	SIP
Address	Not set
Transport	SIP Transport Protocol Undefined

Leg 4
Bandwidth node	DNSZone
Target alias 1	sip:ny.publicspy.tsec@cisco.com (Url)
Protocol	SIP
Address	64.102.249.41:5061
Transport	TLS
Encryption type	None

Leg 5
Bandwidth node	DNSZone
Target alias 1	sip:ny.publicspy.tsec@cisco.com (Url)
Protocol	SIP
Address	64.102.249.41:5060
Transport	TCP
Encryption type	None

Leg 6
Bandwidth node	DNSZone
Target alias 1	ny.publicspy.tsec@cisco.com (Url)
Protocol	H323
Address	64.102.249.41:1720
Encryption type	None
Reason	Unreachable destination
Cause	No route to destination

Session 1
Status	Failed
Media routed	False
Call routed	True
Participant 1	Leg 1
Participant 2	Leg 2
Bandwidth allocated	0 kbps
Bandwidth requested	768 kbps

Session 2
Status	Failed
Media routed	False
Call routed	True
Participant 1	Leg 1
Participant 2	Leg 4
Bandwidth allocated	768 kbps
Bandwidth requested	768 kbps
Route	DefaultSubZone -> DefaultSZtoDNSZ -> DNSZone

Session 3
Status	Failed
Media routed	False
Call routed	True
Participant 1	Leg 1
Participant 2	Leg 5
Bandwidth allocated	768 kbps
Bandwidth requested	768 kbps
Route	DefaultSubZone -> DefaultSZtoDNSZ -> DNSZone

Session 4
Status	Failed
Media routed	True
Call routed	True
Participant 1	Leg 1
Participant 2	Leg 6
Bandwidth allocated	682 kbps
Bandwidth requested	682 kbps

Search Rule:

Search (4)

State: Completed

Found: False

Reason: Temporarily Not Available

Info: Bandwidth allocation failed

Type: SIP (INVITE)

CallSerial Number: e7ca7ef4-b0a4-11e2-a0ea-0010f325e27c

Tag: e7ca80ac-b0a4-11e2-a57a-0010f325e27c

Source (1)
- Authenticated: False
- Aliases (1)
- - Alias (1)
  - - Type: Url
  - - Origin: Unknown
    - Value: 5000@example.com
- Zone (1)
- - Name: DefaultSubZone
- - Type: Local
- Path (1)
- - Hop (1)
    - Address: xxx.xxx.xxx.xxx:5061

Destination (1)
- Alias (1)
- - Type: Url
- - Origin: Unknown
- - Value: sip:ny.publicspy.tsec@cisco.com

StartTime: 2013-04-29 10:15:08

Duration: 1.36

SubSearch (1)
- Type: Transforms
- Action: Not Transformed
- ResultAlias (1)
- - Type: Url
- - Origin: Unknown
- - Value: ny.publicspy.tsec@cisco.com
- SubSearch (1)
- - Type: Admin Policy
- - Action: Proxy
- - ResultAlias (1)
  - - Type: Url
  - - Origin: Unknown
  - - Value: ny.publicspy.tsec@cisco.com
- - SubSearch (1)
  - - Type: FindMe
  - - Action: Proxy
  - - ResultAlias (1)
    - - Type: Url
    - - Origin: Unknown
    - - Value: ny.publicspy.tsec@cisco.com
  - - SubSearch (1)
    - - Type: Search Rules
    - - SearchRule (1)
      - Name: LocalZoneMatch
      - Zone (1)
        Name: LocalZone
        Type: Local
        Protocol: SIP
        Found: False
        Reason: Not Found
        StartTime: 2013-04-29 10:15:08
        Duration: 0
        Gatekeeper (1)
        Address: 172.20.4.241:0
        Alias (1)
        Type: Url
        Origin: Unknown
        Value: ny.publicspy.tsec@cisco.com
      - Zone (2)
        Name: LocalZone
        Type: Local
        Protocol: H323
        Found: False
        Reason: Not Found
        StartTime: 2013-04-29 10:15:08
        Duration: 0
        Gatekeeper (1)
        Address: 172.20.4.241:0
        Alias (1)
        Type: Url
        Origin: Unknown
        Value: ny.publicspy.tsec@cisco.com
    - - SearchRule (2)
      - Name: Cisco
      - Zone (1)
        Name: Cisco
        Type: DNS
        Protocol: SIP
        Found: False
        Reason: Temporarily Not Available
        StartTime: 2013-04-29 10:15:08
        Duration: 0.31
        Gatekeeper (1)
        Alias (1)
        Type: Url
        Origin: Unknown
        Value: ny.publicspy.tsec@cisco.com
      - Zone (2)
        Name: Cisco
        Type: DNS
        Protocol: H323
        Found: False
        Reason: Resource unavailable - No route for bandwidth calculation
        StartTime: 2013-04-29 10:15:08
        Duration: 0.01
        Gatekeeper (1)
        Alias (1)
        Type: Url
        Origin: Unknown
        Value: ny.publicspy.tsec@cisco.com
    - - SearchRule (3)
      - Name: DNS zone search rule
      - Zone (1)
        Name: DNSZone
        Type: DNS
        
        Protocol: SIP
        Found: False
        Reason: Request Timeout
        StartTime: 2013-04-29 10:15:08
        Duration: 0.02
        Gatekeeper (1)
        Alias (1)
        Type: Url
        Origin: Unknown
        Value: ny.publicspy.tsec@cisco.com
      - Zone (2)
        Name: DNSZone
        Type: DNS
        Protocol: H323
        Found: True
        StartTime: 2013-04-29 10:15:08
        Duration: 0.95
        Gatekeeper (1)
        Alias (1)
        Type: Url
        Origin: Unknown
        Value: ny.publicspy.tsec@cisco.com

Best Regards

Martin Koch · ‎04-29-2013

Hi Janse!

It might be different things here which can cause issues.

First, if you have 1:1 nat upfront the VCS-E you need to have the "Dual interface" option key, even

if you use only one interface, but that option also gives you a setting where you can define the

outside NAT ip on the VCS.

You also need to take care if you are using a NATed interface that all communication is done

towards that external IP, if you require communication with an internal ip or clustering you would need

the secondary interface as well.

There are some more postings regards this topic in the forum, please search for it.

If you do not have the key, thats the first thing to fix as this is a main requirement!

If its in place:

Check that there are no ALG/Inspection/NAT helper or other SIP/H323 Layer3 features enabled

on your firewall, that might lock something up.

I tried the address mysef, and that might be a bad address to check on external sip communication,

it seems that cisco address is only reachable via h323:


 |SIP/2.0 404 Not Found
 Via: SIP/2.0/TLS xxx;egress-zone=DNS;xxx
 Via: SIP/2.0/TLS xxx
 Call-ID: xxx@192.168.101.62
 CSeq: 100 INVITE
 From: xxx
 To: <>ny.publicspy.tsec@cisco.com>;tag=xxx
 Server: TANDBERG/4120 (X7.2.1)
 Warning: 399 64.103.25.133:5061 "Policy Response"
 Content-Length: 0

But at least an interworked call should work from your sip client.

Not sure how your sip settings are, I noticed I did not get encrypted media towards the remote site,

depending on your settings (force encryption) that can also cause issues.

Please rate the postings via the stars below and set the thread to answered if it is!

Please remember to rate helpful responses and identify

Hermanus Janse van Vuuren · ‎04-29-2013

Managed to make the call out using the following URI.

I ahve the dual network card option key everything, it seems like some sort of DNS or SRV record issue maybe for the return path???

sip:ny.publicspy.tsec@64.102.249.41 (Url)

Search (20)

State: Completed

Found: True

Type: SIP (INVITE)

CallRouted: True

CallSerial Number: bb85a632-b0ab-11e2-9329-0010f325e27c

Tag: bb85a7f4-b0ab-11e2-8f09-0010f325e27c

Source (1)
- Authenticated: False
- Aliases (1)
- - Alias (1)
  - - Type: Url
  - - Origin: Unknown
    - Value: admin@example.com
- Zone (1)
- - Name: DefaultSubZone
- - Type: Local
- Path (1)
  - Hop (1)
    - Address: xxx.xxx.xxx.xxx:5060

Destination (1)
- Alias (1)
- - Type: Url
- - Origin: Unknown
- - Value: sip:ny.publicspy.tsec@64.102.249.41

StartTime: 2013-04-29 11:04:00

Duration: 1.11

SubSearch (1)
- Type: Transforms
- Action: Not Transformed
- ResultAlias (1)
- - Type: Url
- - Origin: Unknown
- - Value: ny.publicspy.tsec@64.102.249.41
- SubSearch (1)
- - Type: Admin Policy
- - Action: Proxy
- - ResultAlias (1)
  - - Type: Url
  - - Origin: Unknown
  - - Value: ny.publicspy.tsec@64.102.249.41
- - SubSearch (1)
  - - Type: FindMe
  - - Action: Proxy
  - - ResultAlias (1)
    - - Type: Url
    - - Origin: Unknown
    - - Value: ny.publicspy.tsec@64.102.249.41
  - - SubSearch (1)
    - - Type: Search Rules
    - - SearchRule (1)
      - Name: LocalZoneMatch
      - Zone (1)
        Name: LocalZone
        Type: Local
        Protocol: SIP
        Found: False
        Reason: Not Found
        StartTime: 2013-04-29 11:04:00
        Duration: 0
        Gatekeeper (1)
        Address: 172.20.4.241:0
        Alias (1)
        Type: Url
        Origin: Unknown
        Value: ny.publicspy.tsec@64.102.249.41
      - Zone (2)
        Name: LocalZone
        Type: Local
        Protocol: H323
        Found: False
        Reason: Not Found
        StartTime: 2013-04-29 11:04:00
        Duration: 0
        Gatekeeper (1)
        Address: xxx.xxx.xxx.xxx:0
        
        Alias (1)
        Type: Url
        Origin: Unknown
        Value: ny.publicspy.tsec@64.102.249.41
    - - SearchRule (2)
      - Name: DNS zone search rule
      - Zone (1)
        Name: DNSZone
        Type: DNS
        Protocol: SIP
        Found: True
        StartTime: 2013-04-29 11:04:00
        Duration: 1.04
        Gatekeeper (1)
        Alias (1)
        Type: Url
        Origin: Unknown
        Value: ny.publicspy.tsec@64.102.249.41

Best Regards

Martin Koch · ‎04-29-2013

Did you factory default the VCS reacently?

Do you have all the needed defautl links?

Logging in as admin via ssh/console and execute:

xcommand DefaultLinksAdd

might be worth giving a try.

Besies that, did you check with the dns lookup tool that your DNS is getting properly resolved?

Also do not forget to check the firewall and your vcs and router nat setup

Janse: Please rate the postings!

Please remember to rate helpful responses and identify

Hermanus Janse van Vuuren · ‎04-29-2013

No Factory reset reacently was configured out of the box.

I have all the dafault links plus the ones I have added.

xcommand DefaultLinksAdd

*r Result (status=OK): /
*r/end

OK

DNS Lookup works if I do it for cisco.com but not for the full URI.

A	cisco.com.	10618	IN	A	72.163.4.161
AAAA	cisco.com.	86400	IN	AAAA	2001:420:1101:1::a
SRV	_h323ls._udp.cisco.com.	8030	IN	SRV	1 0 1719 vcsgw.cisco.com.
SRV	_h323cs._tcp.cisco.com.	86400	IN	SRV	1 0 1720 vcsgw.cisco.com.
SRV	_sips._tcp.cisco.com.	8030	IN	SRV	1 0 5061 vcsgw.cisco.com.
SRV	_sip._tcp.cisco.com.	8029	IN	SRV	1 0 5060 vcsgw.cisco.com.

On my firewall I see the calls leave as SIP and comes back as H.323 for some reason when dialing the full URI.

But dialing the URI with the @xxx.xxx.xxx.xxx that I get from my call history when trying to resolve the full URI it works like a charm.

I will be moving the VCS-E to a DMZ zone later when the network is upgraded and ready but for testing and demo purposes I need to get it working with a 1:1 NAT using one LAN port on the VCS-E. So when the VCS-E moves to the DMZ I will bring up my VCS-C again as well.

Best Regards

sagsheth · ‎04-30-2013

Hi Janse,

Have you tried to resolve DNS from VCS-E? if not please check if VCS-E has correct DNS server and is able to resolve SRV records for cisco.com.

Please see the snippet.

SearchRule (3)
- Name: DNS zone search rule
- Zone (1)
- - Name: DNSZone
  - Type: DNS
- - Protocol: SIP
- - Found: False
- - Reason: Request Timeout
- - StartTime: 2013-04-29 10:15:08
- - Duration: 0.02
- - Gatekeeper (1)
  - - Alias (1)
    - - Type: Url
    - - Origin: Unknown
    - - Value: ny.publicspy.tsec@cisco.com

Here Request times out, so call is sent out as H323.

Let me know if you have any queries.

Regards,

Sagar

Hermanus Janse van Vuuren · ‎04-30-2013

I am moving my VCS-E to a DMZ zone next week with a public IP getting away from the NAT situation, will test next week and give feedback thank you.

Best Regards

Mark Turpin · ‎12-08-2014

I really hate to comment on such an old thread...

But I had a similar issue with a similar problem. I found that in my case, this was resolved by using TCP instead of TLS. When I changed my endpoints to use TCP, the ASA inspecting the SIP traffic and offering the NAT conversion for me was able to see the traffic and change the IP's correctly. Calls worked fine after that point.

--
-Mark Turpin