03-05-2013 06:30 AM - edited 03-18-2019 12:43 AM
We see that few of our E20's - most of them on internet hangs as soon as the endpoint is booted.
If the endpoint is booted without network cable, then the E20 is stable.
If the SIP configuration is removed, the E20 is stable.
As soon as we put in the SIP config and the E20 is registering over SIP, the device hangs.
We can see from root that the Tandberg application to fail - tsh from root cli says "unable to connect application"
Is this a known issue with TE4.1.1.
If we disable SIP and use only H323 - device is stable.
VCS - X7.2.1
Solved! Go to Solution.
03-07-2013 02:01 AM
Hello,
the logfiles you sent from the E20 show an issue with the Marvell chip which is an ethernet controller inside the E20.
Feb 26 07:59:02 (none) main: FPGA programmed OK
Feb 26 07:59:02 (none) main: marvell.c: ioctl(9, -2146669310, ...)==-1, errno==14, Bad address
Feb 26 07:59:02 (none) main: platform/marvell/marvell.c:132: marvell_ioctl: Assertion `0 && "Marvell ioctl Failure"' failed.
Feb 26 07:59:02 (none) main: Received signal SIGABRT (6) in thread 0x4082a4c0, TID 1704
Feb 26 07:59:02 (none) main: Registers:
Feb 26 07:59:02 (none) main: R0: 00000000 R1: 000006a8 R2: 00000006 R3: 000006a8
Feb 26 07:59:02 (none) main: R4: 00000006 R5: 40826bdc R6: 40826000 R7: 0000010c
Feb 26 07:59:02 (none) main: R8: 00000bdc R9: 00000000 R10: 4082a4c0 FP: be976974
Feb 26 07:59:02 (none) main: PC: 407206f8 IP: be976978 SP: be97695c LR: 407206c4
Feb 26 07:59:02 (none) main: ERR: 00000000 CPSR: 20000010 FAULT: 00000000 TRAP: 00000000
Feb 26 07:59:02 (none) main: OLDMSK: 00000000
Our defect tracking system is down, so could not find a matching ddts for this, but to me, this looks like hardware.
Will verify with engineering.
The recent change you talk about can cause E20s to crash. There's a defect open on this :
CSCue59199 - Boot: SIPAUTH error: unable to clear signature (gState=1)
When we get challenged on a SIP presence subscribe message, the E20 crashes. When that happens you will see a message like "Authorization to SUBSCRIBE got proxy-challenged in 407 SUBSCRIBE".
Now the historical logfiles you sent for the specific E20 does not match that ddts. Do you have other E20s crashing when you enable SIP? If so, can you send the historical logfiles of such a device which now no longer crashes with SIP disabled?
Below is the sequence prior to the crash.
Could you collect some SIP debugs and try enable SIP on 1 E20 please?
From the tsh do :
log ctx sippacket debug 9
When the unit crashes, disable SIP again and forward the logfiles to verify.
Mar 3 11:43:43 (none) main: User admin(1001) successfully executed command '/Presence/Subscribe/Start URI: 91000001' from sweet-brew-7.cisco.com.
Mar 3 11:43:43 (none) main: 8241.76 SipStack I: SipEv: Active Subscribe to '
' of type 'presence', unsolicited=0
Mar 3 11:43:43 (none) main: 8241.76 SipStack I: SipUa GRUU added OK
Mar 3 11:43:43 (none) main: 8241.77 SipPacket PacketDump: Proto: SIP, Name: SUBSCRIBE
SIP/2.0, Direction: Outgoing, RemoteAddress: 10.106.93.69:5061, GroupEntity:
, Time: 8241765, Content: !!!<
Mar 3 11:43:43 (none) main: 8241.77 SipPacket SUBSCRIBE
SIP/2.0
Mar 3 11:43:43 (none) main: 8241.77 SipPacket Via: SIP/2.0/TLS 171.69.87.88:5061;branch=z9hG4bKb13dc154a422586a9cb016c9d7ac0a3f.1;rport
Mar 3 11:43:43 (none) main: 8241.77 SipPacket Call-ID:
Mar 3 11:43:43 (none) main: 8241.77 SipPacket CSeq: 101 SUBSCRIBE
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Contact:
Mar 3 11:43:43 (none) main: 8241.78 SipPacket From:
;tag=92c18ad11538b1bd
Mar 3 11:43:43 (none) main: 8241.78 SipPacket To:
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Max-Forwards: 70
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Route:
Mar 3 11:43:43 (none) main: 8241.78 SipPacket User-Agent: TANDBERG/257 (TE4.1.1.271887Beta1)
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Expires: 3600
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Event: presence
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Accept: application/pidf+xml
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Content-Length: 0
Mar 3 11:43:43 (none) main: 8241.78 SipPacket
Mar 3 11:43:43 (none) main: 8241.78 SipPacket >!!!
Mar 3 11:43:43 (none) main: 8242.02 SipPacket PacketDump: Proto: SIP, Name: SIP/2.0 407 Proxy Authentication Required, Direction: Incoming, RemoteAddress: 10.106.93.69:5061, GroupEntity:
, Time: 8242018, Content: !!!<
Mar 3 11:43:43 (none) main: 8242.02 SipPacket SIP/2.0 407 Proxy Authentication Required
Mar 3 11:43:43 (none) main: 8242.02 SipPacket Via: SIP/2.0/TLS 171.69.87.88:5061;branch=z9hG4bKb13dc154a422586a9cb016c9d7ac0a3f.1;received=171.69.87.88;rport=36924
Mar 3 11:43:43 (none) main: 8242.02 SipPacket Call-ID:
Mar 3 11:43:43 (none) main: 8242.03 SipPacket CSeq: 101 SUBSCRIBE
Mar 3 11:43:43 (none) main: 8242.03 SipPacket From:
;tag=92c18ad11538b1bd
Mar 3 11:43:43 (none) main: 8242.03 SipPacket To:
;tag=aaa367e278a7ece0
Mar 3 11:43:43 (none) main: 8242.03 SipPacket Server: TANDBERG/4120 (X7.2.1)
Mar 3 11:43:43 (none) main: 8242.03 SipPacket Proxy-Authenticate: Digest realm="akgvcsc1.ciscolab.com", nonce="bb98866b8387ba58270573abceefb75e19dcde22e51b036493413ef0b5cd", opaque="AQAAAK5Mba8WRqO56xvFJpIWzjCx51zZ", stale=FALSE, algorithm=MD5, qop="auth"
Mar 3 11:43:43 (none) main: 8242.04 SipPacket Content-Length: 0
Mar 3 11:43:43 (none) main: 8242.04 SipPacket
Mar 3 11:43:43 (none) main: 8242.04 SipPacket >!!!
Mar 3 11:43:43 (none) main: Authorization to SUBSCRIBE got proxy-challenged in 407 SUBSCRIBE
Mar 3 11:43:43 (none) main: Received signal SIGSEGV (11) in thread 0x4084d450, TID 1809
Mar 3 11:43:43 (none) main: Illegal memory access at: 0x8
Mar 3 11:43:43 (none) main: Registers:
03-12-2013 03:12 AM
Since you confirmed that the issue your are encountering is indeed CSCue59199, can you mark this thread as being "answered" ?
The reason why E20 is crashing is due to that ddts I mentioned :
CSCue59199 - Boot: SIPAUTH error: unable to clear signature (gState=1)
That ddts is not fixed in any release yet, but there are ways to prevent the E20 being challenged using NTLM so it no longer crashes. VCS changes must be done to avoid the NTLM going out to the E20.
The bug has more info found at bugtoolkit.
Conditions:
VCS registers E20 as an unauthenticated device because the SubZone where E20 registers to is set to "Do not check credentials". After the E20 registers, it will update its Presence information. VCS needs to Authenticate a device before providing Presence, hence the VCS sends an NTLM Challenge (SIP 407 Proxy Auth Required). Once E20 receives this SIP message, it crashes
Workaround:
Make sure the Default Zone and the SubZone where the E20 registers are set to "Treat as Authenticated" or "Check Credentials". The E20 device must be authenticated by the VCS in the SUBSCRIBE process.
If the Presence is provided by a Neighbor VCS, make sure the following configuration is set correctly in the Neighbor Zones in both sides:
SIP Authentication Trust Mode: On
In this way, the VCS will identify as Authenticated Devices all the messages coming from Neighbor Devices that have already been authenticated by the Neighbor VCS
Finally, make sure NTLM Protocol Challenges is set to "Auto" in all VCS's. In X7.2 and later, this setting can be found in AD Configurations. In X7.1, you can find it under Device Authentication Configuration.
03-05-2013 06:35 AM
Hard to tell what's going on without any logfiles. Please attach historical logfiles. Your E20 seems to have crashed.
03-06-2013 11:37 PM
The logfiles can be retrieved using a WEB browser pointed to your E20.
03-07-2013 01:08 AM
03-07-2013 02:01 AM
Hello,
the logfiles you sent from the E20 show an issue with the Marvell chip which is an ethernet controller inside the E20.
Feb 26 07:59:02 (none) main: FPGA programmed OK
Feb 26 07:59:02 (none) main: marvell.c: ioctl(9, -2146669310, ...)==-1, errno==14, Bad address
Feb 26 07:59:02 (none) main: platform/marvell/marvell.c:132: marvell_ioctl: Assertion `0 && "Marvell ioctl Failure"' failed.
Feb 26 07:59:02 (none) main: Received signal SIGABRT (6) in thread 0x4082a4c0, TID 1704
Feb 26 07:59:02 (none) main: Registers:
Feb 26 07:59:02 (none) main: R0: 00000000 R1: 000006a8 R2: 00000006 R3: 000006a8
Feb 26 07:59:02 (none) main: R4: 00000006 R5: 40826bdc R6: 40826000 R7: 0000010c
Feb 26 07:59:02 (none) main: R8: 00000bdc R9: 00000000 R10: 4082a4c0 FP: be976974
Feb 26 07:59:02 (none) main: PC: 407206f8 IP: be976978 SP: be97695c LR: 407206c4
Feb 26 07:59:02 (none) main: ERR: 00000000 CPSR: 20000010 FAULT: 00000000 TRAP: 00000000
Feb 26 07:59:02 (none) main: OLDMSK: 00000000
Our defect tracking system is down, so could not find a matching ddts for this, but to me, this looks like hardware.
Will verify with engineering.
The recent change you talk about can cause E20s to crash. There's a defect open on this :
CSCue59199 - Boot: SIPAUTH error: unable to clear signature (gState=1)
When we get challenged on a SIP presence subscribe message, the E20 crashes. When that happens you will see a message like "Authorization to SUBSCRIBE got proxy-challenged in 407 SUBSCRIBE".
Now the historical logfiles you sent for the specific E20 does not match that ddts. Do you have other E20s crashing when you enable SIP? If so, can you send the historical logfiles of such a device which now no longer crashes with SIP disabled?
Below is the sequence prior to the crash.
Could you collect some SIP debugs and try enable SIP on 1 E20 please?
From the tsh do :
log ctx sippacket debug 9
When the unit crashes, disable SIP again and forward the logfiles to verify.
Mar 3 11:43:43 (none) main: User admin(1001) successfully executed command '/Presence/Subscribe/Start URI: 91000001' from sweet-brew-7.cisco.com.
Mar 3 11:43:43 (none) main: 8241.76 SipStack I: SipEv: Active Subscribe to '
' of type 'presence', unsolicited=0
Mar 3 11:43:43 (none) main: 8241.76 SipStack I: SipUa GRUU added OK
Mar 3 11:43:43 (none) main: 8241.77 SipPacket PacketDump: Proto: SIP, Name: SUBSCRIBE
SIP/2.0, Direction: Outgoing, RemoteAddress: 10.106.93.69:5061, GroupEntity:
, Time: 8241765, Content: !!!<
Mar 3 11:43:43 (none) main: 8241.77 SipPacket SUBSCRIBE
SIP/2.0
Mar 3 11:43:43 (none) main: 8241.77 SipPacket Via: SIP/2.0/TLS 171.69.87.88:5061;branch=z9hG4bKb13dc154a422586a9cb016c9d7ac0a3f.1;rport
Mar 3 11:43:43 (none) main: 8241.77 SipPacket Call-ID:
Mar 3 11:43:43 (none) main: 8241.77 SipPacket CSeq: 101 SUBSCRIBE
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Contact:
Mar 3 11:43:43 (none) main: 8241.78 SipPacket From:
;tag=92c18ad11538b1bd
Mar 3 11:43:43 (none) main: 8241.78 SipPacket To:
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Max-Forwards: 70
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Route:
Mar 3 11:43:43 (none) main: 8241.78 SipPacket User-Agent: TANDBERG/257 (TE4.1.1.271887Beta1)
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Expires: 3600
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Event: presence
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Accept: application/pidf+xml
Mar 3 11:43:43 (none) main: 8241.78 SipPacket Content-Length: 0
Mar 3 11:43:43 (none) main: 8241.78 SipPacket
Mar 3 11:43:43 (none) main: 8241.78 SipPacket >!!!
Mar 3 11:43:43 (none) main: 8242.02 SipPacket PacketDump: Proto: SIP, Name: SIP/2.0 407 Proxy Authentication Required, Direction: Incoming, RemoteAddress: 10.106.93.69:5061, GroupEntity:
, Time: 8242018, Content: !!!<
Mar 3 11:43:43 (none) main: 8242.02 SipPacket SIP/2.0 407 Proxy Authentication Required
Mar 3 11:43:43 (none) main: 8242.02 SipPacket Via: SIP/2.0/TLS 171.69.87.88:5061;branch=z9hG4bKb13dc154a422586a9cb016c9d7ac0a3f.1;received=171.69.87.88;rport=36924
Mar 3 11:43:43 (none) main: 8242.02 SipPacket Call-ID:
Mar 3 11:43:43 (none) main: 8242.03 SipPacket CSeq: 101 SUBSCRIBE
Mar 3 11:43:43 (none) main: 8242.03 SipPacket From:
;tag=92c18ad11538b1bd
Mar 3 11:43:43 (none) main: 8242.03 SipPacket To:
;tag=aaa367e278a7ece0
Mar 3 11:43:43 (none) main: 8242.03 SipPacket Server: TANDBERG/4120 (X7.2.1)
Mar 3 11:43:43 (none) main: 8242.03 SipPacket Proxy-Authenticate: Digest realm="akgvcsc1.ciscolab.com", nonce="bb98866b8387ba58270573abceefb75e19dcde22e51b036493413ef0b5cd", opaque="AQAAAK5Mba8WRqO56xvFJpIWzjCx51zZ", stale=FALSE, algorithm=MD5, qop="auth"
Mar 3 11:43:43 (none) main: 8242.04 SipPacket Content-Length: 0
Mar 3 11:43:43 (none) main: 8242.04 SipPacket
Mar 3 11:43:43 (none) main: 8242.04 SipPacket >!!!
Mar 3 11:43:43 (none) main: Authorization to SUBSCRIBE got proxy-challenged in 407 SUBSCRIBE
Mar 3 11:43:43 (none) main: Received signal SIGSEGV (11) in thread 0x4084d450, TID 1809
Mar 3 11:43:43 (none) main: Illegal memory access at: 0x8
Mar 3 11:43:43 (none) main: Registers:
03-11-2013 10:44 PM
Hi Danny,
Yes you are right. We are getting a crash following a SIP Presence Subscribe.
Jan 1 06:15:48 (none) main: Authorization to SUBSCRIBE got proxy-challenged in 407 SUBSCRIBE
Jan 1 06:15:48 (none) main: Received signal SIGSEGV (11) in thread 0x4084d450, TID 1826
Jan 1 06:15:48 (none) main: Illegal memory access at: 0x8
Jan 1 06:15:48 (none) main: Registers:
Jan 1 06:15:48 (none) main: R0: 4192f1f9 R1: 000003c0 R2: 8a2ebf18 R3: 00000000
Jan 1 06:15:48 (none) main: R4: 00000000 R5: 4192ebdc R6: 00000001 R7: 00000078
Jan 1 06:15:48 (none) main: R8: 4192ebd4 R9: 00000000 R10: 00000008 FP: 4084cacc
Jan 1 06:15:48 (none) main: PC: 007cfe30 IP: 000005c8 SP: 4084ca90 LR: 007cfd94
Jan 1 06:15:48 (none) main: ERR: 00000017 CPSR: 20000010 FAULT: 00000008 TRAP: 0000000e
Jan 1 06:15:48 (none) main: OLDMSK: 00000000
1778.69 SipPacket PacketDump: Proto: SIP, Name: SIP/2.0 407 Proxy Authentication Required, Direction: Incoming, RemoteAddress: 115.112.251.34:5060, GroupEntity: 5212593f6032700f@203.99.192.27, Time: 1778684, Content: !!!<
1778.69 SipPacket SIP/2.0 407 Proxy Authentication Required
1778.69 SipPacket Via: SIP/2.0/TCP 203.99.192.27:5060;branch=z9hG4bK8b0a6dba8f2ccee420664579e4ec3240.1;received=203.99.192.27;rport=39352;ingress-zone=DefaultSubZone
1778.69 SipPacket Call-ID: 5212593f6032700f@203.99.192.27
1778.69 SipPacket CSeq: 101 SUBSCRIBE
1778.69 SipPacket From: <>>ABC@video.gg.com>;tag=54020edd62302085
1778.69 SipPacket To: <>>609160037@video.gg.com>;tag=260b1bce948ae702
1778.69 SipPacket Server: TANDBERG/4120 (X7.2.1)
1778.69 SipPacket Proxy-Authenticate: Digest realm="vcsc.video.gg.com", nonce="d34ecc64f5e7b0abc9067dce57099b1be740b6cd099122e377633655d4b1", opaque="AQAAAET4omQDHsmcwJls30RE53TlDEMt", stale=FALSE, algorithm=MD5, qop="auth"
1778.69 SipPacket Proxy-Authenticate: NTLM realm="vcsc.video.gg.com", qop="auth", targetname="vcsc.video.gg.com"
1778.69 SipPacket Content-Length: 0
1778.69 SipPacket
1778.70 SipPacket >!!!
03-11-2013 11:44 PM
The only change we had is enable NTLM auth on VCS-Control. Prevously it was local.
So, my question is would only an NTLM challenge crash the E20..?
03-12-2013 03:12 AM
Since you confirmed that the issue your are encountering is indeed CSCue59199, can you mark this thread as being "answered" ?
The reason why E20 is crashing is due to that ddts I mentioned :
CSCue59199 - Boot: SIPAUTH error: unable to clear signature (gState=1)
That ddts is not fixed in any release yet, but there are ways to prevent the E20 being challenged using NTLM so it no longer crashes. VCS changes must be done to avoid the NTLM going out to the E20.
The bug has more info found at bugtoolkit.
Conditions:
VCS registers E20 as an unauthenticated device because the SubZone where E20 registers to is set to "Do not check credentials". After the E20 registers, it will update its Presence information. VCS needs to Authenticate a device before providing Presence, hence the VCS sends an NTLM Challenge (SIP 407 Proxy Auth Required). Once E20 receives this SIP message, it crashes
Workaround:
Make sure the Default Zone and the SubZone where the E20 registers are set to "Treat as Authenticated" or "Check Credentials". The E20 device must be authenticated by the VCS in the SUBSCRIBE process.
If the Presence is provided by a Neighbor VCS, make sure the following configuration is set correctly in the Neighbor Zones in both sides:
SIP Authentication Trust Mode: On
In this way, the VCS will identify as Authenticated Devices all the messages coming from Neighbor Devices that have already been authenticated by the Neighbor VCS
Finally, make sure NTLM Protocol Challenges is set to "Auto" in all VCS's. In X7.2 and later, this setting can be found in AD Configurations. In X7.1, you can find it under Device Authentication Configuration.
03-07-2013 12:50 AM
What kind of network is that? Did you ever sniff on the network whats going on there?
I have had put a sip enabled E20 with TE4.1.1 on a public non firewalled IP address
(just to see how it behaves) and it never crashed.
You have the typical sip scans which will cause the system to ring, but that does not
sould like the issue here.
I would see if there is some other strange packets going on, like CDP, ...
Put a network tracer, a switch with a mirror port or a hub in between the system and its
network and sniff whats happening.
Please remember to rate helpful responses and identify
03-07-2013 01:11 AM
The E20's are connecting from Home Internet - mostly behind a DSL.
The recent change we had is, enabled AD auth for Jabber on VCS with NTLM.
So, we enabled check credentials on the VCS-C's traversal zone.
I will try to get a capture from the wire and post.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide