I'm having an issue where I can't get one of my VCS controls to get SIP working on a traversal zone.
SIP on neighbour zones work fine, H323 on both traversal and neighbour zones are fine. The VCS-C and VCS-E are on the same switch - no firewall in between so it's not like any ports are being blocked. I can get SIP working from a different VCS-C to the same VCS-E and it works fine.
No matter what I try, I can always get the traversal zone to come up with H323 but not with SIP - when I look at the zone on VCS-C it says: SIP Failed to connecto to [VCS-E IP address]:[Port]: No response from system.
The network log on VCS-C indicates that the VCS-E is sending back SIP messages (Recieve Response Code=401....)
What is IP address on VCS Expressway and VCS Control that connecting on same switch?
> I can get SIP working from a different VCS-C to the same VCS-E and it works fine.
I assume this different VCS-C is on different network subnet and not on same switch as VCS-C that you are experiencing issue, isn’t it?
401 messages is requesting for authentication. so that's normal. If the credentials are properly configured and the ports are opened properly then it should work.
what ports are opened and how the expressway setup? is it single NIC or dual nic.
BTW, SIP traversal link between VCS-E and VCS-C required unique port per traversal link.
So if you have two traversal SIP zone on VCS-E, you will need configure two different ports (one for each traversal zone, i.e. 7001 for first traversal zone to VCS-C-1 and 7002 for second traversal zone to VCS-C-2).
Same port have to configure on traversal client zone on VCS-C as SIP port.
Tamonori - the IPs are 126.96.36.199 (VCS-C) and 188.8.131.52 (VCS-E). When I got the SIP traversal zone working to the VCS-E from a different VCS-C, it was from a different subnet. It's all single NIC.
I can't see how it could be authentication as H323 is working fine on the same traversal zone using the same credentials.
As for the ports, they are currently using port 7020 (I've tried using lots of different ports for the SIP - I am aware that each traversal zone needs its own port).
I've tried getting my VCS-C to make a traversal zone to a different VCS-E and I get the exact same problem, so it looks like the issue is with the VCS-C...
OK, does SIP transport in traversal zone configuration match up?
Have you try both TCP and TLS?
Also what is configuration for “Authentication policy” in traversal zone configuration, “Do not check credentials”?
I've got it configured at TCP on both sides (I don't have TLS enabled).
Authentication policy is "Treat as authenticated" but I have tried "Do not check credentials" and there was no change. In both instances, the authentication policy and transport type is the same on both sides.
One other strange thing I've noticed - When I look at my list of zones on the VCS-E, the traversal zone in question has "Off" for its SIP status, even though SIP is definitely turned on in the zone config. I also tried manually setting SIP mode to "on" via CLI for this zone but it still displays as "off" on the list of zones.
What is SIP mode configuration under VCS Configuration > Protocol > SIP > Configuration ? Is it set to "on"?
Also what isTCP mode configuration, "on" as well?
They are both set to on - this VCS-C has several neighbour zones where SIP is working fine - including to the same VCS-E (long story as to why I want a neighbour and traversal zone between the same VCS's!)
I’d suggest to open TAC case to follow up this more detail level.
If you can provide diagnostic log and tcpdump from both VCS-C and VCS-E (start taking a log then enable the traversal link from VCS-C to capture traversal link negotiation) will help us to analysis the issue you are experiencing on your VCS-C.
I remember a simillar case. but issue was H.323 not showing active in that case, yours Sip is not showing active. :)
What are the values for TCP/UDP keep alive timers on the traversal server zone?? have you changed any settings in there?
if you change the values it could be possbile that value is large enough for the firewall to keep the NAT bindings open.
can you confirm if the values are default for TCP/UDP keep alives, retry intervals etc? if possible try following steps.
- delete the traversal client zone
- delete traversal server zone
- take the backup of both the vcs
- reboot the vcs
- create the traversal server zone
- create the traversal client zone
Do you mean the retry timer? If so that's default, 120. There's actually no firewall between these devices - they are on the same switch.
I will try deleting and recreating the zone, thanks.