
VCS starter pack - Movi from home

ronin2k8cronus
Level 1

Hi guys,

I have a problem with registering a Movi client to a VCS Starter pack over the Internet.

My design is this: Movi - Internet - Router - VCS Starter pack (no TMS). The VCS is connected to the LAN with one interface and is statically NATed to the Internet by the Cisco router that sits in front of it.

I am able to register the Movi client to the VCS if Movi is connected to the local LAN. The settings on the VCS are simple:

Default Zone - Authentication Policy - Check Credential

Default Subzone - Authentication Policy - Treat as authenticated

When I try to connect the Movi client from my home (over the Internet - no VPN) I get these messages:

Oct 20 14:05:45tvcs: Event="Message Sent" Service="SIP" Src-ip="X" Src-port="5060" Dst-ip="Y" Dst-port="29284" Protocol="TCP" Num-bytes="426" Level="4" UTCTime="2011-10-20 11:05:45,349"
Oct 20 14:05:45tvcs: Event="Response Sent" Service="SIP" Src-ip="X" Src-port="5060" Dst-ip="Y" Dst-port="29284" Protocol="TCP" Method="SUBSCRIBE" To="sip:provisioning@cronus.ro" Response-code="404" Level="3" UTCTime="2011-10-20 11:05:45,349"
Oct 20 14:05:45tvcs: Event="Request Received" Service="SIP" Src-ip="Y" Src-port="29284" Dst-ip="X" Dst-port="5060" Protocol="TCP" Method="SUBSCRIBE" Request-URI="sip:silviu@cronus.ro" Level="3" UTCTime="2011-10-20 11:05:45,347"
Oct 20 14:05:45tvcs: Event="Message Received" Service="SIP" Src-ip="Y" Src-port="29284" Dst-ip="X" Dst-port="5060" Protocol="TCP" Num-bytes="987" Level="4" UTCTime="2011-10-20 11:05:45,347"
Oct 20 14:05:43tvcs: Event="Message Sent" Service="SIP" Src-ip="X" Src-port="5060" Dst-ip="Y" Dst-port="29284" Protocol="TCP" Num-bytes="581" Level="4" UTCTime="2011-10-20 11:05:43,726"
Oct 20 14:05:43tvcs: Event="Response Sent" Service="SIP" Src-ip="10.1.101.10" Src-port="5060" Dst-ip="109.166.141.13" Dst-port="29284" Protocol="TCP" Method="SUBSCRIBE" To="sip:provisioning@cronus.ro" Response-code="407" Level="3" UTCTime="2011-10-20 11:05:43,726"
Oct 20 14:05:43tvcs: Event="Request Received" Service="SIP" Src-ip="Y" Src-port="29284" Dst-ip="X" Dst-port="5060" Protocol="TCP" Method="SUBSCRIBE" Request-URI="sip:silviu@cronus.ro" Level="3" UTCTime="2011-10-20 11:05:43,726"

I read the Cisco VCS Expressway Starter Pack - Cisco TelePresence Deployment Guide - Cisco VCS X5.1 and I think I did everything right, but since it is not working, clearly I didn't do something right.

Does anyone have any idea from the logs?

Thank you for your help.

2 Accepted Solutions


Martin Koch
VIP Alumni

Some remarks:

* Which VCS version do you use? It seems to be something >=X6

* Check the domain: cronus.ro is added as the SIP domain and is also set up as the domain in Movi

* Are you sure your password is correct?

* You can also try to set the default zone, default subzone (and maybe other zones involved) to "treat as authenticated" just to see if you can register

* Do you have the "dual interface option"? This would be required in your deployment

Please remember to rate helpful responses and identify


Hi Ronin,

if your VCS-E is behind a static NAT, you will need a 'Dual network interfaces' option key for your VCS-E in order for this to work properly (As Martin pointed out in his comment). Although you don't necessarily have to actively use both network interfaces, this option key also unlocks the static NAT features of the VCS-E, allowing you to configure the VCS-E so that it is aware of its public NAT address, to ensure that call signaling and media packets are sent to the correct IP address.

You can find more information about static NAT on the VCS in the VCS Administrator's guide at www.cisco.com/support.

Hope this helps,

Andreas


10 Replies

Arun Kumar
Cisco Employee

Hi Ronin,

Check that the Internal VCS and External VCS names on the Movi Advanced dialog are resolvable by the Movi PC and resolve to the VCS Expressway Starter Pack address, for example by attempting to ping the DNS names. (These are the addresses Movi uses when requesting to be provisioned.)

Check that the Cluster name (FQDN for provisioning) on the VCS configuration > Clustering page of VCS is resolvable by the Movi PC and resolves to the VCS Expressway Starter Pack address, for example by attempting to ping the DNS name.

The following IP ports must be open to the VCS through the firewall:

- 5060 (if basic SIP connection is required)

- 5061 (for SIP over TLS)

- 50000 to 52399 (for media)

You can enable the SIP logs on the Movi PC and see what's going on, or share them here (close Movi before you modify this file):

C:\Documents and Settings\\Local Settings\Application Data\Cisco\Movi\2.0\Logs

Logs.ini

[SIP]

Level=TRACE

Start Movi and see if there are still issues. Check the SIP logs.

HTH

Arun


ronin2k8cronus
Level 1

Hi,

I got a log from the Movi client and it looks like this:

2011-10-21 12:19:40,030 INFO PID 4008 TID 4064 SIP

Outgoing SIP message: ---------------------------------------------  Movi to VCS

SUBSCRIBE sip:myuser@mydomain.ro SIP/2.0

Via: SIP/2.0/TCP 10.81.112.124:57700;branch=z9hG4bK3c5385d1c2ee4ddb90b1dd39afbcb392.1;rport

Call-ID: fb3d4f26cf429089@127.0.0.1

CSeq: 201 SUBSCRIBE

Contact:

From: <>myuser@mydomain.ro>;tag=1d36923721670340

To: <>provisioning@mydomain.ro>

Max-Forwards: 70

Route:

User-Agent: TANDBERG/771 (MCX 4.2.0.10318 (multistream))

Expires: 3600

Event: ua-profile;model=movi;vendor=tandberg.com;profile-type=user;version=4.2.0.10318;clientid="S-1-5-21-3877805953-4107524849-2931270436";connectivity=1

Accept: application/pidf+xml

Content-Length: 0

2011-10-21 12:19:40,262 INFO PID 4008 TID 4064 SIP

Incoming SIP message: ---------------------------------------------  VCS to Movi

SIP/2.0 407 Proxy Authentication Required

Via: SIP/2.0/TCP 10.81.112.124:57700;branch=z9hG4bK3c5385d1c2ee4ddb90b1dd39afbcb392.1;received=109.166.140.252;rport=49640

Call-ID: fb3d4f26cf429089@127.0.0.1

CSeq: 201 SUBSCRIBE

From: <>myuser@mydomain.ro>;tag=1d36923721670340

To: <>provisioning@mydomain.ro>;tag=4831368554890ed9

Server: TANDBERG/4097 (X6.0)

Proxy-Authenticate: Digest realm="my_FQDN", nonce="326d795db723c3efc67372061bd4aa29df64512a07e3d46e077c99f4696a", opaque="AQAAAE6oBYRFGLdsMl2POYluxq4MZL1q", stale=FALSE, algorithm=MD5, qop="auth"

Content-Length: 0

2011-10-21 12:19:41,589 INFO PID 4008 TID 4064 SIP

Outgoing SIP message: --------------------------------------------- Movi to VCS

SUBSCRIBE sip:myuser@mydomain.ro SIP/2.0

Via: SIP/2.0/TCP 10.81.112.124:57700;branch=z9hG4bK1c9ba25f292891cf38f892af9d3f61ae.1;rport

Call-ID: fb3d4f26cf429089@127.0.0.1

CSeq: 202 SUBSCRIBE

Contact:

From: <>myuser@mydomain.ro>;tag=1d36923721670340

To: <>provisioning@mydomain.ro>

Max-Forwards: 70

Route:

User-Agent: TANDBERG/771 (MCX 4.2.0.10318 (multistream))

Expires: 3600

Proxy-Authorization: Digest nonce="326d795db723c3efc67372061bd4aa29df64512a07e3d46e077c99f4696a", realm="my_FQDN", qop=auth, opaque="AQAAAE6oBYRFGLdsMl2POYluxq4MZL1q", username="myuser", uri="sip:mydomain.ro", response="ff4d18476a9c1bf49f49cdaa55c2600b", algorithm=MD5, nc=00000001, cnonce="0aac78542d575b8a7c2a7242e43b28f6"

Event: ua-profile;model=movi;vendor=tandberg.com;profile-type=user;version=4.2.0.10318;clientid="S-1-5-21-3877805953-4107524849-2931270436";connectivity=1

Accept: application/pidf+xml

Content-Length: 0

2011-10-21 12:19:41,840 INFO PID 4008 TID 4064 SIP

Incoming SIP message: --------------------------------------------- VCS to Movi

SIP/2.0 404 Not Found

Via: SIP/2.0/TCP 10.81.112.124:57700;branch=z9hG4bK1c9ba25f292891cf38f892af9d3f61ae.1;received=109.166.140.252;rport=49640;ingress-zone=DefaultZone

Call-ID: fb3d4f26cf429089@127.0.0.1

CSeq: 202 SUBSCRIBE

From: <>myuser@mydomain.ro>;tag=1d36923721670340

To: <>provisioning@mydomain.ro>;tag=e88aec8221d8250b

Server: TANDBERG/4097 (X6.0)

Warning: 399 my_vcs_localIPAddress:5060 "Not Found"

Content-Length: 0

The design is like this:

Movi (109.166.140.252) ---> Internet provider (I see an intermediate IP address in the logs, 10.81.112.124) ---> Router 2811 ---> VCS (only one internal IP address, my_vcs_localIPAddress, with the router doing static NAT to my_vcs_globalIPAddress). Since the router is doing static NAT, all ports are opened.

From the messages I can see:

1) Movi is sending the registration request

2) VCS is asking me to authenticate

3) Movi is sending the authentication data

4) VCS does not authenticate me and I see this warning:

Warning: 399 my_vcs_localIPAddress:5060 "Not Found". In the warning is my VCS local IP address. Maybe the global IP should be here (this looks like a problem, but I do not know how to fix it)

From the Movi client I can ping the VCS FQDN (which is the same as the external VCS name).

Since I am doing static NAT, all ports are opened on the firewall.

I am using VCS X6.0.

The domain is correct.

The password is correct since I can connect from the local LAN.

I tried a few different combinations of check credential and treat as authenticated, to no effect.

I don't think I have the dual interface option; can that be the problem?

Thank you for your help.



Thank you for your answer.

Will the 'Dual network interfaces' option key also be necessary for URI inbound and outbound dialing if my VCS is behind a static NAT?

Have a nice day.

Hi,

the option key is required for all external connectivity while the VCS-E is behind a static NAT.

Regards

Andreas

We are a Cisco Gold Partner, and I was trying to implement the URI inbound and outbound dialing feature in order to call a video endpoint at Cisco HQ in Romania.

Is there a way to do that without the 'Dual network interfaces' option key?

Thank you.

Hi Ronin,

as I mentioned in my previous message, the option key is required for all external connectivity for the VCS-E, including inbound/outbound URI dialing, in a scenario where the VCS-E is located behind a NAT device.

Regards

Andreas

There are at least two parts: the provisioning/registration itself, where with some tricks it might even be possible to succeed, and, not to forget, the media of the calls (audio/video), which will definitely cause trouble, as the VCS-E could not work properly to traverse the firewall because it would announce a wrong internal IP which is not reachable from the outside.

You can set up the VCS-E in a DMZ on a public IP with no NAT.

But please open only the ports towards the public Internet which are required, blocking internal & management ports (like ssh, https, ldap, ...)

If the IP of the VCS is behind NAT, you need the Dual Interface option key.

Btw, if you use the domain which is mentioned in your first post, you do not have SRV records for it. I would also fix that, so your users can be reached by external systems :-)

Please remember to rate helpful responses and identify

ruben.montes
Level 1

Hi,

My topology is the same but I'm having some troubles:

VCS Starter Package with Dual interface but only LAN1 connected to inside --> L3 switch --> Firewall --> Internet

In this topology, there are some external calls that fail, from the troubleshooting, only the calls that come NATed by a home router are working properly. When the Movi client has a public IP, it is not working.

Any idea? Maybe some relation with SIP header ip/L3 header ip mismatch?

Thanks in advance!
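The address mismatches discussed in this thread (a private `Via` address next to a public `received=` value, and a private address in a header the server fills in) can be picked out of a captured SIP message mechanically. The following is an added example, not code from any poster or from Cisco; the sample message is constructed from the 404 quoted above, with the made-up address 10.0.0.5 standing in for `my_vcs_localIPAddress`.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
VIA = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)")
# Headers a server fills in with its own address. Contact and Record-Route
# are used for routing; the Warning agent is only informational.
SERVER_HEADERS = ("contact", "record-route", "warning")

# Constructed sample: the 404 from the thread, with the placeholder
# my_vcs_localIPAddress replaced by the made-up address 10.0.0.5.
SAMPLE_404 = """\
SIP/2.0 404 Not Found
Via: SIP/2.0/TCP 10.81.112.124:57700;branch=z9hG4bK1c9b.1;received=109.166.140.252;rport=49640
CSeq: 202 SUBSCRIBE
Server: TANDBERG/4097 (X6.0)
Warning: 399 10.0.0.5:5060 "Not Found"
Content-Length: 0
"""

def is_rfc1918(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # hostname or malformed literal
        return False
    return any(addr in net for net in RFC1918)

def nat_findings(message):
    """Return NAT-related observations for one SIP message."""
    findings = []
    for line in message.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "via":
            sent_by = VIA.match(value)
            received = re.search(r";received=([^;\s]+)", value)
            if sent_by and received and sent_by.group(1) != received.group(1):
                findings.append(("client-behind-nat",
                                 sent_by.group(1), received.group(1)))
        elif name in SERVER_HEADERS:
            findings += [("private-address-advertised", name, ip)
                         for ip in IPV4.findall(value) if is_rfc1918(ip)]
    return findings

if __name__ == "__main__":
    for finding in nat_findings(SAMPLE_404):
        print(finding)
```

A `private-address-advertised` finding on `Contact` or `Record-Route` in traffic seen from outside the NAT is the case the replies describe, where the server announces an internal address that external peers cannot reach.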
