cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
928
Views
0
Helpful
10
Replies

VCS X8.5.1 SIP TLS to CUCM 8.6.2

josef.berkley
Level 1
Level 1

I'm having problems enabling TLS on my SIP trunk from the VCS to CUCM.

The SIP trunk shows active on the VCS, but I can't make calls from VCS to CUCM or from CUCM to VCS.

Before configuring TLS, I was able to make these calls.

With TLS enabled, the VCS search for calls from VCS to CUCM show the call rejected and give the reason "Forbidden"

Calls from CUCM to VCS get fast busy and I do not see anything in the search history on the VCS.

I've restarted the trunk and call manager service on the CUCM servers, but no change.

I'm not really sure where to go from here.

I followed the following guide for configuring the SIP trunk. http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/Cisco-VCS-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-10-and-X8-5.pdf

 

Any help is appreciated.

Thanks,

Joe

10 Replies 10

Richard Bayes
Level 1
Level 1

Hi Josef, 

Have you had any luck so far with this. I have experienced something similar in regards to TLS SIP trunk between CUCM 10.0 and VCS X8.5

Richard,

No, still having the same issue. I take it you never got it to work either?

Joe

Martin Koch
VIP Alumni
VIP Alumni

It would be interesting to see the status of the sip trunk on cucm and the neigbor zone on the VCS as well as the logs of both and sure also how you configured it.

Please remember to rate helpful responses and identify

Martin,

The SIP trunk on CUCM just shows a status of "Ready".

I think CUCM 9 and 10 would show up or down, but 8.6.2 which we're using just shows "Ready"

 

The VCS zone shows SIP: Reachable for all three servers in the CUCM cluster.

Unfortunately, I can't upload the configuration/logs right now. I'd hoped that there might be something "known" that might explain why I saw the zone as active, but calls still failed.

Especially considering the fact that I don't see any search when I call from CUCM to VCS, I'm not really sure where to start looking.

Do you have any suggestions on where I can start checking?

Thanks for responding.

Joe

But you also changed from TCP to TLS on the VCS neighbor zone config and the port from 5060 to 5061?

 

On CUCM you can enable option packets to really see the status.

 

Think to look the VCS logs might be a easier start than RTMT on CUCM.

Please remember to rate helpful responses and identify

I have the same issue Martin identical in everything with another environment, TCP 5060 trunk works fine,

 

But when using TLS 5061 this is using CUCM 10.0.1 and it shows Up and good on both sides of the sip trunk (certificates have been exchanged) everything, I dont even think the call leaves the CUCM when dialing and when you make a call from the VCS side it just shows up forbidden in the search history.

I have read from some sources which dont clearly give an answer but suggest when doing a TLS sip zone to the CUCM you can't use the standard zone profile? and got to use a custom one? maybe this is where the issue is?

 

Also to add the CUCM has a secured TP device attached to it and trying to call a TLS registered device on the VCS.

Richard & Josef, please double check the sip profile setting for cucm:

 

http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/Cisco-VCS-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-10-and-X8-5.pdf

 

 

Please remember to rate helpful responses and identify

I have again checked these and identical to what I set up, We have a multiple TX9000's on the CUCM in Secure mode working perfect and can make Encrypted calls to the TPS server via a TPS TCP Trunk.

but any calls to the VCS just fail on a VCS To CUCM Trunk using TLS with a fast busy signal. and the VCS doesn't even show a search history for it.

In the eyes of the VCS and the CUCM there is no Issues with the TLS SIP Trunk it seems to be working, but It seems SIP TLS packets don't even leave the CUCM. I have tried almost every resource known, and thought it was me just having some random issue until I saw Josef post the same issue.

Tomorrow I will check the X.509 names on the CUCM SIP Security Profile as this is the only thing I can think of that might cause the SIP trunk to be OK up but not route correctly maybe?

 

Yeah, I've went through everything again and still nothing. I'm trying to set up a packet capture now to see  if that helps identify what's happening between CUCM and VCS.

Perfect, I have not been near our system and not wanted to bring a live link now working on TCP until we get a change window. So if you find anything out please let me know would be useful. maybe the whole SIP trunk up status is a not showing the true status.

Rich

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: