Hi,

could you post your config? I have done several installation here in Germany with CompanyFlex and never had an Registration issue.

My tenant config looks like this:

voice class tenant 2000
  registrar dns:tel.t-online.de expires 480 tcp
  credentials number +491992960000000xxxxx username +491992960000000xxxxx@tel.t-online.de password <password> realm tel.t-online.de
  authentication username +491992960000000xxxxx@tel.t-online.de password <password> realm tel.t-online.de
  no remote-party-id
  timers dns registrar-cache ttl
  sip-server dns:tel.t-online.de
  session transport tcp
  no session refresh
  header-passing
  error-passthru
  asserted-id ppi
  bind control source-interface <Interface>
  bind media source-interface <Interface>
  no pass-thru content custom-sdp
  conn-reuse
  outbound-proxy dns:55113619yyyy.primary.companyflex.de
  privacy-policy passthru

You should get the SIP-Servers automatically via SRV lookup. I wouldn't recommend to configure them manually into the router.

The tenant looks good.

But as you can't resolve the FQDN's, your focus should be on your DNS problem.

Which DNS-servers are you using?

Which internet circuit are you using? Is it a T-Mobile one? Is it a fixed access or with DSL dial-up?

Normally, T-Mobile gives you the info, which DNS-server you should use.

If you have a DSL access, then you will get the DNS-server from the DSL dial-up automatically (like you would get the IP-address details)

You could try with one of the following DNS-servers: 194.25.0.60, 194.25.0.52, 194.25.0.68

Can't you just post the full config? (without any sensitive info)

It doesn't help, if you just throw small pieces of info around.

What about the general setup? Is the router directly connected to the internet? Is a FW infront? If yes, does it allow DNS traffic?

Maybe you start with explaining such basic stuff too.

Hey! Here is my latest running config.

This CUBE Connect to a Switch on the Voice VLAN, there is a NAT Policy in place for our Public IP for SIP, any traffic from the CUBE going out the firewall will have that Public SIP IP and traffic coming back to that Public IP will be sent to the CUBE. Its based off this from the guide by the provider

ip access-list extended FROM-DT-TO-CUBE
remark ### Permitted ISP Public address Range ###
permit udp 217.0.0.0 0.0.31.255 range 1025 65534 any
permit udp 217.0.128.0 0.0.15.255 range 1025 65534 any
permit tcp 217.0.0.0 0.0.31.255 any eq 5060
permit tcp 217.0.128.0 0.0.15.255 any eq 5060
permit tcp any any established
remark ### Deutsch Telekom DNS ###
permit udp host 194.25.0.60 eq domain any
permit udp host 194.25.0.52 eq domain any
permit udp host 194.25.0.68 eq domain any
remark ### Permitted PING from inside to outside ###
permit icmp 217.0.0.0 0.0.31.255 any
permit icmp 217.0.128.0 0.0.15.255 any
permit icmp any any echo-reply
remark ### Deny all Other traffic ###
deny ip any any

Also i can confirm the NAT policy works, if i ping any of the 3 DNS Servers they provided it works fine, if i try to ping any other public facing IP it will time out, so the only traffic allowed back to that Public IP is from the Provider from the specified networks.

First:

I accept a very welcome "thank you" for the guide ';-)' Because how the config is done, I recognize it as my own (sip-profiles, descriptions, NAT rules, ...)

I don't know how you got it, but it seems it's circling around ':-)'

Second:

In general: Just because you can ping the IP's, doesn't mean the service that you trying to use is working.

In your case: Just because you can ping the DNS-Servers, doesn't mean you can send / receive DNS-traffic to / from the server.

Maybe you should run a debug to troubleshoot your DNS-problem, or get in touch with the FW guy.

ha thats awesome!

I verified that the policy on the firewall is open for everything in that IP range. Its even more open then the policy in your guide.

I do have a debug of

debug ip dns view

debug ip domain

debug ccsip info

dubug ccsip non-call

It looks like DNS SRV lookup is work, but im not entirely sure. I sent it over to Cisco TAC who was also trying to help.

looks like im getting this DNS error

1465213: Jul 7 15:36:15.019: //-1/000000000000/SIP/Info/notify/262144/ccsipRegisterSetTargetInfo: p2p mode with Registrar Server = dns:tel.t-online.de
1465214: Jul 7 15:36:15.019: //-1/000000000000/SIP/Info/verbose/262144/ccsipRegisterSetTargetInfo: Parsing The Registrar Address
1465219: Jul 7 15:36:15.019: //-1/000000000000/SIP/Info/verbose/262144/ccsip_spi_outgoing_register: ccb's vrfid is set to 0
1465222: Jul 7 15:36:15.020: //-1/xxxxxxxxxxxx/SIP/Info/info/262144/sipSPIIncrementOverloadCount: Local 1 Global 1
1465224: Jul 7 15:36:15.020: //-1/000000000000/SIP/Info/verbose/262144/act_idle_outgoing_register: In act_idle_outgoing_register
1465225: Jul 7 15:36:15.020: //34976/000000000000/SIP/Info/info/262144/act_idle_outgoing_register: Send REGISTER to 55113799****.primary.companyflex.de:5060
1465251: Jul 7 15:36:15.026: //-1/xxxxxxxxxxxx/SIP/Info/notify/262144/ccsip_api_register_target_dns_resolved: ttl = -1
1465252: Jul 7 15:36:15.026: //-1/xxxxxxxxxxxx/SIP/Info/info/262144/sipSPIDecrementOverloadCount: Count:Local 0 Global 0
1465253: Jul 7 15:36:15.026: //-1/xxxxxxxxxxxx/SIP/Info/critical/262144/ccsipRegisterClearCallCountZeroTimer: Clearing call count zero timer
1465255: Jul 7 15:36:15.026: //-1/xxxxxxxxxxxx/SIP/Info/notify/262144/ccsip_register_reset_dns_cache: CCSIP_REGISTER:: registrar 0 DNS resolved addr reset
1465256: Jul 7 15:36:15.026: //34976/000000000000/SIP/Info/notify/262144/sipSPIRegPthruProcessResponse: Processing response w/ resp code == 503
1465257: Jul 7 15:36:15.026: //-1/xxxxxxxxxxxx/SIP/Info/verbose/262144/sipSPIGetRPCBFromRCB: Retreiving RCB [0x7EFF23C584D8] from RPCB [0x0]
1465258: Jul 7 15:36:15.026: //34976/000000000000/SIP/Info/critical/262144/sipSPIRegPthruProcessResponse: Error NO RPCB

As your doing address translation do you have the needed SIP profile to modify the content of the SDP so that it remaps the public address to the private and the reverse? That is if you’re not doing all this with an application aware firewall functionality that can do this transformation for you.

This does not mean that the content of the SDP is also changed. A normal NAT only change the content of the IP header. That is not enough for SIP services to work as you’ll still have the original IP address information in the SDP headers. So you’ll either need to have a firewall that is capable of also altering this information, that’s where an application aware firewall comes into play or you’ll need to modify this on the SBC with SIP profiles in both ingress and egress direction.

To get an idea of what you need to do please have a look at the setup of a Cisco Cube for Microsoft Direct Routing documentation. It contains a great example on how to handle address translation with SIP services.