Solved: Re: Cisco Cube - SIP - T-Mobile Company Flex Service - Page 3

msasala · ‎07-05-2022

We recently had to move from an ISDN Hand-Off to a SIP Based Service from T-Mobile called Company Flex

I was able to find a guide from another post, https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/discussions-uc-infrastructure/168390/1/Telekom%20Company%20Flex%20DE.pdf

I am not able to get the SIP Trunk to register to tel.t-online.de

It looks like the A record for them was replaced with an SRV record, but im not sure what would need to be done from the CUBE side to setup a connection to the SIP Domain.

Roger Kallberg · ‎07-08-2022

I did not have the link handy yesterday, so I could not pass it along to you. This is the document that I refereed to. Direct Routing for Microsoft Phone System with Cisco Unified Border Element (CUBE)

Elliot Dierksen · ‎07-07-2022

You can't ping it because it is an SRV record (service locator), not an A record (name to IP). see the following to be able to look up an SRV record.

C:\>nslookup -type=any tel.t-online.de.

Non-authoritative answer:
tel.t-online.de nameserver = ns1.edns.t-ipnet.de
tel.t-online.de nameserver = ns2.edns.t-ipnet.de
tel.t-online.de nameserver = ns3.edns.t-ipnet.de
tel.t-online.de nameserver = ns4.edns.t-ipnet.de
tel.t-online.de nameserver = ns5.edns.t-ipnet.de
tel.t-online.de nameserver = ns6.edns.t-ipnet.de
tel.t-online.de
        primary name server = ns1.edns.t-ipnet.de
        responsible mail addr = hostmaster.t-ipnet.net
        serial  = 2018022700
        refresh = 43200 (12 hours)
        retry   = 1800 (30 mins)
        expire  = 1209600 (14 days)
        default TTL = 21600 (6 hours)
tel.t-online.de ??? unknown type 35 ???
tel.t-online.de ??? unknown type 35 ???
tel.t-online.de ??? unknown type 35 ???

ns1.edns.t-ipnet.de     internet address = 212.185.255.209
ns1.edns.t-ipnet.de     AAAA IPv6 address = 2003:180:8::53
ns2.edns.t-ipnet.de     internet address = 212.185.255.217
ns2.edns.t-ipnet.de     AAAA IPv6 address = 2003:180:8:100::53
ns3.edns.t-ipnet.de     internet address = 212.185.255.225
ns3.edns.t-ipnet.de     AAAA IPv6 address = 2003:180:8:200::53

msasala · ‎07-19-2022

I wanted to post what needed to be done to Register the SIP Trunk.

In April the Telkom changed to using TLS Registration and we needed their public cert installed and referenced in the sip-ua config. Here is what made the registration work

voice class tenant 2000
registrar dns:tel.t-online.de expires 480 tcp tls
credentials number +4919929600000044XXXX username +4919929600000044XXXX@tel.t-online.de password 6 (password) realm tel.t-online.de
authentication username +49199296000000449050@tel.t-online.de password 6 (password) realm tel.t-online.de
no remote-party-id
timers dns registrar-cache ttl
sip-server dns:tel.t-online.de
session transport tcp tls
no session refresh
header-passing
error-passthru
asserted-id ppi
bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
no pass-thru content custom-sdp
conn-reuse
sip-profiles 3000
outbound-proxy dns:55113799XXXX.primary.companyflex.de
privacy-policy passthru

sip-ua
timers connection aging 10
no transport udp
transport tcp tls v1.2
crypto signaling default trustpoint (cert name)

We also ran into an issue with RTP, now that TLS is being used, we need to add these commands to the DIal-Peers

Provider Dial-Peers

srtp

CUCM Dial Peers

voice-class sip srtp negotiate cisco

srtp fallback

Lastly, we had run into this Bug on the version i had just installed, glad someone from TAC was able to help with this as i was very lost on why calls were not working.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz80171

b.winter · ‎07-19-2022

If I remember correctly, if the internet connection you are using for the SIP trunk is not from Telekom, then SIP / RTP encryption is mandatory within the CompanyFlex SIP trunk

Nuno Melo · ‎07-27-2022

What b.winter is correct,

Deutsch Telekom Company flex product does not allow sip sessions over port 5060 if the internet access is not provided by them. Meaning that if the public ip does not belong to a circuit or access from Deutsch Telekom.

If a 3rd party ISP is being used to reach Deutsch Telekom sip srv records this is only allowed using SIP TLS, so Deutch telekom only propagates the non secure SIP srv records on their network, everything outside just resolves the SIP TLS SRV records on port 5061.

THis means that the SBC has to conform the following per-conditions:

Has to have a Security License - SEC-K9, so its possible to use the CUBE security feature-set
Outside Call-Leg needs to use SIP TLS/SRTP
Telekom Certificate needs to be installed on the on the SBC so it can be used to encrypt the Signaling/RTP steams
- https://www.telesec.de/assets/downloads/PKI-Repository/T-TeleSec_GlobalRoot_Class_2.cer
SIP normalization needs to be used to add specific security SDP parameters that are mandatory by Telekom
- https://cpbx-hilfe.deutschland-lan.de/de/ratgeber-zur-konfiguration/spezialkonfigurationen/mediasec?mode=administrator