
CME SIP connection stop after 7 seconds

wabbot22
Level 1

Hi,
I've an ISR 2921 with CME 12.0.
I have now moved the outside connection from ISDN to a SIP connection.
If I now call an outside phone, you can talk for exactly 7 seconds; after that the internal phone looks
like you hook up and the external phone is still connected and you can hear nothing.

I've attached a debug ccsip message output and parts of the config.
What more can I debug? Especially why the internal phone hooks up without an error message or something.

One important thing: The router is located behind an ASA and has a private IP.
Actually, everything is allowed for the router IP and there is a NAT overload to the WAN interface configured.

Many thanks....

 


I don't see the attached debug and config file. Can you provide those?

Maren

 

Can you please share the network configuration as well as outline how you have connected your router to the service provider?





As you use CME and a SIP trunk to your service provider that uses registration, it is a requirement to use a tenant configuration for your service provider. Something along the lines of this should do.

voice class uri PSTN sip
 host ipv4:[C.C.C.C]
 ! wildcard to match IP network of telco SIP proxy range C.C.0.0 0.0.255.255
 host C.C.*.*
 ! add as many lines as are needed for the ITSP service

sip-ua
 no credentials number +496136xxxxxx username username@t-online.de password 7 password realm tel.t-online.de
 no authentication username username@t-online.de password 7 password realm tel.t-online.de
 no registrar dns:tel.t-online.de expires 3600
 no sip-server dns:tel.t-online.de
 no host-registrar
 registrar ipv4:[router IP] expires 3600

voice class tenant 2000
 credentials number +496136xxxxxx username username@t-online.de password 7 password realm tel.t-online.de
 authentication username username@t-online.de password 7 password realm tel.t-online.de
 registrar dns:tel.t-online.de expires 3600
 sip-server dns:tel.t-online.de
 host-registrar
 bind control source-interface GigabitEthernet0/0/1
 bind media source-interface GigabitEthernet0/0/1
 outbound-proxy dns:tel.t-online.de reuse
 audio forced
 ! if the ITSP requires the same ports in ingress and egress INVITE; otherwise omit this command
 connection-reuse

dial-peer voice 11 voip
 description *** Incoming calls to SIP Trunk ***
 no translation-profile outgoing 5
 no session target dns:tel.t-online.de
 no incoming called-number .T
 incoming uri via PSTN
 voice-class sip tenant 2000

dial-peer voice 12 voip
 description *** Outgoung SIP Trunk ***
 no translation-profile incoming 4
 voice-class sip tenant 2000

dial-peer voice 13 voip
 description *** Outgoung SIP Trunk ***
 no translation-profile incoming 4
 voice-class sip tenant 2000

voice service voip
 ip address trusted list
  ipv4 217.0.0.0 255.0.0.0
  no ipv4 0.0.0.0 0.0.0.0
  ipv4 [C.C.C.C]
  ! or
  ipv4 [C.C.C.C] 255.255.255.xxx
  ! add as many lines as are needed for the ITSP service
 no allow-connections h323 to h323
 no allow-connections h323 to sip
 no allow-connections sip to h323
 no h323
 address-hiding
 mode border-element 

This also contains some cleanups and additions for best-practice configuration. For example, you have turned off the security in your router with this command in the ip address trusted list section: "ipv4 0.0.0.0 0.0.0.0". This is really not recommended.
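Added example, not part of the reply above and not Cisco tooling: a Python check of the `ip address trusted list` section that reports catch-all entries such as `ipv4 0.0.0.0 0.0.0.0` and tells whether a given source address would be accepted. The sample configuration, the function names and the tested addresses are constructed for illustration, and only the explicit list entries are modelled.

```python
import ipaddress

# Constructed excerpt: the trusted list with the catch-all entry still present.
SAMPLE_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 217.0.0.0 255.0.0.0
  ipv4 0.0.0.0 0.0.0.0
  ipv4 192.0.2.10
 allow-connections sip to sip
"""

def trusted_networks(config):
    """Return the networks configured under 'ip address trusted list'."""
    nets, list_indent = [], None
    for line in config.splitlines():
        indent, words = len(line) - len(line.lstrip()), line.split()
        if words == ["ip", "address", "trusted", "list"]:
            list_indent = indent
        elif list_indent is not None and words:
            if indent <= list_indent:
                list_indent = None          # left the trusted-list sub-mode
            elif words[0] == "ipv4" and len(words) >= 2:
                # An entry without a mask is a single host.
                mask = words[2] if len(words) > 2 else "255.255.255.255"
                nets.append(ipaddress.ip_network(f"{words[1]}/{mask}", strict=False))
    return nets

def catch_all_entries(config):
    """Entries that match every source address (prefix length 0)."""
    return [n for n in trusted_networks(config) if n.prefixlen == 0]

def is_trusted(config, source_ip):
    """Would a call setup from source_ip pass the trusted-list check?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in trusted_networks(config))
```

With the catch-all entry present every source address passes the check; once that line is removed, only the ITSP ranges that are actually listed do.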





+5 to @Roger Kallberg for the best practices info!

The debug shows that you are receiving a 200OK message when the far-end phone picks up, and your system is sending an ACK as it should. But one second later, you are receiving another 200OK message as if the far-end did not receive the ACK you sent. And another one second after that and so on until you have sent four ACKs. At that point, the far-end is still sending 200OK messages and your side stops sending ACKs. 

I would bring this to your service provider to determine why the ACKs you are sending are not completing, or if you are required to continue to send the ACKs to maintain the connection (possibly related to the Proxy Auth - I don't work with that often so I don't know).


 Maren
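Added example, not part of the posts above: a Python script that looks for the pattern described in this reply in `debug ccsip messages` output, namely a 200 OK for the same INVITE that is received more than once, and counts the ACKs sent for it. The debug text is constructed and reduced to the headers the check needs; the function names are hypothetical.

```python
from collections import defaultdict

def build_sample():
    """Constructed, header-only sample laid out like 'debug ccsip messages'."""
    stamp = "Jan 10 10:00:{:02d}.000: //12/0000/SIP/Msg/ccsipDisplayMsg:"
    ok = "Received:\nSIP/2.0 200 OK\nCall-ID: {cid}\nCSeq: 101 INVITE\n"
    ack = "Sent:\nACK sip:peer@tel.example.net SIP/2.0\nCall-ID: {cid}\nCSeq: 101 ACK\n"
    out = [stamp.format(0), ok.format(cid="healthy-call"),
           stamp.format(0), ack.format(cid="healthy-call")]
    for sec in range(1, 7):                 # six 200 OKs, one second apart
        out += [stamp.format(sec), ok.format(cid="failing-call")]
        if sec <= 4:                        # as in the thread: four ACKs, then none
            out += [stamp.format(sec), ack.format(cid="failing-call")]
    return "\n".join(out)

def parse_messages(debug_text):
    """Return one dict per SIP message: direction, start line, headers."""
    messages, cur = [], None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line in ("Sent:", "Received:"):
            cur = {"dir": line[:-1], "start": None, "hdr": {}}
            messages.append(cur)
        elif cur is None:
            continue                        # timestamp or unrelated debug line
        elif not line:
            if cur["start"]:
                cur = None                  # blank line ends the header block
        elif cur["start"] is None:
            cur["start"] = line
        elif ":" in line:
            name, value = line.split(":", 1)
            cur["hdr"][name.strip().lower()] = value.strip()
    return messages

def retransmitted_200s(debug_text):
    """Map (Call-ID, CSeq number) -> counts, for INVITEs whose 200 OK repeats."""
    seen = defaultdict(lambda: {"ok_received": 0, "ack_sent": 0})
    for m in parse_messages(debug_text):
        start = m["start"] or ""
        cseq = m["hdr"].get("cseq", "").split()
        if len(cseq) != 2:
            continue
        key = (m["hdr"].get("call-id"), cseq[0])
        if m["dir"] == "Received" and start.startswith("SIP/2.0 200") and cseq[1] == "INVITE":
            seen[key]["ok_received"] += 1
        elif m["dir"] == "Sent" and start.startswith("ACK "):
            seen[key]["ack_sent"] += 1
    return {k: v for k, v in seen.items() if v["ok_received"] > 1}
```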

wabbot22
Level 1

I've changed the configuration as Roger said, but exactly the same behaviour....
You can see a short topology plan attached.
Contacting German Telekom isn't the easiest thing, because they don't understand that I use a Cisco CME and not a device which they offer.

The Telekom folks don't need to know what you are using for call processing internally. The issue is with the SIP signaling on the trunk between your system and their system. That is the part that I would ask them about.

Maren

 

Based on your topology it looks like you may be using a single interface in your CME router. That’s not the best idea. It is recommended to use dual interfaces in your router when you use it as an SBC.

Also, NAT can typically cause a whole load of problems and issues with SIP communication. For this it is typically necessary to use SIP profile(s) to modify the content of the headers in the SIP dialogue. Otherwise the IPs listed in the dialogue do not match the expected values. There are quite a few posts on this topic in the forum. Have a look at them to see what you’ll likely need to do.





I don’t see the interface configuration from your router. Can you please share that?





wabbot22
Level 1

On the interface Gi0/0 there is only the IP address configured and OSPF, nothing more.

I've also tried to connect the router temporarily directly to the internet line
and this works fine. So from my point of view, the problem is the NAT situation.

Sorry, my daily business is much more security and datacenter, not UC.
My understanding of an SBC is that there is one connection to the
Internet and one to the LAN, or is behind NAT also OK?
Can you give me an idea what I have to look/search for?

Many Thanks !!!!

An SBC would normally have two interfaces, one for the internal network connection and another for the connection with the service provider. It can be behind a device that does NAT, but then you for the most part need to use at least one SIP profile to rewrite the content of a number of headers in the SIP signaling. That it works when you have it directly connected would in my view point to this being your problem. If you search for this in the community I’m sure you’ll find quite a few posts on this topic.





This is an example taken from one of our SBCs that is behind a device that does NAT.

 

! Outbound on inbound dial peer and on outbound dial peer
voice class sip-profiles 10
 rule 5 request ANY sip-header From modify "<router IP on inside interface>" "<router IP on outside interface>" 
 rule 10 request ANY sip-header Contact modify "<sip:(.*)@<router IP on outside interface>:5060>" "<sip:\1@<NAT IP>:5060>" 
 rule 20 response ANY sip-header Contact modify "<sip:(.*)@<router IP on outside interface>:5060>" "<sip:\1@<NAT IP>:5060>" 
 rule 30 request ANY sip-header Via modify "SIP(.*) <router IP on outside interface>(.*)" "SIP\1 <NAT IP>\2" 
 rule 40 request INVITE sip-header Requested-By modify "sip:<router IP on outside interface>>" "sip:<NAT IP>>" 
 rule 50 request ANY sdp-header Session-Owner modify "<router IP on outside interface>" "<NAT IP>" 
 rule 60 response ANY sdp-header Session-Owner modify "<router IP on outside interface>" "<NAT IP>" 
 rule 70 request ANY sdp-header Connection-Info modify "<router IP on outside interface>" "<NAT IP>" 
 rule 80 response ANY sdp-header Connection-Info modify "<router IP on outside interface>" "<NAT IP>" 
 rule 90 request ANY sdp-header Audio-Connection-Info modify "<router IP on outside interface>" "<NAT IP>" 
 rule 100 response ANY sdp-header Audio-Connection-Info modify "<router IP on outside interface>" "<NAT IP>" 


! On SIP option ping profile
voice class sip-profiles 200
 rule 10 request ANY sip-header Via modify "SIP(.*) <router IP on outside interface>(.*)" "SIP\1 <NAT IP>\2" 
 rule 20 request OPTIONS sip-header From modify "<sip:<router IP on outside interface>" "<sip:<NAT IP>" 
 rule 30 request ANY sip-header To modify "<sip:<router IP on outside interface>" "<sip:<NAT IP>" 
 rule 40 request OPTIONS sip-header Contact modify "<sip:<router IP on outside interface>" "<sip:<NAT IP>" 
 rule 50 response ANY sdp-header Connection-Info modify "<router IP on outside interface>" "<NAT IP>" 
 rule 60 response ANY sdp-header Audio-Connection-Info modify "<router IP on outside interface>" "<NAT IP>" 


! Inbound on inbound dial peer
voice class sip-profiles 100
 rule 10 request OPTIONS sip-header SIP-Req-URI modify "<NAT IP>" "<router IP on outside interface>" 
 rule 20 request ANY sip-header To modify "<sip:<NAT IP>" "<sip:<router IP on outside interface>" 


! Apply configuration to use the SIP profiles
voice service voip
 sip
  sip-profiles inbound
! 
voice class sip-options-keepalive 200
 sip-profiles 200
! 
dial-peer voice 100 voip
 description Incoming Dial-Peer from ITSP
 voice-class sip profiles 10
 voice-class sip profiles 100 inbound
!
dial-peer voice 110 voip
 description Outbound Dial-Peer for calls to ITSP
 voice-class sip profiles 10
 voice-class sip options-keepalive profile 200

 

You'll need to adapt this to fit your specific needs and some part(s) might go into the tenant configuration instead of on the dial peers. You'll have to read up on this and come up with what works for you.
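Added example, not the poster's configuration and not how IOS implements SIP profiles: a Python model of what rules 10, 30, 50 and 70 of profile 10 do to an outbound INVITE, followed by a check that no RFC 1918 address is left in the message. The two IP addresses, the sample INVITE and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed values: the router's private address and the public NAT address.
ROUTER_IP, NAT_IP = "10.10.10.2", "203.0.113.10"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Simplified model of rules 10, 30, 50, 70: (target line, pattern, replacement).
RULES = [
    ("Contact:", rf"<sip:(.*)@{re.escape(ROUTER_IP)}:5060>", rf"<sip:\1@{NAT_IP}:5060>"),
    ("Via:", rf"SIP(.*) {re.escape(ROUTER_IP)}(.*)", rf"SIP\1 {NAT_IP}\2"),
    ("o=", re.escape(ROUTER_IP), NAT_IP),   # sdp-header Session-Owner
    ("c=", re.escape(ROUTER_IP), NAT_IP),   # sdp-header Connection-Info
]

# Constructed outbound INVITE, shortened to the lines that matter here.
SAMPLE_INVITE = """\
INVITE sip:+4900000000@tel.example.net SIP/2.0
Via: SIP/2.0/UDP 10.10.10.2:5060;branch=z9hG4bKconstructed
Call-ID: constructed-call-1
Contact: <sip:+4911111111@10.10.10.2:5060>

o=CiscoSystemsSIP-GW-UserAgent 1 1 IN IP4 10.10.10.2
c=IN IP4 10.10.10.2
m=audio 16384 RTP/AVP 8
"""

def apply_profile(message, rules=RULES):
    """Apply each rule to the lines it targets and return the new message."""
    out = []
    for line in message.splitlines():
        for prefix, pattern, repl in rules:
            if line.startswith(prefix):
                line = re.sub(pattern, repl, line)
        out.append(line)
    return "\n".join(out)

def is_rfc1918(text):
    try:
        return any(ipaddress.ip_address(text) in net for net in RFC1918)
    except ValueError:          # four dotted numbers that are not an address
        return False

def private_address_lines(message):
    """Return the lines that still carry an RFC 1918 address."""
    dotted = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    return [line for line in message.splitlines()
            if any(is_rfc1918(ip) for ip in dotted.findall(line))]
```

A Contact header without the explicit `:5060` is not matched by the Contact rule and keeps the private address, so the patterns have to fit the headers the router actually sends.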


