04-08-2009 10:31 PM - edited 03-18-2019 10:51 PM
Good day! I'm testing inter-domain federation functionality in the lab. When I'm using transport udp/tcp everything works fine (a user from one domain can subscribe and send IM to a user in another domain). But when I'm using transport tls between domains, an issue occurs.
The problem is that presence subscription fails.
From the logs I found that the TLS connection is established and there is no error with certificates, but suddenly the Proxy receives the message "Proxy Authentication Required", which is forwarded to the Presence engine.
Maybe someone has had this problem?
04-09-2009 07:33 AM
If TCP works but TLS doesn't, it has to be with the certificate.
Could you do the following?
1) Set SIP Proxy trace level to debug and choose the following options:
Enable SIP TLS Trace
Enable SIP Message and State Machine Trace
Enable SIP TCP Trace
Enable Authentication Trace
2) Start packet capture from the CUPS. The command is:
utils network capture file cups count 100000 size all host all 192.168.1.100
Where 192.168.1.100 is the IP address of OCS.
3) Restart SIP Proxy after you started packet capture.
4) Try to recreate the problem.
5) Press Ctrl-C to stop the packet capture.
6) Use RTMT to get "SIP Proxy Logs" and "Packet Capture Logs"
Thanks!
Michael
04-12-2009 11:12 PM
04-13-2009 05:29 AM
When was the sip proxy restarted?
Michael
04-13-2009 08:51 AM
Today, in the morning (my local time), before I enabled traces.
Do you want me to restart the SIP proxy after enabling the trace? Do I need to restart only the SIP proxy service or the whole server?
04-16-2009 11:08 PM
Good day! New logs and a capture are attached. The proxy was reset at approximately:
UTC is : Fri Apr 17 06:49:03 UTC 2009
Europe/Kiev is : Fri Apr 17 09:49:03 EEST 2009
In these logs a user from domain preved.local tries to subscribe to user lsy@voice.local.
Logs were taken from the voice.local proxy. It's very strange that there are no SSL errors, but suddenly the proxy sets:
04/17/2009 09:53:08.902 ESP|PID(29997) sip_sm.c(4425)
Auth_state is AUTHEN_PENDING for connid 2:
and sends to proxy preved.local (10.152.15.228)
SIP/2.0 407 Proxy Authentication Required
04-17-2009 05:36 AM
Looking at packet capture,
TLS handshake happened at 09:53:08 (Client Hello at packet #412, #425).
TLS Alert (packet #438, #440) usually means handshake failed. TLS not set up.
Are you using IP addresses as TLS peers? You need to use the CN (Common Name) in the certificate as TLS peers, e.g. "cips7.voice.local".
Michael
04-17-2009 07:05 AM
Yes, I'm using the Common Name: on the cips7.voice.local server the TLS peer is cips7.preved.local, and on the cips7.preved.local server the TLS peer is cips7.voice.local.
It's very strange that in proxy_voice_local traces there is no certificate verification.
04-17-2009 07:50 AM
Encrypted Alert means TLS can't be set up because the digital signature doesn't match. You'd better open a TAC case and attach the files.
Michael
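Added example, not part of the thread and not Cisco code: a small Python walker over one direction of a TLS record stream (TLS 1.2 and earlier assumed), showing when an alert in a capture carries a readable level and description and when it can only be labelled "encrypted alert" because it follows ChangeCipherSpec. The sample byte strings are constructed for illustration, not taken from the attached capture.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# A subset of alert levels and descriptions (RFC 5246, section 7.2)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 51: "decrypt_error"}


def classify_records(stream):
    """Label each TLS record in one direction of a reassembled TCP stream."""
    labels, offset, encrypted = [], 0, False
    while offset + 5 <= len(stream):
        # Record header: content type (1), protocol version (2), length (2)
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            labels.append("truncated")
            break
        name = CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype)
        if encrypted:
            # After ChangeCipherSpec the body is ciphertext: the alert
            # level and description cannot be read from the capture.
            labels.append("encrypted " + name)
        elif ctype == 21 and length == 2:
            level = ALERT_LEVELS.get(body[0], str(body[0]))
            desc = ALERT_DESCRIPTIONS.get(body[1], "alert(%d)" % body[1])
            labels.append("alert %s %s" % (level, desc))
        else:
            labels.append(name)
        if ctype == 20:
            encrypted = True
        offset += 5 + length
    return labels


def record(ctype, body, version=0x0301):
    """Build a constructed sample record (TLS 1.0 version bytes)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed samples: a plaintext fatal alert during the handshake, and an
# alert sent after ChangeCipherSpec (32 opaque bytes stand in for ciphertext).
PLAINTEXT_FAILURE = record(22, b"\x01\x00\x00\x00") + record(21, b"\x02\x2a")
AFTER_CCS = (record(22, b"\x10\x00\x00\x00") + record(20, b"\x01")
             + record(21, bytes(32)))

if __name__ == "__main__":
    print(classify_records(PLAINTEXT_FAILURE))
    print(classify_records(AFTER_CCS))
```

When the alert is encrypted, the reason has to come from the endpoint logs (here, the SIP Proxy TLS trace) rather than from the packet capture.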