ISR 4000 encrypted sip trunk

quevedo_lopez
Level 1

Hi everyone,

I'm trying to set up an encrypted SIP trunk correctly between a CUCM (12.5.1.11900-146) and an ISR4331. I have configured a PKI structure with a SUB and a ROOT CA. The dial-peer on the router side comes up almost immediately, but on the CUCM side the SIP trunk takes approximately 6 hours and 30 minutes; after that time, if I reset the trunk it comes up almost immediately, and if I reset the router the trunk also comes up very fast. I had the same scenario with a couple of ISR G2s, but no trouble coming up the first time.

This is the config, for more info.

! Subordinate CA trustpoint: the router identity certificate (CN=ISR-4K,
! key pair ISR-4K) is enrolled here via SCEP.
crypto pki trustpoint SUBCA
 enrollment mode ra
 enrollment url http://192.168.2.3:80/certsrv/mscep/mscep.dll
 fqdn none
 ip-address none
 subject-name CN=ISR-4K
 revocation-check none
 source interface GigabitEthernet0/0/0
 rsakeypair ISR-4K
!
! Root CA trustpoint (no subject-name or rsakeypair configured).
crypto pki trustpoint ROOTCA
 enrollment mode ra
 enrollment url http://192.168.2.6:80/certsrv/mscep/mscep.dll
 revocation-check none
 source interface GigabitEthernet0/0/0
!
! CUBE mode; only the two listed subnets may send SIP to the router.
voice service voip
 ip address trusted list
  ipv4 192.168.2.0 255.255.255.0
  ipv4 192.168.100.0 255.255.255.0
 mode border-element
 allow-connections sip to sip
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 sip
  early-offer forced
!
! SIP/TLS trunk to the publisher; SRTP with fallback to RTP.
dial-peer voice 1000 voip
 description CUCM - PUBLISHER
 destination-pattern [1-9]...
 session protocol sipv2
 session target dns:cucm125lab.labtest.local
 session transport tcp tls
 voice-class codec 1
 voice-class sip options-keepalive
 voice-class sip bind control source-interface GigabitEthernet0/0/0
 voice-class sip bind media source-interface GigabitEthernet0/0/0
 dtmf-relay rtp-nte
 srtp fallback
 no vad
!
! Same trunk to the subscriber, lower preference than dial-peer 1000.
dial-peer voice 1001 voip
 description CUCM - SUBSCRIBER
 preference 1
 destination-pattern [1-9]...
 session protocol sipv2
 session target dns:cucm125sub.labtest.local
 session transport tcp tls
 voice-class codec 1
 voice-class sip options-keepalive
 voice-class sip bind control source-interface GigabitEthernet0/0/0
 voice-class sip bind media source-interface GigabitEthernet0/0/0
 dtmf-relay rtp-nte
 srtp fallback
 no vad
!
! TLS 1.2 only; the SUBCA trustpoint supplies the router certificate for
! signaling with peers in 192.168.2.0/24.
sip-ua
 transport tcp tls v1.2
 crypto signaling remote-addr 192.168.2.0 255.255.255.0 trustpoint SUBCA

Thanks in advance.

1 Reply

quevedo_lopez
Level 1

Update on this case!

I've just done this:

Changed the trustpoint in the sip-ua configuration to

sip-ua
 transport tcp tls v1.2
 crypto signaling remote-addr 192.168.2.0 255.255.255.0 trustpoint ROOTCA

Then I got this error message: "CRYPTO_OPSSL: Can't find router cert"

Then I went back and configured the previous trustpoint again:

 crypto signaling remote-addr 192.168.2.0 255.255.255.0 trustpoint SUBCA

And the SIP trunk comes up on the CUCM side.

I've tested this condition, changing the IP and DNS hostname and regenerating a new certificate, and I get the same results every time. Could this be associated with an IOS or CUCM bug? The router version is 16.12.04.

Thanks in advance.
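A check worth running on the router before suspecting a bug, as an added example that is not part of the original post and not Cisco's code: parse the text of `show crypto pki certificates` and, for each trustpoint named in `crypto signaling ... trustpoint`, report whether it actually holds a router (identity) certificate, whether it holds a CA certificate, and whether each certificate is inside its validity window at a given clock time. The sample output embedded below is constructed to mirror the layout in the thread (identity certificate under SUBCA, only a CA certificate under ROOTCA); the CA names, serial numbers and dates are made up, and the script assumes the router prints times in UTC. The first finding is the state the reply's "CRYPTO_OPSSL: Can't find router cert" message names: a trustpoint with no router certificate to present in the TLS handshake.

```python
"""Audit the trustpoints behind `crypto signaling ... trustpoint <name>`
against `show crypto pki certificates` output (Cisco IOS / IOS-XE).

Added example for this thread, not code from the poster or from Cisco.
The sample output is CONSTRUCTED; CA names, serials and dates are made up.
Assumes the router clock / timestamps are in UTC.
"""
import re
from datetime import datetime, timezone

# Constructed sample: SUBCA holds the router identity cert plus its issuing
# CA cert; ROOTCA holds only the root CA certificate.
SAMPLE_SHOW_CRYPTO_PKI = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 1D0000000A3F
  Issuer:
    cn=labtest-SUBCA
  Subject:
    Name: ISR-4K
    cn=ISR-4K
  Validity Date:
    start date: 10:15:00 UTC Feb 3 2021
    end   date: 10:15:00 UTC Feb 3 2023
  Associated Trustpoints: SUBCA

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 6100000002B1
  Issuer:
    cn=labtest-ROOTCA
  Subject:
    cn=labtest-SUBCA
  Validity Date:
    start date: 08:00:00 UTC Jan 1 2020
    end   date: 08:00:00 UTC Jan 1 2030
  Associated Trustpoints: SUBCA

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Issuer:
    cn=labtest-ROOTCA
  Subject:
    cn=labtest-ROOTCA
  Validity Date:
    start date: 08:00:00 UTC Jan 1 2020
    end   date: 08:00:00 UTC Jan 1 2040
  Associated Trustpoints: ROOTCA
"""

DATE_FMT = "%H:%M:%S UTC %b %d %Y"   # IOS prints e.g. "10:15:00 UTC Feb 3 2021"


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC datetime (the clock to audit against)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_pki_certificates(text):
    """Split show-command output into one dict per certificate block."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # First line is the kind: "Certificate" = router identity cert,
        # "CA Certificate" / "Root CA Certificate" = trust anchors.
        cert = {"kind": lines[0].strip(), "trustpoints": [], "subject": "?", "issuer": "?"}
        section = None
        for line in lines[1:]:
            s = line.strip()
            m = re.match(r"(start|end)\s+date:\s*(.+)", s)
            if m:
                key = "not_before" if m.group(1) == "start" else "not_after"
                cert[key] = datetime.strptime(m.group(2), DATE_FMT).replace(tzinfo=timezone.utc)
            elif s in ("Issuer:", "Subject:"):
                section = s[:-1].lower()
            elif s.startswith("cn=") and section:
                cert[section] = s[3:]
            elif s.startswith("Associated Trustpoints:"):
                cert["trustpoints"] = [t.strip() for t in s.split(":", 1)[1].split(",") if t.strip()]
        certs.append(cert)
    return certs


def check_trustpoint(certs, trustpoint, now):
    """Findings for one trustpoint used by `crypto signaling`; empty list means OK."""
    findings = []
    mine = [c for c in certs if trustpoint in c["trustpoints"]]
    if not any(c["kind"] == "Certificate" for c in mine):
        # No identity cert to present in the TLS handshake.
        findings.append(f"{trustpoint}: no router (identity) certificate enrolled")
    if not any(c["kind"] != "Certificate" for c in mine):
        findings.append(f"{trustpoint}: no CA certificate (trustpoint not authenticated)")
    for c in mine:
        if "not_before" not in c or "not_after" not in c:
            findings.append(f"{trustpoint}: {c['subject']} has no parsable validity dates")
        elif now < c["not_before"]:
            # A future notBefore is how a clock offset between CA, router and
            # CUCM shows up from the validating peer's point of view.
            findings.append(f"{trustpoint}: {c['subject']} not yet valid until {c['not_before']:%Y-%m-%d %H:%M} UTC")
        elif now > c["not_after"]:
            findings.append(f"{trustpoint}: {c['subject']} expired {c['not_after']:%Y-%m-%d %H:%M} UTC")
    return findings


def audit(text, trustpoints, now=None):
    """Map each trustpoint name to its list of findings."""
    now = now or datetime.now(timezone.utc)
    certs = parse_pki_certificates(text)
    return {tp: check_trustpoint(certs, tp, now) for tp in trustpoints}


if __name__ == "__main__":
    for tp, found in audit(SAMPLE_SHOW_CRYPTO_PKI, ["SUBCA", "ROOTCA"], now=utc(2021, 6, 1)).items():
        print(tp, "OK" if not found else "\n  " + "\n  ".join(found))
```

Paste the real `show crypto pki certificates` output in place of the constructed sample and pass the current router clock (`show clock`) as `now`; comparing the identity certificate's start date against the CUCM server's clock as well tells you whether the trunk's TLS validation is being done against a certificate that is not yet valid from the CUCM side.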