cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7751
Views
15
Helpful
15
Replies

MS Direct routing with CUBE - not working any direction

Lubo1
Level 1
Level 1

Hi,

I am trying to setup voice connection between Microsoft Teams (Direct Routing) and Cisco (CUBE + CUCM).

Scenario 1: Call from CUCM to Teams: CUBE send INVITE to all three MS servers, but we get no response

Scenario 2: Call from Teams to CUCM: MS sends INVITE to CUBE > CUCM, the phone rings, it is picked up, but the MS Teams client is not connected and hears only ringing tone.

The MS portal shows the SBC connection as active (TLS connectivity status + SIP Options):

SBC.JPG

The trunk between CUCM and CUBE is OK as well:

trunk.JPG

Details:

Cisco phone (7841): 172.24.34.164, Extension 1888 (+421 2 58 222 888)

CUCM (12.5.1): 172.24.34.71 (route pattern 3XXX is pointing to SIP trunk, translated on CUBE to MS number)

CUBE (CSR 1000V): sbc.gram.sk: inside: 172.24.34.162, outside: 102.119.228.9

MS Teams client: +421 2 58 222 156

Has anyone managed to get this setup working? Please help. Thank you.

Debug and some show commands are attached for both scenarios.

CUBE config:

sbc.gram.sk#sh run
Building configuration...

Current configuration : 21987 bytes
!
! Last configuration change at 16:47:09 CEDT Fri Aug 26 2022 by root
! NVRAM config last updated at 16:54:48 CEDT Fri Aug 26 2022 by root
!
version 17.3
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname sbc.gram.sk
!
boot-start-marker
boot system flash bootflash:csr1000v-universalk9.17.03.05.SPA.bin
boot-end-marker
!
!
logging buffered 2000000
enable secret 9 $9$9u860rCMPrdZQ.$7AiMc071TzkDnWCL9.Lokp6Ru9g1Sw3WoFYXVrT3/Xo
!
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS
server name RADIUS-SERVER-1
!
aaa authentication login default local group RADIUS-SERVERS
aaa authentication login use_line line
aaa authentication dot1x default group RADIUS-SERVERS
aaa authorization exec default local group RADIUS-SERVERS
aaa authorization network default local group RADIUS-SERVERS if-authenticated
!
!
!
!
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
!
!
!
!
!
ip host cucm.cucm.sk 172.24.34.71
ip host sbc.gram.sk 172.24.34.162
ip name-server 172.24.31.10 172.24.34.160
ip domain name gram.sk
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
voice service voip
ip address trusted list
ipv4 172.24.34.71
ipv4 52.0.0.0 255.0.0.0
rtcp keepalive
address-hiding
mode border-element
allow-connections sip to sip
no supplementary-service sip refer
supplementary-service media-renegotiate
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
h323
trace
sip
session refresh
header-passing
error-passthru
pass-thru headers 290
sip-profiles inbound
!
!
voice class uri 50 sip
host dns:sip.pstnhub.microsoft.com
host dns:sip2.pstnhub.microsoft.com
host dns:sip3.pstnhub.microsoft.com
!
voice class uri 290 sip
host sbc.gram.com
!
voice class uri 190 sip
pattern 172.24.34.71
voice class codec 1
codec preference 1 g711ulaw
!
voice class stun-usage 1
stun usage ice lite
!
!
voice class sip-profiles 200
rule 10 request ANY sip-header Contact modify "@.*:" "@sbc.gram.sk:"
rule 20 response ANY sip-header Contact modify "@.*:" "@sbc.gram.sk:"
rule 30 request ANY sip-header SIP-Req-URI modify "sip:(.*):5061 (.*)" "sip:\1:5061;user=phone \2"
rule 40 request ANY sip-header User-Agent modify "(IOS.*)" "\1\x0D\x0AX MS SBC: Cisco UBE/ISR4321/\1"
rule 50 response ANY sip-header Server modify "(IOS.*)" "\1\x0D\x0AX MS SBC: Cisco UBE/ISR4321/\1"
rule 60 request ANY sdp-header Audio-Attribute modify "a=sendonly" "a=inactive"
rule 70 response 200 sdp-header Audio-Connection-Info modify "0.0.0.0" "102.119.228.9"
rule 80 request ANY sdp-header Audio-Attribute modify "(a=crypto:.*inline:[A-Za-z0-9+/=]+)" "\1|2^31"
rule 90 response ANY sdp-header Audio-Attribute modify "(a=crypto:.*inline:[A-Za-z0-9+/=]+)" "\1|2^31"
rule 100 request ANY sdp-header Audio-Attribute modify "a=candidate.*" "a=label:main audio"
rule 110 response ANY sdp-header Audio-Attribute modify "a=candidate.*" "a=label:main audio"
rule 260 response 486 sip-header Reason modify "cause=34;" "cause=17;"
!
voice class sip-profiles 290
rule 10 request REFER sip-header From copy "@(.*com)" u05
rule 15 request REFER sip-header From copy "sip:(sip.*com)" u05
rule 20 request REFER sip-header Refer-To modify "sip:\+(.*)@.*:5061" "sip:+AAA\1@\u05:5061"
rule 30 request REFER sip-header Refer-To modify "<sip:sip.*:5061" "<sip:+AAA@\u05:5061"
rule 40 response ANY sip-header Server modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/ISR4321/\1"
rule 50 request ANY sdp-header Audio-Attribute modify "a=ice-.*" "a=label:main-audio"
rule 60 request ANY sdp-header Attribute modify "a=ice-.*" "a=label:main-audio"
!
voice class sip-profiles 299
rule 10 request OPTIONS sip-header From modify "<sip:.*:5061" "<sip:sbc.gram.sk"
rule 20 request OPTIONS sip-header Contact modify "<sip:.*:5061" "<sip:sbc.gram.sk"
rule 30 request OPTIONS sip-header User-Agent modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/ISR4321/\1"
!
voice class sip-profiles 10
request INVITE sip-header To modify "<sip:3" "<sip:+421258222"
!
voice class sip-profiles 280
rule 10 request ANY sip-header User-Agent modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/ISR4321/\1"
rule 20 response ANY sip-header Server modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/ISR4321/\1"
rule 30 request INVITE sip-header SIP-Req-URI copy "@(.*:5061)" u01
rule 40 request INVITE sip-header From copy "@(.*)>" u02
rule 71 request INVITE sip-header SIP-Req-URI modify "sip:\+AAA@" "sip:"
rule 80 request INVITE sip-header SIP-Req-URI modify "sip:\+AAA" "sip:+"
rule 90 request INVITE sip-header History-Info modify "<sip:\+AAA@" "<sip:"
rule 100 request INVITE sip-header History-Info modify "<sip:\+AAA" "<sip:+"
rule 110 request INVITE sip-header To modify "<sip:\+AAA@(.*)>" "<sip:\u01>"
rule 120 request INVITE sip-header To modify "<sip:\+AAA(.*)@.*>" "<sip:+\1@\u01>"
rule 130 request ANY sip-header Contact modify "@.*:" "@\u02:"
rule 140 response ANY sip-header Contact modify "@.*:" "@\u02:"
rule 150 request ANY sdp-header Audio-Attribute modify "a=sendonly" "a=inactive"
rule 160 response 200 sdp-header Session-Owner copy "IN IP4 (.*)" u04
rule 170 response 200 sdp-header Audio-Connection-Info modify "0.0.0.0" "\u04"
rule 180 response 486 sip-header Reason modify "cause=34;" "cause=17;"
!
voice class sip-event-list 1
event message-summary
!
!
voice class sip-hdr-passthrulist 290
passthru-hdr Referred-By
!
!
voice class e164-pattern-map 200
e164 +421258222...
!
!
voice class sip-options-keepalive 200
transport tcp tls
sip-profiles 299
!
voice class tenant 200
handle-replaces
srtp-crypto 1
localhost dns:sbc.gram.sk
session transport tcp tls
no referto-passing
bind control source-interface GigabitEthernet3
bind media source-interface GigabitEthernet3
pass-thru headers 290
no pass-thru content custom-sdp
no conn-reuse
sip-profiles 200
sip-profiles 290 inbound
early-offer forced
block 183 sdp present
!
voice class tenant 100
srtp-crypto 1
localhost dns:sbc.gram.sk
session transport tcp tls
bind control source-interface GigabitEthernet1
bind media source-interface GigabitEthernet1
no pass-thru content custom-sdp
no conn-reuse
sip-profiles 200
early-offer forced
!
voice class srtp-crypto 1
crypto 1 AES_CM_128_HMAC_SHA1_80
!
!
!
!
voice translation-rule 10
rule 1 /^3\(...\)/ /+421258222\1/
!
voice translation-rule 11
rule 1 /^1\(...\)/ /+421258222\1/
!
voice translation-rule 290
rule 1 /^\+421258222/ /1/
!
!
!
voice translation-profile FromTEAMS
translate called 290
!
voice translation-profile OutgoingToTEAMS
translate calling 11
translate called 10
!
!
!
!
crypto pki trustpoint sbc
enrollment terminal
fqdn sbc.gram.sk
subject-name cn=sbc.gram.sk
subject-alt-name sbc.gram.sk
revocation-check none
rsakeypair sbc
!
crypto pki trustpoint cucm
enrollment terminal
revocation-check none
!
!
crypto pki certificate chain sbc
certificate 0383A3FDFE9698111ED87126D4294E712010
30820522 3082040A A0030201 02021203 83A3FDFE 9698111E D87126D4 294E7120
10300D06 092A8648 86F70D01 010B0500 3032310B 30090603 55040613 02555331
6E27160B 32E0BFCD AA92F1D0 6CC08120 F5B461EA C90B9788 18900B46 7BCEF2EC
D6DD783F 00E5F124 23275990 9938EA52 016E4D35 07388A6E A05C4012 793A7A81
6CCB65C8 8ADB
quit
certificate ca 00912B084ACF0C18A753F6D62E25A75F5A
30820516 308202FE A0030201 02021100 912B084A CF0C18A7 53F6D62E 25A75F5A
300D0609 2A864886 F70D0101 0B050030 4F310B30 09060355 04061302 55533129
30270603 55040A13 20496E74 65726E65 74205365 63757269 74792052 65736561
A2094746 3FF0E9B0 B7FF284D 6832D667 5E1E69A3 93B8F59D 8B2F0BD2 5243A66F
3257654D 3281DF38 53855D7E 5D6629EA B8DDE495 B5CDB556 1242CDC4 4EC62538
44506DEC CE005518 FEE94964 D44ECA97 9CB45BC0 73A8ABB8 47C2
quit
crypto pki certificate chain cucm
certificate ca 492BE52DDB502E198D5EB34FC4429D50
30820393 3082027B A0030201 02021049 2BE52DDB 502E198D 5EB34FC4 429D5030
0D06092A 864886F7 0D01010B 05003054 310B3009 06035504 06130253 4B310A30
08060355 040A0C01 6F310A30 08060355 040B0C01 75311530 13060355 04030C0C
6375636D 2E637563 6D2E736B 310A3008 06035504 080C0173 310A3008 06035504
070C016C 301E170D 32323038 31363230 32333535 5A170D32 37303831 35323032
2890363E AE17709C FB932EF7 72A3AE34 3D632167 47066EEA 166EBBB1 EC1AEC00
8C325424 A102F460 26A2AC9F FF5D0CF3 98B6A51C E666ECBA 9862E781 61174D24
0DF011E6 2DD17764 653F7472 53C46BCA A0A04961 99D6ED
quit
!
crypto pki certificate pool
cabundle nvram:ios.p7b
cabundle nvram:ios_core.p7b
!
license udi pid CSR1000V sn 99Q6DABCUUY
license boot level ax
diagnostic bootup level minimal
memory free low-watermark processor 72301
!
!
spanning-tree extend system-id
dial-control-mib retain-timer 720
!
username root privilege 15 secret XXX
!
redundancy
!
interface GigabitEthernet1
ip address 172.24.34.163 255.255.255.0 secondary
ip address 172.24.34.162 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 172.24.13.14 255.255.255.0
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
ip address 102.119.228.9 255.255.255.128
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet3 102.119.228.126
ip route 172.24.0.0 255.255.0.0 GigabitEthernet2 172.24.13.1
ip route 172.24.0.0 255.255.0.0 172.24.34.1 200
ip route 192.168.0.0 255.255.0.0 172.24.34.1 200
ip route 192.168.212.0 255.255.254.0 GigabitEthernet2 172.24.13.1
ip ssh rsa keypair-name ssh-key
ip ssh version 2
!
ip access-list extended IPT
10 permit ip any host 172.24.11.14
20 permit ip host 172.24.11.14 any
30 permit ip any host 172.24.12.11
40 permit ip host 172.24.12.11 any
50 permit ip any host 172.24.13.14
60 permit ip host 172.24.13.14 any
70 permit ip any host 172.24.34.44
80 permit ip host 172.24.34.44 any
90 permit ip any 52.0.0.0 0.255.255.255
100 permit ip 52.0.0.0 0.255.255.255 any
ip access-list extended IPT2
10 permit ip any host 172.24.34.71
20 permit ip host 172.24.34.71 any
30 permit ip any host 172.24.34.164
40 permit ip host 172.24.34.164 any
!
ip radius source-interface GigabitEthernet1
logging trap debugging
logging facility local4
logging source-interface GigabitEthernet1
ip access-list standard 1
10 permit 192.168.0.0 0.0.255.255
20 permit 172.24.0.0 0.0.255.255
!
!
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
!
control-plane
!
!
!
!
dial-peer voice 10 voip
description incoming dial-peer from CUCM to CUBE
translation-profile incoming OutgoingToTEAMS
session protocol sipv2
session transport tcp tls
incoming called-number 3...
incoming uri from 190
voice-class codec 1
voice-class sip profiles 10 inbound
voice-class sip tenant 100
voice-class sip bind control source-interface GigabitEthernet1
voice-class sip bind media source-interface GigabitEthernet1
dtmf-relay rtp-nte
srtp
no vad
!
dial-peer voice 20 voip
description outgoing dial-peer from CUBE to CUCM
destination-pattern 1...
session protocol sipv2
session target dns:cucm.cucm.sk:5061
session transport tcp tls
voice-class codec 1
voice-class sip options-ping 60
voice-class sip tenant 100
voice-class sip options-keepalive
voice-class sip bind control source-interface GigabitEthernet1
voice-class sip bind media source-interface GigabitEthernet1
dtmf-relay rtp-nte
srtp
!
dial-peer voice 200 voip
description towards Phone System Proxy 1
preference 1
rtp payload-type comfort-noise 13
session protocol sipv2
session target dns:sip.pstnhub.microsoft.com:5061
destination e164-pattern-map 200
voice-class codec 1
voice-class sip options-ping 60
voice-class sip tenant 200
voice-class sip options-keepalive profile 200
voice-class sip bind control source-interface GigabitEthernet3
voice-class sip bind media source-interface GigabitEthernet3
dtmf-relay rtp-nte
srtp
fax protocol none
no vad
!
dial-peer voice 201 voip
description towards Phone System Proxy 2
preference 2
rtp payload-type comfort-noise 13
session protocol sipv2
session target dns:sip2.pstnhub.microsoft.com:5061
destination e164-pattern-map 200
voice-class codec 1
voice-class sip tenant 200
voice-class sip options-keepalive profile 200
voice-class sip bind control source-interface GigabitEthernet3
voice-class sip bind media source-interface GigabitEthernet3
dtmf-relay rtp-nte
srtp
fax protocol none
no vad
!
dial-peer voice 202 voip
description towards Phone System Proxy 3
huntstop
preference 3
rtp payload-type comfort-noise 13
session protocol sipv2
session target dns:sip3.pstnhub.microsoft.com:5061
destination e164-pattern-map 200
voice-class codec 1
voice-class sip tenant 200
voice-class sip options-keepalive profile 200
voice-class sip bind control source-interface GigabitEthernet3
voice-class sip bind media source-interface GigabitEthernet3
dtmf-relay rtp-nte
srtp
fax protocol none
no vad
!
dial-peer voice 280 voip
description Phone System REFER routing
destination-pattern +AAAT
rtp payload-type comfort-noise 13
session protocol sipv2
session target sip-uri
voice-class codec 1
voice-class sip profiles 280
voice-class sip tenant 200
voice-class sip requri-passing
dtmf-relay rtp-nte
srtp
no vad
!
dial-peer voice 290 voip
description inbounf from Microsoft Phone System
translation-profile incoming FromTEAMS
rtp payload-type comfort-noise 13
session protocol sipv2
session transport tcp tls
incoming called-number +421258222...
voice-class codec 1
voice-class sip tenant 200
voice-class sip bind control source-interface GigabitEthernet3
voice-class sip bind media source-interface GigabitEthernet3
dtmf-relay rtp-nte
srtp
no vad
!
!
sip-ua
no remote-party-id
retry invite 2
transport tcp tls v1.2
crypto signaling default trustpoint sbc
handle-replaces
!
!
line con 0
exec-timeout 30 0
password AAA
login authentication use_line
stopbits 1
line vty 0 4
access-class 1 in
exec-timeout 30 0
password AAA
history size 100
transport preferred none
transport input ssh
transport output telnet ssh
line vty 5 15
access-class 1 in
history size 100
transport input ssh
transport output telnet ssh
!
ntp server 172.24.95.1
!
!
!
!
!
end

sbc.gram.sk#
sbc.gram.sk#
sbc.gram.sk#sh ver
Cisco IOS XE Software, Version 17.03.05
Cisco IOS Software [Amsterdam], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 09-Feb-22 10:35 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2022 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

sbc.gram.sk uptime is 1 day, 4 hours, 38 minutes
Uptime for this control processor is 1 day, 4 hours, 39 minutes
System returned to ROM by reload at 12:15:01 CEDT Thu Aug 25 2022
System restarted at 12:17:13 CEDT Thu Aug 25 2022
System image file is "bootflash:csr1000v-universalk9.17.03.05.SPA.bin"
Last reload reason: Reload Command

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ax
License Type: N/A(Smart License Enabled)
Next reload license Level: ax

The current throughput level is 1000 kbps


Smart Licensing Status: UNREGISTERED/No Licenses in Use

cisco CSR1000V (VXE) processor (revision VXE) with 2070688K/3075K bytes of memory.
Processor board ID 99Q6DVY0UUY
Router operating mode: Autonomous
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3978236K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102

sbc.gram.sk#
sbc.gram.sk#
sbc.gram.sk#sh dial-pee voi sum
dial-peer hunt 0
AD PRE PASS SESS-SER-GRP\ OUT
TAG TYPE MIN OPER PREFIX DEST-PATTERN FER THRU SESS-TARGET STAT PORT KEEPALIVE VRF
10 voip up up 0 syst NA
20 voip up up 1... 0 syst dns:cucm.cucm.sk:506 active NA
200 voip up up map:200 1 syst dns:sip.pstnhub.micr active NA
201 voip up up map:200 2 syst dns:sip2.pstnhub.mic active NA
202 voip up up map:200 3 syst dns:sip3.pstnhub.mic active NA
280 voip up up +AAAT 0 syst sip-uri NA
290 voip up up 0 syst NA
For server-grp details please execute command:show voice class server-group <tag_id>
To see complete session target for ipv6 use 'sh running-config | section dial-peer <tag>
sbc.gram.sk#
sbc.gram.sk#
sbc.gram.sk#sh tcp brie
TCB Local Address Foreign Address (state)
7FB06E270B90 sbc.gram.sk.5061 sip-du-a-euwe.westeurope.cl ESTAB
oudapp.azure.com.25792
7FB0DE3A2738 sbc.gram.sk.16666 52.114.132.46.5061 ESTAB
7FB0DE417A60 sbc.gram.sk.17107 sip-du-a-jaea.japaneast.clo ESTAB
udapp.azure.com.5061
7FB0DE3DC868 172.24.34.163.22 lan-bubomir.intra.ditec.sk ESTAB
.50154
7FB0D274E9F0 sbc.gram.sk.5061 52.114.132.46.33065 ESTAB
7FB0CF5FE3E0 sbc.gram.sk.5061 52.114.132.46.33064 ESTAB
7FB0DE3C6DE0 sbc.gram.sk.5061 sip-du-a-jaea.japaneast.clo ESTAB
udapp.azure.com.52608
7FB0CF5F6F78 sbc.gram.sk.5061 cucm.cucm.sk.38512 ESTAB
7FB0DDF15118 sbc.gram.sk.21330 cucm.cucm.sk.5061 ESTAB
7FB0DDDD8420 sbc.gram.sk.35381 52.114.76.76.5061 ESTAB
7FB0CF639610 sbc.gram.sk.42713 sip-du-a-euwe.westeurope.cl ESTAB
oudapp.azure.com.5061
7FB0D274B7F8 sbc.gram.sk.5061 sip-du-a-jaea.japaneast.clo ESTAB
udapp.azure.com.52609
7FB0D26F79A8 sbc.gram.sk.5061 52.114.76.76.21056 ESTAB
7FB0D7D64250 sbc.gram.sk.5061 sip-du-a-euwe.westeurope.cl ESTAB
oudapp.azure.com.26240
7FB0DDF3E660 sbc.gram.sk.5061 52.114.76.76.21057 ESTAB
sbc.gram.sk#

1 Accepted Solution

Accepted Solutions

Lubo1
Level 1
Level 1

Hi everyone,

finally, the root cause of the issue was, that Cisco CUBE was configured to add a sip header field of "X MS SBC" (I do not know, if this was a copy-paste error, or the typo in previous version of Cisco config guide). However, the correct field should have no spaces and read: "X-MS-SBC". Microsoft, rather than sending an error when parsing the header fails, seems to drop it, giving the appearance to the CUBE as if they have not received it.

So the lines 40 and 50 in sip profile 200 should look like:

voice class sip-profiles 200
...
rule 40 request ANY sip-header User-Agent modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/ISR4321/\1"
rule 50 response ANY sip-header Server modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/ISR4321/\1"
...

I am attaching full CUBE config for reference. The calls now work both ways. Thanks everyone for your help!

 

View solution in original post

15 Replies 15

Scott Leport
Level 7
Level 7

Hi,

You have a typo in rules 100 & 110 in SIP profile 200. It should be this:

rule 100 request ANY sdp-header Audio-Attribute modify "a=candidate.*"
"a=label:main-audio"
rule 110 response ANY sdp-header Audio-Attribute modify "a=candidate.*"
"a=label:main-audio"

Can you correct that and test again please?

Not likely to be a direct answer, but more a series of recommendations in line with the direct routing doc:

  • Remove incoming called-number from dial-peer 10. As you have incoming uri-via, incoming called-number is redundant.
  • Disabled vad on dial-peer 20
  • Dial-peer voice 290. Reconfigure it as incoming uri to similar to what is described in the direct routing document. 

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/interoperability-portal/direct-routing-with-cube.pdf

 

 

Hi Scott,

thank you for your fast reply, typos corrected, but the result is the same = not working.

When I modify DP 290:

voice class uri 290 sip
 host sbc.gram.com

dial-peer voice 290 voip
 description inbound from Microsoft Phone System
 translation-profile incoming FromTEAMS
 rtp payload-type comfort-noise 13
 session protocol sipv2
 incoming uri to 290
 voice-class codec 1
 voice-class sip tenant 200
 voice-class sip bind control source-interface GigabitEthernet3
 voice-class sip bind media source-interface GigabitEthernet3
 dtmf-relay rtp-nte
 srtp
 no vad
!

... there is no dial-peer match - see attached log. (Your recommended actions 1+2 also configured)

Thanks.

 

 

Hi,

 

1783: Sep  5 13:23:56.934: //126125/D4515960ACE5/CUBE_VT/SIP/MISC/Matched Dialpeer: Dir:Inbound, Peer-Tag:  0

Did you mean to say "sbc.gram.sk"? The config above suggests you've configured "sbc.gram.com". If you can correct that first and try the call in scenario 1 again please that would be great. Please provide debug ccsip messages. 

Do you also have media bypass disabled in Teams? It needs to be enabled or disabled end-to-end. 

 

 

 

Good point - that was a mistake. Corrected to sbc.gram.sk - dial-peer is now selected. (I am attaching only debug for scenario 2, because I am now away from physical Cisco phone. But it is configured for auto-answer, so calls from Teams to CUCM can be tested remotely. I can add the debug for scenario 1 tomorrow.) As you can see, there are multiple INVITES from Teams to CUBE - is that OK? Shouldn't CUBE send to Microsoft some clear/different message stating the call has been answered on Cisco Phone?

Yes, media bypass is disabled on MS side:

sbc2.JPG

Just a few other observations from your config:

  • Where is the Baltimore cert? I didn't see it in your config. 
  • You have SIP profiles 200 in voice class-tenant 100, which is then applied to your dial-peers 10 & 20. Given that is typically used for communications between CUBE and Teams, is that what you want? 

 

Hi, according to the latest version of the config guide (the same link you sent me: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/interoperability-portal/direct-routing-with-cube.pdf), the Baltimore certificate itself is no longer needed and has been replaced by trustpool, containing bunch of certs, including Baltimore. I have already configured that, so you can not see the Baltimore cert in the config. But the TLS+SIP connections between MS and our CUBE are OK, so this is not the problem.

Regarding "voice class tenant 100" - it is used for connection between CUBE and CUCM (dial-peers 10 and 20). Couple of its settings differ from tenant 200 (used on MS side), that's why I have two. And again: TLS+SIP between CUBE and CUCM seem to be working.

Thank you.

As I promised yesterday, I am attaching the new "debug ccsip messages" output for scenario 1 (call from Cisco phone to MS Teams). Thank you.

Hi, 

Apologies, I haven't done one of these deployments recently, so missed the part about the Baltimore cert. I figured there would be a good reason for it not being there. 

According to the debug, there would appear to be some connectivity issue between your CUBE and the Microsoft SIP proxies. The CUBE is sending an INVITE to the first, but receives nothing back. It then tries to send to the secondary and then the tertiary and eventually times out when no response is received:

ScottLeport_0-1662457140016.png

Is there a firewall in the path at all? If so, are you allowing the following ports:

https://docs.microsoft.com/en-us/microsoftteams/direct-routing-plan#sip-signaling-ports 

Is SIP Inspection / ALG enabled / disabled if there is a firewall? 

Hi, formerly, we opened only ports specified by MS through firewall. Later, I asked our admin to allow complete communication from/to our CUBE's public IP. He did that and confirmed the "allow all" rule at the end of ACL does not have any hits. As the TLS connection is UP and SIP connection between CUBE and MS is also OK (OPTION messages are exchanged), I assume there is no firewall problem.

Yes, as you see, we are sending INVITES to all three MS SIP servers, without any reply from them. I mentioned it also in my first post. I am curious, if these messages are in proper format. Could you please compare them with your own messages, if you have a working setup available?

I have also opened the ticket with MS support, but I got no response from them for over 8 days...

I would recommend you make a few changes to your CUBE config, but ultimately I doubt it'll resolve your issue:

  • In SIP Profiles 299, change rules 10 & 20 to look like this
    rule 10 request OPTIONS sip-header From modify "<sip:.*:5061" "<sip:sbc.gram.sk:5061"
    rule 20 request OPTIONS sip-header Contact modify "<sip:.*:5061" "<sip:sbc.gram.sk:5061"​
     
  • Remove the "voice-class sip options-ping 60" from dial-peer 200. You only need keepalive profile 200 and I am unsure what effect that causes if you have two profiles assigned. Given it doesn't work after using DPs 201 & 202, probably not related. 
  • Remove the interface binding from DPs 200, 201 & 202. Not required since your binding at the tenant level and that's applied to the DPs anyway. 

Apart from this, not sure what else to suggest at this stage and someone else might be better off chipping in if they have time. 

Unfortunately, the issue persists even after applying your hints. I would appreciate, if you can compare our INVITE (Scenario 1) or OK (Scenario 2) message format with yours that work. I am suspicious if we send them properly to be accepted by Microsoft. Thank you very much for your effort!

Lubo1
Level 1
Level 1

A question regarding TLS. We are using LetsEncrypt certificate on our SBC. Although not officially supported by Microsoft, the Teams portal shows TLS connectivity status as Active. SIP Option messages are exchanged. Has anybody successfuly configured Teams<>CUBE connection using LE cert? Or this is what causes problems?



I haven't seen it used in CUBE, but searching the Internet suggests that it's possible to use it in other vendors SBCs. However, as I understand it LetsEncrypt certs don't last very long, so I am not sure if using that is the best solution for a production environment.

Re your previous post, I didn't see anything wrong with the messaging, but my config would have been based on whatever was the latest revision of the Direct Routing doc at the time, e.g. I didn't have the no conn-reuse config applied, I had the Baltimore cert and customer owned root CA's too.

Lubo1
Level 1
Level 1

Hi everyone,

finally, the root cause of the issue was, that Cisco CUBE was configured to add a sip header field of "X MS SBC" (I do not know, if this was a copy-paste error, or the typo in previous version of Cisco config guide). However, the correct field should have no spaces and read: "X-MS-SBC". Microsoft, rather than sending an error when parsing the header fails, seems to drop it, giving the appearance to the CUBE as if they have not received it.

So the lines 40 and 50 in sip profile 200 should look like:

voice class sip-profiles 200
...
rule 40 request ANY sip-header User-Agent modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/ISR4321/\1"
rule 50 response ANY sip-header Server modify "(IOS.*)" "\1\x0D\x0AX-MS-SBC: Cisco UBE/ISR4321/\1"
...

I am attaching full CUBE config for reference. The calls now work both ways. Thanks everyone for your help!