01-07-2016 12:17 PM - edited 03-19-2019 10:34 AM
Hi,
I am trying to get CUCM 11.0 and Microsoft Lync 2013 working with a direct SIP trunk over TLS and sRTP. It's working fine without the TLS configuration, but as soon as I try to secure the signalling and media I get a certificate error in Wireshark from CUCM to Lync, "unsupported certificate", and they are both from the same enterprise CA using a SHA256 hash (not SHA1).
Just wondering if anyone has successfully got this configuration working?
CUCM -------------(SIP TRUNK-TLS)----------LYNC_2013
Thanks in advance :)
01-07-2016 02:35 PM
Please check in Wireshark the cipher suites from Lync and from CUCM. It might be that something is different between the two servers, which could point to the 'issue'.
Below is the security guide; what was found in Wireshark can be matched against any information on support for those cipher suites.
02-12-2016 01:53 AM
Thanks Md,
Resolved the issue. I was missing an attribute on the CUCM certificate; once I requested a new cert with the right attribute, everything started working OK :)
Thanks for your reply.
Regards,
B
03-01-2016 11:49 PM
Hello!
I have a similar problem. When you configure a trunk between CUCM 11.0.1.21900-11 and Skype for Business, I get the following error:
Microsoft.Rtc.Signaling.TlsFailureException:An unknown error occurred while processing the certificate ---> Microsoft.Rtc.Internal.Sip.TLSException: outgoing TLS negotiation failed; HRESULT=-2146893017
I'm using a certificate from my corporate CA, RSA with SHA 384.
What are the attributes you added to the certificate?
03-02-2016 12:25 AM
Hi Alekov,
In my case I was missing the Client / Server authentication attribute. I have attached the image, hope it will help. If you can send me the certificate attributes I can check to see if they are correct.
Hope this helps,
Regards,
B
03-02-2016 02:12 AM
Thank you for your reply.
I added an Application Certificate Policy: Client Authentication in my certificate template and created a CSR from CUCM, but the problem persists. I get the error in Event Viewer:
Log name: Lync Server
Source: LS Mediation Server
Event ID: 25051
The Trunk, cucm-test-city.domain.local;trunk=cucm-test-city.domain.local, is not responding to an OPTIONS request sent by the Mediation Server service.
DNS Resolution Failure: False
Exception: ErrorCode=-2146893017
FailureReason=Other
LocalEndpoint=10.200.2.51:50164
RemoteEndpoint=10.50.251.7:5061
RemoteCertificate=<null>
Microsoft.Rtc.Signaling.TlsFailureException:An unknown error occurred while processing the certificate ---> Microsoft.Rtc.Internal.Sip.TLSException: outgoing TLS negotiation failed; HRESULT=-2146893017
03-06-2016 03:39 PM
Hi Alekov,
Sounds to me like there is no root certificate on the Lync machine. Have you uploaded the root cert to the Lync computer store as well as CallManager-trust?
Can you upload your root cert and the certificate you have used on the Lync and CUCM?
03-18-2016 12:41 AM
Hello b.paik, thank you for your reply.
I just added the Application Certificate Policy: Client Authentication in the certificate template for Skype for Business (and for CUCM); not sure it is correct, but it works for me.
BUT I have another problem - the calls are held, but there is no voice communication. As I understand it, SRTP doesn't work. Errors in the Skype for Business log:
If calling from CUCM to SfB:
SDP negotiation failed with the Trunk.
Trunk FQDN cucm-test-city.domain.local;trunk=cucm-test-city.domain.local, Reason Gateway did not offer SRTP keys which is required by Mediation Server.
Cause: The Trunk is either not configured correctly, incompatible with Mediation Server, or not certified.
Resolution:
Check that the Mediation server and Trunk are configured correctly.
If calling from SfB to CUCM:
SDP negotiation failed with the Trunk.
Trunk FQDN cucm-test-city.domain.local;trunk=cucm-test-city.domain.local, Reason RTP/SRTP mismatch between transport profiles
Cause: The Trunk is either not configured correctly, incompatible with Mediation Server, or not certified.
Resolution:
Check that the Mediation server and Trunk are configured correctly.
Which SRTP settings may not be the same?
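Both Mediation Server reasons quoted in the post above concern the SDP body, so a useful first check is to pull the offer out of a SIP trace and see whether it uses the secure profile and carries keys. The following is an added example, not code from any poster or vendor: the SDP bodies, addresses and key are constructed, and reading the two log reasons as "no `a=crypto` line" and "profile is not `RTP/SAVP`" is an assumption.

```python
import base64
from dataclasses import dataclass, field

# Constructed 30-byte key/salt (all zeros) for illustration only.
KEY = base64.b64encode(bytes(30)).decode()

# Constructed SDP offers; addresses and ports are placeholders.
PLAIN_OFFER = "\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 24580 RTP/AVP 0 8 101"])
SRTP_OFFER = "\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 24580 RTP/SAVP 0 8 101",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + KEY])

@dataclass
class Media:
    kind: str                                   # audio, video, ...
    profile: str                                # RTP/AVP or RTP/SAVP
    crypto: list = field(default_factory=list)  # (tag, suite) per a=crypto

def parse_sdp(sdp):
    """Return one Media per m= section with its RFC 4568 a=crypto offers."""
    media = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) >= 3:
                media.append(Media(parts[0], parts[2].upper()))
        elif line.startswith("a=crypto:") and media:
            fields = line[len("a=crypto:"):].split()
            # A usable offer has tag, suite and an inline: key parameter.
            if len(fields) >= 3 and fields[2].startswith("inline:"):
                media[-1].crypto.append((fields[0], fields[1]))
    return media

def srtp_findings(sdp):
    """List what a peer that requires SRTP would object to in this SDP."""
    findings = []
    for m in parse_sdp(sdp):
        if not m.crypto:
            findings.append(f"{m.kind}: no a=crypto line, so no SRTP keys offered")
        if m.profile != "RTP/SAVP":
            findings.append(f"{m.kind}: profile {m.profile}, not RTP/SAVP")
    return findings

if __name__ == "__main__":
    for name, sdp in (("plain", PLAIN_OFFER), ("srtp", SRTP_OFFER)):
        print(name, srtp_findings(sdp) or "SRTP offer looks complete")
```

An offer that produces findings here points at the sending side's trunk security settings rather than at the certificates, since the TLS handshake has already succeeded by the time SDP is exchanged.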
08-07-2018 06:44 AM
I have the same issue when I call from CUCM to Skype for Business 2015.
I get the error message:
gateway did not offer srtp keys which is required by mediation server
Any new