We have successfully implemented a Cisco 2911 running CUBE to connect to Exchange Online Unified Messaging. The only thing that we cannot get to work is play on phone. During the testing done it seems that when Exchange Online places the call to CUBE, TLS negotiation does not complete and then the SIPTLS signalling does not complete to process the call. It was thought that the CUBE does not have the required certificates to verify. However, we have installed the required certificates provided by Microsoft as their Root Authority for their side of the SIPTLS link. I have also updated all the Root Cert Authorities on the Cisco router.
Below is an extract of the 'debug ccapi info'.
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake: Created a child process 255 for TLS handshake
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake: Socket: 4 handed off to child socket 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake: SIPSCTX passed to the child process 255
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_handshake_proc: child proc: Local socket fd 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_handshake_proc: Associated socket 0 in child proc
Aug 30 11:11:26.975: CRYPTO_PKI: (A005D) Session started - identity selected (Trustpool)
Aug 30 11:11:26.975: CRYPTO_PKI: Rcvd request to end PKI session A005D.
Aug 30 11:11:26.975: CRYPTO_PKI: PKI session A005D has ended. Freeing all resources.
Aug 30 11:11:26.975: CRYPTO_PKI: unlocked trustpoint Trustpool, refcount is 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tcp_tls_handshake_failure: In sip_tcp_tls_handshake_failure
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tcp_tls_handshake_failure: Server Failure: Closing child socket fd: 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_purge_entry: Socket fd: 4 closed for connid 6 with address: 188.8.131.52, remote port: 45779
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_purge_entry: TLS Handshake child process killed
Does anyone have any ideas on how to troubleshoot SIP TLS Certificate issues further? The CallManager - Cube SIPTLS documentation has been used so far - but not really helping.
CoetzerJ, were you able to work through this issue? I am hoping so because I am working on implementing Exchange Online UM and I find little information on the Cisco side on how to connect to it. I see that CUBE is not supported by Microsoft for Office 365, so I was going to purchase a separate AudioCodes SBC for the secure SIP trunk between Call Manager and O365. I am curious if you were able to get CUBE working successfully in your setup. I really think Cisco needs to provide some info about these setups. Just because they pretend that there are no other companies out there does not mean that their customers aren't using them. We are considering moving to Lync Voice just because the documentation and partner network is so much better. Please let me know if you have your CUBE config to O365 up and running. I will explore that option if you were able to get it working successfully.
We are implementing an AudioCodes Mediant 1000 to get our phone system to securely talk to Exchange Online in Office 365. It is the only solution that I can find that is supported and that others are also doing. I just ordered the device yesterday, so I do not have any additional information yet on implementation. I ordered AudioCodes installation services for the initial setup. I am told that it is not complicated and a pretty simple setup if you already have Cisco connecting to an Exchange server on premise. It is just another trunk to the SBC, about the exact same as the trunk to Exchange.
Hope this helps some.
Mark DeRosia, now three years later did you get this solution working? I have CUCM 11 with on-prem Exchange 2013 UM and am working on moving the Exchange portion to Office 365. I'm hearing AudioCodes and Sonus for the SBC portion rather than CUBE, too. Thank you for your input.
Hi Mark & David,
After my initial post on this issue I did in fact get it working, and we have been successfully running it with Office 365 UM for the past 3 years. Sorry for the non-response over the past years -- I am not really active on forums like these, so I do not monitor my account.
Things to look out for:
* Make sure you have the most current IOS and review it frequently. Microsoft keep adjusting the minimum accepted encryption levels on their side for the SRTP, which will cause the solution to stop working when you least expect it. Having the most current IOS ensures that at least the crypto will be supported.
* Public Certs ... Make sure you properly understand cryptography and encryption, and that all the public certs of Microsoft UM services are loaded into the keystores on the router.
* Hacking -- put ACLs on the router to restrict comms and connections only to the UM services dedicated to you. People love trying to run SIP exploits against the router.
Hope these pointers help.
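As an added troubleshooting aid for the original question (how to dig further into SIP TLS certificate failures) and the certificate/crypto pointers above, the script below is not from this thread or from Cisco: run from a workstation, it attempts a TLS 1.2+ handshake against a SIP-TLS endpoint using a chosen CA bundle and translates the OpenSSL failure text into the usual CUBE-side cause (CA missing from the trust store, cipher or protocol mismatch, expired or mis-named certificate). The host name `um.example.invalid` is a placeholder, not a real Microsoft endpoint.

```python
"""Probe a SIP-over-TLS endpoint and explain handshake failures.

Added example, not code from the thread. The endpoint name is a placeholder;
point it at the UM/SBC peer you are actually troubleshooting.
"""
import socket
import ssl
import sys

# Ordered OpenSSL error fragments -> likely cause. The most specific
# fragments come first because OpenSSL messages often contain several.
DIAGNOSES = [
    ("unable to get local issuer certificate",
     "peer chain is not anchored in the supplied CA bundle: import the issuing CA into the trust store"),
    ("certificate has expired", "peer certificate expired: renew it or update the trust store"),
    ("hostname mismatch", "certificate name does not match the peer address you dialled"),
    ("certificate verify failed", "peer certificate rejected by the verifier (chain, name or validity)"),
    ("no shared cipher", "no cipher in common: local crypto too old for the peer's minimum"),
    ("unsupported protocol", "TLS version rejected by the peer: raise the minimum version"),
    ("wrong version number", "peer did not answer with TLS (plain TCP SIP port?)"),
    ("handshake failure", "TLS handshake aborted by the peer: protocol/cipher mismatch"),
]


def classify_tls_error(message: str) -> str:
    """Map an OpenSSL/ssl error message onto an actionable diagnosis."""
    low = message.lower()
    for fragment, diagnosis in DIAGNOSES:
        if fragment in low:
            return diagnosis
    return "unclassified TLS error: " + message


def probe_sip_tls(host: str, port: int = 5061, cafile=None, timeout: float = 5.0) -> dict:
    """Handshake with host:port; return negotiated parameters or a diagnosis."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None uses OS trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # mirror a modern SBC minimum
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0],
                        "subject": dict(rdn[0] for rdn in cert["subject"]),
                        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                        "not_after": cert["notAfter"]}
    except ssl.SSLError as exc:
        return {"ok": False, "diagnosis": classify_tls_error(str(exc))}
    except OSError as exc:  # refused, timed out, unreachable
        return {"ok": False, "diagnosis": "TCP-level failure, not TLS: " + str(exc)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "um.example.invalid"  # placeholder
    print(probe_sip_tls(target, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

A result whose diagnosis points at the issuing CA, while the same bundle validates in a browser, usually means the intermediate is missing from the router's trustpool rather than the root.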