UCM62xx peer trunk works sometimes and then it fails


#1

Hello, I’ve already configured the peer trunk between Site A and Site B. I’m capable of making calls and even making call transfer between the extensions from A to B, but the problem is that this only works sometimes. Suddenly when I try to call from A to B it rings, but when B picks the call up it doesn’t listen anything, and in the phone of A it keeps ringing. In site B I’ve made successful calls and transfers too but then the calls stop going out with the message “All circuits are busy”. It’s just the peer trunk between the UCMs and I’m using the public IP from both places. Also, I’ve followed the guide to make this connection and forwarded the ports needed in both routers.
In site A I have: 1xx extensions
In site B I have: 2xx extensions


I made the packet capture and the results of the call flow on the left are when I can complete the call.
The image on the right is when the call from A to B keeps ringing even when B has already picked up. I would appreciate it if you can give me a hand since I’m still new to GS technologies.

Thanks in advance.


#2

Are you taking advantage of IAX or just using SIP?


#3

Just using SIP currently


#4

Which routers do you have?

What technology is your internet connectivity at both ends?


#5

I’m using an ARRIS TG862 on one side and a UBEE from the DVW series if I remember correctly. And I think both are Cable internet.


#6

Bridge the standard cable modems and place commercial grade firewall routers behind them because it sounds like your connections are going up and down because of SIP attacks.
The Arris can be bridged here - https://arris.secure.force.com/consumers/articles/General_FAQs/TG862G-NA-Bridge-Mode-Setup/?l=en_US&fs=RelatedArticle

The UBEE DVW modem can be bridged here - http://sharpeespace.blogspot.com/2011/09/bride-mode-on-timer-warner-docsis.html

The reason for bridging the modems is that they are just basic residential routers not designed, in reality, for business applications where you are using a server behind them, as in this case with the UCMs.

Use Mikrotik/Draytek/insert business name brand here… and make them the focal point of IP to IP access and Geo IP blocking, firewalling, NAT Translation etc…

Even the likes of an old shelved computer running OPNsense and 2 x network interfaces will provide better firewall capability and connectivity than a residential modem.


#7

As far as I can say, the 200 OK is not transmitted correctly to the caller.
As these tables have the IPs removed, I have no idea where it stops, but I guess the trunk between the UCMs.
Go with Syslog (+ pjsip and channel on debug) to see what is wrong.


#8

I agree with Marcin, but …on the surface it appears to be a NAT issue.

On the left side, it appears to be a normal call. The right side appears to be a phone calling into a PBX(a) and then from PBX(a) to PBX(b). As we cannot see what PBX(b) does with the call in its attempt to deliver the call to the desired destination as well as the IP, this is an educated guess on my part.

As you can see on the right side, the remote PBX is sending back a 200OK, but doing so multiple times. The session (call) is not complete until the other side PBX(a) sees the 200OK and responds with an ACK (which can be seen on the left). As a result of not seeing the ACK back at PBX(b), PBX(b) retries and continues to do so to no avail.

If you look at the contact and connect headers within the SIP messaging you will likely see the issue. As this appears to be a capture taken from only one UCM (the same both times), you should also repeat the same testing at both sides so that you can see if what was sent is what was received and vice versa.

I am assuming that the connection between the two UCMs is being conducted using nothing more than the cable modems. It is unknown if both sides have static or dynamic public IPs, if the modems (Kev’s suggestion) are bridged and if SIP ALG is disabled. Using the cable modems as a router is a recipe for disaster as they do not offer the firewall, bandwidth management and routing capabilities that are needed to ensure proper operation. DO NOT have the cable company bridge the modems until such time as you have a router/firewall in place at both sites. Bridging effectively eliminates the router function of the modem such that your device will not see what the router sees at the Internet directly. There will be no protection; hence the reason you need a decent firewall.


#9

Use a VPN to link the sites, more effective and secure. I have no issues with peer trunks using this method.


#10

Thanks, it actually makes a lot of sense, I’ll try to get some FW and make the test again

@Telefonix If I have also a GWN7000 can I take advantage of the VPN server that it has? So I just place it in site A and add both as clients?


#11

My bad sorry, I didn’t notice. This is the picture with the IP
This one is from the UCM on site A

I’m going to try also the Syslog to check, thanks


#12

I got the capture from the site B as well, but I didn’t upload it because of the restriction for new users, sorry. That’s why I also need to reply separately.
This is the capture from site B


#13

Rasov, Sure use 2 x GWN 7000’s to set up an IPSEC VPN. That’s what I have done also.


#14

I agree with @lpneblett; cable modems are NOT routers! You need decent firewalls at each location and you should have a site-to-site VPN in place between them. Then run your peer trunk over the VPN. If you have no remote extensions (eg extensions living outside the LAN’s) then your UCM’s can be 100% on the LAN and only expose connections to your external SIP provider through the firewall. Remote extensions can be set up via OpenVPN.

I have a couple of non-profits that have cable modem service but they are both “commercial” services from a Canadian ISP (Shaw) and the ISP put the modems in bridged mode. There is a small Meraki firewall between the modem and the UCM.

In my work we have three peered UCM’s, all sitting behind Meraki firewalls, two are on fibre, one on a cable modem service and again all are bridged. We have a three way mesh site-to-site VPN and the UCM’s peered trunks all run out over the site-to-site. And it all just works. The Merakis make the VPN simple but it really isn’t a big deal regardless of the firewall you use. Any half decent commercial firewall will do the trick. My only advice here would be to always use the same manufacturer firewalls rather than mix and match. It is always a pain to set up VPN between different firewall manufacturers because they all do things slightly differently from each other.


#15

Here I see the problem:
0.150 receives 200 OK but it is not transported to 0.137

But 0.100 sent it multiple times

What I can say is that 200 OK SDP was sent, but 2 UCM receive only 200 OK.
As there are no real packets to see, then:
Do the routers mess with the SDP? And 2 UCM do not receive a correct 200 OK, but that is speculation.

Compare these 200 OK packets from both UCMs (sent/received) and see if they were changed.
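
The sent-versus-received comparison suggested in posts #8 and #15, as an added example that is not part of any poster's reply: it pulls the Contact host and the SDP connection address and audio port out of two copies of the same 200 OK, flags RFC 1918 addresses the far site cannot route an ACK or RTP to, and lists what changed in transit. The two messages, their addresses and the function names are constructed for illustration, not taken from the thread's captures.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed samples (not the poster's capture): a 200 OK as sent by the
# answering PBX, and the same response as captured at the calling PBX.
SENT_200 = (
    "SIP/2.0 200 OK\r\n"
    "Contact: <sip:192.168.0.100:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 192.168.0.100\r\ns=-\r\n"
    "c=IN IP4 192.168.0.100\r\nt=0 0\r\nm=audio 10020 RTP/AVP 0\r\n"
)
RECEIVED_200 = (
    "SIP/2.0 200 OK\r\n"
    "Contact: <sip:203.0.113.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def sip_fields(msg):
    """Extract the addresses a NAT device or SIP ALG tends to rewrite."""
    head, _, body = msg.partition("\r\n\r\n")
    def first(pattern, text):
        m = re.search(pattern, text, re.I | re.M)
        return m.group(1) if m else None
    return {
        "contact": first(r"^(?:Contact|m)\s*:.*?sips?:(?:[^@>\s]+@)?([^:;>\s]+)", head),
        "sdp_c": first(r"^c=IN IP4 (\S+)", body),
        "sdp_audio_port": first(r"^m=audio (\d+)", body),
    }

def private_fields(fields):
    """Names of fields holding an RFC 1918 address the far site cannot route to."""
    hits = []
    for name in ("contact", "sdp_c"):
        try:
            ip = ipaddress.ip_address(fields[name] or "")
        except ValueError:  # hostname or missing value
            continue
        if any(ip in net for net in RFC1918):
            hits.append(name)
    return hits

def changed_fields(sent, received):
    """Fields that differ between what one UCM sent and what the other received."""
    return {k: (sent[k], received[k]) for k in sent if sent[k] != received[k]}

if __name__ == "__main__":
    print(changed_fields(sip_fields(SENT_200), sip_fields(RECEIVED_200)))
```

To use it on real traffic, paste the raw 200 OK text from the capture taken at each UCM in place of the two constructed strings.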


#16

I had already sent the same answer as he had sent me the pcap files. I did this 3 or 4 days ago and have not heard back. Oh, well.


#17

I believe that the residential routers are the ones that are messing up the SDP. I followed all of your suggestions and I’m currently working on a VPN between both sites, using the routers in bridge mode and installing GWN series routers on both sides.

@lpneblett My bad I’m really sorry, I didn’t see your mail, it was in the spam folder.