[cisco-voip] SIP session timer in IOS gateway

Norton, Mike mikenorton at pwsd76.ab.ca
Tue Oct 4 16:43:46 EDT 2016


Thanks Brian. I appreciate the insight into what I’m up against. So far I’ve avoided bringing up the L-word and have been getting away with calling it “third-party PBX,” but depending on how closely TAC looks at my config they’ll see clues. ;-) I suspect this is probably going to end up with me just accepting the workaround. At least the workaround works.

Unfortunately most people in the Microsoft ecosystem using Cisco gateways seem to just resort to turning off the session timer altogether. Forums/blogs/etc. are full of bad advice from so-called Lync telephony experts to “just run this PowerShell command to turn off the session timer, and pay no attention to the big yellow warning it pops up telling you that turning off the timer is a bad idea.” Le sigh.


So, I might as well post for the archives, the better alternative for using SIP session timer with IOS gateways and Lync:

On the voip dialpeer(s), apply both an inbound sip-profile[*] and an outbound sip-profile. You need both in order to ensure that the refresher roles don’t accidentally get swapped by mid-call messages (e.g. during hold/resume/transfer/etc.).

voice service voip
sip
  session refresh
  sip-profiles inbound[*]
!

In the inbound sip-profile[*]:
request ANY sip-header Session-Expires modify "([0-9]+)$" "\1;refresher=uas"

In the outbound sip-profile:
request ANY sip-header Session-Expires modify "([0-9]+)$" "\1;refresher=uac"

If you do the above then the refresher will always be the IOS gateway, which performs its refreshes at around 800-900 seconds, which is early enough to bypass any problems of premature timer expiration.

[*] Note that inbound sip-profiles requires at least IOS 15.4, which is not officially sanctioned by Microsoft, but too bad for them. IMO it is worthwhile to ignore MS on that. The one and only IOS release that MS officially supports is officially disavowed by Cisco due to known major issues (CCO makes you acknowledge big scary disclaimers before even letting you download it), so MS can go stuff their unrealistic version requirement somewhere unpleasant.


Have I mentioned how much fun this journey into SIP interop is?

-mn


From: bmeade90 at gmail.com [mailto:bmeade90 at gmail.com] On Behalf Of Brian Meade
Sent: October-03-16 3:51 PM
To: Norton, Mike <mikenorton at pwsd76.ab.ca>
Cc: cisco-voip at puck.nether.net; Daniel Pagan <dpagan at fidelus.com>
Subject: Re: [cisco-voip] SIP session timer in IOS gateway

I think the magic passphrase is "shibboleet"- https://xkcd.com/806/

To get past this point on the TAC side, it really depends on where you are in the process. If it's a developer pushing back, there's not a ton that you can do outside of the TAC engineer having the BU engineer yell at the developer.

If the TAC engineer hasn't even gone to the BU, you could contact their team lead and/or direct manager and then a duty manager if that doesn't work.

There's probably somewhere in the code where a random offset is subtracted from the timer to try to help with glare issues.  That code is probably fixing SIP interop issues for a lot of customers so I'm not sure if the developers would really be motivated to change that in any scenario.

Unfortunately, I think this is one of those issues where the SIP RFCs fell short and you're stuck with some sort of workaround in place.

I think best case the developers add a new feature to have more configuration options around these internal timers but I don't see that happening with a workaround in place unless you can show your account team a lot of $$$ associated with this so they can lean on the product marketing team.  I don't see them wanting to help too much though since you went to Lync.

On Mon, Oct 3, 2016 at 4:29 PM, Norton, Mike <mikenorton at pwsd76.ab.ca> wrote:
So after some more debugging, it appears that the IOS gateway actually “thinks” it is waiting for the recommended 1768 seconds, even though in reality it isn’t waiting the full duration. Debug of sip info/events shows that the gateway is setting its timer for 1768000 ms, but the timestamps on the debugs show that this timer is expiring 1658 seconds later. The exact time is not consistent and varies unpredictably on each call, even though it always “thinks” it’s counting 1768000 ms.

Sep 27 20:40:20.999: //101750/6E4A64A79824/SIP/Event/Session-Timer/sipSTSLMain: Event: E_STSL_SESSION_REFRESH_RESP
Sep 27 20:40:20.999: //101750/6E4A64A79824/SIP/Event/Session-Timer/sipSTSLMain: dir:1, method:102, resp_code:200, container:3EEA97C0
Sep 27 20:40:20.999: //101750/6E4A64A79824/SIP/Info/info/8192/Session-Timer/sipSTSLSRRespSend: Session expires header is received in the request, starting the session timer
Sep 27 20:40:20.999: //101750/6E4A64A79824/SIP/Info/info/8192/Session-Timer/sipSTSLStartSessionTimer: Started Session Expiry Timer with duration:1768000
Sep 27 20:40:20.999: //101750/6E4A64A79824/SIP/Info/info/8192/Session-Timer/sipSTSLMain:
Sep 27 20:40:20.999: //101750/6E4A64A79824/SIP/Event/Session-Timer/sipSTSLMain: Event: E_STSL_SPI_EVENT
Sep 27 20:40:20.999: //101750/6E4A64A79824/SIP/Info/info/8192/Session-Timer/sipSTSLMain:
Sep 27 21:07:58.121: //101750/6E4A64A79824/SIP/Event/Session-Timer/sipSTSLMain: Event: E_STSL_SESSION_TIMER_EXPIRED
Sep 27 21:07:58.121: //101750/6E4A64A79824/SIP/Info/critical/8192/Session-Timer/sipSTSLHandleSessionTimerExpiryEvent: Session Expiry timer expired, Disconnecting the call

IMO this is obviously a bug on the IOS gateway, so I have a case open with Cisco TAC. They are trying to deny it is a bug though. TAC is trying to push me to use Brian’s suggested workaround of forcing the IOS side to be the refresher by modifying SIP headers. That does seem to be a working workaround but IMO does not actually solve the root issue, which is that the timer on the IOS side is counting down too fast.

I’ve tried IOS 15.3(3)M1, 15.4(3)M5, 15.4(3)M6, and 15.6(3)M, on a 2901 and a 2911, and they all have the problem. TAC is trying to say that the fact that it happens in so many different versions points to it not being a bug.

This does seem like a bug, right? Does anyone know the magic passphrase I can use to convince Cisco TAC to acknowledge that this is a bug? ;-)

-mn



From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Norton, Mike
Sent: September-23-16 3:19 PM
To: Brian Meade <bmeade90 at vt.edu>
Cc: cisco-voip at puck.nether.net

Subject: Re: [cisco-voip] SIP session timer in IOS gateway

Oh yeah, good call. The other side isn’t specifying a refresher choice when it sends INVITEs, so the RFC would permit me to force my own choice. From what I have seen so far though, the other side seems to have misbehaviours when it’s not the refresher. I’ll play with that some more.

As for what the other side is... well, it’s a whole ‘nother ball of fun: Lync 2013. I miss CUCM + MGCP!!!

-mn


From: bmeade90 at gmail.com [mailto:bmeade90 at gmail.com] On Behalf Of Brian Meade
Sent: September-23-16 3:09 PM
To: Norton, Mike <mikenorton at pwsd76.ab.ca>
Cc: Daniel Pagan <dpagan at fidelus.com>; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] SIP session timer in IOS gateway

Your other option is trying to force CUBE to be the refresher but your other side may not support it and you get some glare conditions.

I don't think I've ever seen a SIP stack that didn't refresh at half the interval.  What's the other vendor/device?

On Fri, Sep 23, 2016 at 4:54 PM, Norton, Mike <mikenorton at pwsd76.ab.ca> wrote:
Hmm, good idea. But oh man, what a hack that would be. I might play around with this on my desk but not sure I’d feel comfortable with it in production. I’ll have to ponder if there could be weird edge cases when the timers get restarted by hold/resume, caller ID updates, etc.

At the rate I’m going, eventually I’ll have so much SIP header hacking that I might as well have just written my own SIP stack! Some of the SIP interop baloney I’m encountering makes FXO disconnect signaling look like a rock-solid worldwide standard in comparison! And this is with SIP on only one side of my gateways. I guess the fun is really going to start when we replace the PRIs with SIP trunks. Arrrrrrrrrrrgggggh.

-mn

From: bmeade90 at gmail.com [mailto:bmeade90 at gmail.com] On Behalf Of Brian Meade
Sent: September-23-16 2:38 PM
To: Norton, Mike <mikenorton at pwsd76.ab.ca>
Cc: Daniel Pagan <dpagan at fidelus.com>; cisco-voip at puck.nether.net

Subject: Re: [cisco-voip] SIP session timer in IOS gateway

Maybe an outbound sip-profile to modify the Session-Expires header to advertise to the other side a smaller SE value while CUBE still thinks it has 1800 seconds to wait?

I don't think the CUBE would change its internal timer based on adjusting the SIP header via sip-profiles.

On Fri, Sep 23, 2016 at 4:30 PM, Norton, Mike <mikenorton at pwsd76.ab.ca> wrote:
No that’s not the problem. The length of the SE timer isn’t what I’m talking about.

(BTW it is possible to adjust the SE. They added that as an additional parameter to the “min-se” command in 15.something.)

In my case I’m using 1800 and that is getting negotiated successfully. If I use something else, that also gets negotiated successfully. Cranking up the min-se causes the proper 422 response and second INVITE attempt, etc. Everything is occurring exactly as the RFC says it should. But the RFC is too vague!

For example, with SE=1800, the IOS gateway sends the BYE “slightly before” 1800 seconds, around 1665 seconds - which is perfectly valid according to the RFC. The other side is doing the refreshes. It does the refresh “before” 1800 seconds, around 1688 seconds - which is perfectly valid according to the RFC (halfway, i.e. 900, is recommended but not required; the only requirement is “before” 1800).

My problem is that IOS’s “slightly before” occurs around 1665 seconds and the other side’s “before” occurs around 1688 seconds. Neither side is in the wrong but the RFC has a stupid hole here. I need IOS to wait until closer to 1800.

-mn


From: Daniel Pagan [mailto:dpagan at fidelus.com]
Sent: September-23-16 2:23 PM
To: Daniel Pagan <dpagan at fidelus.com>; Norton, Mike <mikenorton at pwsd76.ab.ca>; cisco-voip at puck.nether.net
Subject: RE: SIP session timer in IOS gateway

I should be more specific… the min-SE specifies the minimum value the UAS is willing to accept from the Session-Expires header sent by the UAC. If your INVITE has an SE of 1800, and the incoming dial-peer has a min-SE of 3600, then CUBE will reply back to the UAC with a 422 final response - this 422 will contain its own min-SE header with value of 3600. The UAC should ACK the 422 and *should* follow-up with another INVITE where the Session-Expires timer value is 3600. This is one way to force CUBE to manipulate the incoming SE. I felt my previous explanation was missing some information and might have been a bit too vague.


“If the response to a session refresh request is a 422 (Session Interval Too Small) response message, then the UAC MAY retry the request.”



CUCM, if it’s the UAC, will retry the INVITE. I can’t speak to other call-agents though. But I still suggest, if possible, to address the main problem of your session expiration.



Hope this helps.

- Dan


From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Daniel Pagan
Sent: Friday, September 23, 2016 4:12 PM
To: Norton, Mike <mikenorton at pwsd76.ab.ca>; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] SIP session timer in IOS gateway

Adjusting the SE on standard CUBE is not possible from what I’ve experienced and tested. One way around it though is to set your Min-SE timer on the incoming dial-peer on CUBE. The UAC sending the INVITE will receive a 422 response back, from CUBE, and will include an updated min-se timer. The new min-SE value in the 422 will then be copied, by the UAC, into the Session-Expires header within a second INVITE. The question I feel I should ask though… is why try manipulating the SE/minSE timers to get around a failed session refresh instead of addressing the session refresh itself? Of course this is only masking another problem.

--------end attach---------

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Norton, Mike
Sent: Friday, September 23, 2016 4:01 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] SIP session timer in IOS gateway

I’d like to adjust IOS’s behavior around the SIP session-expires timer. Wondering if anybody knows if the command I need exists...

According to RFC 4028:

“If the side not performing refreshes does not receive a session refresh request before the session expiration, it SHOULD send a BYE to terminate the session, slightly before the session expiration.”

My problem stems from the fact that “slightly before” is left open to the imagination. The RFC “recommends” not more than 32 seconds but does not have any specific “requirement.” The default behaviour of IOS seems to use a longer value. I.e., it sends the BYE a little too prematurely for my situation. I need IOS to let the timer get closer to expiring before it issues the BYE.

I know it’s a long-shot, but someone please tell me there is a command for adjusting this! Not finding anything in the docs. Hoping to avoid having to disable the session timer or crank it up to 11. I love SIP interop, it’s so much fun! :-(

-mn


_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
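
Added example (not part of the original thread, and not Cisco code): a Python sketch that pairs each "Started Session Expiry Timer" debug line with the matching E_STSL_SESSION_TIMER_EXPIRED event for the same call and reports how much earlier than the armed duration the timer actually fired. The sample lines are copied from the debug output quoted in the thread; the function name, field names and the assumption that both events fall in the same year (the timestamps carry none) are made up for this illustration.

```python
import re
from datetime import datetime

# Lines copied from the "debug ccsip" output quoted in this thread.
SAMPLE_DEBUG = """\
Sep 27 20:40:20.999: //101750/6E4A64A79824/SIP/Info/info/8192/Session-Timer/sipSTSLStartSessionTimer: Started Session Expiry Timer with duration:1768000
Sep 27 20:40:20.999: //101750/6E4A64A79824/SIP/Event/Session-Timer/sipSTSLMain: Event: E_STSL_SPI_EVENT
Sep 27 21:07:58.121: //101750/6E4A64A79824/SIP/Event/Session-Timer/sipSTSLMain: Event: E_STSL_SESSION_TIMER_EXPIRED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"//(?P<call>[^/]+/[^/]+)/SIP/\S+: ?(?P<msg>.*)$"
)
START_RE = re.compile(r"Started Session Expiry Timer with duration:(\d+)")
EXPIRED = "E_STSL_SESSION_TIMER_EXPIRED"


def timer_drift(log_text):
    """Return one dict per expired session timer, comparing the duration the
    gateway logged when arming it with the wall-clock time it really ran."""
    armed = {}      # call id -> (timestamp, armed duration in seconds)
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        start = START_RE.search(m["msg"])
        if start:
            # Every session refresh re-arms the timer; keep the latest one.
            armed[m["call"]] = (ts, int(start.group(1)) / 1000.0)
        elif EXPIRED in m["msg"] and m["call"] in armed:
            t0, configured = armed.pop(m["call"])
            elapsed = (ts - t0).total_seconds()
            results.append({
                "call": m["call"],
                "configured_s": configured,
                "elapsed_s": round(elapsed, 3),
                "early_by_s": round(configured - elapsed, 3),
            })
    return results


if __name__ == "__main__":
    for r in timer_drift(SAMPLE_DEBUG):
        print(r)
```

Run over a longer capture, the early_by_s column shows whether the gap is constant or varies from call to call.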


