[cisco-voip] Outbound Video Calls to Webex fail with 481

Ryan Huff ryanhuff at outlook.com
Fri Aug 25 11:33:17 EDT 2017 

In the case of WebEx / CMR Cloud; I believe WebEx will only support TLS for certificate verification when a CA signed certificate (TLS verify) is used, hence the base need for 5061 with a CA signed certificate even if the call is unencrypted.


In the WebEx Meeting Center Video Conferencing Enterprise Deployment guide for WBS30 (https://help.webex.com/docs/DOC-5355), it does appear to suggest on page 7 that self-signed certificates can be used on the edge for signaling and media purposes with WebEx; although I have no experience with this as I have only ever participated in edge scenarios with CA signed certificates.


I suppose as long as the WebEx Meeting Center has the self-signed certificate in the trust it would work; although getting Cisco WebEx cloud to do this for the customer; I do not know but my suspicion would be no and valid CA certs may be required, hence TLS verify/port 5061 required.


That's my guess anyway,


-RH


________________________________
From: bmeade90 at gmail.com <bmeade90 at gmail.com> on behalf of Brian Meade <bmeade90 at vt.edu>
Sent: Thursday, August 24, 2017 4:37 PM
To: Anthony Holloway
Cc: Jonathan Charles; Ryan Huff; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Outbound Video Calls to Webex fail with 481

That's not the normal way that TLS call setup works which tries to connect at 5061 from the start and does the TLS handshake.  WebEx might do some non-standard things though to try to force TLS.

On Thu, Aug 24, 2017 at 2:34 PM, Anthony Holloway <avholloway+cisco-voip at gmail.com<mailto:avholloway+cisco-voip at gmail.com>> wrote:
Wait, explain that to me.  So, your original call setup was over port 5060, where you received the 481, but then mid-call something tried to switch to port 5061?  Is that how escalation to encrypted SIP happens?  Starts on 5060 as clear text, then switches over to 5061 for encryption?  I'm obviously showing my ignorance with this, but willing to learn in spite of it.

On Thu, Aug 24, 2017 at 1:19 PM Jonathan Charles <jonvoip at gmail.com<mailto:jonvoip at gmail.com>> wrote:
Just an FYI, I did get this fixed... the firewall guy told me all rules were implemented... and nothing was being blocked.

Turned out he did a permit for sip on the ACL, which did not include 5061...

Added 5061 and it works.



Thanks!


Jonathan

On Sun, Aug 20, 2017 at 7:53 PM, Jonathan Charles <jonvoip at gmail.com<mailto:jonvoip at gmail.com>> wrote:
Ok, let me poke around a bit... I assume every problem is because of the firewall...


Jonathan

On Sun, Aug 20, 2017 at 7:36 PM, Ryan Huff <ryanhuff at outlook.com<mailto:ryanhuff at outlook.com>> wrote:
To expand on this; it really sounds like where your trouble happens is during a re-invite event. If that is the case, it could very well be DNS as mentioned OR less likely (but plausible), a TCP timeout mismatch on a firewall.

The codec logs and CCM trace will tell the tale for sure though.

Thanks,

Ryan

On Aug 20, 2017, at 6:36 PM, Ryan Huff <ryanhuff at outlook.com<mailto:ryanhuff at outlook.com>> wrote:

This might have to do with DNS. I would review all your internal/external SRV/A records for EXP/CUCM and your DNS zone in EXP.

It sounds like the call is traversing expressway, but call manager may be having trouble finding the call leg via DNS, to connect the codec to.

Pulling CCM traces and debug logs on the codec for a failed call will tell you for sure.

Thanks,

Ryan

On Aug 20, 2017, at 6:30 PM, Jonathan Charles <jonvoip at gmail.com<mailto:jonvoip at gmail.com>> wrote:

Just a single VCSC and VCSE.... single CUCM 11.5... this is just a proof of concept...



Jonathan

On Sun, Aug 20, 2017 at 5:27 PM, Ryan Huff <ryanhuff at outlook.com<mailto:ryanhuff at outlook.com>> wrote:
Do you have EXP clusters or is this a single C/E pair?

Sent from my iPhone

> On Aug 20, 2017, at 6:26 PM, Jonathan Charles <jonvoip at gmail.com<mailto:jonvoip at gmail.com>> wrote:
>
> We have an SX80 connected to CUCM 11.5 and VCSC 8.10  to a VCSE 8.10...
>
> Outbound calls route to Webex, you see them enter the meeting and then after 4 seconds, they drop, the VCS E shows
>
> 481 Call/Transaction Does Not Exist
>
> Does anyone have any ideas?
>
>
>
>
> Jonathan
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
> https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip


_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20170825/d2de19b9/attachment.html>

More information about the cisco-voip mailing list