[VoiceOps] Cisco 7941 SIP

Rob Dawson rdawson at force3.com
Thu Oct 8 10:28:16 EDT 2015


Important thing to bear in mind is that the Cisco best practice for remote endpoints was and still is to use VPN Phone via AnyConnect licensing, or in the newer endpoints via the Collaboration Edge architecture and Expressway. The phone determines if it can communicate directly to CUCM and if not it tries to establish an SSLVPN connection back to an ASA located at the provider edge, or in newer endpoints (8800 series for example) it establishes a session with Expressway just like a mobile device or tablet would. NAT across a WAN was never really a ‘thing’.

That being said, there are three config options related to NAT that you can try -

<natEnabled>true</natEnabled>
<natAddress>xx.xx.xx.xx</natAddress>
<natReceivedProcessing>true</natReceivedProcessing>

natAddress would be the phones local WAN IP address. Enabling natReceivedProcessing causes the phone to look at the 'received' tag in the via header of the 200 OK registration response for it's NAT address.

I am not sure if natEnabled actually forces symmetrical NAT or not. Would be easy enough to test and find out I guess.

If you think that the phone is requiring the reply to 5060 then you could also try rewriting the port on the outbound packets. Since the traffic didn’t originate from 5060 on the phone that would probably not be considered stateful and may require a static NAT on the firewall though.

WRT to the SOHO router ALG issue, you can try running an alternate SIP listening port. it breaks most of the ALGs and lets your SBC handle far-end NAT traversal as it should. It also allows for some security through obscurity. Guarantee your SIP scans will go down. Just make sure that you don’t select another well-known port.

I've almost never dealt with an instance where large deployments of unsupported endpoints turned out well. I realize that the usual tendency is for engineering to push back on a lot of requests, but there is good rationale for it in these cases. Allowing sales to force adoption of unsupported devices just so they can book revenue will usually result in a less than stellar onboarding experience, painful day one and beyond support issues, and a customer that leaves after a few months anyway wasting all of the dollars spent in engineering and operations to support the effort in the first place.

One way to get around these issues is to tie your product offering to your selected endpoints. Probably 70% of the folks on this board sell Polycom phones, why? Is there any functionality that you deliver with your whizzbang VVX600 that a customer can't get on a 15 year old 79xx?  Or a 2600 set with CENTREX features for that matter? OK, maybe BLF, but other than that probably not . . . If you develop a bespoke product offering that requires specific endpoints for delivery (presence integration, content delivery, video and collaboration features, integration with business systems) and train your sales force to sell based on value and using your unique feature set to wow and delight your customers, instead of selling on price point, then no customer will be able to build a strong business case for keeping their legacy endpoints. Not to mention that you have differentiated yourself from the other 10,000 guys selling Broadworks and Polycom and elevated yourself above the commodity vendors.

Rob


From: VoiceOps [mailto:voiceops-bounces at voiceops.org] On Behalf Of Mark Lindsey
Sent: Tuesday, October 06, 2015 10:52 PM
To: Pete E
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] Cisco 7941 SIP

1. In Hosted PBX, accommodating new, non-productized devices that the customer just has to keep is the price you pay to enjoy slow growth (because the engineering effort for the customer is immense), poor reliability (because you can test much less), and an unsupportable customer deployments (because the support team isn't equipped to support this "product").

2. In Hosted PBX, the demarc is the audible voice on the speaker and the input to the microphone. Supporting random devices the customer brings you makes it impossible for you to fulfill your end of the bargain: make this voice stuff work every time for every call.

3. The best thing to do with a customer's old device is trade in credit then liquidate.

4. Cisco 79xx SIP has gone back and forth on symmetric sip signaling over the past few decades. But generally, when nat is involved, the sip phone has to do symmetric sip ports -- I.e., it must use the same port numbers for both sending sip and receiving sip. (And when carrier SBCs are involved, it needs to use the same port number for all sip transactions, not just those related to direct call control).

But I remember Cisco 79xx configs having a "nat_enable" or similar flag that actually enable the symmetric sip.

mailto:mark at ecg.co
tel:+1-229-316-0013 http://ecg.co/lindsey

On Oct 6, 2015, at 17:10, Pete E <peeip989 at gmail.com<mailto:peeip989 at gmail.com>> wrote:
Greetings Voice Operators,


We have an interesting (code word for annoying) challenge that we've never dealt with before, probably because we don't do much with Cisco phones. We have a new customer coming on who wants to keep their very old Cisco 7941 phones. They have a few offices and the phones work as expected behind an Edgemarc. However, they also have 100+ home users, and that's where the issue comes in.

Apparently Cisco introduced a security "feature" where they create the session using a random high numbered port (e.g. 49123) but in the Via header, they say to respond to private IP, port 5060. So when the SBC sees the private address it assumes it is being NAT'd through a firewall and replies back to public IP, port 49123. What we're seeing is that the home router passes the response back to private IP, port 49123, which the phone doesn't accept (because it wants it on 5060) and the REGISTER fails.

As you know most home routers are poor at handling ALG (and we've tested and found they are equally bad at handling this scenario). We (and the customer) don't want to troubleshoot 100+ individual home routers.

We haven't found a way to turn off this really awesome "feature" so we're trying to find other solutions. Anyone been through this and have any suggestions?


Thanks,
Pete
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org<mailto:VoiceOps at voiceops.org>
https://puck.nether.net/mailman/listinfo/voiceops
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20151008/e6bceed9/attachment-0001.html>


More information about the VoiceOps mailing list