4 Replies Latest reply on May 18, 2015 9:16 AM by david

    SBC SIP Trunking Help

    brentn New Member

      Hey all,

       

      I tend to type a lot, so this post will be kind of long. But it should include all information necessary.

       

      I already have a ticket open with support regarding this, and they were very very helpful with my first call to them. However I have updated the ticket a couple times today, and called in, and I haven't had anyone reach back out to me in about 6 hours. I realize that's not very long, but this is a critical issue for us so I'm hoping to get some help from the community.

       

      Long story short, I am using an AdTran 908e 2nd Gen basically as an SBC. Eth 0/1 is plugged in to the internet with a public IP (nothing else in front of it), and Eth 0/2 is going to be the private network which will go through a switch but ultimately only needs to talk to 1 computer: a fax server running Biscom FAXCOM. The planned setup is essentially back to back user agents, if I'm understanding it correctly. The Biscom FAXCOM server supports SIP trunking. We are pointing it to the inside interface of the AdTran, and then the outside interface of the AdTran has the information for a Level 3 SIP trunk (provided via VoIP Innovations).

       

      AdTran support was extremely helpful and provided me two things.

      1: Linked me to this document, which I followed almost exactly. - SBC SIP Trunking Sample Configuration

      2: Provided some additional configuration examples for the firewall options required for letting the two talk to each other.

       

      If I plug my computer directly in to the internet (no firewall or anything) then I can get out to Level 3's SIP Trunk and fax just fine. If I go in to Eth 0/2 like I want, I can't. Packet captures show that the connection goes out, and returns. So it *seems* like the NAT/firewall issues are good. But during the negotiation it ultimately stops responding so the SIP Trunk times out and hangs up. So that makes me think it *is* a NAT/firewall issue. I can definitely reach out and get a response, but it just won't complete.

       

      I have packet captures that I can provide, but I will start with screen shots and my configuration as it may be something obvious in there.

      Here is a flow diagram of when I plugged my computer directly to the outside internet, with no AdTran. You can see my IP (204.x.x.x) reaches out to VoIP Innovations (64.136.174.30) as a SIP trunk, which in turn negotiates with Level 3 (4.55.2.2) for us.

      worked.png

       

      And here is one when plugged in behind the AdTran, which does not work. Note that at this time my internal IP was on the 192.168.x.x network. I have since changed it though, so ignore that difference in my config vs this screenshot. For some reason VoIP Innovations is transparent in this one. You only see my computer's IP (192.168.90.10) talk to the inside interface of the AdTran (192.168.90.254, now changed) and Level 3 (4.55.2.2). However, this did go through VoIP Innovations still, as we don't have a SIP trunk directly with Level 3. You see the initial couple of invites and 200 OK. But then it sends several packets trying to do the T.38 handshake over to Level 3, and they never make it back. So it just hangs up. It definitely seems like NAT or firewall.

       

      broken.png

       

      Here is my config. It has been somewhat "sanitized." I have removed sensitive information, as well as unecessary info (like all of the shut ports).

      ! ADTRAN, Inc. OS version R10.10.0.E

      ! Boot ROM version 14.05.00.SA

      ! Platform: Total Access 908e (2nd Gen), part number 4242908L1

      ! Serial number x

      !

      hostname "TA908e"

      enable password encrypted x

      !

      ip subnet-zero

      ip classless

      ip default-gateway 204.x.x.x

      ip routing

      ipv6 unicast-routing

      !

      name-server 8.8.8.8

      !

      no auto-config

      auto-config authname adtran encrypted password x

      !

      event-history on

      no logging forwarding

      no logging email

      !

      service password-encryption

      !

      username "x" password encrypted "x"

      !

      ip firewall

      no ip firewall alg msn

      no ip firewall alg mszone

      no ip firewall alg h323

      !

      aaa on

      ftp authentication LoginUseLocalUsers

      !

      aaa authentication login LoginUseTacacs group tacacs+

      aaa authentication login LoginUseRadius group radius

      aaa authentication login LoginUseLocalUsers local

      aaa authentication login LoginUseLinePass line

      !

      aaa authentication enable default enable

      !

      no dot11ap access-point-control

      !

      interface eth 0/1

        ip address  204.x.x.x  255.255.255.252

        ip access-policy Public

        media-gateway ip primary

        no shutdown

      !

      interface eth 0/2

        ip address  10.10.80.254  255.255.255.252

        ip access-policy Private

        media-gateway ip primary

        no shutdown

      !

      ip access-list extended Admin

        permit tcp any  any eq ssh

        permit tcp any  any eq https

      !

      ip access-list extended MatchAll

        permit ip any  any  

      !

      ip access-list extended SIP

        permit udp any  any eq 5060

      !

      ip policy-class Private

        allow list self self

        nat source list MatchAll interface eth 0/1 overload

      !

      ip policy-class Public

        allow list SIP self

        allow list Admin self

      !

      ssh-server pubkey-chain

      !

      no tftp server

      no tftp server overwrite

      http authentication LoginUseLocalUsers

      http server

      no http secure-server

      no snmp agent

      no ip ftp server

      no ip scp server

      no ip sntp server

      !

      sip

      sip udp 5060

      no sip tcp

      !

      voice feature-mode network

      voice transfer-mode local

      voice forward-mode local

      !

      voice trunk T01 type sip

        description "VI SIP Trunk"

        sip-server primary 64.136.174.30

      !

      voice trunk T11 type sip

        description "FAXCOM"

        sip-server primary 10.10.80.158

        grammar from host local

        transfer-mode network

      !

      voice grouped-trunk PROVIDER

        trunk T01

        accept NXX-NXX-XXXX cost 0

        accept 1-NXX-NXX-XXXX cost 0

        accept 011-$ cost 0

        accept 411 cost 0

        accept 611 cost 0

        accept 911 cost 0

      !

      !

      voice grouped-trunk FAXCOM

        trunk T11

        accept $ cost 0

      !

      ip rtp symmetric-filter

      !

      line con 0

        login authentication LoginUseLinePass

      !

      line telnet 0 4

        login authentication LoginUseLinePass

        no shutdown

      line ssh 0 4

        login authentication LoginUseLocalUsers

        no shutdown

      !

      end

       

      Thanks in advance for any and all help!

        • Re: SBC SIP Trunking Help
          jwable Frequent Visitor

          Bretn,

              You have to have the SBC model Adtran to do this.  You will notice in the sample configuration the key command:

          ip rtp media-anchoring

           

          This command forces the Adtran to stay in the middle of the call otherwise the endpoints will try to connect directly together which is not possible since one is private and the other is public.  However it cannot be entered on Non SBC Adtrans.  Since you Adtran does not have the command and it does not have the SBC key I would guess it is not an SBC model and therefore not possible to do this setup with.

           

          John Wable

          • Re: SBC SIP Trunking Help
            david Employee

            Brent,

             

            I went back and looked up the ticket with ADTRAN.  The SBC media-anchoring option mentioned by others would likely have worked as well, but it appears we resolved the issue by adding a static route for the far end T.38 endpoint to the local fax server.  If there was some other resolution, feel free to add that to this post.

             

            Thanks!

            David