Exclusive Media Partner

Cannot Call Outbound on Encrypted SIP Trunks from Ribbon SWe-Lite

Mark Vale
Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp

This issue is a bit niche, but it will serve to remind me the next time I come across it.

Recently I needed to connect a few Ribbon SWe-Lite SBCs to a SIP service provider over the internet using encryption. Connectivity was fine and inbound calls from the service provider were successfully routed and connected.

However, placing outbound calls to the service provider from the SBC failed with a 481 – Not Acceptable Here response.

After going through the usual troubleshooting steps such as blaming the security person and the firewall :), the problem seemed to be more down to the configuration supported by the provider.

Looking through an incoming INVITE from the provider, the crypto suite offered in SDP looked to be an acceptable match on the SBC, but I noticed that they didn’t send the key lifetime in the initial crypto offer.

You can find out if the lifetime is present in the a=crypto line in SDP at the end of the salt and after the first | break, as follows:

Example of Key Lifetime present in SDP with Crypto

On INVITES initiated from the SBC to the provider I was sending the lifetime in SDP to them.

Logic dictates that I should try to remove that and try again and SUCCESS! Outbound calling is now working!

How to remove this on a Ribbon SWe-Lite

To remove the lifetime from being sent in SDP, go to the SDES profile attached to the media list for the trunk and set the Key Identifier Length to 0.

Removing the Master Key Lifetime on a Ribbon SWe-Lite

Now, when outbound calls are sent, the crypto includes just the algorithm and the salt needed to validate the encryption

Results of the removal

Potential Bug?

Even though this resolved the issue, is did observe another behaviour that continued after this change (and probably was there before). I am not sure if it is a bug with the Ribbon code or not.

However, on response to inbound INVITES the SBC sends a 200 OK with SDP. Inside that response, the crypto line includes the key lifetime, even though the profile is set to not!

To remove that required a SIP Message Manipulation Rule applied to the outbound rules on the service provider Signaling Group

Create a new Message Rule Table

The create a Raw Message Rule

Use Match Regex: (a=crypto:(.*))\|(.*)

Replace: \1

Remove Crypto Lifetime from SDP using SMM

Then apply that message table to the outbound rules on the Service provider signalling group

Applying SMM to Signaling Group

Now the 200OK with SDP response looks consistent

200OK with SDP

Calls were working in both directions even without this rule in place, so the impact of this seems to be a non-event, but at least it makes it easier to troubleshoot other issues when your call flows are consistently presented.

Share
Share on facebook
Share on twitter
Share on linkedin

Register for Commsverse 2021

June 29th & 30th at Mercedes-Benz World, Weybridge, United Kingdom

Reserve your ticket today for FREE. Pay only when event is confirmed

Other Articles

Keep in touch

If you would like to be notified when we announce new events, please enter your details below.

We don’t share your email address with anyone. We don’t send you spam. We don’t try and sell to you.

You might get an email once every 60 days informing you of an upcoming event you may be interested in. That’s it.

The Microsoft Teams Conference Made By The Community, for the Community

© 2021 All rights reserved - Commsverse Ltd, Registered Company in England & Wales 12068652

Invite & Earn

X
Signup to start sharing your link
Signup