CUP 7.0.3 - CUP 7.0.3 Inter-domain federation issue

Unanswered Question
Apr 8th, 2009

Good day! I'm testing in lab inter-domain federation functionality. When I'm using transport udp/tcp every thing works fine (user from one domain can subscribe and sent IM to user at another domain). But when I'm using transport tls between domains issue occur.

Problem that presence subscription fails.

From logs I found that TLS connection establishes and no error with certificates but suddenlty Proxy recives message “Proxy Authentication Required” witch is forwarded to Presence engine.

May be someone had this problem?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
htluo Thu, 04/09/2009 - 07:33

If TCP works but TLS doesn't, it has to be with the certificate.

Could you do the following?

1) Set SIP Proxy trace level to debug and choose the following options:

Enable SIP TLS Trace

Enable SIP Message and State Machine Trace

Enable SIP TCP Trace

Enable Authentication Trace

2) Start packet capture from the CUPS. The command is:

utils network capture file cups count 100000 size all host all

Where is the IP address of OCS.

3) Restart SIP Proxy after you started packet capture.

4) Try to recreate the problem.

5) Press Ctrl-C to stop the packet capture.

6) Use RTMT to get "SIP Proxy Logs" and "Packet Capture Logs"



LysetskyyS Sun, 04/12/2009 - 23:12

Here you go. In txt file are logs from CUPS(, cips7.voice.local) and remote CUPS(, cips7.preved.local). In cap file - packet capture from side.

User from voice.local domain tries to subscribe to user from preved.local

LysetskyyS Mon, 04/13/2009 - 08:51

today, in the morning(my local time), before I've enabled traces.

You want that I restated sip proxy fter enabled trace? I need to restart sip proxy service only or the whole server?

LysetskyyS Thu, 04/16/2009 - 23:08

Good day! In attach new logs and cap. Proxy was reseted approximetly:

UTC is : Fri Apr 17 06:49:03 UTC 2009

Europe/Kiev is : Fri Apr 17 09:49:03 EEST 2009

At this logs user from domain preved.local tries to subscribe to user [email protected].

Logs were taken from voice.local proxy. It's very strange that no SSL errors but suddenly proxy set:

04/17/2009 09:53:08.902 ESP|PID(29997) sip_sm.c(4425)

Auth_state is AUTHEN_PENDING for connid 2:

and sends to proxy preved.local(

SIP/2.0 407 Proxy Authentication Required

htluo Fri, 04/17/2009 - 05:36

Looking at packet capture,

TLS handshake happened at 09:53:08 (Client Hello at packet #412, #425).

TLS Alert (packet #438, #440) usually means handshake failed. TLS not set up.

Are you using IP address as TLS peers? You need to use the CN (Common Name) in the certificate as TLS peers. e.g. "cips7.voice.local".


LysetskyyS Fri, 04/17/2009 - 07:05

Yes, I'm using Common Name in cips7.voice.local server TLS peer is cips7.preved.local and on cips7.preved.local server TLS peer is cips7.voice.local.

It's very strange that in proxy_voice_local traces there is no certificate verification.

htluo Fri, 04/17/2009 - 07:50

Encrypted Alert means TLS can't be set up because of digital signature doesn't match. You'd better open a TAC case and attach the files.



This Discussion