I'm trying to get 2 phones (analog phones connected to a Linksys PAP2-NA) to register on CCME. These phones are located in a remote network and they are able to reach our CCME over a L2L IPsec VPN. Site-to-site connectivity is fine, router configs are working as well since I can get the PAP to register on CCME if I put it on my local network, the problem is happening now that I placed the PAP in the remote lan, it just can't register with CCME. I'm also sure that user id and passwords are configured correctly on both sides...
I believe it's IP related but can't find out exactly what I'm missing...
Thanks in advice.
This is an intricacy with SIP CME. If phones register over the directly connected subnet they do not require a username and password configuration. If they register on a different subnet, it is required.
In the SIP messaging we're sending 401 unauthorized, which after the phone receives it, it should be sending another register with authentication, but it's not.
Make sure that under each of the ephones you have the username and password defined, and I'm not sure exactly how you're supposed to put this into the Linksys phones but they should have a format for inputting this information.
Actually the phone does send another register request after the ccme sends that 401 unauthorized, I just didn't copy it to notepad, sorry.
Edit: I forgot to say it's a Linksys PAP2 (ATA) with 2 FXS, so I have 2 analog phones attached to it. I know where to put the username and password information into the Linksys and I'm sure it's correct (because it authenticates normally if connected to same lan as the cme).
Initially I thought it was related to mac id authentication but even setting the mac auth to zeros it still doesn't work.
I would change the MAC address to the correct MAC address, see if that helps. You can also try a different form of ID in that command.
We should be sending a 200 OK to the register, do you see that in the logs?
3rd party phones aren't officially supported for CME, so it's hard to say if they'll register remotely correctly.
Changing to the correct mac address doesn't works either. I tried changing the ID to network and IP address but the router says only mac address ID is supported in CME mode...
No, no "200 OK" at all. All I got in the logs are those messages I attached to my first post.
I'm stuck at this point right now, don't know what else I can try but it's really weird, the ATA can register normally when connected to CME's lan (even if it's not in the same VLAN).
If you post the full ccsip message debugs when the phone tries to register with the password I'll take a look.
my best guess is that the phone isn't doing something correctly in the re-register to the 401
This is as I said earlier - the phone never sends a re-register with authentication information. This is a phone configuration / interop issue.
CME doesn't officially support third party phones, so you would want to look at this from the Linksys phone.
It should be sending an authentication header in the register and it never does.
Have you got Cisco phones registered to CME on a different subnet?
I'm trying with 7960/7962 and having no luck. I'm getting the same as Guilherme in that a 401 Unauth message is being returned to the SIP phone. I am using IOS 12.22T and P0S-08-6-00 on the 7960.
Locally attached phones register fine.
I have username for authentication set to Extn number defined in Voice register pool. Password defined in the pool matches that defined on the phone. The realm is something that I cannot change on the actual phone so it is set to an arbitary value (cisco).
Yes, I do.
I don't have any 7960's currently, but I have before.
The phone will download the authentication data in the .cnf.xml file it downloads via TFTP. I have found that the CNF auto-update doesn't work as well for SIP CME as it does for SCCP. If you have configured your phone, tried to register, and added the authentication without manually doing a 'create profile' in voice register global, I would start there.
I would then check 'debug tftp events' to make sure you're downloading the file.
Thanks for your response.
I'm 100% sure the 7960 phone is receiving the cnf file via TFTP- I even deleted the cnf file of the phone. I can see it downloaded using deb tftp ev. It shows the correct DN on the Line1 setting.
The problem is as follows.
debug ccsip message is showing the router sending back a 401 Unauthorized. In the second REGISTER coming in from the 7960 phone there is no username being returned. In fact there is no authorization header in the REGISTER message.
So this goes into an endless loop- 401 Unauth is return and the phone returns a REGISTER with no authorization details.
Seems to be a firmware issue on the 7960- can you tell me which firmware you have used?
Well, the next step then would be to make sure that the configuration file has the authorization information.
I believe you'll be doing something like this:
debug tftp events will have the full name. Don't let the DN trick you - SIP phones are much different from SCCP. They will show the last DN they registered with, even if they aren't registered. They have more of a memory than SCCP phones do.
You should see something similar to this:
If you can confirm the .cnf.xml file has that in there, and the phone downloads it, then it's a phone firmware issue. 8.6.0 is pretty recent, and I don't think this is the case.
The phone downloads a SIP
Take a look below and it has the necessary authorization information:
Thanks for your any light you may be able to shed.
What IOS version are you on?
My 22T router shows this:
Directory of system:/cme/sipphone/
249 -rw- 175
237 -rw- 0
250 -rw- 2809
235 -rw- 1880
238 -rw- 3613
239 -rw- 3579
236 -rw- 69
This is the configuration file it downloads as well.
I'm using 22T.
The voice register creates SIPxxx.cnf files for the 7960 and SEPxxx.cnf.xml files for the 7962.
Neither the 7960 nor the 7962 re-registers with the authorization header in reponse to a 401 unauthorized msg from the CME.
I have a 3rd party software client that does include the authorization header and registers fine.
Within the Cisco phones is there a flag within the cnf file that need to be set? Or should the phones be setup with authentication and encryption before it can register using the digest authorization within SIP...
I've found that if you have a pre-existing DN on the IP phone, it helps if you either delete that on the phone, or change it to the DN you're trying to register.
The same goes for any passwords you have configured on the phones.
There isn't a flag, other than the field existing that I know of.