
New Member

VCS-E Local Authentication - failed for H323

Hi,

We have enabled Local DB authentication in our VCS-E and could not succeed in authenticating H323 endpoints behind firewall. SIP devices register without issues.

Auth Source on VCS - Local

VCS says "Request received from unauthenticated source"

Below settings are pushed to Endpoint.

Eg) EX60 running TC4.X

H323 Profile H323Alias ID: abc@example.com

H323 Profile H323Alias E164: 654321

H323 Profile PortAllocation: Dynamic

H323 Profile CallSetup Mode: Gatekeeper

H323 Profile Gatekeeper Address: XX.YY.ZZ.AA

H323 Profile Gatekeeper Discovery: Manual

H323 Profile Authentication LoginName: username

H323 Profile Authentication Password: password

H323 Profile Authentication Mode: On

Below is the registration request from the Endpoint, and the VCS sends back a Reject stating Security Denial.

NotW1.PNG

NotW2.PNG

I do have a capture from a working scenario, where I see the credentials going to the VCS as part of the Registration Request.

Eg) C40 running TC4.X

W1.PNG

and VCS confirms the request.

W2.PNG

So, I want to know what is stopping the Endpoint from being authenticated.

One more thing to be noticed in the above capture:

For the working scenario the RAS has Discovery Complete set to true, whereas it is false for the other.

a1.PNG

Could that be a problem of capability sets not being exchanged properly?

Regards // Rameez

1 ACCEPTED SOLUTION
Gold

Hi Rameez,

A couple of things you can try:

- Make sure that the endpoint has a working NTP server configured

- On the endpoint, try switching call setup mode to 'Direct' and save and then set it back to 'Gatekeeper' and save again.

This should hopefully make the endpoint start sending out RRQs with crypto tokens.

Optionally you could try rebooting the endpoint.

- Andreas

6 REPLIES
New Member

Hi Andreas,

That sounds good. But toggling "call setup" is quite tough, since the EPs are behind a FW and there are many of them.

Any other option than a reboot?

Gold

Rameez,

If these systems are managed by TMS you could perform this configuration change toggle via there.

This is at least the first thing I would try, so try this on one endpoint first and see if it helps.

-Andreas

New Member

Hi Andreas,

That can't be instantaneous, right?

The TMS has to wait for EP heartbeat message to push the settings - one more wait to revert back the change.

If there is no other hope - I will try that...

Cisco Employee

> could not succeed in authenticating H323 endpoints behind firewall. SIP devices register without issues.

In this typical case we see a time mismatch between the Endpoint and the VCS.

As Andreas suggests, please make sure the Endpoint and the VCS have the same NTP server configured, or that each NTP server (on the Endpoint and the VCS) provides the same time information, as H.235 authentication will be encrypted and decrypted by using the time on the device.

However, SIP doesn't use this method for credential exchange; that is the reason a SIP UA and an H323 Endpoint registration may see different results even when using the same credential account information.

New Member

Hi Andreas/TOM,

If I have a time mismatch, I should get a log stating that, right?

Jul 9 11:40:26tvcs: Event="Registration Rejected" Reason="Time difference too large for authentication" Service="H323" Src-ip="10.45.118.236" Src-port="1719" Dst-alias-type="H323"

I didn't get it here.
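
The log line quoted in the last post is enough to separate clock-skew rejections from other H.323 registration failures across many endpoints. The script below is an added example, not code from the thread or from Cisco; it assumes the key="value" event layout of that quoted line, and every sample line except the quoted one is constructed.

```python
import re
from collections import Counter, defaultdict

# Reason text exactly as quoted in the thread.
SKEW_REASON = "Time difference too large for authentication"
FIELD_RE = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')

# First line is the one quoted in the thread; the rest are constructed
# samples that only reuse its key="value" layout (values are placeholders).
SAMPLE_LOG = '''\
Jul 9 11:40:26tvcs: Event="Registration Rejected" Reason="Time difference too large for authentication" Service="H323" Src-ip="10.45.118.236" Src-port="1719" Dst-alias-type="H323"
Jul 9 11:41:02 tvcs: Event="Registration Rejected" Reason="constructed SIP reason" Service="SIP" Src-ip="192.0.2.10" Src-port="5060"
Jul 9 11:41:30 tvcs: Event="Registration Rejected" Reason="constructed other reason" Service="H323" Src-ip="192.0.2.30" Src-port="1719" Dst-alias-type="H323"
Jul 9 11:42:10 tvcs: Event="Registration Rejected" Reason="Time difference too large for authentication" Service="H323" Src-ip="10.45.118.236" Src-port="1719" Dst-alias-type="H323"
Jul 9 11:43:00 tvcs: Event="Constructed Other Event" Service="H323" Src-ip="192.0.2.20" Src-port="1719"
'''

def parse_event(line):
    """Return the key="value" fields of one event line as a dict."""
    return dict(FIELD_RE.findall(line))

def h323_rejections(log_text):
    """Count rejected H.323 registrations per source IP, split by cause."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("Event") != "Registration Rejected":
            continue
        if ev.get("Service") != "H323":
            continue  # SIP does not use the time-based exchange
        cause = "clock_skew" if ev.get("Reason") == SKEW_REASON else "other"
        per_ip[ev.get("Src-ip", "unknown")][cause] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}

def triage(log_text):
    """Split rejected endpoints into 'check NTP first' and 'look elsewhere'."""
    rejected = h323_rejections(log_text)
    check_ntp = sorted(ip for ip, c in rejected.items() if c.get("clock_skew"))
    look_elsewhere = sorted(ip for ip, c in rejected.items() if not c.get("clock_skew"))
    return check_ntp, look_elsewhere

if __name__ == "__main__":
    ntp, other = triage(SAMPLE_LOG)
    print("Check NTP on:", ntp)
    print("Rejected for another reason:", other)
```

Endpoints in the second list were rejected without the time-difference reason, which is the situation the last post describes.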
