We have successfully implemented a Cisco 2911 running CUBE to connect to Exchange Online Unified Messaging. The only thing that we cannot get to work is play on phone. During the testing done it seems that when Exchange Online places the call to CUBE, TLS negotiation does not complete and then the SIP TLS signalling does not complete to process the call. It was thought that the CUBE does not have the required certificates to verify. However we have installed the required certificates provided by Microsoft as their Root Authority for their side of the SIP TLS link. I have also updated all the Root Cert Authorities on the Cisco router.
Below is an extract of the 'debug ccapi info'.
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake: Created a child process 255 for TLS handshake
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake: Socket: 4 handed off to child socket 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake: SIPSCTX passed to the child process 255
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_handshake_proc: child proc: Local socket fd 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_handshake_proc: Associated socket 0 in child proc
Aug 30 11:11:26.975: CRYPTO_PKI: (A005D) Session started - identity selected (Trustpool)
Aug 30 11:11:26.975: CRYPTO_PKI: Rcvd request to end PKI session A005D.
Aug 30 11:11:26.975: CRYPTO_PKI: PKI session A005D has ended. Freeing all resources.
Aug 30 11:11:26.975: CRYPTO_PKI: unlocked trustpoint Trustpool, refcount is 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tcp_tls_handshake_failure: In sip_tcp_tls_handshake_failure
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tcp_tls_handshake_failure: Server Failure: Closing child socket fd: 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_purge_entry: Socket fd: 4 closed for connid 6 with address: 22.214.171.124, remote port: 45779
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_purge_entry: TLS Handshake child process killed
Does anyone have any ideas on how to troubleshoot SIP TLS Certificate issues further? The CallManager - Cube SIPTLS documentation has been used so far - but not really helping.
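One way to get further with an extract like the one above is to triage it mechanically rather than by eye: pull out the handshake attempt, the failure reason, the connection that was torn down (connid, peer address and port) and every CRYPTO_PKI event in between, then check whether any certificate validation message was logged at all before the handshake died. The script below is an added example written for this thread, not code from the original post or from Cisco; the sample log is the extract quoted above, copied in as a constructed test input, and the "peer certificate seen" heuristic (looking for validation or certificate wording in CRYPTO_PKI lines) is an assumption of this example, not documented IOS behaviour.

```python
"""Triage a Cisco IOS SIP TLS / CRYPTO_PKI debug extract for a failed handshake.

Added example for this thread (not the poster's or Cisco's code). Parses the
timestamped debug lines, collects the TLS handshake events and PKI session
trace, and reports whether the handshake failed before any certificate
validation event appeared in the log.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the debug extract quoted in the question.
SAMPLE_LOG = """\
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake: Created a child process 255 for TLS handshake
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake: Socket: 4 handed off to child socket 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake: SIPSCTX passed to the child process 255
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_handshake_proc: child proc: Local socket fd 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_handshake_proc: Associated socket 0 in child proc
Aug 30 11:11:26.975: CRYPTO_PKI: (A005D) Session started - identity selected (Trustpool)
Aug 30 11:11:26.975: CRYPTO_PKI: Rcvd request to end PKI session A005D.
Aug 30 11:11:26.975: CRYPTO_PKI: PKI session A005D has ended. Freeing all resources.
Aug 30 11:11:26.975: CRYPTO_PKI: unlocked trustpoint Trustpool, refcount is 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tcp_tls_handshake_failure: In sip_tcp_tls_handshake_failure
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tcp_tls_handshake_failure: Server Failure: Closing child socket fd: 0
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_purge_entry: Socket fd: 4 closed for connid 6 with address: 22.214.171.124, remote port: 45779
Aug 30 11:11:26.975: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_purge_entry: TLS Handshake child process killed
"""

# "Aug 30 11:11:26.975: <body>"
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (?P<body>.*)$")
# "//-1/xxxxxxxxxxxx/SIP/Info/<function>: <message>"
SIP_RE = re.compile(r"^//(?P<callid>-?\d+)/(?P<guid>\w+)/SIP/(?P<level>\w+)/(?P<func>\w+): (?P<msg>.*)$")
PKI_RE = re.compile(r"^CRYPTO_PKI: (?P<msg>.*)$")
PKI_SESSION_RE = re.compile(r"\(([0-9A-Fa-f]+)\)|session ([0-9A-Fa-f]+)")
PURGE_RE = re.compile(
    r"Socket fd: (?P<fd>\d+) closed for connid (?P<connid>\d+) with address: "
    r"(?P<addr>[\d.]+), remote port: (?P<port>\d+)"
)
# Heuristic (assumption of this example): PKI lines that mention validation
# or a certificate indicate the peer's chain was at least looked at.
CERT_WORDS = ("validat", "certificate", "chain")


@dataclass
class TlsTriage:
    handshake_started: bool = False
    handshake_failed: bool = False
    failure_reason: str = ""
    peer_cert_seen: bool = False
    pki_sessions: dict = field(default_factory=dict)   # session id -> [messages]
    closed_connections: list = field(default_factory=list)
    unparsed: list = field(default_factory=list)

    def verdict(self) -> str:
        if not self.handshake_started:
            return "no SIP TLS handshake attempt found in extract"
        if not self.handshake_failed:
            return "handshake did not fail in this extract"
        if not self.peer_cert_seen:
            return "handshake failed before any certificate validation event was logged"
        return "handshake failed after certificate processing: " + self.failure_reason


def triage(log_text: str) -> TlsTriage:
    """Walk the extract line by line and fill in a TlsTriage summary."""
    result = TlsTriage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts_match = TS_RE.match(line)
        if not ts_match:
            result.unparsed.append(line)
            continue
        body = ts_match.group("body")

        sip = SIP_RE.match(body)
        if sip:
            func, msg = sip.group("func"), sip.group("msg")
            if func == "sip_tls_initiate_handshake":
                result.handshake_started = True
            elif func == "sip_tcp_tls_handshake_failure":
                result.handshake_failed = True
                if "Failure" in msg:          # skip the "In <function>" entry line
                    result.failure_reason = msg
            elif func == "sip_tls_tcp_purge_entry":
                purge = PURGE_RE.search(msg)
                if purge:
                    result.closed_connections.append({
                        "fd": int(purge.group("fd")),
                        "connid": int(purge.group("connid")),
                        "addr": purge.group("addr"),
                        "port": int(purge.group("port")),
                    })
            continue

        pki = PKI_RE.match(body)
        if pki:
            msg = pki.group("msg")
            sid_match = PKI_SESSION_RE.search(msg)
            sid = (sid_match.group(1) or sid_match.group(2)) if sid_match else "-"
            result.pki_sessions.setdefault(sid, []).append(msg)
            if any(word in msg.lower() for word in CERT_WORDS):
                result.peer_cert_seen = True
            continue

        result.unparsed.append(line)
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("verdict:", summary.verdict())
    print("failure reason:", summary.failure_reason)
    for conn in summary.closed_connections:
        print("closed connid %(connid)d to %(addr)s:%(port)d (fd %(fd)d)" % conn)
    for sid, msgs in summary.pki_sessions.items():
        print("PKI session", sid, "->", " | ".join(msgs))
```

Run against the extract above it reports the handshake failing with "Server Failure: Closing child socket fd: 0", connid 6 to 22.214.171.124:45779 torn down, and a single PKI session A005D that started with the Trustpool identity and ended without any validation message in between. That is the useful signal for the next step: the trustpool was selected but nothing in this extract shows a peer chain being evaluated, so the next capture is worth taking with the PKI debugs (`debug crypto pki transactions` and `debug crypto pki validation`) enabled alongside the SIP ones, and with `show crypto pki trustpool` confirming the Microsoft roots are actually present in the trustpool the session selected.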
CoetzerJ, were you able to work through this issue? I am hoping so because I am working on implementing Exchange Online UM and I find little information on the Cisco side on how to connect to it. I see that CUBE is not supported by Microsoft for Office 365 so I was going to purchase a separate AudioCodes SBC for the secure SIP trunk between Call Manager and O365. I am curious if you were able to get CUBE working successfully in your setup. I really think Cisco needs to provide some info about these setups. Just because they pretend that there are no other companies out there does not mean that their customers aren't using them. We are considering moving to Lync Voice just because the documentation and partner network is so much better. Please let me know if you have your CUBE config to O365 up and running. I will explore that option if you were able to get it working successfully.
We are implementing an AudioCodes Mediant 1000 to get our phone system to securely talk to Exchange Online in Office 365. It is the only solution that I can find that is supported and that others are also doing. I just ordered the device yesterday so I do not have any additional information yet on implementation. I ordered AudioCodes installation services for the initial setup. I am told that it is not complicated and a pretty simple setup if you already have Cisco connecting to an Exchange server on premise. It is just another trunk to the SBC, about the exact same as the trunk to Exchange.
Mark DeRosia, now three years later did you get this solution working? I have CUCM 11 with on-prem Exchange 2013 UM and am working on moving the Exchange portion to Office 365. I'm hearing AudioCodes and Sonus for the SBC portion rather than CUBE, too. Thank you for your input.
After my initial post on this issue I did in fact get it working and we have been successfully running it with Office365 UM for the past 3 years. Sorry for the non-response over the past years -- I am not really active on forums like these so do not monitor my account.
Things to look out for:
* Make sure you have the most current IOS and review it frequently. Microsoft keeps adjusting the minimum accepted encryption levels on their side for the SRTP, which will cause the solution to stop working when you least expect it. Having the most current IOS ensures that at least the crypto will be supported.
* Public Certs ... Make sure you properly understand cryptography and encryption, and that all the public certs of Microsoft UM services are loaded into the keystores on the router.
* Hacking -- put ACLs on the router to restrict comms and connections only to the UM services dedicated to you. People love trying to run SIP exploits against the router.