Wednesday, July 17, 2019

SIP: P-Asserted-Identity SIP Header modification

ShoreTel/Mitel allows users to move their extension from one location to another as long as they are configured on the ShoreTel/Mitel system. This not only gives users the ability to travel between sites with the same extension but also with the same DID and Caller ID. This is a really cool feature, but it can also create an issue with making certain calls.

For example, you have two sites, which we will call Site A and Site B, and each site has its own external SIP trunks for outbound dialing. We have a user named Jeremy. Jeremy usually works from Site B, which is also where his DID resides on Site B's SIP trunks. Today Jeremy needs to go to Site A for the day to work. Once there he logs in to a phone and is able to make local and long distance calls like normal, going out the Site A SIP trunks with his caller ID even though it does not belong to the Site A SIP trunks. He then needs to dial an 800 number to join a conference bridge, but the call is unable to connect.

This issue is something I have run into a lot. The call is being blocked by the carrier because the caller ID does not match any of the caller IDs that reside on those external trunks. There are a lot of hacks out there that allow people to spoof calls to dial 800 numbers, and this is known as toll fraud. One way the carriers combat this is by only allowing caller IDs that reside on that circuit to make 800-number calls. There are a number of ways to resolve this by modifying the SIP header to include the Billing Telephone Number (BTN) of that circuit. The way I have resolved it is by configuring P-Asserted-Identity (PAI) on the Ingate SIParator.

To do this, on the SIP Trunk Group page in the SIParator you need to modify the User Name in Outgoing Calls under PBX Lines. It normally has just a $1 in the User Name field, which passes through the caller ID presented by the PBX.




We need to modify it so that it also adds the site's BTN. To do that, enter something like this into the User Name field.

$1?P-Asserted-Identity=%3csip%3a2625555555%401.1.2.1%3e

In the line above, the "?P-Asserted-Identity=" part enables PAI in the SIP header, "2625555555" is the BTN to use and "1.1.2.1" is the IP address of the carrier device (the %3c, %3a, %40 and %3e are the URL-encoded <, :, @ and > of <sip:2625555555@1.1.2.1>). Below is what it looks like when it is in the SIParator.



Now, when Jeremy makes an 800-number call from Site A, the carrier accepts the call because he is presenting them with the BTN as authentication that he is allowed to use the circuit, as well as his own caller ID even though it does not belong to that circuit.


There are a lot of ways to do this, but this is the way that I have found works best for most of the deployments I am involved in.
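The User Name value above and the carrier-side check it satisfies, as an added Python example (not Ingate's or ShoreTel's code): it builds the percent-encoded "$1?P-Asserted-Identity=..." string from a BTN and carrier IP, then applies the circuit rule described above to a constructed INVITE. Jeremy's number 2625550100, the PBX address 10.0.0.5 and the 800 number are constructed.

```python
"""Build the SIParator 'User Name' value from the post and check it the way the carrier does.

Added example, not Ingate's or ShoreTel's code. build_pai_username() produces the
percent-encoded '$1?P-Asserted-Identity=...' string; circuit_accepts() models the
carrier rule described above: an 800-number call is accepted only when the asserted
number (P-Asserted-Identity if present, otherwise From) belongs to that circuit.
"""
import re
from typing import Optional, Set, Tuple
from urllib.parse import quote, unquote

def build_pai_username(btn: str, carrier_ip: str) -> str:
    """'$1' passes the PBX caller ID through; the suffix adds a PAI header carrying the BTN."""
    if not re.fullmatch(r"\d{10,15}", btn):
        raise ValueError(f"BTN must be 10-15 digits: {btn!r}")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", carrier_ip):
        raise ValueError(f"carrier IP must be a dotted quad: {carrier_ip!r}")
    # safe="" makes quote() encode '<', ':', '@' and '>'; lower-case hex matches the post's value
    encoded = quote(f"<sip:{btn}@{carrier_ip}>", safe="").lower()
    return f"$1?P-Asserted-Identity={encoded}"

def decode_pai_username(value: str) -> Tuple[str, str]:
    """Reverse of build_pai_username(): returns (btn, carrier_ip) as a sanity check."""
    m = re.fullmatch(r"\$1\?P-Asserted-Identity=(.+)", value)
    if not m:
        raise ValueError("not a PAI User Name value")
    uri = re.fullmatch(r"<sip:(\d+)@([\d.]+)>", unquote(m.group(1)))
    if not uri:
        raise ValueError("PAI URI is not <sip:number@ip>")
    return uri.group(1), uri.group(2)

def asserted_number(sip_message: str) -> Optional[str]:
    """Number the carrier checks: user part of P-Asserted-Identity, else of From."""
    for header in ("P-Asserted-Identity", "From"):
        m = re.search(rf"^{header}:\s*(.*)$", sip_message, re.M | re.I)
        if m:
            user = re.search(r"sip:\+?(\d+)@", m.group(1))
            if user:
                return user.group(1)
    return None

def circuit_accepts(sip_message: str, circuit_numbers: Set[str]) -> bool:
    """True when the asserted number is one of the numbers that live on this SIP trunk."""
    number = asserted_number(sip_message)
    return number is not None and number in circuit_numbers

# Constructed INVITE leaving Site A's trunk: From carries Jeremy's Site B caller ID
# (constructed 2625550100); the PAI line carries the Site A BTN from the post.
INVITE_WITH_PAI = """\
INVITE sip:18005551212@1.1.2.1 SIP/2.0
From: "Jeremy" <sip:2625550100@10.0.0.5>;tag=1928301774
To: <sip:18005551212@1.1.2.1>
P-Asserted-Identity: <sip:2625555555@1.1.2.1>
Call-ID: a84b4c76e66710@10.0.0.5
"""
INVITE_WITHOUT_PAI = "\n".join(
    l for l in INVITE_WITH_PAI.splitlines() if not l.startswith("P-Asserted-Identity")
) + "\n"
SITE_A_NUMBERS = {"2625555555"}   # constructed: the numbers that reside on Site A's trunk

if __name__ == "__main__":
    print(build_pai_username("2625555555", "1.1.2.1"))
    print("with PAI:", circuit_accepts(INVITE_WITH_PAI, SITE_A_NUMBERS))
    print("without PAI:", circuit_accepts(INVITE_WITHOUT_PAI, SITE_A_NUMBERS))
```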


Cisco: Track default route when Outside IP address is assigned via DHCP


Sometimes you need to apply a tracking statement to a route so that if a certain condition is met that route gets removed. In this case I needed the default route to fail over to a second internet connection if the primary internet went down. But we receive a DHCP IP address on the primary connection, so I cannot just track reachability to the next hop, as that IP address changes. So here is a way to do tracking statements with a DHCP default route: we set the default route to the interface instead of an IP address.


track 1 ip sla 10 reachability
 delay down 30 up 30
! The delay makes the track wait 30 seconds after the IP SLA fails (or recovers) before
! changing state, so that a brief blip does not flap the default route up and down.

ip sla auto discovery
ip sla 10
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
 tag Ping Google
 threshold 1000
 timeout 2000
 frequency 3
ip sla schedule 10 life forever start-time now
! The section above is where you configure the IP address you want to monitor; the router
! sends a ping to that address every 3 seconds to determine reachability (up/down).

interface GigabitEthernet0/1
 ip dhcp client default-router distance 1
 ip dhcp client route track 1

! Host route for the probe target: always forces the probe traffic out the primary interface so
! it is not sent over the backup (a probe that succeeds via the backup would bring the track back
! up). This address must be the same one the icmp-echo above targets.
ip route 8.8.4.4 255.255.255.255 GigabitEthernet0/1

! Primary internet connection default route with a tracking statement
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 track 1

! Backup internet connection default route (AD 200, only used once the tracked route is withdrawn)
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 200
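How the track delay and the two default routes behave over time, as an added Python model (not Cisco code): it replays constructed IP SLA probe results through the "delay down 30 up 30" timers and reports when the tracked AD-1 route on Gi0/1 gives way to the AD-200 route on Gi0/2. The 3-second probe cadence and delay values come from the config above; the probe outcomes are constructed.

```python
"""Replay of the 'track 1 ... delay down 30 up 30' logic and the default route it controls.

Added example, not Cisco code: a simplified model of how the track object damps IP SLA
results and how the tracked AD-1 default route on Gi0/1 gives way to the AD-200 route
on Gi0/2. Probe cadence (3 s) and delays come from the post; probe outcomes are constructed.
"""
from typing import List, Optional, Tuple

PRIMARY, BACKUP = "GigabitEthernet0/1", "GigabitEthernet0/2"

class Track:
    """IOS-style track object: changes state only after the SLA disagrees for 'delay' seconds."""
    def __init__(self, delay_down: int = 30, delay_up: int = 30) -> None:
        self.delay_down, self.delay_up = delay_down, delay_up
        self.up = True                          # assumed up at t=0
        self.pending_since: Optional[int] = None

    def feed(self, t: int, sla_ok: bool) -> bool:
        """Apply the probe result seen at time t (seconds); return the track state."""
        if sla_ok == self.up:
            self.pending_since = None           # SLA agrees with current state: cancel the timer
            return self.up
        if self.pending_since is None:
            self.pending_since = t              # first disagreeing probe starts the delay timer
        delay = self.delay_up if sla_ok else self.delay_down
        if t - self.pending_since >= delay:     # timer expired: commit the new state
            self.up, self.pending_since = sla_ok, None
        return self.up

def active_default_route(track_up: bool) -> str:
    """Routing-table view: the tracked AD-1 route wins while the track is up, else AD 200."""
    candidates = [(1, PRIMARY, track_up), (200, BACKUP, True)]   # (AD, interface, installed)
    return min(c for c in candidates if c[2])[1]

def replay(probe_results: List[Tuple[int, bool]]) -> List[Tuple[int, str]]:
    """Return (time, interface) each time the active default route changes."""
    track, changes, current = Track(), [], None
    for t, ok in probe_results:
        iface = active_default_route(track.feed(t, ok))
        if iface != current:
            changes.append((t, iface))
            current = iface
    return changes

def sla_result(t: int) -> bool:
    """Constructed probe outcomes: a 12 s blip at t=30..42, then an outage from t=60 to t=126."""
    return not (30 <= t <= 42 or 60 <= t <= 126)

PROBES = [(t, sla_result(t)) for t in range(0, 201, 3)]   # one probe every 3 s ('frequency 3')

if __name__ == "__main__":
    for t, iface in replay(PROBES):
        print(f"t={t:3d}s  default route via {iface}")
```

The 12-second blip never reaches the 30-second down delay, so the primary route stays; the longer outage withdraws it at t=90 and the backup takes over until the up delay has elapsed.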



Cisco: DMVPN commands and configuration


DMVPN debugs


Debugs on both sides at the same time:
debug crypto condition peer ipv4 <public IP of peer>
debug crypto isakmp
debug crypto ipsec

Clear the DMVPN session and crypto:
interface tunnel0
 shutdown
clear dmvpn session interface tunnel0
clear crypto isakmp

DMVPN Sample Scripts

These scripts assume that you have the router base configuration already done. They only give you the base information needed to create a DMVPN configuration and are nothing more than a starting point. For the ACL on the inbound interface the script has "any any" in it, but it should be locked down to the remote IP addresses of the other spokes and the hub.

DMVPN HUB Sample Script

crypto keyring dmvpnspokes
 description For DMVPN Tunnel
 ! This should be a strong (long, random) key
 pre-shared-key address 0.0.0.0 0.0.0.0 key "PRE_SHARED_KEY"

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 hash md5
! group 2 and md5 are kept from the original script; use sha256 and group 14 or higher if every spoke supports them

crypto isakmp profile DMVPNIsakmpProfile
 keyring dmvpnspokes
 match identity address 0.0.0.0

crypto ipsec transform-set ESP-AES-MD5 esp-aes 256 esp-md5-hmac
 mode transport

crypto ipsec profile DMVPNIpsecProfile
 ! Must name the transform-set defined above (the original referenced dmvpn-aes-sha, which is never defined)
 set transform-set ESP-AES-MD5
 set isakmp-profile DMVPNIsakmpProfile

interface Tunnel0
 description DMVPN_HUB
 ip address "IP_ADDRESS" 255.255.255.255
 ip mtu 1400
 ! The NHRP password must match on all Tunnel interfaces in this DMVPN
 ip nhrp authentication "NHRP_PASSWORD"
 ip nhrp map multicast dynamic
 ! The network ID is shared by all members, i.e. 10010100
 ip nhrp network-id "NETWORK_ID"
 ip nhrp holdtime 600
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 load-interval 30
 no shutdown
 qos pre-classify
 ! Interface that will be making the DMVPN connection
 tunnel source "INTERFACE"
 tunnel mode gre multipoint
 ! i.e. 10010100
 tunnel key "KEY"
 tunnel protection ipsec profile DMVPNIpsecProfile

! Lock this ACL down to the public addresses of the hub and spokes instead of "any any"
ip access-list extended inbound
 permit gre any any
 permit icmp any any
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit udp any any eq non500-isakmp
 permit esp any any
 permit tcp any any established




DMVPN Spoke Script

crypto keyring dmvpnspokes
 description For DMVPN Tunnel
 ! This should be a strong (long, random) key
 pre-shared-key address 0.0.0.0 0.0.0.0 key "PRE_SHARED_KEY"

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 hash md5
! group 2 and md5 are kept from the original script; use sha256 and group 14 or higher if the hub supports them

crypto isakmp profile DMVPNIsakmpProfile
 keyring dmvpnspokes
 match identity address 0.0.0.0

crypto ipsec transform-set ESP-AES-MD5 esp-aes 256 esp-md5-hmac
 mode transport

crypto ipsec profile DMVPNIpsecProfile
 ! Must name the transform-set defined above (the original referenced dmvpn-aes-sha, which is never defined)
 set transform-set ESP-AES-MD5
 set isakmp-profile DMVPNIsakmpProfile

interface Tunnel0
 description DMVPN_SPOKE
 ip address "IP_ADDRESS" 255.255.255.255
 ip mtu 1400
 ! The NHRP password must match on all Tunnel interfaces in this DMVPN
 ip nhrp authentication "NHRP_PASSWORD"
 ip nhrp map multicast "HUB_EXTERNAL_IP"
 ! Static map of the hub's tunnel address to its public address, i.e. 10.10.10.10 8.8.8.8
 ip nhrp map "HUB_TUNNEL_IP" "HUB_EXTERNAL_IP"
 ! Register with the hub as next-hop server (missing from the original script; without it the spoke never registers)
 ip nhrp nhs "HUB_TUNNEL_IP"
 ! The network ID is shared by all members, i.e. 10010100
 ip nhrp network-id "NETWORK_ID"
 ip nhrp holdtime 600
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 load-interval 30
 no shutdown
 qos pre-classify
 ! Interface that will be making the DMVPN connection
 tunnel source "INTERFACE"
 tunnel mode gre multipoint
 ! i.e. 10010100
 tunnel key "KEY"
 tunnel protection ipsec profile DMVPNIpsecProfile

! Lock this ACL down to the public addresses of the hub and other spokes instead of "any any"
ip access-list extended inbound
 permit gre any any
 permit icmp any any
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit udp any any eq non500-isakmp
 permit esp any any
 permit tcp any any established
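A static check for the slips these sample scripts invite, as an added Python example (not the post's tooling): it parses plain IOS text and flags an IPsec profile naming an undefined transform-set, a spoke tunnel that maps the hub but has no "ip nhrp nhs", the "any any" inbound ACL the post says to lock down, and md5/group 2 ISAKMP settings. SPOKE_SAMPLE is a shortened, constructed spoke (addresses 10.10.10.x and 198.51.100.1 are made up) with those slips left in.

```python
"""Static check of an IOS DMVPN script for the slips the sample scripts above invite.

Added example, not the post's tooling: it parses plain IOS text and reports an IPsec profile
naming an undefined transform-set, a spoke tunnel that maps the hub but has no 'ip nhrp nhs',
the 'any any' inbound ACL the post says to lock down, and md5/group 2 ISAKMP settings.
SPOKE_SAMPLE is a shortened, constructed spoke with those slips left in.
"""
import re
from typing import Dict, List

def _blocks(config: str, header_re: str) -> Dict[str, List[str]]:
    """Map each block header matching header_re to its indented child lines."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if re.match(header_re, line):
            current = line.strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def lint_dmvpn(config: str) -> List[str]:
    """Return human-readable findings in config order; an empty list means nothing was flagged."""
    findings: List[str] = []
    defined = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    for prof, body in _blocks(config, r"^crypto ipsec profile ").items():
        for line in body:
            m = re.match(r"set transform-set (\S+)", line)
            if m and m.group(1) not in defined:
                findings.append(f"{prof}: transform-set '{m.group(1)}' is never defined")
    for pol, body in _blocks(config, r"^crypto isakmp policy ").items():
        if "hash md5" in body or "group 2" in body:
            findings.append(f"{pol}: md5/group 2 are weak; prefer sha256 and group 14+ if both ends allow")
    for tun, body in _blocks(config, r"^interface Tunnel").items():
        static_map = any(re.match(r"ip nhrp map (?!multicast)\S+ \S+$", l) for l in body)
        if static_map and not any(l.startswith("ip nhrp nhs ") for l in body):
            findings.append(f"{tun}: hub is mapped but 'ip nhrp nhs' is missing, spoke will not register")
        if not any(l.startswith("tunnel protection ipsec profile ") for l in body):
            findings.append(f"{tun}: GRE tunnel has no IPsec protection")
    for acl, body in _blocks(config, r"^ip access-list extended ").items():
        wide = [l for l in body if re.match(r"permit (gre|esp|udp|icmp) any any", l)]
        if wide:
            findings.append(f"{acl}: {len(wide)} 'any any' permits; restrict to hub/spoke public addresses")
    return findings

SPOKE_SAMPLE = """\
crypto isakmp policy 10
 group 2
 hash md5
crypto ipsec transform-set ESP-AES-MD5 esp-aes 256 esp-md5-hmac
crypto ipsec profile DMVPNIpsecProfile
 set transform-set dmvpn-aes-sha
interface Tunnel0
 ip address 10.10.10.11 255.255.255.255
 ip nhrp map multicast 198.51.100.1
 ip nhrp map 10.10.10.10 198.51.100.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPNIpsecProfile
ip access-list extended inbound
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
"""
```

Running lint_dmvpn(SPOKE_SAMPLE) yields four findings; once the transform-set name, the nhs line, the ISAKMP settings and the ACL sources are fixed, it returns an empty list.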

SIP: SIP Response Codes

Here is a list of SIP response codes, very useful when troubleshooting SIP in Wireshark.

1xx - Informational Responses

  • 100 Trying (An extended search is being performed and may take a significant time, so a forking proxy must send a 100 Trying response)
  • 180 Ringing
  • 181 Call Is Being Forwarded
  • 182 Queued
  • 183 Session Progress

2xx - Successful Responses

  • 200 OK
  • 202 Accepted (Indicates that the request has been understood but not actually processed)

3xx - Redirection Responses

  • 300 Multiple Choices
  • 301 Moved Permanently
  • 302 Moved Temporarily
  • 305 Use Proxy
  • 380 Alternative Service

4xx - Client Failure Responses

  • 400 Bad Request
  • 401 Unauthorized (Used only by registrars or user agents. Proxies should use proxy authorization 407)
  • 402 Payment Required (Reserved for future use)
  • 403 Forbidden
  • 404 Not Found (User not found)
  • 405 Method Not Allowed
  • 406 Not Acceptable
  • 407 Proxy Authentication Required
  • 408 Request Timeout (Couldn't find the user in time)
  • 410 Gone (The user existed once, but is not available here any more.)
  • 412 Conditional Request Failed
  • 413 Request Entity Too Large
  • 414 Request-URI Too Long
  • 415 Unsupported Media Type
  • 416 Unsupported URI Scheme
  • 417 Unknown Resource-Priority
  • 420 Bad Extension (Bad SIP Protocol Extension used, not understood by the server)
  • 421 Extension Required
  • 422 Session Interval Too Small
  • 423 Interval Too Brief
  • 428 Use Identity Header
  • 429 Provide Referrer Identity
  • 433 Anonymity Disallowed
  • 436 Bad Identity-Info
  • 437 Unsupported Certificate
  • 438 Invalid Identity Header
  • 480 Temporarily Unavailable
  • 481 Call/Transaction Does Not Exist
  • 482 Loop Detected
  • 483 Too Many Hops
  • 484 Address Incomplete
  • 485 Ambiguous
  • 486 Busy Here
  • 487 Request Terminated
  • 488 Not Acceptable Here
  • 489 Bad Event
  • 491 Request Pending
  • 493 Undecipherable (Could not decrypt S/MIME body part)
  • 494 Security Agreement Required 

5xx - Server Failure Responses

  • 500 Server Internal Error
  • 501 Not Implemented: The SIP request method is not implemented here
  • 502 Bad Gateway
  • 503 Service Unavailable
  • 504 Server Time-out
  • 505 Version Not Supported: The server does not support this version of the SIP protocol
  • 513 Message Too Large
  • 580 Precondition Failure

6xx - Global Failure Responses

  • 600 Busy Everywhere
  • 603 Decline
  • 604 Does Not Exist Anywhere
  • 606 Not Acceptable

SIP: SIP Profile Parameters and their usage



DontFwdRefer Usage: DontFwdRefer=[0|1]
When this parameter is set to 1, it inhibits the use of REFER for transfer on the trunk. It also inhibits sending INVITE with a Replaces header. The peer must support INVITE without SDP for certain transfer call-flows.

SendMacIn911CallSetup Usage: SendMacIn911CallSetup=[0|1]
This parameter is used in conjunction with SIP-based emergency gateways, such as those provided by 911 Enable. It appends the MAC address of the IP phone to the From tag of an outgoing emergency call, for example: From: "Dizzy Gillespie ;tag=shorUA_1077733456-103455277-EPID-001049042E4A
This only applies to ShoreTel IP phones, excluding the IP-8000 conference room phone.

StripVideoCodec Usage: StripVideoCodec=[0|1]
This parameter should be set to 1 if the trunk does not support video properly. When set to 1, it strips video codecs from the SDP in INVITEs sent to the trunk and properly restores and rejects the video media lines in the 200 response from the trunk. It also strips video codecs from INVITEs coming from the trunk and properly restores and rejects the video media lines in the 200 response to the trunk.

AddG729AnnexB_NO Usage: AddG729AnnexB_NO=[0|1] 
This parameter should be set to 1 if the trunk does not support G729 Annex B properly.  When this is set, any outgoing INVITE with G729 in the SDP will have the attribute "a=fmtp:18 annexb=no" added to the SDP.

HistoryInfo Usage: HistoryInfo=[none|diversion|history] 
This parameter controls how information is presented when an external incoming call is forwarded out this trunk. In this case, the "From" header will indicate the actual caller, which may not be a valid number to present to the trunk. The Diversion or History-Info header will be used to indicate the DID number of the user on whose behalf the call was forwarded.
If set to 'none' or omitted, then no indication of the forwarding number is presented.  If set to 'diversion', the SIP Diversion header is supplied, as dictated by RFC 5806.  If set to 'history', the SIP History-Info header is supplied, as dictated by RFC 4244.

EnableP-AssertedIdentity Usage: EnableP-AssertedIdentity=[0|1]
This profile parameter controls how Caller-ID is presented on outbound calls. If it is set to 0 or not present, then the old style of presenting caller-ID in the From header is used when sending outgoing calls. Note that the style of presenting blocked caller-ID has changed in ShoreTel 12.
When set to 1, the Caller-ID is placed in the P-Asserted-Identity header. If privacy is indicated for the call (the user dials *67, or the trunk group is configured to not send Caller-ID), then a Privacy header is inserted with value "id", and the From header is anonymous.
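The identity headers this parameter produces, including the blocked-caller case, as an added Python example (not ShoreTel code): it builds From / P-Asserted-Identity / Privacy the way the description above implies and shows the check a trusted peer must apply before forwarding outside its trust domain (RFC 3325: drop PAI when "Privacy: id" is set). The anonymous From format, the tag value and the number 2625550100 are assumptions.

```python
"""Identity headers on an outbound call under EnableP-AssertedIdentity, with privacy handling.

Added example, not ShoreTel code: it builds the From / P-Asserted-Identity / Privacy headers
the parameter description implies, and shows the check a trusted peer must apply before
forwarding to an untrusted network (RFC 3325: drop PAI when 'Privacy: id' is set).
The anonymous From format and the tag value are assumptions.
"""
from typing import Dict

ANON_FROM = '"Anonymous" <sip:anonymous@anonymous.invalid>'
TAG = "shorUA_1"   # constructed From tag

def identity_headers(number: str, display: str, trunk_host: str,
                     enable_pai: int, privacy: bool) -> Dict[str, str]:
    """Headers the PBX sends: legacy From-only style (0) or PAI style (1)."""
    uri = f'"{display}" <sip:{number}@{trunk_host}>'
    headers: Dict[str, str] = {}
    if enable_pai == 1:
        headers["P-Asserted-Identity"] = uri     # asserted identity, even when the caller blocks it
        if privacy:                               # *67, or trunk group set to not send Caller-ID
            headers["From"] = f"{ANON_FROM};tag={TAG}"
            headers["Privacy"] = "id"
        else:
            headers["From"] = f"{uri};tag={TAG}"
    else:
        headers["From"] = f"{ANON_FROM if privacy else uri};tag={TAG}"
    return headers

def privacy_respected(headers: Dict[str, str], number: str) -> bool:
    """True if a blocked caller's number is absent from From, the header every hop sees."""
    return number not in headers.get("From", "")

def forward_to_untrusted(headers: Dict[str, str]) -> Dict[str, str]:
    """What a trusted peer must send onward outside the trust domain."""
    out = dict(headers)
    if out.get("Privacy") == "id":
        out.pop("P-Asserted-Identity", None)     # PAI must not leave the trust domain
    return out

def leaks_identity(headers: Dict[str, str], number: str) -> bool:
    """True if a 'Privacy: id' call still carries the number in any header as given."""
    if headers.get("Privacy") != "id":
        return False
    return any(number in value for value in headers.values())

if __name__ == "__main__":
    blocked = identity_headers("2625550100", "Jeremy", "1.1.2.1", 1, True)
    print("inside trust domain:", blocked)
    print("forwarded outside:", forward_to_untrusted(blocked))
```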

Port Usage: Port=[5060|1-65535]
This profile parameter changes the remote port used for the SIP trunk. Currently, there is no way to configure the port number for SIP trunks in ShoreWare Director; only port 5060 is supported. This profile parameter allows the port number for a trunk group to be configured.

HairPin Usage: HairPin=[0|1] 
This profile parameter controls whether hairpinning is allowed on SIP trunk calls. When enabled and available, features like barge-in, silent monitoring, whisper page, whisper coach and call record are supported on the SIP trunks.

OptionsPing Usage: OptionsPing=[0|1] 
This profile parameter controls if OPTIONS message should be sent to remote party for detecting connectivity

OptionsPeriod Usage: OptionsPeriod=[180|60-3600] 
This profile parameter is used to control the time interval between SIP OPTIONS messages

OverWriteFromUser Usage: OverWriteFromUser=[none|UserID|BTN] 
This profile parameter is used to choose either user’s id or billing phone number in the FROM header when making calls

DontAdvertiseUpdate Usage: DontAdvertiseUpdate=[0|1]
This profile parameter is used to decide if UPDATE should be sent in the SUPPORTED header

RFC2543Hold Usage: RFC2543Hold=[0|1]
This profile parameter is used to decide if the connection field should be set to 0.0.0.0 when sending an outgoing INVITE for hold

AlwaysSend180 Usage: alwaysSend180=[0|1]
This profile parameter is used to decide if a 180 will be sent out right away after receiving an incoming INVITE

IgnoreEarlyMedia Usage: IgnoreEarlyMedia=[0|1]
This profile parameter is used to decide if early media should be forwarded to the caller; when a SIP device doesn't wish to accept early media, this parameter should be set to 1

Register Usage: Register=[0|1]
This profile parameter is used to decide if outgoing REGISTER messages should be sent

RegisterUser Usage: RegisterUser=[BTN|UserID|DID] 
This profile parameter is used to decide in what to use in FROM header in the outgoing REGISTER messages

RegisterExpiration Usage: RegisterExpiration=[3600|60-86400]
This profile parameter is used to decide the time interval between outgoing REGISTER messages

1CodecAnswer Usage: 1CodecAnswer=[0|1]
This profile parameter is used to decide if the SDP should contain only 1 codec for an outgoing answer.



SIP Extension Profile Parameters:


1CodecAnswer Usage: 1CodecAnswer=[0|1]
Some devices do not honor the codec order specified in a 200 OK response to an INVITE.  This causes several problems.  First, some endpoints in the system do not support asymmetric codecs during a session.  Second, any bandwidth calculations based on observing the offer/answer exchange will likely be wrong.  When set to 1, only 1 audio codec is sent in a 200 OK response.

AddGracePeriod Usage: AddGracePeriod=[0-1800] 
Some SIP devices re-register too close to the expiration time, introducing a race condition where the system is in the process of deleting the record when the re-register is received. This parameter adds a grace period to the expiration received in the REGISTER request.

AllowedCodecs Usage: AllowedCodecs=[any|[codec[,codec]*] 
Valid values are 'any' (default) or a comma-separated list of codec names. The codec name must be formatted as shown on the Supported Codecs page (Administration, Call Control, Supported Codecs), for example 'PCMU/8000'. This should be used if the SIP device cannot follow the normal rules of codec negotiation for all codecs supported in the installation. For example, one particular implementation would reject requests containing some codecs it didn't understand.
This only applies to audio codecs. Video codecs and RFC 2833 'telephony-event' are not affected by this parameter.

DelayUnregister Usage: DelayUnregister=[0-20]
Some devices, under certain circumstances, un-register and then immediately register again. This introduces a race condition similar to the one described under AddGracePeriod. Using this parameter mitigates this problem.

FakeDeclineAsRedirect Usage: FakeDeclineAsRedirect=[0|1|400-606]
Some SIP devices present an option to decline a call.  When invoked, various different response codes have been used by various implementations.  If set to 0, only a 3xx class response will cause the call to be diverted to the busy destination.  If set to 1, 603 will be sent to busy destination as well.  If set to a value from 400 to 606, the selected response code will be used to send the call to the busy destination.

MWI Usage: MWI=[none|subscribe|notify] 
This parameter defines how RFC 3842 Message Waiting Indication is handled.  When set to "subscribe", an explicit subscription is required.  If set to "notify", the NOTIFY messages are sent without requiring a SUBSCRIBE.  If set to "none", then MWI is not supported.

OptionsPing Usage: OptionsPing=[0|1] 
ShoreGear switches can send a periodic OPTIONS message to SIP devices, and mark them Out-Of-Service if they don't respond. There are two benefits to this: calls are diverted immediately to the busy destination, and the event is logged on the server.
The OPTIONS ping occurs periodically between 3 and 4.5 minutes.

OptionsResponse Usage: OptionsResponse=[200-699]
Some devices reject OPTIONS requests, for example with a 405 "Method Not Allowed" response. Such a response can still be used to determine that the device is alive and on the network by setting this parameter to that code. Otherwise, a 405 response would put the device Out-Of-Service.

SendEarlyMedia Usage: SendEarlyMedia=[0|1] 
When set to 1, the device will be sent 183 response with SDP for certain call-flows.  Currently, this is only used in error conditions when an announcement is played.

StripVideoCodec Usage: StripVideoCodec=[0|1] 
This parameter should be set to 1 if the device does not support video properly. When set to 1, it strips video codecs from the SDP in INVITEs sent to the device and properly restores and rejects the video media lines in the 200 response from the device. It also strips video codecs from INVITEs coming from the device and properly restores and rejects the video media lines in the 200 response to the device.

XferFailureNotSupported Usage: XferFailureNotSupported=[0|1]
For scalability reasons, there are a few call-flows that use REFER as a means for the caller to hear ringback tone.  These call-flows rely on the device’s capability to recover from a transfer failure and keep the original call alive.  If the device cannot do this, then this parameter should be set to 1, and an alternative means of providing ringback is used.

Tuesday, July 16, 2019

Routing: Administrative Distance Values

I don't always remember, even though I should, what the AD values of the different routing protocols are.


  • Connected interface = 0
  • Static route = 1
  • Summary route (EIGRP) = 5
  • External Border Gateway Protocol (BGP) = 20
  • Internal EIGRP = 90
  • IGRP = 100
  • OSPF = 110
  • Intermediate System to Intermediate System (IS-IS) = 115
  • Routing Information Protocol (RIP) = 120
  • Exterior Gateway Protocol (EGP) = 140
  • On Demand Routing (ODR) = 160
  • External EIGRP = 170
  • Internal BGP = 200
  • Unknown = 255

General IT: Crossover, Straight through and Loopback cables

Whenever I am installing a new PRI or connecting two PBXs together I always need to make a crossover cable, and I always end up having to look up the pinout. So I thought I would add it here to make it easy on myself for future reference.

Straight Through patch cable



T1 Crossover Cable



T1 Loop-back


General IT: Common TCP/UDP Port Numbers

General IT: IP Network Subnets

ShoreTel: Konftel 300IP and ShoreTel/Mitel Configuration

This will provide you with some detail on how to integrate a Konftel 300IP conference phone into a ShoreTel/Mitel phone system.

Call Control Settings

In SWD navigate to Administration=> Features=>Call Control=>Options and make sure that the parameters (default values) are configured in the SIP section.


Switch Settings

In SWD navigate to Administration=>Appliances/Servers=>Platform Equipment. ShoreTel voice switches can support IP phones and SIP phones in various ways: as a physical port, a DSP resource or built-in capacity. From this page you can see whether any switches are already configured with SIP Proxy resources by looking under the SIP Proxy column.



If no switch at the site has SIP Proxy resources enabled, you will need to find a switch at that site that has an available resource and set it to SIP Proxy.



Navigate to Administration=>Sites=> and then the site you are looking to add the phone to. Scroll down to the SIP proxy switch for that site and, under Proxy Switch 1, click the drop-down and select the phone switch that already has the SIP Proxy resource enabled on it. If you are using more than one switch for SIP Proxy resources, add the second switch in the Proxy Switch 2 field and then enter an IP address into the Virtual IP address box.



SIP Profile

To optimize the Konftel phone's interoperability, a new SIP profile must be created. Navigate to Administration=>Telephones=>SIP Profiles and click New. Name the new SIP profile Konftel 300IP and set the User Agent to "Konftel300IP.*". Then in the Custom Parameter field add "XferFailureNotSupported=1". Make sure the Enable check box is checked and click Save.



User Setup

Navigate to Administration=>Users=>Users and then find the user you wish to set up for the Konftel phone. Scroll down to the SIP password and enter a SIP password for this user. Also make note of the user's Client Username and extension number.



Konftel 300IP Configuration

The best way to configure the Konftel phone is from the web interface. Find the IP address of the phone under Menu=>Status=>Network in the Konftel user interface on the phone. Navigate to that address using a web browser and log in as ADMIN with the default password of 1234 (change this default once the phone is configured).




Navigate to Settings=>SIP to configure the user account that was created on the ShoreTel/Mitel system.

  1. Account name is displayed on the idle screen of the phone
  2. User is the user's extension number
  3. Registrar is the IP address of the SIP Proxy
  4. Authentication name is the ShoreTel Client Username
  5. Password is the ShoreTel SIP password


In SWD navigate to Maintenance=>Status and Maintenance=>IP Phones, then click the Name column to sort by phone name. You should see the Konftel phone in the list, which means the phone has registered with the ShoreTel/Mitel system and is ready to be used.
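What the registration above looks like on the wire, as an added Python example (not Konftel's or ShoreTel's code): the phone's REGISTER is challenged with a 401 and answered using the fields from the SIP page (User = extension, Authentication name = ShoreTel Client Username, Password = SIP password), and the registrar side recomputes the digest from the stored SIP password. The realm, nonce, proxy address 10.0.0.20 and the credentials are constructed values.

```python
"""REGISTER / 401 / REGISTER exchange between a SIP phone like the Konftel and the registrar.

Added example, not Konftel's or ShoreTel's code. Phone fields map as in the list above
(User = extension, Authentication name = ShoreTel Client Username, Password = SIP password).
Realm, nonce, proxy address and credentials are constructed values.
"""
import hashlib
import hmac
import re
from typing import Dict

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_auth_params(value: str) -> Dict[str, str]:
    """Parse 'Digest k="v", k2=v2' into a dict (handles quoted and unquoted values)."""
    return {k: q or u for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)}

def digest_response(auth_name: str, password: str, realm: str, nonce: str, method: str,
                    uri: str, qop: str = "", nc: str = "", cnonce: str = "") -> str:
    """RFC 2617 digest as used by SIP (RFC 3261): MD5(HA1:nonce[:nc:cnonce:qop]:HA2)."""
    ha1 = _md5(f"{auth_name}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def authorization_header(auth_name: str, password: str, registrar: str,
                         challenge: str, cnonce: str = "0a4f9c") -> str:
    """Phone side: answer the 401's WWW-Authenticate challenge for a REGISTER."""
    p = parse_auth_params(challenge)
    realm, nonce, qop = p["realm"], p["nonce"], p.get("qop", "")
    uri, nc = f"sip:{registrar}", "00000001"
    resp = digest_response(auth_name, password, realm, nonce, "REGISTER", uri, qop, nc, cnonce)
    hdr = (f'Digest username="{auth_name}", realm="{realm}", nonce="{nonce}", '
           f'uri="{uri}", response="{resp}"')
    if qop:
        hdr += f', qop={qop}, nc={nc}, cnonce="{cnonce}"'
    return hdr

def registrar_accepts(authorization: str, passwords: Dict[str, str], issued_nonce: str) -> bool:
    """Registrar side: recompute the response from the stored SIP password and compare."""
    p = parse_auth_params(authorization)
    user = p.get("username", "")
    if p.get("nonce") != issued_nonce or user not in passwords:
        return False                          # replayed/stale nonce or unknown Client Username
    expected = digest_response(user, passwords[user], p.get("realm", ""), issued_nonce, "REGISTER",
                               p.get("uri", ""), p.get("qop", ""), p.get("nc", ""), p.get("cnonce", ""))
    return hmac.compare_digest(expected, p.get("response", ""))

# Constructed exchange: the proxy at 10.0.0.20 challenges, the Konftel answers with the SIP password
CHALLENGE = 'Digest realm="shoretel.example", nonce="6c2d3e9f", qop="auth"'
SIP_PASSWORDS = {"jsmith": "K0nftel-S1p!"}   # Client Username -> SIP password set in SWD

if __name__ == "__main__":
    auth = authorization_header("jsmith", "K0nftel-S1p!", "10.0.0.20", CHALLENGE)
    print(auth)
    print("REGISTER accepted:", registrar_accepts(auth, SIP_PASSWORDS, "6c2d3e9f"))
```

A phone that shows up under IP Phones in SWD has completed exactly this exchange; a wrong SIP password or Client Username fails the recomputation and the registrar answers 401 again.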