Solved 503 Certificate Validation Failure - Outbound Calls

Discussion in '3CX Phone System - General' started by brianoakes, Feb 13, 2018.

Thread Status:
Not open for further replies.
  1. brianoakes

    Joined:
    May 12, 2012
    Messages:
    87
    Likes Received:
    0
    Howdy!

    Yesterday around 4:45pm we started getting this message on all outbound calls. Inbound works great. Internal to internal works great, incoming from the outside are fine.

    0.0.0.0 replied: 503 Certificate Validation Failure; warning: No other DNS entries to try (11,0); internal

    We have rebooted the PBX etc. We are using Fusion Connect IP Register. No configuration changes occurred and we are able to do an NSLOOKUP and resolve the server name in our configuration to 2 IPs.

    3CX 15.5.8801.3

    Name: ln01-05.fs.broadvox.net
    Addresses: 208.93.226.216
    208.93.227.216

    Any ideas?
     
  2. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    4,349
    Likes Received:
    274
    Hello @brianoakes

    Are you using an IP based trunk or a register based trunk? Can you run the firewall checker and let us know of the results?
     
  3. brianoakes

    This is an IP based trunk. I ran the firewall checker last night, everything was green.

    I have a ticket open, waiting for Fusion to call me back.
     
  4. brianoakes

    I just got off the phone with Fusion. They don't see any traffic making it from our IP to their end. Looking at a local wireshark, I don't see any SIP traffic leaving the server to either one of their IPs. I do see lots of activity from extensions etc.

    Going back over the logs I noticed this when I rebooted the server last night. When a user tries to dial out, they get a busy signal, could these events be a factor? If so... any ideas where to look?

    02/12/2018 7:58:18 PM - Failed to add outbound CID reformating rule for DN:10000: <Rules />
    02/12/2018 7:58:18 PM - Failed to add outbound CID reformating rule for DN:10000: <Rules />
     
  5. YiannisH_3CX

    Please note that since SP3 we support sips for providers that have SRV records pointing to sips. Fusion seems to have such SRV records so you are trying to connect using sips. However they do not seem to be using a public trusted certificate and that is why it probably fails.
    Try using transport-tcp.ln01-05.fs.broadvox.net as registrar for the trunk and let me know if that works
     
  6. brianoakes

    Changing from ln01-05.fs.broadvox.net to transport-tcp.ln01-05.fs.broadvox.net now allows outbound calls.

    Do you have the technical details as to the difference? I want to provide the details to Fusion when we get on a call in a few mins.
     
  7. YiannisH_3CX

    In SP3 we have started implementing SIP TLS with providers and we auto select this if the provider offers it in the SRV records.

    Since Fusion has such SRV records we try to connect using SIP TLS, but since the certificate they are using does not seem to be trusted by your OS, the TLS handshake failed, causing the problem.

    The full implementation for SIP TLS is coming to a future service pack.

    For the time being you have 2 options to force a provider not to use TLS even if they have an SRV for it:

    • If they support SIP over TCP you can prepend transport-tcp. to your registrar and force the PBX to use TCP to communicate to the provider.
    • If this is not an option you can go to settings / Security and disable SIP TLS globally for the whole PBX.
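
Added example, not part of the thread and not 3CX code: a Python check of what the reply above describes, listing a provider's `_sips._tcp` SRV targets and testing each certificate against the OS trust store. The domain `sip.example.net`, the SRV sample and the function names are constructed, and matching the certificate against the SIP domain rather than the SRV target is an assumption.

```python
import socket
import ssl

# Constructed sample of `dig +short SRV _sips._tcp.sip.example.net` output
# (priority weight port target); not the provider's real records.
SAMPLE_SRV = """\
20 10 5061 sbc2.sip.example.net.
10 10 5061 sbc1.sip.example.net.
"""

def parse_srv(dig_output):
    """Return (priority, weight, port, target) tuples, lowest priority first."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue  # skip blank lines and anything that is not an SRV answer
        prio, weight, port = map(int, parts[:3])
        records.append((prio, weight, port, parts[3].rstrip(".")))
    return sorted(records, key=lambda r: (r[0], -r[1]))

def verify_tls(target, port, sip_domain, timeout=5.0):
    """Handshake against the OS trust store; return (status, detail)."""
    ctx = ssl.create_default_context()  # system CAs, hostname check enabled
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            # Assumption: the certificate must name the SIP domain.
            with ctx.wrap_socket(raw, server_hostname=sip_domain) as tls:
                return ("trusted", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # Chain or name rejected, e.g. "unable to get local issuer certificate"
        return ("untrusted", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("unreachable", str(exc))

def diagnose(sip_domain, dig_output, verifier=verify_tls):
    """Check every advertised sips target; an empty list means no sips SRV."""
    return [(target, port) + verifier(target, port, sip_domain)
            for _, _, port, target in parse_srv(dig_output)]

def advice(results):
    """Map the per-target results to the outcome discussed in the thread."""
    if not results:
        return "no sips SRV: TLS is not offered by the provider"
    if all(status == "trusted" for _, _, status, _ in results):
        return "sips targets validate: TLS handshake should succeed"
    return "sips advertised but not trusted: handshake will fail"

if __name__ == "__main__":
    print(advice(diagnose("sip.example.net", SAMPLE_SRV)))
```

Run it on the PBX host itself, since the result depends on that machine's trust store; the `verifier` parameter lets the logic be exercised without network access.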
     
  8. brianoakes

    Thank you very much. That did the trick, and I have provided the information to Fusion. They said they will make a note of it.
     
  9. YiannisH_3CX

    Glad to see the issue has been resolved.
     