Secure-SIP TLS error + hundreds of extra phone instances

Discussion in '3CX Phone System - General' started by nienunb, Apr 9, 2010.

Thread Status:
Not open for further replies.
  1. nienunb

    Joined:
    Mar 10, 2009
    Messages:
    15
    Likes Received:
    0
    Hello everyone,

    After following the exact directions from the 3CX blog regarding Secure-SIP (http://www.3cx.com/blog/voip-howto/secure-sip), we've been experiencing some weird things.

    We're running ver. 8.0.10824.716 of the phone system, using Snom 320 phones (firmware 7.3.14).

    Every time a phone registers, this message is generated in the server activity log (there are 3 extensions registering in the snippet below, ext. 201, 208 and 216):

    Kindly place all logs in code and /code tags - MFM
    Code:
    09:26:53.061  Got TLS read ret=0 error=5 error:00000005:lib(0):func(0):DH lib
    09:26:44.967  [CM504001]: Ext.208: new contact is registered. Contact(s): 
    [sip:208@192.168.2.67:2936;transport=tls;line=pclz0ezg/208,sip:208@192.168.2.67:2935;transport=tls;line=pclz0ezg/208,
    sip:208@192.168.2.67:2932;transport=tls;line=pclz0ezg/208,sip:208@192.168.2.67:2934;transport=tls;line=pclz0ezg/208,
    sip:208@192.168.2.67:2933;transport=tls;line=pclz0ezg/208,sip:208@192.168.2.67:2930;transport=tls;line=pclz0ezg/208,
    sip:208@192.168.2.67:2931;transport=tls;line=pclz0ezg/208]
    09:26:16.935  Got TLS read ret=0 error=5 error:00000005:lib(0):func(0):DH lib
    09:26:14.154  [CM504001]: Ext.216: new contact is registered. Contact(s): 
    [sip:216@192.168.2.73:2866;transport=tls;line=v9i7uj4n/216,sip:216@192.168.2.73:2865;transport=tls;
    line=v9i7uj4n/216]
    09:26:03.435  Got TLS read ret=0 error=5 error:00000005:lib(0):func(0):DH lib
    09:25:52.810  [CM504001]: Ext.201: new contact is registered. Contact(s): 
    [sip:201@192.168.2.72:2058;transport=tls;line=beps9t51/201,sip:201@192.168.2.72:2056;transport=tls;
    line=beps9t51/201]
    
    Also, before enabling SecureSIP/TLS per the blog post, each Snom phone was shown ONCE in the Phones section. Now, there are literally HUNDREDS of instances of EACH PHONE in the Phones section.

    We are thinking of rolling back to UDP without using TLS, but would rather not.
    If anyone has any suggestions, or comments, please let me know! I appreciate your help.

    Nienunb.
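As an added example (not code from the original post or from 3CX), the following script parses activity-log lines in the format quoted above, counts the "Got TLS read" errors, and flags extensions that have accumulated several distinct host:port contacts, which is the registration pattern behind the duplicated phone entries. The sample log is constructed from the lines above, with each registration kept on one line.

```python
import re
from collections import namedtuple

Contact = namedtuple("Contact", "host port transport")

# Constructed sample modelled on the log quoted above (entries kept on one line).
SAMPLE_LOG = """\
09:26:53.061  Got TLS read ret=0 error=5 error:00000005:lib(0):func(0):DH lib
09:26:44.967  [CM504001]: Ext.208: new contact is registered. Contact(s): [sip:208@192.168.2.67:2936;transport=tls;line=pclz0ezg/208,sip:208@192.168.2.67:2935;transport=tls;line=pclz0ezg/208,sip:208@192.168.2.67:2932;transport=tls;line=pclz0ezg/208]
09:26:16.935  Got TLS read ret=0 error=5 error:00000005:lib(0):func(0):DH lib
09:26:14.154  [CM504001]: Ext.216: new contact is registered. Contact(s): [sip:216@192.168.2.73:2866;transport=tls;line=v9i7uj4n/216,sip:216@192.168.2.73:2865;transport=tls;line=v9i7uj4n/216]
09:25:52.810  [CM504001]: Ext.201: new contact is registered. Contact(s): [sip:201@192.168.2.72:2058;transport=udp/201]
"""

REG_RE = re.compile(r"\[CM504001\]: Ext\.(\d+): new contact is registered\. Contact\(s\): \[(.*)\]")
CONTACT_RE = re.compile(r"sip:[^@]+@([^:;]+):(\d+)((?:;[^;,]*)*)")
TLS_ERR_RE = re.compile(r"Got TLS read ret=\d+ error=\d+")

def parse_contact(entry):
    """Turn one 'sip:user@host:port;params' entry into a Contact (None if unparseable)."""
    m = CONTACT_RE.search(entry)
    if not m:
        return None
    host, port, params = m.groups()
    t = re.search(r"transport=(\w+)", params)
    return Contact(host, int(port), t.group(1).lower() if t else "udp")

def parse_activity_log(text):
    """Count 'Got TLS read' errors and collect registered contacts per extension."""
    regs, tls_errors = {}, 0
    for line in text.splitlines():
        if TLS_ERR_RE.search(line):
            tls_errors += 1
            continue
        m = REG_RE.search(line)
        if m:
            ext, body = m.groups()
            contacts = [c for c in (parse_contact(e) for e in body.split(",")) if c]
            regs.setdefault(ext, []).extend(contacts)
    return {"tls_read_errors": tls_errors, "registrations": regs}

def flag_multi_contact_extensions(registrations, limit=1):
    """Return {ext: distinct host:port count} for extensions holding more than
    `limit` distinct contacts, the symptom behind the duplicated phone entries."""
    flagged = {}
    for ext, contacts in registrations.items():
        distinct = {(c.host, c.port) for c in contacts}
        if len(distinct) > limit:
            flagged[ext] = len(distinct)
    return flagged
```

Running it over a real activity log lets you see at a glance which phones keep re-registering on fresh TLS ports and whether each registration is paired with a TLS read error.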
     
  2. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    First step is to connect 3CX Phone using TLS and verify environment/functionality. Next step is to connect Snom phones.

    Thanks
     
  3. nienunb

    Joined:
    Mar 10, 2009
    Messages:
    15
    Likes Received:
    0
    When connecting/registering the 3CX phone using TLS (again, following the exact instructions from the blog post - http://www.3cx.com/blog/voip-howto/secure-sip), here's what I get from the server activity log:

    Code:
    11:41:46.001  [CM504001]: Ext.206: new contact is registered. Contact(s): [sip:206@192.168.2.20:1636;rinstance=c97f5e8cb9fa87b9;transport=TLS/206]
    11:41:45.798  [CM504002]: Ext.206: a contact is unregistered. Contact(s): []
    11:41:45.282  TLS handshake failed 
    11:41:45.282  socket error 10053
    11:41:45.079  [CM504001]: Ext.206: new contact is registered. Contact(s): [sip:206@192.168.2.20:1635;rinstance=0e5076d90dbd7add;transport=TLS/206]
    11:41:44.313  Got TLS read ret=0 error=6 error:00000006:lib(0):func(0):EVP lib
    11:41:39.390  [CM504002]: Ext.206: a contact is unregistered. Contact(s): []
    
    Thank you for responding!
    Nienunb
     
  4. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    11:41:45.282 TLS handshake failed
    means that the certificates have been incorrectly generated/signed, or don't provide correct information about the server.
    I can be wrong, don't accept my comment as a pointer to the source of problems. TLS is quite "delicate". It is very easy to make a mistake.

    By the way, do you have numerous devices in case of 3CX Phone?
     
  5. nienunb

    Joined:
    Mar 10, 2009
    Messages:
    15
    Likes Received:
    0
    Thank you for your insight, Stepan.
    We have (3) 3CX phones and (11) Snom phones connected to the server at this time.

    Nienunb.
     
  6. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    Sorry for my English.

    My question was about the following thing:
    You have defined a problem in your previous post:
    The question was: Does it happen if you are trying to connect 3CX Phone using TLS transport?

    Thanks
    P.S. Again, excuse me for "fuzzy" questions :)
     
  7. nienunb

    Joined:
    Mar 10, 2009
    Messages:
    15
    Likes Received:
    0
    Sorry to be posting an answer so late....

    The multiple phone issue does NOT happen with the 3CXPhone. I am running version 4.0.10858.
    However, the 3CXPhone simply does not connect. It says "Connecting" until I change the settings back to use UDP as the transport protocol.

    Also, every time I try to register the 3CXPhone using TLS and the certificate I created, this message is logged in the server activity log:

    Code:
    10:00:10.725  Exception thrown from Transportprocess: ParseException .\ParseBuffer.cxx:79, Parse failed skipped over eof in context: 
      ****_***[**K**zkR***$m*r\***S*0****B**>**j%**4*****9*5*8*****3*/*2***
                                                                           ^
       @ .\ParseBuffer.cxx:79
    
    Any additional ideas?

    Thank you,
    Nienunb
     
  8. dukejames

    Joined:
    May 22, 2010
    Messages:
    11
    Likes Received:
    0
    I'm having the same issue with the 3CX Phone. I've been trying to figure it out for a little over a month now but can't seem to find the answer in the forums.

    Without TLS enabled, I can connect a 3CX Phone to the 3CX Phone System (free edition) within a LAN and over the Internet. But when I follow the instructions from the blog, the 3CX phone says it's connecting but never does. I get the following error from the server activity logs.


    Has anyone followed the instructions from the blog successfully and could provide some insight? http://www.3cx.com/blog/voip-howto/secure-sip/
     
  9. nienunb

    Joined:
    Mar 10, 2009
    Messages:
    15
    Likes Received:
    0
    Dukejames - thank you for posting your message. I'm glad to hear that I'm not the only one with this issue!

    It's strange to me that this happens right "out of the box" when configuring TLS with the 3CXPhone. It's almost like something in the blog instructions http://www.3cx.com/blog/voip-howto/secure-sip/ are incorrect.
     
  10. dukejames

    Joined:
    May 22, 2010
    Messages:
    11
    Likes Received:
    0
    Nienunb

    I agree. From what I've seen, I'm following the instructions properly. I've tried following the instructions several times, behind a firewall using NAT and 3 different networks. Each time, the firewall checker passes and my 3cx Phones register with the phone system. But I can never get TLS supported.

    Either today or tomorrow, I'm going to give the 3cx phone system a public IP address; in this way it will only be behind a modem and the router provided by the ISP. I will disable the Windows Firewall and allow all inbound/outbound traffic. I will reconfigure the 3cx to use the external IP address, register phones to it through the internet using 2 ISPs and again see if TLS will work.

    Again, if someone does have this working I'd love some feedback. My solution requires that the users of 3cx not depend on VPN for encrypted communications.

    Thanks!
     
  11. dukejames

    Joined:
    May 22, 2010
    Messages:
    11
    Likes Received:
    0
    Alright, I gave it a static IP address and tried it out all over again. It didn't work................. :cry:

    This is so frustrating.

    No wait, I forgot to start off from scratch.

    No, it still doesn't work! Auggh! :x

    I receive the same error in the server activity log. Please help!
     
  12. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    specify server address as serverIP:5061 in phone configuration.
     
  13. dukejames

    Joined:
    May 22, 2010
    Messages:
    11
    Likes Received:
    0
    Unfreaking believable! Thanks so much Stephan! Let me know where to send the fruit basket! :p

    I'm putting the system back behind my firewall to confirm everything is still working.
     
  14. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    The other option is to leave everything as was before but tick "Use Outbound proxy server" and set it to serverIP:5061. This option at the bottom of "Connection settings" dialog.
     
  15. dukejames

    Joined:
    May 22, 2010
    Messages:
    11
    Likes Received:
    0
    When I placed the 3cx in front of my firewall, and followed the directions of adding 'server:5061' to the "I am out of the office - external IP" line, it connects. I'm able to dial '999' and hear the automated message.

    When I put the 3cx system behind the firewall, I added a port forwarding rule for '5061' to the 3cx server. Next, I recreated the certificate so it would apply to the correct IP address. I then followed the same 3cx phone instructions and it connects.

    However, when I dial 999, the 3CX Phone displays 'Forbidden'. The server activity log displays
    I then decided to follow the alternate instructions, which were to add 'server:5061' in the Outbound Proxy server instead; the 3cx phone connects. However the server activity log shows:

    After that, I dialed 999 but I can't hear anything. The server activity log shows:

    So now I'm even more confused. Was I supposed to port forward 2707 or 40600?

    Am I having a source identification issue and need to refer to ( http://www.3cx.com/blog/docs/source-identification-issues/ )

    Are you having any luck Nienunb?

    Thanks again for the help SY! I realized the 5061 entry within the blog for the Xlite and Snom phones but kept focusing on the 3cx instructions. I wish there was a way I could suggest a rewrite but I can't write a comment on the blog.
     
  16. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,110
    Likes Received:
    143
    try the new phone we released today - available from blog.
    Basically you need to follow the instructions on the how to configure 3CXPhone with tls and in the ip address field put the IP:port which is 5061
     
  17. dukejames

    Joined:
    May 22, 2010
    Messages:
    11
    Likes Received:
    0
    I drove to another network and tried it again with 3cx ver. 4.0.10858.0. Instead of connecting, it said 'Server Unreachable' and eventually 'Not Connected'. The 3cx log stated

    After downloading the newest version of the 3cx phone ver 4.0.12857.0, I'm experiencing the same error messages.

    I can connect to it using udp but not tls.

    James
     
  18. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,110
    Likes Received:
    143
    What version of 3CX Are you using?
    Did you ever get this working? probably there is a problem with the certificate.
     
  19. dukejames

    Joined:
    May 22, 2010
    Messages:
    11
    Likes Received:
    0
    As an update:

    When I'm at the office (locations of the 3cx server) I'm able to connect via port 5061 and receive audio from the voice mail.

    When I'm outside of the office, I'm able to connect via port 5061 but I do not receive audio from voice mail.

    The PhoneSystem version is 8.0.10824.716 and I've tried both 3cxPhones 4.0.10858 and 4.0.12857.

    Yes Nickybrg, you are correct, I was having trouble with the certificate. I simply had to re-import the correct one.

    I've gone through my firewall settings and have the following

    External to PhoneSystem (TCP 5061 and UDP 5060, 7000-7500)
    Phonesystem to External (TCP: 5090 and UDP: 3478, 40000-40019, 9000-9049)

    The only thing I see in the server activity log which appears to be bad is

    I'm lost here. Are my firewall rules wrong? I did test these rules in another scenario using a different firewall and it worked. The only thing is, I couldn't use an external IP address. I just had a LAN and DMZ.

    Any thoughts?
     
  20. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,110
    Likes Received:
    143
    I don't understand what you mean by this

    You need to open these ports on the firewall OUTSIDE -> IN (port forward to Phone System ip address)

    UDP TCP 5060 SIP (normally udp is enough but you might have sip on tcp)
    TCP 5061 TLS
    udp and tcp 5090
    UDP 9000-9049 (audio rtp udp)
    UDP: 3478

    7000-7500 - this is wrong - the range must start even and end odd - therefore 7000-7499.
    You do not need to open this on the firewall outside in. These are ports for int use only. Int calls only.

    let me know.
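As an added example (not the project's own code or an official 3CX reference), this script transcribes the OUTSIDE -> IN port list from the reply above into a required set, applies the even-start/odd-end rule to media port ranges, and audits the inbound rules the earlier post listed against it. The port list is assumed from this thread only.

```python
# OUTSIDE -> IN port forwards as listed in the reply above (transcribed from
# the post, not an official 3CX reference).
REQUIRED_INBOUND = {
    ("udp", 5060, 5060), ("tcp", 5060, 5060),   # SIP (udp normally enough)
    ("tcp", 5061, 5061),                        # TLS
    ("udp", 5090, 5090), ("tcp", 5090, 5090),   # 5090 on both transports
    ("udp", 9000, 9049),                        # audio RTP
    ("udp", 3478, 3478),
}

def check_rtp_range(start, end):
    """RTP uses an even port and RTCP the next odd port, so a media range
    must start even and end odd. Returns (ok, (start, end) to use instead)."""
    fixed_start = start if start % 2 == 0 else start + 1
    fixed_end = end if end % 2 == 1 else end - 1
    return (fixed_start, fixed_end) == (start, end), (fixed_start, fixed_end)

def audit_inbound_rules(configured):
    """configured: iterable of (proto, first_port, last_port) tuples.
    Returns (missing required rules, rules not needed inbound, misaligned ranges)."""
    conf = {(proto.lower(), s, e) for proto, s, e in configured}
    missing = sorted(REQUIRED_INBOUND - conf)
    extra = sorted(conf - REQUIRED_INBOUND)
    bad_ranges = []
    for proto, s, e in sorted(conf):
        if s != e:  # only multi-port media ranges need even/odd alignment
            ok, fixed = check_rtp_range(s, e)
            if not ok:
                bad_ranges.append(((proto, s, e), fixed))
    return missing, extra, bad_ranges

# Constructed from the "External to PhoneSystem" rules the poster listed earlier.
POSTED_INBOUND = [("tcp", 5061, 5061), ("udp", 5060, 5060), ("udp", 7000, 7500)]

if __name__ == "__main__":
    for label, items in zip(("missing", "not needed inbound", "misaligned"),
                            audit_inbound_rules(POSTED_INBOUND)):
        print(label, items)
```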
     