SIP authorization by IP address appears broken with Cisco FXO ports

Discussion in '3CX Phone System - General' started by Ted Mittelstaedt, Jul 23, 2017.

Thread Status:
Not open for further replies.
  1. Ted Mittelstaedt

    The setup is follows:

    Cisco 2600 series model 2620 router running Cisco IOS version 12.3 or earlier, with 2 first generation FXO VWIXCs installed, setup as a POTS to SIP trunk gateway.

    The latest 3CX running in a virtual host on ESXi and one of the free 3CX softphones on a PC registered into 3CX.

    The latest FreePBX 13 running in another virtual host on the same ESXi system and the free x-lite softphone running on a PC registered into FreePBX.

    The short summary:

    FreePBX works, 3CX does not.

    The long explanation - and request for further things to investigate:

    Cisco voice version IOS 12.3 and earlier DO NOT support SIP authentication with a userID/password. They ALSO do not support SIP registration. This feature was first introduced in IOS version 12.3T (technology release). In short, every "Cisco config for Asterisk" you see floating around out there on the Internet that lacks an authorization statement under the sip grouping is probably from IOS 12.2 or earlier. (IOS 12.3 was a very limited release and its main interest to Asterisk is that it added in RFC2388 compliance for DTMF relaying.) Unfortunately, Cisco dropped support for the Cisco 2600 series hardware in IOS 12.4, and every newer Cisco router (2800, etc.) in that line requires a next generation version 2 VWIC hardware card, with the exception of the 1760.

    Now getting back to the problem. Asterisk has available 2 channel drivers named chan_sip and chan_pjsip. chan_pjsip was introduced in Asterisk version 12. UNFORTUNATELY it appears that "authentication-less" SIP connections DO NOT WORK with chan_pjsip due either to bugs or configuration issues.

    3CX certainly used chan_sip in the past. I do not know if it uses chan_pjsip now, but if it does, then Cisco IOS version 12.3 and earlier CANNOT initiate a SIP connection to it. (3CX can initiate a connection to IOS 12.3 and earlier for outbound calling, however.) This is true even if the trunk is specifically defined as "Generic with authentication determined by IP address".

    FreePBX by contrast allows the user to run BOTH channel drivers. By default pjsip listens on the traditional 5060 port; chan_sip listens on port 5160. So, it is possible to manually define a trunk in FreePBX that will connect to these devices and will work for both inbound and outbound calls.

    But, it is not possible (not that I can see) to define one in 3CX that functions. You can define it, but it still expects to have registration coming in from the device. This limits 3CX pretty significantly in my view. FreePBX's Linux .iso distribution includes a driver for a hardware voice card; the idea I suppose is you can install it on a PC, install a card in that and plug your trunks in there. But 3CX is very much optimized for running in a virtual host. Thus, trunks can only be connected via SIP in that configuration, so an FXO gateway is a requirement unless you are going full SIP trunks (which people may not want to do for call quality reasons).

    Obviously, a solution is to update to newer Cisco gear, or newer firmware or whatever on that side. And possibly there is a buried configuration option in 3CX that will allow register-less and authorization-based-on-IP-address to work. If so, I would greatly appreciate someone posting this. Otherwise, I would ask the 3CX developers to review the distro and make whatever fixes are needed - whether this is additional configuration options in 3CX or a fix of the pjsip driver.
     
    #1 Ted Mittelstaedt, Jul 23, 2017
    Last edited: Jul 23, 2017
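The registration-less, IP-matched trunk definition the post is talking about, written out as an added example rather than anything taken from Ted's configuration or from FreePBX's generated files. The gateway address (192.0.2.10), the context name and the codec list are assumptions. The sip.conf block is the shape of the working chan_sip setup he describes (a peer matched by host, no secret, chan_sip bound to 5160 as he notes); the pjsip.conf block is the same trunk expressed for chan_pjsip, which he reports did not work for him. Since no credentials are exchanged on either driver, the deny/permit pair and the identify match are the only things restricting who can deliver calls into the trunk context, so they should be as narrow as the gateway's address.

```ini
; sip.conf (chan_sip) -- added example, not from the thread; the address,
; context and codecs are assumptions.
[general]
bindport=5160              ; FreePBX default for chan_sip when pjsip holds 5060
allowguest=no              ; unmatched sources are rejected rather than landing in a context

[cisco2620]
type=peer
host=192.0.2.10            ; static address of the FXO gateway (assumed)
insecure=invite            ; do not challenge the gateway's INVITEs: the IP match is the only check
context=from-pstn          ; inbound PSTN calls enter the dialplan here (assumed context name)
deny=0.0.0.0/0.0.0.0       ; start closed ...
permit=192.0.2.10/255.255.255.255   ; ... and admit only the gateway's address
disallow=all
allow=ulaw
dtmfmode=rfc2833
directmedia=no
qualify=yes

; pjsip.conf (chan_pjsip) equivalent: there is no auth/outbound_auth section,
; and the identify section maps the source address onto the endpoint.
[cisco2620]
type=endpoint
context=from-pstn
disallow=all
allow=ulaw
dtmf_mode=rfc4733
direct_media=no
aors=cisco2620

[cisco2620]
type=aor
contact=sip:192.0.2.10:5060
qualify_frequency=60

[cisco2620]
type=identify
endpoint=cisco2620
match=192.0.2.10           ; only packets from this address are attributed to the endpoint
```

After a reload, `sip show peers` (chan_sip) and `pjsip show identifies` (chan_pjsip) show whether the gateway address is being matched; an inbound INVITE that still gets a 401 challenge or is rejected as a guest means the source address does not match what is configured, for example because the gateway sends from a different interface.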
  2. Brad Cann

    Why not make your life easier and just update the Cisco firmware, fix umpteen dozen security issues and make it work with just about every other product out there that requires auth on SIP calls?

    Cisco even gives updates out for free if you can link them to a cisco security update that qualifies for the free update and give them the cisco S/N of the device.
     
  3. Ted Mittelstaedt

    "why not make your life easier and just update the cisco firmware"

    As I said, Cisco dropped support for the Cisco 2600 series hardware in IOS 12.4 and every newer Cisco router (2800, etc.) in that line requires a next generation version 2 VWIC hardware card. Upgrading firmware only is an option for different Cisco router models (like the 36xx and 17xx or the later series) in which case you have to upgrade both the router and the VWICs. (in short, buy another router)

    "Cisco even gives updates out for free if you can link them to a cisco security update that qualifies for the free update"

    That policy only applies to mainline releases and it does not allow for jumping versions. For example you can get a free update from 12.1.1 to 12.1.24 or a free update from 12.2.1 to 12.2.24 but you cannot get an update from 12.1 to 12.2. 12.3 is an interim release and isn't eligible for this, I'd have to back-rev to 12.2. In addition, you can only get this "freebie" by opening a TAC case and you can only open a TAC case with a valid contract on the hardware, so the "free update" in practice doesn't really work out all that well. Anyway, it's not necessary to put your own FXO gateway outside of the firewall.

    Also, I have a working config with FreePBX and my 2600 but since this isn't a FreePBX forum it's not really appropriate to post details here. I don't KNOW if 12.4 on ANY Cisco gear will work with 3CX at all at this time.

    Lastly, there is likely other stuff out there (older SIP phones, older FXO gateways, etc.) that may also lack the ability to register in. The point of the post was to document all of this stuff in case someone else ran into it or in case the 3CX developers were unaware of the issue.
     
  4. Brad Cann

    Incorrect on ALL accounts. Cisco can and does give out free IOS upgrades as part of its security practices, even without a valid hardware contract, even between mainline releases. All you need is a valid Cisco login and a link to the security release; log a TAC case, wait a bit and you'll get your download. A hardware service account is NOT necessary.

    http://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html

    And

    https://damn.technology/free-cisco-ios-updates
     
  5. Ted Mittelstaedt

    Read the URL you linked to. Here are the relevant bits:

    "noncontract customers who are eligible for the update may obtain it by contacting the Cisco TAC using any of the means described"

    If you do not have a hardware contract you cannot get access to open a TAC case online. If you don't believe that then post the current URL for opening a TAC case and I'll login to Cisco and try it but I'm betting it will not work. The last hardware device I had under warranty expired a few years back and the customer declined to renew it.

    "To verify their entitlement, individuals who contact the TAC should have available the URL of the Cisco document that is offering the update."

    This is another problem because you cannot browse security notifications without an active contract, they have restricted that part of the website. You cannot look up Cisco defect numbers anymore without an active contract on your login ID. These vulnerabilities are very specific and it is common for them to be present in one feature set but not another.

    "Customers may only install and expect support for software versions and feature sets for which they have purchased a license"

    In short, if you have bought IP Base you can get an update to IP Base only. If you have bought 12.2 you can only get an update to 12.2.

    "customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades"

    In other words, if you get some used Cisco router off eBay that is past the End of Sale date, then you cannot buy an IOS license for it, and since you never bought a license for it originally, you aren't eligible.

    I have actually used this policy once years back to get a "free upgrade". I had to "climb the chain" throughout the Cisco tech support voice tree until I finally got a manager 3 hours later and being on hold after speaking to at least a dozen lower level techs, who opened a "courtesy" TAC case. But, I know Cisco thoroughly since I used to sell a lot of it. Someone unfamiliar with it won't get through the first fence.

    Cisco today is NOT the same Cisco as 15 years ago. They have applied a lot of additional security within the Cisco website and very much control where it is that you can go. It used to be that people could get used Cisco routers cheaply off eBay, then browse through the CSDs until they found a security hole that matched up with whatever IOS release train they wanted, then contact Cisco and use this policy to get firmware for it. That loophole has been closed now.

    They also have tremendously restricted IOS releases. It used to be that when a customer needed a particular feature I would be able to download multiple IOS releases and test them to see if the feature was fully implemented or restricted in some way before making a recommendation to the customer on which one to buy. It also used to be that when Cisco released new IOS versions I could test releases to see if they would fit in the flash and ram of the router. Many times for example I would find that just downgrading the release feature set - running a more limited feature set than what the customer had - would allow a version upgrade to fit within the flash and ram the router came with so we didn't have to go buy more flash and ram for the router if they were on service we could just update to the newer release.

    But nowadays, to be safe, you either tell them to "just order Enterprise" or you run the risk of having them order it and then finding out that it won't work, and then returning the order and re-ordering. And that is a nightmare, let me tell you; I have a customer going through that right now with an ISR (fortunately, they insisted on ordering it from their distributor instead of ordering it through me, so I don't have to deal with that mess).

    I get why Cisco is doing all of this, but philosophically I have huge problems with it. Cisco wails about their stuff being counterfeited all over the place which is why they have got really into the serial number thing - but darn it, they are the ones manufacturing in China and everyone knows that China is the source of all the counterfeited routers out there. Cisco has always hated that when people buy and use their stuff for a few years then don't need it anymore they want to sell it to get the residual value out of it, but they used to allow resellers to sell new feature set licenses so we could "get customers legal" as it were, but they stopped doing that. They also used to let people sell licenses for older gear that was no longer manufactured once more so we could "get customers legal" but they stopped doing that also. They seem unaware that they already got paid a LOT to sell their gear and the license on it a couple years earlier, and there is no difference between a 4 year old router that has been owned by one organization the entire 4 years or a 4 year old router that was owned for 3 years by the original owner then sold to someone else, other than they think that they should get paid twice for the second one.

    And this is all due to pure greed, they just want to do whatever they can to get older devices into the trash. They run an "authorized Cisco refurb" program but when I sold gear off of that I quickly discovered that I had to tell customers "I can get it Cisco refurb but I have to order it -immediately- as in right this second, right here in the conference room, right now" - because an hour later their inventory would change and the part would be gone, they make no attempt at all to have reliable inventory in that program, once more due to greed to try and discourage resellers from quoting off of it.

    They really have made themselves a royal PIA to sell their products. That's why I'm not even considering ever getting near CME. 3CX may be restricted and they may support few devices officially but they cannot hold a candle to Cisco in terms of making their product difficult to sell. And unlike Cisco 3CX understands that many customers start out very small with maybe 1 or 2 employees and without much money, and if you get your gear in front of them when they are small, they will buy more of it later on when they get larger. So nowadays more of the smaller customers get Netgear stuff and in another generation Cisco will have some serious trouble from that company.

    Anyway, I didn't mean to turn this into a rant, but now maybe you see why so many Cisco shops have such a love-hate relationship with them. Their stuff is great - very solid - works for years and all of that - once it's configured and once you find a solid firmware version for it - but they are effing greedy buggers and unless you have more than 5000 nodes under control and a fat budget, they have zero interest in you.
     