Strange issue to some federation partners

  • Question

  • Hi,

    I have a really strange issue - in the past 3 weeks I have tried to fix the problem, but now I am at the end of my skills.

    I've set up a new EDGE Transport Server with Public IP and trusted certificate with Open Federation. I can contact some companies that also have an open federation - that works fine; but to other companies it doesn't work (e.g. hp.com).

    Lync Frontend Server

    NIC 1 192.168.15.111
    NIC 1 192.168.16.111 - (Routing to EDGE)
    GW 192.168.15.1

    NIC1
    EDGE Internal IP
    192.168.16.201
    NO GW

    NIC 2
    Edge External IP
    62.26.159.xxx
    GW 62.26.159.xxx

    These routes are set on EDGE Server:

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
          192.168.0.0    255.255.255.0    62.26.159.xxx       1
          62.26.159.0  255.255.255.248     192.168.15.1       1
              0.0.0.0          0.0.0.0    62.26.159.xxx  Default

    I've checked the certificates on all machines.

    These are our SRV entries on public DNS:

    _sipfederationtls._tcp       IN SRV     100 1 5061 sip.b-s-s.de.
    _sipinternal._tcp        IN SRV     1 100 5061 sip.b-s-s.de.
    _sip._tcp                IN SRV     20 20 5061 sip.b-s-s.de.
    _sip._tls                IN SRV     20 20 443  sip.b-s-s.de.
    _sip._udp                IN SRV     20 20 5060 sip.b-s-s.de.

    When I try to send a message to the federation partner:

    TL_WARN(TF_DIAG) [0]0604.05C0::03/26/2012-07:01:35.775.0000a121 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(145))$$begin_record
    LogType: diagnostic
    Severity: warning
    Text: Routing error occurred; check Result-Code field for more information
    Result-Code: 0xc3e93c7f SIPPROXY_E_ROUTING_MSG_SEND_CLOSED
    SIP-Start-Line: SUBSCRIBE sip:alexander.schoenwald@hp.com SIP/2.0
    SIP-Call-ID: fb9db7a7bd9e4b0086df7beabc0bd05c
    SIP-CSeq: 1 SUBSCRIBE
    Peer: sipfederation.hp.com:5061
    $$end_record

    TL_INFO(TF_PROTOCOL) [0]0604.05C0::03/26/2012-07:01:35.775.0000a0d2 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
    Trace-Correlation-Id: 1785763597
    Instance-Id: 000000BB
    Direction: outgoing;source="local";destination="internal edge"
    Peer: lync.b-s-s.de:63652
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "Michél Picker"<sip:michel.picker@b-s-s.de>;tag=d433e78506;epid=6d512828de
    To: <sip:alexander.schoenwald@hp.com>;tag=2067C0F8638E0474FD4A050720B18C42
    CSeq: 1 SUBSCRIBE
    Call-ID: fb9db7a7bd9e4b0086df7beabc0bd05c
    Via: SIP/2.0/TLS 192.168.16.111:63652;branch=z9hG4bK0378498B.747D4C764D46E05F;branched=FALSE;ms-received-port=63652;ms-received-cid=C00
    Via: SIP/2.0/TLS 192.168.15.73:59168;ms-received-port=59168;ms-received-cid=900
    ms-diagnostics: 1047;reason="Failed to complete TLS negotiation with a federated peer server";WinsockFailureCode="10054(WSAECONNRESET)";WinsockFailureDescription="The peer forced closure of the connection";Peer="sipfederation.hp.com";Port="5061";source="sip.b-s-s.de"
    Server: RTC/4.0
    Content-Length: 0
    ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=sip.b-s-s.de;ms-source-verified-user=verified
    Message-Body: –
    $$end_record

    TL_INFO(TF_DIAG) [0]0604.05C0::03/26/2012-07:01:35.774.0000a08b (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(147))$$begin_record
    LogType: diagnostic
    Severity: information
    Text: Response successfully routed
    SIP-Start-Line: SIP/2.0 504 Server time-out
    SIP-Call-ID: fb9db7a7bd9e4b0086df7beabc0bd05c
    SIP-CSeq: 1 SUBSCRIBE
    Peer: lync.b-s-s.de:63652
    Data: destination="lync.b-s-s.de"
    $$end_record

    TL_ERROR(TF_DIAG) [0]0604.05C0::03/26/2012-07:01:35.770.00009de6 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(143))$$begin_record
    LogType: diagnostic
    Severity: error
    Text: Message was not sent because the connection was closed
    SIP-Start-Line: SUBSCRIBE sip:alexander.schoenwald@hp.com SIP/2.0
    SIP-Call-ID: fb9db7a7bd9e4b0086df7beabc0bd05c
    SIP-CSeq: 1 SUBSCRIBE
    Peer: sipfederation.hp.com:5061
    $$end_record

    TL_ERROR(TF_CONNECTION) [0]0604.05C0::03/26/2012-07:01:35.770.00009db0 (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(160))$$begin_record
    LogType: connection
    Severity: error
    Text: Receive operation on the connection failed
    Local-IP: 62.26.159.190:49173
    Peer-IP: 15.217.8.251:5061
    Peer-FQDN: sipfederation.hp.com
    Peer-Name: sipr2federation2.austin.hp.com
    Connection-ID: 0xF00
    Transport: M-TLS
    Result-Code: 0x80072746 WSAECONNRESET
    Data: fqdn="sipfederation.hp.com";peer-type="FederatedPartner";winsock-code="10054"
    $$end_record

    TL_INFO(TF_PROTOCOL) [0]0604.0778::03/26/2012-07:01:35.768.00009d25 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
    Trace-Correlation-Id: 2731235558
    Instance-Id: 000000BA
    Direction: outgoing;source="local";destination="external edge"
    Peer: sipfederation.hp.com:5061
    Message-Type: request
    Start-Line: NEGOTIATE sip:127.0.0.1:5061 SIP/2.0
    From: sip:sip.b-s-s.de;tag=2067C0F8638E0474FD4A050720B18C42
    To: sip:sipfederation.hp.com
    CSeq: 1 NEGOTIATE
    Call-ID: 3388A1077C2F7A5AD02B
    Via: SIP/2.0/TLS 62.26.159.190:49173;branch=z9hG4bK66450AD1.E8A8CDA6A798205F;branched=FALSE
    Max-Forwards: 0
    Compression: LZ77-64K
    Supported: NewNegotiate,OCSNative,ECC
    Server: RTC/4.0
    Content-Length: 0
    Message-Body: –
    $$end_record

    If you need more information - just post a reply.

    Thx for help.

    *EDIT:

    NTLM 128 Bit authentication has been removed - so there's no minimum required.
    CIPHER has been set to

    set-itemproperty -path "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -name "Functions" -value "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5, SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD" -type string

    Monday, March 26, 2012 7:05 AM

All replies

  • Now I have changed my routes on edge and I get some other errors.

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
          192.168.0.0    255.255.255.0   62.126.159.xx 1
              0.0.0.0          0.0.0.0    62.26.159.xxx Default
              0.0.0.0          0.0.0.0     192.168.15.1  Default


    First a 403 later a 404.

    TL_INFO(TF_PROTOCOL) [3]0964.0BAC::03/26/2012-11:19:49.727.0003d18a (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
    Trace-Correlation-Id: 2064596144
    Instance-Id: 00000CA9
    Direction: incoming
    Peer: sip.b-s-s.de:5061
    Message-Type: response
    Start-Line: SIP/2.0 403 Forbidden
    From: "Michél Picker"<sip:michel.picker@b-s-s.de>;tag=ceb5665dd0;epid=6d512828de
    To: <sip:alexander.schoenwald@hp.com>;tag=C8D950B8358435E69981C9C388D5AF50
    CSeq: 1 SUBSCRIBE
    Call-ID: 6c6bd6b6ad784e59b9d71756787874d9
    Via: SIP/2.0/TLS 192.168.16.111:55808;branch=z9hG4bKF83D9D94.8355603FE52B14A5;branched=FALSE;ms-received-port=55808;ms-received-cid=2100
    Via: SIP/2.0/TLS 192.168.15.73:49266;ms-received-port=49266;ms-received-cid=2C00
    ms-diagnostics: 1027;reason="Cannot route this type of SIP request to or from federated partners";source="sip.b-s-s.de"
    Server: RTC/4.0
    Content-Length: 0
    ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=sip.b-s-s.de;ms-source-verified-user=verified
    Message-Body: –
    $$end_record

    TL_INFO(TF_PROTOCOL) [0]0964.0BAC::03/26/2012-11:19:50.705.00040993 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
    Trace-Correlation-Id: 2095421373
    Instance-Id: 00000CB2
    Direction: incoming
    Peer: sip.b-s-s.de:5061
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "Michél Picker"<sip:michel.picker@b-s-s.de>;tag=3ef35eb135;epid=6d512828de
    To: <sip:alexander.schoenwald@hp.com>;tag=C8D950B8358435E69981C9C388D5AF50
    CSeq: 1 SUBSCRIBE
    Call-ID: f24364be13324769947852ece0fc953a
    Via: SIP/2.0/TLS 192.168.16.111:55808;branch=z9hG4bK595B61CF.F779D684E52F04A5;branched=FALSE;ms-received-port=55808;ms-received-cid=2100
    Via: SIP/2.0/TLS 192.168.15.73:49266;ms-received-port=49266;ms-received-cid=2C00
    ms-diagnostics: 1047;reason="Failed to complete TLS negotiation with a federated peer server";WinsockFailureCode="10054(WSAECONNRESET)";WinsockFailureDescription="The peer forced closure of the connection";Peer="sipfederation.hp.com";Port="5061";source="sip.b-s-s.de"
    Server: RTC/4.0
    Content-Length: 0
    ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=sip.b-s-s.de;ms-source-verified-user=verified
    Message-Body: –
    $$end_record

    Monday, March 26, 2012 11:28 AM
  • Now I have completely renewed and reconfigured the deployment...but...the same issue :(.
    Wednesday, March 28, 2012 5:18 PM
  • Hi,

    Looks like the connection was closed by sipfederation.hp.com. Please verify the federated partner has added your domain to their federation partner allow list.

    You can get help from your federated partner: let them get logs from their edge server and find out why their edge server blocks the message from your domain.



    Saturday, March 31, 2012 2:11 AM
    Moderator
  • This issue can send you down a deep rabbit hole. Check to see if your router/firewall is performing Deep Packet Inspection or has SIP ALG enabled. If it's on, turn it OFF. This breaks the TLS protocol, leading to this error on Edge servers and external federation.

    https://blog.valeconsulting.co.uk/2016/03/21/skype-for-business-the-effects-of-packet-inspection/

    Wednesday, September 11, 2019 4:12 PM
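
To triage edge traces like the ones posted in this thread, the records can be parsed and each ms-diagnostics 1047 response matched to the connection error logged for the same peer. This is an added example, not code from any poster or from Microsoft; the host names, Call-IDs and function names are constructed, and the parser assumes the `$$begin_record` / `$$end_record` layout shown in the posts above.

```python
import re

HEADER = re.compile(r"^TL_(\w+)\((\w+)\).*?::(\S+?\.\d{3})\.\S+ .*\$\$begin_record$")
PARAM = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample in the trace layout shown in the thread (placeholder hosts).
SAMPLE = """\
TL_ERROR(TF_CONNECTION) [0]0604.05C0::03/26/2012-07:01:35.770.00009db0 (SIPStack,...)$$begin_record
LogType: connection
Peer-FQDN: sipfed.partner.example
Result-Code: 0x80072746 WSAECONNRESET
$$end_record
TL_INFO(TF_PROTOCOL) [0]0604.05C0::03/26/2012-07:01:35.775.0000a0d2 (SIPStack,...)$$begin_record
Call-ID: aaaa1111
ms-diagnostics: 1047;reason="Failed to complete TLS negotiation with a federated peer server";Peer="sipfed.partner.example";Port="5061"
$$end_record
TL_INFO(TF_PROTOCOL) [3]0964.0BAC::03/26/2012-11:19:49.727.0003d18a (SIPStack,...)$$begin_record
Call-ID: bbbb2222
ms-diagnostics: 1027;reason="Cannot route this type of SIP request to or from federated partners";source="edge.corp.example"
$$end_record
"""

def parse_records(text):
    # One dict per $$begin_record ... $$end_record block.
    records, cur = [], None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = dict(zip(("level", "flag", "time"), m.groups()))
        elif line == "$$end_record" and cur is not None:
            records.append(cur)
            cur = None
        elif cur is not None and ": " in line:
            key, value = line.split(": ", 1)
            cur.setdefault(key, value)  # keep the first of repeated headers (Via)
    return records

def tls_failures(text, code="1047"):
    # Pair each ms-diagnostics 1047 with the connection error for the same peer.
    recs = parse_records(text)
    conn = {r.get("Peer-FQDN"): r for r in recs
            if r.get("LogType") == "connection" and r["level"] == "ERROR"}
    out = []
    for r in recs:
        num, _, rest = r.get("ms-diagnostics", "").partition(";")
        peer = dict(PARAM.findall(rest)).get("Peer")
        if num == code:
            c = conn.get(peer, {})
            out.append((r["time"], r.get("Call-ID"), peer, c.get("Result-Code")))
    return out
```

Each returned tuple is (time, Call-ID, peer, transport Result-Code); the 1027 response is left out because it is not a TLS negotiation failure.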