Wrong port number used for SIP with TLS transport

MHF_inf
Frequent Visitor

Wrong port number used for SIP with TLS transport

Hello,

 

We are facing the following issue with the Polycom VVX501, VVX311 and VVX601 phones:

 

When the Polycom phone is configured to use TLS transport for SIP signalling, the port number value configured as the "SIP receive port" is not being used.
The phone is using a random high port number instead, which is different every time the phone is rebooted.

 

For example, the phone is configured to use TLS transport and port 5061:

 

voIpProt.server.1.transport="TLS"
voIpProt.SIP.local.port="5061"

 

 

But the SIP URI in the Contact header of the SIP REGISTER request sent by the phone contains the port number 45887, as it is visible in the packet capture taken on the switch the phone is connected to (see screenshot attached).

Also the source port for sending the request is not the configured one (5061), but 45887:

 

MHF_inf_1-1643047180953.png

 

 

 

 

This statement is contained in the phone log file, which suggests that this port number is set before sending the REGISTER request:

“1216071002|sip  |3|00|SetRemoteAddress OK on try 1 nPort 45887 0xb565d268”

 

If the phone is rebooted, the new REGISTER request uses another different port number in the high range > 32000. It never uses the configured port number.

 

The expectation is that the phone would always send the configured port number (5061) for the SIP communication.

When TCP is configured as transport protocol for SIP, it works as expected. The problem occurs only for TLS transport.

 

The phone log files as well as the packet capture of the test on 16/12/2021 (including the private key needed by wireshark to decrypt the TLS communication) are attached.

The IP addresses in the packet capture are:

Phone: 10.187.25.68

Registrar: 10.91.56.150

The phone is using the firmware version 5.9.6.2327.

 

Any idea why the phone does not use the configured port number in the TLS case?

What can be done in order that the expected behavior is achieved?

 

Thanks and regards,

Marcelo

Message 1 of 7
6 REPLIES 6
SteffenBaierUK
Polycom Employee & Community Manager

Re: Wrong port number used for SIP with TLS transport

Hello @MHF_inf ,

 

Welcome to the Poly Community.

 

1st of all nothing was attached for any volunteer to look at. For myself, as a Poly employee, this would be out of scope anyway.

 

From our FAQ:

 

Apr 17, 2013 QuestionHow can I setup a TLS connection for SIP signaling and / or troubleshoot this?

Resolution: Please check => here <=

 

The above explained how the phones can use TLS in the example with an Asterisk SIP server.

 

Logs examples are also provided but log analysis is usually only a task for trained Poly support.

 

The Message in my own test:

0125115419|sip  |3|00|SetRemoteAddress OK on try 1 nPort 32856 0xb2afb950

Indicates that this is the port used by the phone(10.252.149.61):

SteffenBaierUK_0-1643112551943.png

The actual REGISTER shows it goes to Port 5061 from Port 32856:

0125115420|sip  |0|00|TLS Data Send to 172.21.177.17:5061
0125115420|sip  |0|00|    REGISTER sip:172.21.177.17;transport=tls SIP/2.0
0125115420|sip  |0|00|    Via: SIP/2.0/TLS 10.252.149.61:32856;branch=z9hG4bK388fd183B12C1BD3

 

I can see from your credentials that you are some sort of service provider so I can only suggest you update to a currently supported software version. If you still have issues please work with 
Genesys Cloud Services Inc. on PPI/Pay Per Incident support as they sold the phone back in November 2016.

 

Via PPI you can get access to Poly support.

 

This and many other troubleshooting steps are outlined in the FAQ. Please familiarize yourself with these as they are in my signature and can be found using the community search.

 

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

 

----------------

If official support is required please check how to phone or open a case here

----------------
The title Poly Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 2 of 7
MHF_inf
Frequent Visitor

Re: Wrong port number used for SIP with TLS transport

Hi @SteffenBaierUK,

 

Thanks for the feedback and all the hints (I also opened now an SR in the support portal) and the reference to the FAQ. I forgot to upload the logs mentioned in the text, but the screenshot provided actually shows the issue.

 

Indeed the configuration of the phone to use TLS as SIP transport is clear and it is working in our case. The point is that the phone is not using/announcing the expected (configured) port for the SIP communication over TLS.

 

The expectation is that the phone would always send the configured port number (5061) in the Contact header of the REGISTER, so that incoming calls would reach the phone on this port.

If we configure the phone to use TCP (no TLS), it behaves as expected.

We see this behavior on different phone models (VVX301, VVX501 and VVX60).

 

The question is whether this is a known issue or whether there is a way to obtain the expected behavior (despite of setting "voIpProt.SIP.local.port" and "voIpProt.server.1.transport" accordingly).

Maybe someone in the community also faced this before.

 

Thanks and regards,

Marcelo

 

 

Message 3 of 7
SteffenBaierUK
Polycom Employee & Community Manager

Re: Wrong port number used for SIP with TLS transport

Hello @MHF_inf ,

 

Welcome back to the Poly Community.

 

As already stated out of warranty units can only use PPI so your ticket 33941811 was closed with this notification as the serial used was also not in warranty.

 

As I had some time I checked this internally and can confirm it works if the configuration described >here< is being used.

<?xml version="1.0" standalone="yes"?>
<!-- https://community.polycom.com/t5/VoIP-SIP-Phones/Wrong-port-number-used-for-SIP-with-TLS-transport/m-p/117505#M29892 -->
<!-- voIpProt.SIP.local.port -->
<!-- The local port for sending and receiving SIP signaling packets. -->
<!-- 5060 - The value is used for the local port but is not advertised in the SIP signaling. -->
<!-- 0 to 65535 - If set to 0,the 5060 value is used for the local port but is not advertised in the SIP signaling. For other values, that value is used for the local port and it is advertised in the SIP signaling -->
<!-- voIpProt.SIP.looseContact Default 0 -->
<!-- If the value is 0, the ephemeral port is added to the contact header in the Transport Layer Security connection (TLS) case. -->
<!-- If the value is set to 1, the port parameter will not be added to the contact header message or SIP messages. -->
<web voIpProt.SIP.local.port="5061" voIpProt.SIP.looseContact="1" />

 

If you still have issues, and no other volunteer comes forward, please follow the PPI route as explained by our support team and myself.

 

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

 

----------------

If official support is required please check how to phone or open a case here

----------------
The title Poly Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 4 of 7
MHF_inf
Frequent Visitor

Re: Wrong port number used for SIP with TLS transport

Hi @SteffenBaierUK,

 

Yes, the serial number I provided for the SR was from a phone which is out of warranty. We did purchase other phones more recently and I would need to locate one of them and gather the serial number.

 

But anyway I believe the KB article you provided shows the solution for the issue. I was not aware of it and of the parameter "voIpProt.SIP.looseContact". This setting will be the right one to achieve the wished behavior.

We will try to test it and I will post the result here.

 

Thanks a lot and regards,

Marcelo

Message 5 of 7
MHF_inf
Frequent Visitor

Re: Wrong port number used for SIP with TLS transport

 

Hello,

 

We tested the parameter setting as suggested in the KB article mentioned above (voIpProt.SIP.looseContact="1").

(There is apparently a new link for it:

https://support.poly.com/support/s/article/Sip-registration-using-TLS-not-sending-the-port-5061-in-t... )

 

Indeed it results in the phone sending the configured port number (e. g. voIpProt.SIP.local.port="5061") in the Contact header, as expected, and the registration is successful.

The phone should then accept incoming calls on port 5061.

But unfortunately this is not working. The incoming call setup runs into a timeout on the calling endpoint (UAC), as the phone does not answer to the TLS connection setup on port 5061.

Outgoing calls from the phone work fine.

 

When the parameter voIpProt.SIP.looseContact is not configured or set to “0”, the problem does not occur. But then we have the previous situation, in which the phone does not register with the configured port (5061) but with a random high port number.

 

The attached packet capture file contains the incoming call setup from the UAC (10.91.56.150:55352) to the phone (10.187.25.86:5061).

The TCP connection setup at 07:02:06 is shown in frames 1, 2, 3.

In frame 4 the TLS “Client Hello” message is sent by the UAC to the phone.

In frame 5 the phone acknowledges the receipt of the last TCP segment (“Client Hello” message).

But after that, nothing happens anymore. The phone does not send a “Server Hello” message to complete the TLS connection setup.

 

MHF_inf_0-1648114000102.png

 

 

In the phone log file attached there are the following related messages:

0217070206|sip  |3|00|New Connection Accepted
0217070206|sip  |1|00|socket accepted 224
0217070206|sip  |3|00|Waiting for a  New Connection 0xb3f21cf4 0xb3f21c68
0217070206|sip  |1|00|Task name tTCPListen224
0217070206|sip  |1|00|MsgSipTcpAccept
0217070206|sip  |3|00|Creating recv Thread
0217070206|sip  |3|00|Waiting on recv Thread
0217070206|sip  |1|00|MsgSipTcpPacket
0217070206|sip  |3|00|Waiting on recv Thread

 

Has someone experienced this issue?

Why does the phone does not proceed with the TLS connection setup?

What can be done to fix it?

 

Thanks and regards,

Marcelo

SteffenBaierUK
Polycom Employee & Community Manager

Re: Wrong port number used for SIP with TLS transport

Hello @MHF_inf ,

 

Welcome back to the Poly Community.

 

As this community is run by volunteers (who may be Poly employees) we are most likely unable to help as we would need to look at the configuration used and a Wireshark trace.

 

At least for me, this is out of scope as a Poly employee.

 

I can only suggest, if you want an official answer, to get this into our official support organisation.

 

Please ensure to provide some feedback if this reply has helped you so other users can profit from your experience.

Best Regards

Steffen Baier

 

----------------

If official support is required please check how to phone or open a case here

----------------
The title Poly Employee & Community Manager is a community setting and does not reflect my role. I am just a simple volunteer in the community like everybody else. All posts and words are my own & do not represent the views of Employer.

----------------

Notice: This community forum is not an official Poly support resource, thus responses from Poly employees, partners, and customers alike are best-effort in attempts to share learned knowledge. If you need immediate and/or official assistance please open a service ticket through your proper support channels.
Please also ensure you always check the VoIP , Video Endpoint , Skype for Business , PSTN or RPM FAQ's
Message 7 of 7