Options Ping Contact Needs FQDN Instead of IP Address

We are attempting to set up a TLS connection to Cisco WebEx. It appears the certificates are working fine, but WebEx does not like the Contact portion of the Options ping. It is showing the IP address instead of the FQDN, which I guess they are validating against the certificate or the trunk configuration on their service.

We respond to their Options ping just fine though.

We have been trying to modify the Contact header of the Options ping but are not having any luck.
The /etc/hosts file has been updated with the FQDN.

How do we modify this Contact field?

There is no support in configuration for doing such a thing. It would require code modifications, which I believe some people have patches doing so for interfacing with Microsoft Teams - but those have never been contributed back.

Bad:
[May 19 09:59:57] <--- Transmitting SIP request (467 bytes) to TLS:23.89.40.10:5062 --->
[May 19 09:59:57] OPTIONS sip:us18.sipconnect.bcld.webex.com SIP/2.0
[May 19 09:59:57] Via: SIP/2.0/TLS <Our Public Address>:5061;rport;branch=z9hG4bKPjfd58c245-cd0c-4442-960d-ba10dae556f3;alias
[May 19 09:59:57] From: <sip:ping@<Our FQDN>>;tag=0a155241-dd1b-4bfb-b80d-702bdd681f4f
[May 19 09:59:57] To: <sip:us18.sipconnect.bcld.webex.com>
[May 19 09:59:57] Contact: <sip:ping@**<IP Address>**:5061;transport=TLS>
[May 19 09:59:57] Call-ID: dd8e6d52-f8ed-4dac-9f94-d119224b4b7c
[May 19 09:59:57] CSeq: 4319 OPTIONS
[May 19 09:59:57] Max-Forwards: 70
[May 19 09:59:57] User-Agent: Spok 12.5.6
[May 19 09:59:57] Content-Length:  0

Good:
[May 19 10:29:34] <--- Received SIP request (378 bytes) from TLS:23.89.1.195:8934 --->
[May 19 10:29:34] OPTIONS sip:<Our SRV record FQDN>>:5061;transport=tls SIP/2.0
[May 19 10:29:34] Via:SIP/2.0/TLS 23.89.1.195:5062;branch=z9hG4bKBroadworksSSE.-<Public IP>V5061-0-100-162972701-1747668574086-
[May 19 10:29:34] From:<sip:23.89.1.195>;tag=162972701-1747668574086-
[May 19 10:29:34] To:<sip:<Our SRV record FQDN>>
[May 19 10:29:34] Call-ID:SSE152934086190525739170426@23.89.1.195
[May 19 10:29:34] CSeq:100 OPTIONS
[May 19 10:29:34] Max-Forwards:0
[May 19 10:29:34] Content-Length:0
[May 19 10:29:34]
[May 19 10:29:34]
[May 19 10:29:34] <--- Transmitting SIP response (880 bytes) to TLS:23.89.1.195:8934 --->
[May 19 10:29:34] SIP/2.0 200 OK
[May 19 10:29:34] Via: SIP/2.0/TLS 23.89.1.195:5062;rport=8934;received=23.89.1.195;branch=z9hG4bKBroadworksSSE.-<Public IP>V5061-0-100-162972701-1747668574086-
[May 19 10:29:34] Call-ID: SSE152934086190525739170426@23.89.1.195
[May 19 10:29:34] From: <sip:23.89.1.195>;tag=162972701-1747668574086-
[May 19 10:29:34] To: <sip:<Our SRV record FQDN>>;tag=z9hG4bKBroadworksSSE.-<Public IP>V5061-0-100-162972701-1747668574086-
[May 19 10:29:34] CSeq: 100 OPTIONS
[May 19 10:29:34] Accept: application/dialog-info+xml, application/xpidf+xml, application/cpim-pidf+xml, application/pidf+xml, application/simple-message-summary, application/simple-message-summary, application/sdp, message/sipfrag;version=2.0
[May 19 10:29:34] Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
[May 19 10:29:34] Supported: 100rel, timer, replaces, norefersub
[May 19 10:29:34] Accept-Encoding: identity
[May 19 10:29:34] Accept-Language: en
[May 19 10:29:34] Server: Spok 12.5.6
[May 19 10:29:34] Content-Length:  0
[May 19 10:29:34]



[SIPtrunk](!)
type = wizard
accepts_registrations = no
has_phoneprov = no
has_hint = yes
transport = SIP-udp
endpoint/dtmf_mode = rfc4733
endpoint/allow = !all,ulaw
endpoint/sdp_session = <Company Name>
endpoint/context=sipcall
endpoint/direct_media=no

[wxcc](SIPtrunk)
endpoint/context=WxCC
endpoint/from_domain=<FQDN>
endpoint/from_user=ping
remote_hosts = us18.sipconnect.bcld.webex.com
transport = SIP-tls
rewrite_contact=no
endpoint/media_encryption=sdes
endpoint/send_pai=true
endpoint/set_var=CDR(dahdigroup)=s
endpoint/set_var=CDR(TLMTGID)=wxcc
endpoint/set_var=PBXID=wxcc
aor/qualify_frequency = 30

<hostname>*CLI> pjsip show endpoint wxcc

 Endpoint:  <Endpoint/CID.....................................>  <State.....>  <Channels.>
    I/OAuth:  <AuthId/UserName...........................................................>
        Aor:  <Aor............................................>  <MaxContact>
      Contact:  <Aor/ContactUri..........................> <Hash....> <Status> <RTT(ms)..>
  Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress..................>
   Identify:  <Identify/Endpoint.........................................................>
        Match:  <criteria.........................>
    Channel:  <ChannelId......................................>  <State.....>  <Time.....>
        Exten: <DialedExten...........>  CLCID: <ConnectedLineCID.......>
==========================================================================================

 Endpoint:  wxcc                                                 Unavailable   0 of inf
        Aor:  wxcc                                               0
      Contact:  wxcc/sip:us18.sipconnect.bcld.webex.com    4bde43bc7b Unavail         nan
  Transport:  SIP-tls                   tls      0      0  0.0.0.0:5061
   Identify:  wxcc-identify/wxcc
        Match: 23.89.40.10/32
        Match: 2607:fcf0:9000:1::6/128
        Match: 23.89.40.51/32
        Match: 23.89.1.195/32
        Match: 2a05:4200::5bc:10a/128
        Match: 23.89.1.168/32


 ParameterName                      : ParameterValue
 ===================================================================================================
 100rel                             : yes
 @pjsip_wizard                      : wxcc
 CDR(TLMTGID)                       : wxcc
 CDR(dahdigroup)                    : s
 PBXID                              : wxcc
 accept_multiple_sdp_answers        : false
 accountcode                        :
 acl                                :
 aggregate_mwi                      : true
 allow                              : (ulaw)
 allow_overlap                      : true
 allow_subscribe                    : true
 allow_transfer                     : true
 aors                               : wxcc
 asymmetric_rtp_codec               : false
 auth                               :
 bind_rtp_to_media_address          : false
 bundle                             : false
 call_group                         :
 callerid                           : <unknown>
 callerid_privacy                   : allowed_not_screened
 callerid_tag                       :
 codec_prefs_incoming_answer        : prefer:pending, operation:intersect, keep:all, transcode:allow
 codec_prefs_incoming_offer         : prefer:pending, operation:intersect, keep:all, transcode:allow
 codec_prefs_outgoing_answer        : prefer:pending, operation:intersect, keep:all, transcode:allow
 codec_prefs_outgoing_offer         : prefer:pending, operation:union, keep:all, transcode:allow
 connected_line_method              : invite
 contact_acl                        :
 context                            : WxCC
 cos_audio                          : 0
 cos_video                          : 0
 device_state_busy_at               : 0
 direct_media                       : false
 direct_media_glare_mitigation      : none
 direct_media_method                : invite
 disable_direct_media_on_nat        : false
 dtls_auto_generate_cert            : No
 dtls_ca_file                       :
 dtls_ca_path                       :
 dtls_cert_file                     :
 dtls_cipher                        :
 dtls_fingerprint                   : SHA-256
 dtls_private_key                   :
 dtls_rekey                         : 0
 dtls_setup                         : active
 dtls_verify                        : No
 dtmf_mode                          : rfc4733
 fax_detect                         : false
 fax_detect_timeout                 : 0
 follow_early_media_fork            : true
 force_avp                          : false
 force_rport                        : true
 from_domain                        : <Our FQDN>
 from_user                          : ping
 g726_non_standard                  : false
 ice_support                        : false
 identify_by                        : username,ip
 ignore_183_without_sdp             : false
 inband_progress                    : false
 incoming_call_offer_pref           : local
 incoming_mwi_mailbox               :
 language                           :
 mailboxes                          :
 max_audio_streams                  : 1
 max_video_streams                  : 1
 media_address                      :
 media_encryption                   : sdes
 media_encryption_optimistic        : false
 media_use_received_transport       : false
 message_context                    :
 moh_passthrough                    : false
 moh_suggest                        : default
 mwi_from_user                      :
 mwi_subscribe_replaces_unsolicited : no
 named_call_group                   :
 named_pickup_group                 :
 notify_early_inuse_ringing         : false
 one_touch_recording                : false
 outbound_auth                      :
 outbound_proxy                     :
 outgoing_call_offer_pref           : remote_merge
 pickup_group                       :
 preferred_codec_only               : false
 record_off_feature                 : automixmon
 record_on_feature                  : automixmon
 refer_blind_progress               : true
 rewrite_contact                    : false
 rpid_immediate                     : false
 rtcp_mux                           : false
 rtp_engine                         : asterisk
 rtp_ipv6                           : false
 rtp_keepalive                      : 0
 rtp_symmetric                      : false
 rtp_timeout                        : 0
 rtp_timeout_hold                   : 0
 sdp_owner                          : -
 sdp_session                        : <Company Info>
 send_connected_line                : yes
 send_diversion                     : true
 send_history_info                  : false
 send_pai                           : true
 send_rpid                          : false
 srtp_tag_32                        : false
 stir_shaken                        : false
 sub_min_expiry                     : 0
 subscribe_context                  :
 suppress_q850_reason_headers       : false
 t38_udptl                          : false
 t38_udptl_ec                       : none
 t38_udptl_ipv6                     : false
 t38_udptl_maxdatagram              : 0
 t38_udptl_nat                      : false
 timers                             : yes
 timers_min_se                      : 90
 timers_sess_expires                : 1800
 tone_zone                          :
 tos_audio                          : 0
 tos_video                          : 0
 transport                          : SIP-tls
 trust_connected_line               : yes
 trust_id_inbound                   : false
 trust_id_outbound                  : false
 use_avpf                           : false
 use_ptime                          : false
 user_eq_phone                      : false
 voicemail_extension                :
 webrtc                             : no

Why are they checking the certificate against the Contact address? If anything, in the SIP, it should be the From address, although I seem to remember that the subject is actually sent at the TLS level, rather than in the SIP.

Thanks, we have some experience there.
Will try to report back in a week or so when our devs get to it.

Cisco being Cisco I guess. They only “support” a handful of SBCs, but there should be no technical reason why any SBC can’t connect TLS. At least the Cisco TAC was responsive on the matter and spotted this issue fairly quickly.

I didn’t see this post while looking, but it is similar if not exactly what @jcolp was referring to.

We were able to get it working by modifying the following:
Add the following variable in res_pjsip.h:
AST_STRING_FIELD(external_fqdn);
This will be configured in the TLS transport section in pjsip.conf.
Add the following structure in res_pjsip/config_transport.c:
ast_sorcery_object_field_register(sorcery, "transport", "external_fqdn", "", OPT_STRINGFIELD_T,
0, STRFLDSET(struct ast_sip_transport, external_fqdn));
Add logic in res_pjsip_nat.c to use external_fqdn if it exists under the “Update the Via header if relevant” section.

Note: You must also specify something for external_signaling_address in the pjsip.conf transport config to reach that piece of code.

We also had to acquire res_srtp.so and compile that in.
This was on Asterisk version 18.3.0 on Red Hat 8.
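
A way to confirm from the SIP trace that a change like the one above took effect, added here as an example and not part of the thread or of Asterisk: the script reads `pjsip set logger on` output and reports every transmitted request whose Contact host is an IP literal or a name outside the set the peer expects. The function names, the `sbc.example.com` FQDN and the documentation-range addresses are assumptions made for the sample.

```python
import ipaddress
import re

# Asterisk "pjsip set logger on" output: "[timestamp] " prefix, then one banner per message.
PREFIX = re.compile(r"^\[[^\]]*\]\s?")
BANNER = re.compile(r"<-+ (Transmitting|Received) SIP \w+ .* (?:to|from) (\S+) -+>")
CONTACT_HOST = re.compile(r"sips?:(?:[^@>;]*@)?(\[[^\]]+\]|[^@:;>\s]+)", re.I)

# Constructed sample (documentation addresses and names, not the capture from the thread).
SAMPLE_LOG = """\
[May 19 09:59:57] <--- Transmitting SIP request (467 bytes) to TLS:198.51.100.7:5062 --->
[May 19 09:59:57] OPTIONS sip:peer.example.net SIP/2.0
[May 19 09:59:57] From: <sip:ping@sbc.example.com>;tag=constructed1
[May 19 09:59:57] Contact: <sip:ping@192.0.2.10:5061;transport=TLS>
[May 19 10:00:27] <--- Transmitting SIP request (470 bytes) to TLS:198.51.100.7:5062 --->
[May 19 10:00:27] OPTIONS sip:peer.example.net SIP/2.0
[May 19 10:00:27] Contact: <sip:ping@sbc.example.com:5061;transport=TLS>
"""


def split_messages(log_text):
    """Return [direction, peer, start_line, headers] for each logged SIP message."""
    messages = []
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw).strip()
        banner = BANNER.search(line)
        if banner:
            messages.append([banner.group(1), banner.group(2), None, {}])
        elif messages and line:
            msg = messages[-1]
            if msg[2] is None:
                msg[2] = line  # request line or status line
            elif ":" in line:
                name, value = line.split(":", 1)
                msg[3][name.strip().lower()] = value.strip()
    return messages


def audit_contacts(log_text, expected_names):
    """Flag transmitted requests whose Contact host is an IP literal or an unexpected name."""
    expected = {n.lower().rstrip(".") for n in expected_names}
    findings = []
    for direction, peer, start, headers in split_messages(log_text):
        m = CONTACT_HOST.search(headers.get("contact", ""))
        if direction != "Transmitting" or not start or start.startswith("SIP/") or not m:
            continue
        host = m.group(1).lower().rstrip(".")
        try:
            ipaddress.ip_address(host.strip("[]"))
            reason = "ip-literal"
        except ValueError:
            reason = None if host in expected else "unexpected-name"
        if reason:
            findings.append((start.split()[0], peer, host, reason))
    return findings


if __name__ == "__main__":
    print(audit_contacts(SAMPLE_LOG, ["sbc.example.com"]))
```

Pass the names the peer is configured to accept (for example the SAN entries of the trunk certificate) as `expected_names`; an empty result means every outbound Contact used one of them.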