SRTP failing towards Cisco WEBEX

garci66 · May 31, 2017, 6:13pm

Hi,

Im running asterisk Asterisk 13.9.1 with PJSIP and was trying to let our users dial onto cisco Webex conferences directly over SIP. The connection works well (had some issues with SRV records not being used so had to setup some entries in /etc/hosts) and the connection to the conference room works until a web client connects when the Webex server sends a request to move the call to SRTP.

The connection is not using TLS but only SRTP with SDES. I have the full log including the SDP and the debug trace which shows that only one of the keys sent in the SDP is accepted. (the rest are in unsupported formats). The SDP includes multiple video streams and audio (I am only joining the audio part) and the SDP describes it as RTP/AVP when, as far as I understand, it should be RTP/SAVP (if requesting SRTP).

It then errors out as follows

[2017-05-31 14:18:38] WARNING[1557][C-0000000f]: chan_sip.c:10715 process_sdp: Failed to receive SDP offer/answer with required SRTP crypto attributes for audio

The full log is attached. Any ideas

jcolp · May 31, 2017, 6:15pm

That message is from chan_sip, not chan_pjsip.

garci66 · May 31, 2017, 6:17pm

Thanks… That’s true! I am using Asterisk inside freepbx and configured pjsip as the endpoint. But basically i am dialling a full sip URI so it seems chan_sip is bein used. I still can’t upload the full file (I’m new on the forum)

garci66 · May 31, 2017, 6:27pm

The interesting parts of the SDP and log are here:
DEBUG[1557]: chan_sip.c:9838 parse_request: Body 6 [ 88]: m=audio 55910 RTP/AVP 113 108 109 110 98 116 117 118 100 102 103 9 104 105 0 101 8 15 18 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 7 [ 28]: a=rtpmap:113 MP4A-LATM/90000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 8 [ 54]: a=fmtp:113 profile-level-id=24;object=23;bitrate=96000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 9 [ 28]: a=rtpmap:108 MP4A-LATM/90000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 10 [ 54]: a=fmtp:108 profile-level-id=24;object=23;bitrate=64000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 11 [ 28]: a=rtpmap:109 MP4A-LATM/90000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 12 [ 54]: a=fmtp:109 profile-level-id=24;object=23;bitrate=56000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 13 [ 28]: a=rtpmap:110 MP4A-LATM/90000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 14 [ 54]: a=fmtp:110 profile-level-id=24;object=23;bitrate=48000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 15 [ 27]: a=rtpmap:98 MP4A-LATM/32000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 16 [ 51]: a=fmtp:98 profile-level-id=2;object=2;bitrate=96000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 17 [ 26]: a=rtpmap:116 SIREN14/16000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 18 [ 24]: a=fmtp:116 bitrate=48000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 19 [ 26]: a=rtpmap:117 SIREN14/16000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 20 [ 24]: a=fmtp:117 bitrate=32000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 21 [ 26]: a=rtpmap:118 SIREN14/16000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 22 [ 24]: a=fmtp:118 bitrate=24000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 23 [ 24]: a=rtpmap:100 G7221/32000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 24 [ 24]: a=fmtp:100 bitrate=48000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 25 [ 24]: a=rtpmap:102 G7221/32000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 26 [ 24]: a=fmtp:102 bitrate=32000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 27 [ 24]: a=rtpmap:103 G7221/32000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 28 [ 24]: a=fmtp:103 bitrate=24000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 29 [ 20]: a=rtpmap:9 G722/8000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 30 [ 24]: a=rtpmap:104 G7221/16000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 31 [ 24]: a=fmtp:104 bitrate=32000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 32 [ 24]: a=rtpmap:105 G7221/16000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 33 [ 24]: a=fmtp:105 bitrate=24000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 34 [ 20]: a=rtpmap:0 PCMU/8000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 35 [ 33]: a=rtpmap:101 telephone-event/8000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 36 [ 15]: a=fmtp:101 0-15 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 37 [ 20]: a=rtpmap:8 PCMA/8000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 38 [ 21]: a=rtpmap:15 G728/8000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 39 [ 21]: a=rtpmap:18 G729/8000 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 40 [ 19]: a=fmtp:18 annexb=no [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 41 [ 87]: a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:csaT6q7mo+ADZnbHX2g5eJtj2emtfVbllVieIuSY|2^48 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 42 [105]: a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:FV7k1XCUEwrPw44j78SGm9nZSBq6FOcL4EkLXJt+|2^48 UNENCRYPTED_SRTCP [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 43 [ 87]: a=crypto:3 AES_CM_128_HMAC_SHA1_32 inline:Qf0R3r8jayoOpHFblki47IAgTMTgtk6pdgazeobN|2^48 [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 44 [105]: a=crypto:4 AES_CM_128_HMAC_SHA1_32 inline:CPZANDhj3ip6usAnJWAc6Ob8tzV4TfcAK1Kd7SLf|2^48 UNENCRYPTED_SRTCP [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 45 [ 10]: a=sendrecv [2017-05-31 14:18:38] DEBUG[1557]: chan_sip.c:9838 parse_request: Body 46 [ 32]: a=rtcp:55911 IN IP4 62.109.221.9
and this
DEBUG[1557][C-0000000f]: sdp_srtp.c:122 ast_sdp_crypto_alloc: local_key64 ifr1xmTSBms1AMBCpIRiIdtSKD+qkk6USf9sYS0G len 40 [2017-05-31 14:18:38] DEBUG[1557][C-0000000f]: sdp_srtp.c:333 ast_sdp_crypto_process: Crypto attribute '1 AES_CM_128_HMAC_SHA1_80 inline:csaT6q7mo+ADZnbHX2g5eJtj2emtfVbllVieIuSY|2^48' accepted with lifetime '281474976710656.000000', MKI '-' [2017-05-31 14:18:38] DEBUG[1557][C-0000000f]: res_srtp.c:508 ast_srtp_add_stream: Adding new policy for SSRC 1664971098 [2017-05-31 14:18:38] DEBUG[1557][C-0000000f]: sdp_srtp.c:191 crypto_activate: SRTP policy activated [2017-05-31 14:18:38] DEBUG[1557][C-0000000f]: sdp_srtp.c:384 ast_sdp_crypto_build_offer: Crypto line: a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ifr1xmTSBms1AMBCpIRiIdtSKD+qkk6USf9sYS0G [2017-05-31 14:18:38] DEBUG[1557][C-0000000f]: chan_sip.c:10671 process_sdp: Processing media-level (audio) SDP a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:csaT6q7mo+ADZnbHX2g5eJtj2emtfVbllVieIuSY|2^48... OK. [2017-05-31 14:18:38] DEBUG[1557][C-0000000f]: chan_sip.c:10671 process_sdp: Processing media-level (audio) SDP a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:FV7k1XCUEwrPw44j78SGm9nZSBq6FOcL4EkLXJt+|2^48 UNENCRYPTED_SRTCP... UNSUPPORTED OR FAILED. [2017-05-31 14:18:38] DEBUG[1557][C-0000000f]: chan_sip.c:10671 process_sdp: Processing media-level (audio) SDP a=crypto:3 AES_CM_128_HMAC_SHA1_32 inline:Qf0R3r8jayoOpHFblki47IAgTMTgtk6pdgazeobN|2^48... UNSUPPORTED OR FAILED. [2017-05-31 14:18:38] DEBUG[1557][C-0000000f]: chan_sip.c:10671 process_sdp: Processing media-level (audio) SDP a=crypto:4 AES_CM_128_HMAC_SHA1_32 inline:CPZANDhj3ip6usAnJWAc6Ob8tzV4TfcAK1Kd7SLf|2^48 UNENCRYPTED_SRTCP... UNSUPPORTED OR FAILED. [2017-05-31 14:18:38] DEBUG[1557][C-0000000f]: chan_sip.c:10671 process_sdp: Processing media-level (audio) SDP a=sendrecv... OK. [2017-05-31 14:18:38] DEBUG[1557][C-0000000f]: chan_sip.c:10671 process_sdp: Processing media-level (audio) SDP a=rtcp:55911 IN IP4 62.109.221.9... UNSUPPORTED OR FAILED.
Thanks a million!

garci66 · May 31, 2017, 8:11pm

So… with the hint of using chan_sip instead of pjsip, I changed my trunk (which was dialing a SIP URI) to the using PJSIP as the uri. With this option it seems to work, although encryption might not be in use.

This seems to have made it work for webex.

daniels · April 28, 2022, 5:11pm

Hi guys,

Did you have any guide step to sip trunk integration with WebEx Services?