How to solve outbound calls authentication issues with Ribbon SBC EDGE and Teams Direct Routing

Hi All,

Sometimes you have to establish an Authenticated SIP Trunk between your Ribbon SBC EDGE (1K/2K/SWe Lite) and your ITSP.

This is quite an easy task, described here “Configuring SBC Edge with ITSP that Requires Digest Authentication with 401 Unauthorized Challenge” and summarized in these three steps:

  1. Add a Remote Authorization Table
  2. Add a Remote Authorization entry
  3. Assign the Remote Authorization Table to the SIP Server Table

Standard Behaviour

The call flow below depicts a standard outbound call from Teams to the ITSP via Ribbon SBC 1000/2000 with Digest Authentication with 401 Unauthorized Challenge.

  • After the initial INVITE from Microsoft Phone System, SBC Edge (UA) sends an INVITE request to the ITSP proxy server (UAS)
  • SBC Edge then receives a 401 Unauthorized response from the ITSP proxy server
  • SBC Edge, acting as a UA, then re-sends the request and authenticates itself by including an Authorization header field with the request
  • The Authorization field value consists of credentials containing the authentication information of the UA for the realm of the resource being requested as well as parameters required in support of authentication and replay protection.
  • The Realm, Username and Password are taken from the Remote Authorization Table entry that matches the realm provided by the UAS.
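
As an added illustration (not part of the original article and not Ribbon's code), the Python sketch below computes the RFC 2617 Digest response that a UA places in the Authorization header after a 401 challenge. The realm and username are the ones seen in this article's logs; the password, nonce and request URI are constructed placeholders.

```python
import hashlib


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce=""):
    """RFC 2617 Digest response with the MD5 algorithm."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # secret part, never sent
    ha2 = md5_hex(f"{method}:{uri}")                 # binds method and URI
    if qop == "auth":
        # nc and cnonce tie the response to one use of the server nonce
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def authorization_header(username, realm, password, method, uri, nonce,
                         qop=None, nc="00000001", cnonce=""):
    """Build the header a UA adds when it re-sends the challenged request."""
    response = digest_response(username, realm, password, method, uri,
                               nonce, qop, nc, cnonce)
    parts = [f'username="{username}"', f'realm="{realm}"',
             f'nonce="{nonce}"', f'uri="{uri}"',
             f'response="{response}"', "algorithm=MD5"]
    if qop == "auth":
        parts += ["qop=auth", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Authorization: Digest " + ", ".join(parts)


if __name__ == "__main__":
    # Constructed values: password, nonce and request URI are placeholders.
    print(authorization_header("1358", "asterisk", "example-password",
                               "INVITE", "sip:0123456789@itsp.example",
                               "constructed-nonce-0001"))
```

The password itself never appears on the wire, only a hash bound to the server's nonce, which is why the SBC cannot answer the challenge until it has selected a table entry for the realm.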

On the right an example of Remote Authorization Table

Authentication Issues

In case of Authentication Issues, it’s common to see a SIP Ladder like this one:

  • After the initial INVITE from Microsoft Phone System, SBC Edge (UA) sends an INVITE request to the ITSP proxy server (UAS)
  • SBC Edge then receives a 401 Unauthorized response from the ITSP proxy server
  • SBC Edge answers with an ACK, then sends a 503 Service Unavailable to Teams

What happens?
Why does the SBC not answer the 401 Unauthorized with a new request including an Authorization header field?

Troubleshooting

You have to collect Syslogs with Ribbon LX.

In End to End Calls you should see the call pair (Teams-SBC and SBC-ITSP).

To search for this issue, we have to use the Debug Subsystems.
Select sip as Subsystems and DEBUG, INFO and WARN as Level, then hit Search (if you flag Autosearch on log load, this filter will be applied to the next calls too).

Select the filtered logs and copy them to Notepad/Notepad++.

Search for matchCredentialsAndComputeResponse; you should find something like this:

Below is the meaningful part for better reference; take a look at the bold text:

HandleFailureResponse:401 in CallSession.  Attempting INVITE with challenge info
createCredentials:From.UserName (04381895216)
matchCredentialsAndComputeResponse:Credential Table count(1)/SequenceList count=1
matchCredentialsAndComputeResponse:Session::createCredentials searching for realm(asterisk)
matchCredentialsAndComputeResponse:SeqList position(0)/item (1)
matchCredentialsAndComputeResponse:Session::config realm(asterisk) user(1358)
matchCredentialsAndComputeResponse:Realm match.  UriUserMatch=0
matchCredentialsAndComputeResponse:Try authentication ID match
matchCredentialsAndComputeResponse:Session::no matching realm
respondToChallenge:Session::respondToChallenge failed
HandleFailureResponse:no authen headers for resp=401; end sess
clientTranFailed:Client Transaction failed.
clientTranFailed:no cancel sent, clean up the call.

In this case, the hint to find the issue and to solve it is UriUserMatch=0.
The SBC is unable to correctly identify the user in the 401 Challenge and cannot answer with a new request including an Authorization header field.

URI User Match

Now that we know the problem, we can try to solve it!
It’s a UriUserMatch issue, so go to the Remote Authorization Table used to authenticate to the ITSP and change the From URI User Match field from Authentication ID to Regex, then enter (.*) in the Match Regex field.
This regular expression means “Everything”: it matches any From URI user.

Now the Syslog shows a better result: the SBC could find a User to use to answer the 401 Challenge.

matchCredentialsAndComputeResponse:Session::createCredentials searching for realm(asterisk)
matchCredentialsAndComputeResponse:SeqList position(0)/item (1)
matchCredentialsAndComputeResponse:Session::config realm(asterisk) user(1358)
matchCredentialsAndComputeResponse:Realm match.  UriUserMatch=1
matchCredentialsAndComputeResponse:Try regex match: (.*)
matchCredentialsAndComputeResponse:MatchRegex success
matchCredentialsAndComputeResponse:Session::creating credentials user(1358)
respondToChallenge:Session::created credentials WWWAuthenticate
HandleFailureResponse:resend INVITE with authorization info
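
To compare the two sequences without reading them line by line, here is an added Python triage helper (not part of the original article, not a Ribbon tool). It extracts the fields logged during challenge handling and reports whether the INVITE was re-sent; the sample lines are excerpts of the two log sequences quoted above, and the outcome labels are this example's own.

```python
import re

# Fields pulled from the sip-subsystem debug lines shown in this article.
PATTERNS = {
    "from_user": r"From\.UserName \((.*?)\)",
    "challenge_realm": r"searching for realm\((.*?)\)",
    "config_user": r"config realm\(.*?\) user\((.*?)\)",
    "uri_user_match": r"UriUserMatch=(\d+)",
    "match_mode": r"Try (authentication ID|regex) match",
}


def triage(lines):
    """Summarise how one 401 challenge was handled."""
    info = dict.fromkeys(PATTERNS)
    info["outcome"] = "unknown"
    for line in lines:
        for key, pattern in PATTERNS.items():
            m = re.search(pattern, line)
            if m:
                info[key] = m.group(1)
        if "respondToChallenge failed" in line:
            info["outcome"] = "challenge not answered"
        elif "resend INVITE with authorization info" in line:
            info["outcome"] = "INVITE resent with Authorization"
    return info


# Excerpts of the two log sequences quoted in this article.
FAILED = """\
createCredentials:From.UserName (04381895216)
matchCredentialsAndComputeResponse:Session::createCredentials searching for realm(asterisk)
matchCredentialsAndComputeResponse:Session::config realm(asterisk) user(1358)
matchCredentialsAndComputeResponse:Realm match.  UriUserMatch=0
matchCredentialsAndComputeResponse:Try authentication ID match
matchCredentialsAndComputeResponse:Session::no matching realm
respondToChallenge:Session::respondToChallenge failed
""".splitlines()

FIXED = """\
matchCredentialsAndComputeResponse:Session::createCredentials searching for realm(asterisk)
matchCredentialsAndComputeResponse:Session::config realm(asterisk) user(1358)
matchCredentialsAndComputeResponse:Realm match.  UriUserMatch=1
matchCredentialsAndComputeResponse:Try regex match: (.*)
matchCredentialsAndComputeResponse:MatchRegex success
HandleFailureResponse:resend INVITE with authorization info
""".splitlines()

if __name__ == "__main__":
    for name, lines in (("before", FAILED), ("after", FIXED)):
        print(name, triage(lines))
```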

As always, I hope this article could help some of you.
Luca
