
Intra-edge communication

  • 1.  Intra-edge communication

    Posted 12-08-2020 04:29
    Hello,

    We have 2 edges within a Site and each edge has a separate SIP trunk. The WAN ports are used for communication with the Cloud and Port 2 for SIP trunking. The WAN port is the Network Interface for Internal Edge Communication too. We had some issues recently with inbound calls (one edge offline and the other edge sending 404 no trunks available, SIP error messages towards the provider) and I would like some clarification concerning the intra-edge communication.


    In order to have both edges, that belong to different networks, communicating with each other, what is needed?

    According to Ports and services to configure on your company firewall - Genesys Cloud Resource Center

    The port range 16384-32768 (SRTP) must be available for incoming requests at each edge in order to have intra-edge communication. Since they do not belong to the same network, this communication will go through the Cloud. Is it possible to add a static route at each WAN interface in order to bypass the cloud? Will that work?

    Moreover, is it possible to use the third port of each edge for intra-edge communication only, lying on the same network?

    Thanks

    #Implementation
    #Telephony

    ------------------------------
    Charis Sideridis
    Intracom S.A. Telecom Solutions
    ------------------------------


  • 2.  RE: Intra-edge communication

    GENESYS
    Posted 12-08-2020 11:56
    It sounds like you are on the right path.  Edges being on separate networks is fine; in addition to the media ports you listed, also see that the Ports and services page you referenced also has TLS/8063 (TLS uses TCP).  The TLS/8063 connection is used for SIP signaling and the SRTP range is used for media.  It is also important to note that although Edges can be on separate networks you cannot have a NAT between Edges.  When you say "this communication will go through the Cloud"... can you provide more clarification?  Does that mean you will be using an Internet connection between Edges -- or possibly an MPLS cloud used for your internal corporate network?  As long as they are communicating with real IPs with each other; that can be private IPs or public IPs, but the IP must be applied directly to the Edge's network interface - however, a NAT applied at a firewall is not acceptable and will cause media to fail.

    You can use a third port for inter-Edge communication if you want; however, it is not required.  Whenever you use multiple network interfaces you have to deal with routing and you often introduce more constraints with more active interfaces.  By default the Edge uses a single routing table - so only one default route should be assigned.  Static Routes can be used, as you brought up, to control routing on various interfaces.  However, you can work with Care to enable source based routing on your org (this is a per org setting, not per Edge) which allows you to use multiple default gateways.  Multiple default gateways are more advantageous for inbound client connections on various interfaces more than it is for inter-Edge communication where the source and destination IPs are known.  

    Configuration for setting up default routes is listed here: https://help.mypurecloud.com/articles/configure-network-interface-edge/

    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 3.  RE: Intra-edge communication

    Posted 12-17-2020 06:22

    Hi Phil,

    Thank you for your reply.



    ------------------------------
    Charis Sideridis
    Intracom S.A. Telecom Solutions
    ------------------------------



  • 4.  RE: Intra-edge communication

    Posted 12-18-2020 03:47

    Another question popped up.

    Each edge has a SIP trunk attached.

    Edge 1 -> Trunk 1

    Edge 2 -> Trunk 2

    We had an issue where edge 2 went offline and in the meantime the tie trunk between those two edges was missing (from previous incident). There were no inbound and outbound calls during the time period the second edge was offline.

    The outbound route we use, uses trunk 1 and trunk 2 in sequential distribution pattern.

    My questions are:

    Shouldn't all users be able to make outbound calls using trunk 1, through edge 1?

    Shouldn't incoming calls coming from trunk 1 be routed to the CC? (Edge 1 was sending a 404-no available trunks. Support claimed it was due to the tie-trunk missing.)

    I mean, how does the tie-trunk affect call routing?

    Regards



    ------------------------------
    Charis Sideridis
    Intracom S.A. Telecom Solutions
    ------------------------------



  • 5.  RE: Intra-edge communication

    GENESYS
    Posted 12-18-2020 09:36

    Yes, you should be able to build it in a way that as long as you have one viable Edge that the calls will still route successfully.  This is hard to analyze through this forum as it leads into a lot of questions about your setup.  For example, I would not normally expect you to have a dedicated trunk per Edge; however, this may be a requirement of your service provider.  Are you able to reproduce this issue by taking Edges out of service?  I would suggest doing some simulated tests to ensure your trunking is operating as expected.

    There are various segments to each call - when a call is delivered to an Edge for the Contact Center, it is often going to go to IVR first - the Edge that receives the call is likely going to be selected to perform the IVR.  Once the call is agent assigned the call needs to be extended to the agent.  The agent's active station contributes to how this is performed.  If you are using a managed station or WebRTC the station should have connections to two Edges.  When both Edges are operational the Edge that handles the IVR will likely extend the call through the intra-edge trunk to the Edge that is the primary Edge for the station.  When an Edge is offline or taken out of service you would expect the stations to rebalance so that only active and online Edges are assigned to stations - in which case in a two Edge scenario where one Edge is offline all stations and all inbound calls should be managed by the same singular Edge.

    My questions are:

    Shouldn't all users be able to make outbound calls using trunk 1, through edge 1?  Assuming that the station was also rebalanced to the viable Edge - yes.

    Shouldn't incoming calls coming from trunk 1, be routed to the CC? (edge 1 was sending a 404-no available trunks. Support claimed it was due to the tie-trunk missing)  Yes, did the call get an IVR or did it fail on the initial INVITE or fail when it transferred to a station/agent?

    I mean, how does the tie-trunk affect call routing?   The tie trunk is used to extend calls between Edges as mentioned above.  The carrier will select an inbound Edge based on their routing logic but will often perform the IVR locally, but can use the intra-edge trunk to extend the call to the agent's station.



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 6.  RE: Intra-edge communication

    Posted 12-18-2020 11:39

    Thanks Phil for your time,

    It is still not clear to me concerning the outbound flows. In our case, a WebRTC (having edge 1 as primary connection) could not make a call at all. The other edge, as mentioned before, was offline. I presume the call flow would be:

    Agent A ---->Edge 1---->Trunk 1----->Outside world

    That didn't happen. Anyway, thanks again for your time.



    ------------------------------
    Charis Sideridis
    Intracom S.A. Telecom Solutions
    ------------------------------



  • 7.  RE: Intra-edge communication

    GENESYS
    Posted 12-18-2020 13:21

    I would definitely go back and test - after hours take Edge 2 out of service and see if the issue still exists. 

    Is there a compelling reason to have a trunk for each Edge?  It would likely be preferred to have only one trunk and assign it to both Edges.  Are the trunks identical except for the Edge that they are assigned to?



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 8.  RE: Intra-edge communication

    Posted 11-13-2023 10:42
    Edited by David Fradejas Tomás 11-13-2023 10:46

    Hi @Phil Whitener,

    Could you confirm that only the 8063 TLS and UDP (sRTP) ports are needed for intra-edge communication?

    I try to update all the info and give you context.

    Note that we have 8 Edges: 4 Edges in CPD1 and the other 4 Edges in CPD2 (other location).

    All Edges in CPD1 are in the same VLAN and same location.

    All Edges in CPD2 are in the same VLAN and same location.

    There is a firewall between CPD1 and CPD2. Port 8063 and the UDP ports (sRTP) are opened bidirectionally in the firewall between locations.

    Now we only have 2 Edges in service, Edge1 (CPD1) and Edge5 (CPD2). The rest of them are out of service; we expect to put them in service next Monday evening.

    CD1 PRO 10.26.6.195 --> In service

    CD1 PRO 10.26.6.198

    CD1 PRO 10.26.6.201

    CD1 PRO 10.26.8.204

    CD2 PRO 10.154.6.195 --> In service

    CD2 PRO 10.154.6.198

    CD2 PRO 10.154.6.201

    CD2 PRO 10.154.6.204

    The communication between Edges is via the WAN port.

    We suspect the communication between Edges in different locations IS NOT OK as per the traces we get.

    Uploaded: the traces and evidence from the WAN port of Edge 1 and Edge5. We see the same problem in both.

    We see the RESET ACK after the TLS "client hello" packet.

    Thanks in advance.



    ------------------------------
    David Fradejas Tomás
    Sabio Ibérica, S.A.
    ------------------------------



  • 9.  RE: Intra-edge communication

    GENESYS
    Posted 11-13-2023 11:05

    For "Direct" communication between Core sites, SIP-TLS over tcp/8063 and SRTP over ephemeral media ports (16384+) is used.  Note that since the release of Hybrid Media configurations (those that allow adding Cloud Media and Premise Media within the same org) you can also select different peering types between premise Core sites using Site Link configuration (Direct, Indirect, and Cloud Proxy).  https://help.mypurecloud.com/faqs/what-are-site-links/.  I assume for this model you want to use Direct connections on Site Links using SIP-TLS using tcp/8063.

    In the screenshot I see the 10.154.6.195 "154" Edge reaching out to the 10.26.6.195 "26" Edge on tcp/8063 and the connection appears to at least be open and we see sending and receiving packets confirming communication -- however there is a reset immediately following the attempt to negotiate the TLS handshake.  Similar is seen when the "26" Edge attempts the same to the "154" Edge.  I can't deduce much more because I can't see the details of the "Client Hello" - I would suggest comparing the messages sent from each Edge to see if they are each attempting a compatible handshake (same TLS version, compatible ciphers, etc).  

    I would definitely be curious if any level of Hybrid Media is enabled, ensure both Edges are in the same Edge Group, ensure the expected Edge interfaces are selected for your interlinks, ensure the Sites have the Direct Site Interconnect selected.  Your issue does not appear to be firewall related at this point.



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 10.  RE: Intra-edge communication

    Posted 11-13-2023 11:29

    Hi Phil,

    Thank you very much for your quick response.
    I have my doubts that it is not a firewall problem, because I don't see the "Client Hello" packet reaching the other server.



    ------------------------------
    David Fradejas Tomás
    Sabio Ibérica, S.A.
    ------------------------------



  • 11.  RE: Intra-edge communication

    GENESYS
    Posted 11-13-2023 11:56

    I assumed those images were of two captures, one from each site -- I overlooked that each one only shows the egress Client Hellos and not the ingress of either.



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 12.  RE: Intra-edge communication

    Posted 11-13-2023 12:00
    So it seems to be firewall related, isn't it??? Thanks in advance

     
    David Fradejas
    Genesys Consultant

     
     





  • 13.  RE: Intra-edge communication

    GENESYS
    Posted 11-13-2023 12:13
    Yes, it does not look like an issue with the "ACL" as the basic TCP communication is shown to get through - but it looks like something is explicitly dropping the TLS handshake attempts.  It is possible that the firewall or other device is set up to inspect TLS connections and it is causing those to get dropped.  I added markings to highlight the connection and missing TLS packet; your network engineers should review this...


    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------
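
The two-sided capture comparison that posts 10 to 13 arrive at, as an added example that is not part of the thread and not Genesys tooling: it classifies a failed tcp/8063 attempt by checking whether the Client Hello seen leaving one Edge ever appears in the capture taken at the other. The `Pkt` record, the result labels and the sample packets are assumptions constructed for illustration; the sample reuses the two in-service Edge addresses from post 8.

```python
from collections import namedtuple

# One captured TCP segment; flags is a set such as {"SYN"} or {"RST", "ACK"}.
Pkt = namedtuple("Pkt", "src dst sport dport flags payload")
SIP_TLS_PORT = 8063  # inter-Edge SIP-TLS port named in the thread

def handshake_type(payload):
    """TLS handshake message type (1=ClientHello, 2=ServerHello), else None."""
    # Record header: content type (0x16 = handshake), version (2 bytes),
    # length (2 bytes), then the handshake message whose first byte is its type.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03:
        return payload[5]
    return None

def diagnose(client_cap, server_cap, client, server, port=SIP_TLS_PORT):
    """Classify a failed TLS attempt from captures taken at both endpoints."""
    def to_srv(p):
        return (p.src, p.dst, p.dport) == (client, server, port)
    def from_srv(p):
        return (p.src, p.dst, p.sport) == (server, client, port)
    def hello(cap):
        return any(to_srv(p) and handshake_type(p.payload) == 1 for p in cap)

    if not any(from_srv(p) and p.flags == {"SYN", "ACK"} for p in client_cap):
        return "tcp-blocked"              # three-way handshake never completed
    if any(from_srv(p) and handshake_type(p.payload) == 2 for p in client_cap):
        return "tls-negotiating"          # ServerHello returned; path passed the hello
    reset = any(from_srv(p) and "RST" in p.flags for p in client_cap)
    if hello(client_cap) and not hello(server_cap):
        # Sent but never arrived: a device in between consumed it.
        return "client-hello-lost-in-path" if reset else "client-hello-dropped-silently"
    if hello(client_cap) and hello(server_cap) and reset:
        return "peer-reset-handshake"     # far end refused: compare versions/ciphers
    return "inconclusive"

# Constructed sample captures (not the thread's traces); payload is a truncated ClientHello.
A, B = "10.154.6.195", "10.26.6.195"
HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00])
TCP_OPEN = [
    Pkt(A, B, 50000, 8063, {"SYN"}, b""),
    Pkt(B, A, 8063, 50000, {"SYN", "ACK"}, b""),
    Pkt(A, B, 50000, 8063, {"ACK"}, b""),
]
AT_CLIENT = TCP_OPEN + [
    Pkt(A, B, 50000, 8063, {"PSH", "ACK"}, HELLO),
    Pkt(B, A, 8063, 50000, {"RST", "ACK"}, b""),
]
AT_SERVER = list(TCP_OPEN)  # the ClientHello never shows up on the far side

if __name__ == "__main__":
    print(diagnose(AT_CLIENT, AT_SERVER, A, B))
```

A reset that carries the peer's address but follows a Client Hello the peer never received points at an inline device rather than at either Edge, which is the case the sample data models.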



  • 14.  RE: Intra-edge communication

    Posted 11-13-2023 12:22

    Thanks a lot Phil!!!!👍



    ------------------------------
    David Fradejas Tomás
    Sabio Ibérica, S.A.
    ------------------------------



  • 15.  RE: Intra-edge communication

    Posted 11-14-2023 04:33

    Hi @Phil Whitener

    Now we have all edges in service, 

    The communication between edges is via WAN port.

    As soon as we put the rest of the Edges in service, we started having problems with the provisioning.

    We started to receive HTTP 404 Not Found and HTTP 500 server errors, so the Softphone was unable to provision.

    We have some doubts regarding this:

    1) Do we need the 8088 and 8089 provisioning ports opened between intra-edges?

    2) Should the Softphone's provisioning file (.i3sipcfg) be created in ALL the Edges?

    3) How many phones per Edge could be registered simultaneously?

    Thanks in advance.



    ------------------------------
    David Fradejas Tomás
    Sabio Ibérica, S.A.
    ------------------------------



  • 16.  RE: Intra-edge communication

    GENESYS
    Posted 11-14-2023 14:29

    1.... There are a few variables including how your Phone or Phone Base is configured for "Provision Source" https://help.mypurecloud.com/articles/use-genesys-cloud-provisioning-service-phone-configuration/, in your configuration check Phone Base > Network > Provisioning > Provision Source on whether you use "From Edges within Site" or "From the Genesys Cloud provisioning service".  You can still direct provisioning requests at your Edges, but they will choose to proxy either the Phone's primary Edge assignment (tcp/8088, tcp/8089) or the cloud provisioning service.  Depending on if you have phones provision across Edges within one core site or across Core sites will depend on how this traffic is routed.  

    2....  Any Edge should accept the provisioning request but will either proxy or redirect that request to the responsible party -- either the primary or secondary assigned Edge (which can change due to Edges in service) or the cloud provisioning service.

    3....  The Edge phone service manages assigning phones (stations) with primary and secondary Edge assignments based on Site (Core Site and Branch Site) configuration.  All phones will be given Edge assignments (primary and secondary if enabled or supported by the phone type).  The phones will then try to register to one or both of their assigned Edges.  The number of phones per Edge is determined by the resources of the Edge, but I think we will give all phones requested Edge assignments even if that oversubscribes an Edge -- there are further factors, such as active calls and call rate, that may impede the Edge's ability to handle volume besides just the number of phones.



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 17.  RE: Intra-edge communication

    Posted 11-15-2023 03:06

    I haven't seen such a clear and precise answer in a long time. Thanks Phil, you rock!



    ------------------------------
    David Fradejas Tomás
    Sabio Ibérica, S.A.
    ------------------------------


