Troubleshooting SIP trunks and voice traffic requires being able to view traffic at many different points along the path. Two of the main points at which to view and validate traffic are the inside and the outside of the voice gateway or Session Border Controller (SBC).
Typically, we are troubleshooting traffic on the outside of the voice gateway, and we usually set up a SPAN port on the switch that the SBC is connected to. Many times this is unavailable or difficult because of the remote location of the SBC, so being able to capture packets on the voice gateway itself is useful.
To start capturing on the Mediant 1000B, you will need web access and command-line access to the device. If SSH/Telnet access is not set up, go to the Administration tab (top tab) > Web & CLI > CLI Settings (left-hand sidebar). Ensure that “Enable SSH Server” is set to “Enable”. The screenshot below is from a Mediant 1000B running the 7.2 code.
Hit the “Apply” button at the bottom.
You should then be able to SSH into the voice gateway.
Next, we need to verify the VLAN that the WAN, or outside link, is attached to. To do this, go to the “IP Network” tab. Then, in the left-hand menu, go to Core Entities > IP Interfaces. Highlight the interface you want to capture on. Further down the page, you should see “Ethernet Device” with a “View” link next to it. Click that “View” link.
This will bring you to the “Ethernet Devices” page, where you can see the VLAN ID. In my example, it is 3.
Now, armed with the VLAN ID of 3, we can SSH into the voice gateway and run the debug command. After you SSH into the voice gateway (typically via the inside interface), go to “Enable” mode (the default password of “Admin” is required and cannot be changed). In “Enable” mode, use the command:
- debug capture voip interface vlan <VLAN-ID> proto all host <Remote-System-IP>
Since we know that the VLAN ID is 3, I will run with my temporary firewall IP.
- debug capture voip interface vlan 3 proto all host 65.113.254
I ran a test telnet (port 5060) to the outside of the SBC just to validate that TCP traffic was getting to the SIP port, and it worked. Below is the output from my test. I can now see the traffic even if it doesn’t show up on the syslog view.
Welcome to AudioCodes CLI
Admin@10.292.199.10’s password:
Last login: Mon Sep 16 2019 at 09:59:25
Mediant 1000> en
Password:
Mediant 1000# debug capture voip interface vlan 3 proto all host 65.222.8.199
10:33:01.168252 b4:fb:e4:29:ef:53 > 00:90:8f:ac:2b:40, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 32465, offset 0, flags [DF], proto: TCP (6), length: 52) 65.222.8.199.56750 > 65.113.8.240.5060: S, cksum 0xeaa6 (correct), 2993367995:2993367995(0) win 8192
10:33:01.168580 00:90:8f:ac:2b:40 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 65.222.8.199 tell 65.113.8.240
10:33:01.168760 b4:fb:e4:29:ef:53 > 00:90:8f:ac:2b:40, ethertype ARP (0x0806), length 60: arp reply 65.222.8.199 is-at b4:fb:e4:29:ef:53
10:33:01.168803 00:90:8f:ac:2b:40 > b4:fb:e4:29:ef:53, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 65.113.8.240.5060 > 65.222.8.199.56750: R, cksum 0x4b66 (correct), 0:0(0) ack 2993367996 win 0
10:33:01.667472 b4:fb:e4:29:ef:53 > 00:90:8f:ac:2b:40, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 32466, offset 0, flags [DF], proto: TCP (6), length: 52) 65.222.8.199.56750 > 65.113.8.240.5060: S, cksum 0xeaa6 (correct), 2993367995:2993367995(0) win 8192
10:33:01.667555 00:90:8f:ac:2b:40 > b4:fb:e4:29:ef:53, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 65.113.8.240.5060 > 65.222.8.199.56750: R, cksum 0x4b66 (correct), 0:0(0) ack 1 win 0
10:33:02.168563 b4:fb:e4:29:ef:53 > 00:90:8f:ac:2b:40, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 32467, offset 0, flags [DF], proto: TCP (6), length: 48) 65.222.8.199.56750 > 65.113.8.240.5060: S, cksum 0xfeb5 (correct), 2993367995:2993367995(0) win 8192
10:33:02.168637 00:90:8f:ac:2b:40 > b4:fb:e4:29:ef:53, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 65.113.8.240.5060 > 65.222.8.199.56750: R, cksum 0x4b66 (correct), 0:0(0) ack 1 win 0
10:33:06.674543 b4:fb:e4:29:ef:53 > 00:90:8f:ac:2b:40, ethertype ARP (0x0806), length 60: arp wh
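To read a capture like the one above at a glance, the following added example (not part of the original post) parses the tcpdump-style lines and reports, per client, how the gateway answered each TCP SYN to port 5060. The function names are illustrative, and the sample lines are taken from the output above with the terminal's wrap spaces rejoined.

```python
import re
from collections import defaultdict

# Lines from the capture above, with the terminal's 80-column wrap spaces rejoined.
SAMPLE = """\
10:33:01.168252 b4:fb:e4:29:ef:53 > 00:90:8f:ac:2b:40, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 32465, offset 0, flags [DF], proto: TCP (6), length: 52) 65.222.8.199.56750 > 65.113.8.240.5060: S, cksum 0xeaa6 (correct), 2993367995:2993367995(0) win 8192
10:33:01.168580 00:90:8f:ac:2b:40 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 65.222.8.199 tell 65.113.8.240
10:33:01.168803 00:90:8f:ac:2b:40 > b4:fb:e4:29:ef:53, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 65.113.8.240.5060 > 65.222.8.199.56750: R, cksum 0x4b66 (correct), 0:0(0) ack 2993367996 win 0
10:33:01.667472 b4:fb:e4:29:ef:53 > 00:90:8f:ac:2b:40, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 32466, offset 0, flags [DF], proto: TCP (6), length: 52) 65.222.8.199.56750 > 65.113.8.240.5060: S, cksum 0xeaa6 (correct), 2993367995:2993367995(0) win 8192
10:33:01.667555 00:90:8f:ac:2b:40 > b4:fb:e4:29:ef:53, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 65.113.8.240.5060 > 65.222.8.199.56750: R, cksum 0x4b66 (correct), 0:0(0) ack 1 win 0
"""

# Verbose tcpdump-style line: "<time> ... ) <src>.<sport> > <dst>.<dport>: <flags>, ..."
PKT = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ .*\) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFPRWE.]+),(?P<rest>.*)$"
)

def summarize(text, port=5060):
    """Count SYN / SYN-ACK / RST per client->server flow for TCP `port`."""
    flows = defaultdict(lambda: {"syn": 0, "syn_ack": 0, "rst": 0})
    for line in text.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue  # ARP and other lines without a TCP flag field
        src = f'{m["src"]}:{m["sport"]}'
        dst = f'{m["dst"]}:{m["dport"]}'
        flags, has_ack = m["flags"], " ack " in m["rest"]
        if m["dport"] == str(port) and "S" in flags and not has_ack:
            flows[(src, dst)]["syn"] += 1        # client opening a connection
        elif m["sport"] == str(port) and "S" in flags and has_ack:
            flows[(dst, src)]["syn_ack"] += 1    # listener accepted
        elif m["sport"] == str(port) and "R" in flags:
            flows[(dst, src)]["rst"] += 1        # gateway reset the attempt
    return dict(flows)

def verdict(counts):
    """Turn the counters for one flow into a one-line finding."""
    if counts["syn_ack"]:
        return "listener answered (SYN-ACK)"
    if counts["rst"]:
        return "SYN reached the gateway, connection was reset (RST)"
    if counts["syn"]:
        return "SYN seen, no reply captured"
    return "no connection attempt seen"

if __name__ == "__main__":
    for (client, server), counts in summarize(SAMPLE).items():
        print(f"{client} -> {server}: {counts} => {verdict(counts)}")
```

Paste the capture output into `SAMPLE` (or read it from a saved session log) and pass a different `port` to check another listener.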
Jason Howe, PEI