Edge server validation error - Security association encoded into the route set has not yet been fully established

  • Question

  • In a lab environment I have 4 servers:

    exchange.adrd.domain.com -  Running as DC and Exchange 2007
    ocs.adrd.domain.com - OCS Standard Edition
    ocsmediation.adrd.domain.com - OCS Mediation
    ocsedge.adrd.domain.com - OCS Edge

    The setup was working fine. This week, I decided to use an OpenSer box to integrate an Asterisk server (previously I was using Sipx). The only config change done is on OCSMediation. But when I started the Office Communicator, it started to complain about downloading the address book and limited external calling. The first thing I checked was the certificates, and they are all fine. The next item was validating the OCS. Web, A/V Conferencing and Web Components all validate fine.

    However, with Front End validation, I got:
    -------------------------------------
    Attempting to establish SIP dialog from test1@adrd.domain.com to test2@adrd.domain.com using ocs.adrd.domain.com

    Maximum hops: 3
    Received a failure SIP response: User sip:test2@adrd.domain.com @ Server ocs.adrd.domain.com
    Received a failure SIP response: [
    SIP/2.0 500 The server encountered an unexpected internal error
    FROM: "Remzi Semsettin Turer"<sip:test1@adrd.domain.com>;tag=a860efefe3d3737ea4ab;epid=epid01
    TO: <sip:test2@adrd.domain.com>;epid=epid11;tag=07CCDACEF0FA1F5D2005039482077631
    CSEQ: 13 INVITE
    CALL-ID: cc4f15a905324ce18ec1a2627e7ff90f
    VIA: SIP/2.0/TLS 10.4.21.2:1391;branch=z9hG4bKe6bd159d;ms-received-port=1391;ms-received-cid=2AC00
    CONTENT-LENGTH: 0
    AUTHENTICATION-INFO: NTLM rspauth="0100000000000000C67A4BFF286F9399", srand="E7BD6CAC", snum="3", opaque="5F03F445", qop="auth", targetname="ocs.adrd.domain.com", realm="SIP Communications Service"
    ms-diagnostics: 1;reason="Service Unavailable";source="ocs.adrd.domain.com";ErrorType="Security association encoded into the route set has not yet been fully established";HRESULT="C3E93C2F(SIPPROXY_E_UNKNOWN_USER_OR_EPID)"

    ]

    Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. Check whether the target user is a valid user and that the target user domain is trusted by the source user's pool. Check the connectivity between the source and target pools.
    Attempting to establish SIP dialog: Processing failed as one or more steps did not complete successfully
    -------------------------------------
    Similarly, on the Edge Server, validation results:
    -------------------------------------
    Attempting to establish SIP dialog from test1@adrd.domain.com to test2@adrd.domain.com using ocs.adrd.domain.com

    Maximum hops: 3
    Received a failure SIP response: User sip:test2@adrd.domain.com @ Server ocs.adrd.domain.com
    Received a failure SIP response: [
    SIP/2.0 500 The server encountered an unexpected internal error
    FROM: "test1"<sip:test1@adrd.domain.com>;tag=d66dce40cd38eda02d36;epid=epid01
    TO: <sip:test2@adrd.domain.com>;epid=epid11;tag=07CCDACEF0FA1F5D2005039482077631
    CSEQ: 7 INVITE
    CALL-ID: 77927cd1db874bf89e005093ef4e89a4
    VIA: SIP/2.0/TLS 10.4.21.5:1687;branch=z9hG4bKa8272466;ms-received-port=1687;ms-received-cid=29100
    CONTENT-LENGTH: 0
    AUTHENTICATION-INFO: NTLM rspauth="0100000000000000D563C4E36E2C6765", srand="97F8F236", snum="3", opaque="8926F38C", qop="auth", targetname="ocs.adrd.domain.com", realm="SIP Communications Service"
    ms-diagnostics: 1;reason="Service Unavailable";source="ocs.adrd.domain.com";ErrorType="Security association encoded into the route set has not yet been fully established";HRESULT="C3E93C2F(SIPPROXY_E_UNKNOWN_USER_OR_EPID)"
    -------------------------------------

    The users are valid users and they are on the same domain. All machines are in same network class (10.4.21.x), so there is connectivity issues.

    I haven't seen the "Security association encoded into the route set has not yet been fully established" error before. Does anyone know what exactly it means and how it can be resolved? I tried removing users from OCS and re-adding them; it did not help.

    Any ideas on how to fix this?

    Friday, May 2, 2008 2:17 PM
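
A triage helper for the validation output above, added here as an example and not part of the original thread: it parses the `ms-diagnostics` header of a SIP failure response into fields and compares two runs, which shows that the Front End and Edge validations report the identical error with the same `source` value. The function names are hypothetical and the sample responses are trimmed copies of the two quoted in the post.

```python
import re

# Sample input: the two failure responses quoted in the post, trimmed to three lines each.
DIAG = ('ms-diagnostics: 1;reason="Service Unavailable";source="ocs.adrd.domain.com";'
        'ErrorType="Security association encoded into the route set has not yet '
        'been fully established";HRESULT="C3E93C2F(SIPPROXY_E_UNKNOWN_USER_OR_EPID)"')
FRONT_END_RUN = "\n".join([
    "SIP/2.0 500 The server encountered an unexpected internal error",
    "VIA: SIP/2.0/TLS 10.4.21.2:1391;branch=z9hG4bKe6bd159d", DIAG])
EDGE_RUN = "\n".join([
    "SIP/2.0 500 The server encountered an unexpected internal error",
    "VIA: SIP/2.0/TLS 10.4.21.5:1687;branch=z9hG4bKa8272466", DIAG])

# name="quoted value" or name=bare-token, each introduced by ';'
_PARAM = re.compile(r';\s*([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*))')

def parse_ms_diagnostics(response):
    """Return the ms-diagnostics fields of a SIP response as a dict, or None."""
    for line in response.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name.strip().lower() == "ms-diagnostics":
            break
    else:
        return None  # response carries no ms-diagnostics header
    head = re.match(r"\s*(\d+)", value)
    if head is None:
        raise ValueError("ms-diagnostics header has no numeric error id")
    fields = {"id": int(head.group(1))}
    for key, quoted, bare in _PARAM.findall(value[head.end():]):
        fields[key.lower()] = quoted or bare.strip()
    # HRESULT is logged as HEX(SYMBOLIC_NAME); split it for searching and alerting.
    hres = re.fullmatch(r"([0-9A-Fa-f]{8})\((\w+)\)", fields.get("hresult", ""))
    if hres:
        fields["hresult_code"] = int(hres.group(1), 16)
        fields["hresult_name"] = hres.group(2)
    return fields

def same_failure(resp_a, resp_b):
    """True when both responses report the same error from the same server."""
    a, b = parse_ms_diagnostics(resp_a), parse_ms_diagnostics(resp_b)
    keys = ("id", "source", "errortype", "hresult")
    return a is not None and b is not None and all(a.get(k) == b.get(k) for k in keys)

if __name__ == "__main__":
    print(parse_ms_diagnostics(FRONT_END_RUN))
    print("same failure in both runs:", same_failure(FRONT_END_RUN, EDGE_RUN))
```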

All replies

  • I do see two issues here....

     

    Address book download error has nothing to do with the Mediation server. I assume that you would have made sure that setting is fine as per http://www.ocspedia.com/ABS/Steps.htm

     

    and "limited external calling" comes when the mediation server is not terminating properly.

    Regards,
    Ram K Ojha,
    MCTS - LCS 2005, MCTS - OCS 2007
    http://www.ocspedia.com
    http://www.itcentrics.com

     

    Saturday, May 3, 2008 2:01 PM
  • I'll double check the steps. I have already reverted the settings on mediation server as well, I'll double check there as well.

    However, what you said does not explain the error during the validation, or does it? I am yet to find an explanation to the security association error. Do you know what can cause this error?
    Saturday, May 3, 2008 2:45 PM
  •  

    IIRC OCS and Asterisk don't play well together. OCS supports SIP over TCP and Asterisk only supports SIP over UDP. You'll need something to translate in the middle. Mike Dunn over at GotSpeech has covered this but I can't seem to find the link.

     

    In looking through my links, more info from Ryan's blog here: http://blog.lithiumblue.com/2007/12/ocsasterisk-integration-update.html He tried to do an OCS/Asterisk integration and ran into some similar issues. The hack he did may work for you as well.

    Monday, May 5, 2008 10:47 PM
  • Thanks for the insight, Alex. Yes, you are right about OCS using TCP while Asterisk uses UDP (Asterisk 1.6, which is about to be released, actually supports TCP and UDP). If you read my original post, I already used Sipx, similar to Ryan, and was trying to use OpenSer. But I don't think the validation error I am receiving is related to this. Do you know what the error message I am receiving means?
    Tuesday, May 6, 2008 2:12 AM
  • Did you ever get this resolved? I'm getting the same "Security association encoded into the route set" error between my two pools -- no media server is implemented and I'm not using an Asterisk server. I'm coming up empty.

    Thursday, August 7, 2008 2:04 PM
  • Nope, still no luck on this end.
    Monday, August 11, 2008 11:27 PM
  • Hi

    Sorry for reviving the post, but I'm having the same issue. Does anyone know how to solve it?

    Thanks
    Monday, June 1, 2009 3:07 PM