Mark Holloway

The Acme Packet SBC has an optional parameter that may be added under sip-config that allows the SBC to gracefully handle traffic in the event the SBC’s main processor reaches a certain threshold. There are several reasons as to why this may occur, but at the most basic level it’s a good idea to draw a line in the sand and define at what point to you want to start gracefully rejecting calls if the CPU reaches a certain threshold. Every SIP appliance should have this option but unfortunately most do not.

What separates the Acme Packet SBC from others is that when this threshold is reached the SBC will reply with a SIP 503 Service Unavailable message which tells the originator to try an alternate destination.  In most other SIP appliances once the CPU threshold reaches a certain point the traffic is disrupted by means of calls dropping, loss of RTP (if media is flowing through), or registrations becoming corrupted.

It is worth mentioning that the purpose of setting the load-limit is to avoid an unforeseen event that would cause any network device to experience excessive utilization and effect production traffic.  This is not a replacement for proper SROP (SIP Registration Overload Protection) and DDoS (Distributed Denial of Service) configuration on the SBC.  With the proper SROP and DDoS settings you are ensuring the Acme Packet SBC is running optimally and protecting your network while gracefully shedding unwanted or dangerous traffic.

The following is a shortened output of my sip-config with no options applied.  Adding the load-limit option is a matter of entering the following command.

At this point the Acme Packet SBC will gracefully reject incoming calls if the CPU reaches or exceeds 90%. Of course this value may be set higher or lower.  More than likely more options will be applied in your sip-config. If you follow the same process to add another option it will overwrite the option that already exists.  Prepending the + symbol in front of the option will add it in addition to any existing options.

In this example the load-limit is the first configured option. In addition, the max-udp-length is going to be set to 0 which allows the SBC to fragment UDP packets. Otherwise the maximum size a UDP packet may be is 1500 bytes before having to use SIP TCP.  Setting this in sip-config applies globally on the SBC but it is possible to configure this on a per sip-interface basis if desired.  The last option is reg-cache-mode=none which tells the SBC to retain the userinfo (post NAT) in the Contact. In most environments (such as Broadsoft BroadWorks) none is the value to use. This is also required when configuring SIP Registration Overload Protection (this will be a separate blog post in the near future).

Based on applying the load-limit to the sip-config this provides one additional line of defense that safeguards your platform from suffering a total outage. There have been many occasions noted in the past where other platforms do not employee this method and the end result is a complete and total network outage.  Once the outage starts it becomes very difficult to recover because endpoints will begin retransmitting. Using this feature in combination with alarm-thresholds plus the appropriate SROP and DDoS settings, there is always awareness of what’s occurring on the network while at the same time gracefully handling any overflow.

SIP TLS (Transport Layer Security) is used to encrypt SIP signaling between SIP endpoints.  In order for this to function properly it is required that certain devices in the network import an SSL certificate.  Before importing the certificate into a device such as an Acme Packet SBC it is important to know if the certificate is from a CA (Certificate Authority) or perhaps self-generated in which case it would be considered a non-CA certificate.  Occasionally users have indicated the certificate is from a CA when in fact it is not.  This may generate an error if importing a non-CA certificate as a CA certificate.  Below is a quick procedure to verify the certificate using Mac OS X (or Linux).

$ openssl verify -verbose CertFile.crt
server.crt: OK

If the output is anything other than server.crt: OK then the provided certificate is not from a valid Certificate Authority.  For example:

$ openssl verify -verbose CertFile.crt
CallManagerAug22.crt: /CN=TESTCCM/OU=CISCOMCS7800/O=FPI/L=MANILA/ST=MAKATI/C=PH
error 18 at 0 depth lookup:self signed certificate
OK

Another alternative to verify a certificate is using Mac OS X’s Keychain Access application. Simply import the certificate and you will see something like this:

If using a CA based certificate here are the steps to generate a certificate request and load the certificate on the Acme Packet SBC

PHOENIX# configure terminal
PHOENIX(configure)# security
PHOENIX(security)# certificate-record

PHOENIX# generate-certificate-request markholloway

Generating Certificate Signing Request. This can take several
minutes…
—–BEGIN CERTIFICATE REQUEST—–
MIIDHzCCAoigAwIBAgIIAhMCUACEAHEwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4w
DAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBB
dXRob3JpdHkwHhcNMDUwNDEzMjEzNzQzWhcNMDgwNDEyMjEzNzQzWjBUMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTUExEzARBgNVBAcTCkJ1cmxpbmd0b24xFDASBgNV
BAoTC0VuZ2luZWVyaW5nMQ0wCwYDVQQDEwRhY21lMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCXjIeOyFKAUB3rKkKK/+59LT+rlGuW7Lgc1V6+hfTSr0co+ZsQ
bHFUWAA15qXUUBTLJG13QN5VfG96f7gGAbWayfOS9Uymold3JPCUDoGgb2E7m8iu
vtq7gwjSeKNXAw/y7yWy/c04FmUD2U0pZX0CNIR3Mns5OAxQmq0bNYDhawIDAQAB
o4HdMIHaMBEGA1UdEQQKMAiCBnBrdW1hcjAJBgNVHRMEAjAAMB0GA1UdDgQWBBTG
tpodxa6Kmmn04L3Kg62t8BZJHTCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU
2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
ETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lw
aXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZIhvcNAQEFBQAD
gYEAbEs8nUCi+cA2hC/lM49Sitvh8QmpL81KONApsoC4Em24L+DZwz3uInoWjbjJ
QhefcUfteNYkbuMH7LAK0hnDPvW+St4rQGVK6LJhZj7/yeLXmYWIPUY3Ux4OGVrd
2UgV/B2SOqH9Nf+FQ+mNZOlL7EuF4IxSz9/69LuYlXqKsG4=
—–END CERTIFICATE REQUEST—–;

PHOENIX# save-config
PHOENIX# activate-config

Once the certificate is received by the CA it needs to be imported on the Acme Packet SBC

PHOENIX# import-certificate [try-all|pkcs7|x509] [cert-file-name]

PHOENIX# import-certificate try-all markholloway

Please enter the certificate in the PEM format.
Terminate the certificate with “;” to exit…….
—–BEGIN CERTIFICATE—–
MIIDHzCCAoigAwIBAgIIAhMCUACEAHEwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4w
DAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBB
dXRob3JpdHkwHhcNMDUwNDEzMjEzNzQzWhcNMDgwNDEyMjEzNzQzWjBUMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTUExEzARBgNVBAcTCkJ1cmxpbmd0b24xFDASBgNV
BAoTC0VuZ2luZWVyaW5nMQ0wCwYDVQQDEwRhY21lMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCXjIeOyFKAUB3rKkKK/+59LT+rlGuW7Lgc1V6+hfTSr0co+ZsQ
bHFUWAA15qXUUBTLJG13QN5VfG96f7gGAbWayfOS9Uymold3JPCUDoGgb2E7m8iu
vtq7gwjSeKNXAw/y7yWy/c04FmUD2U0pZX0CNIR3Mns5OAxQmq0bNYDhawIDAQAB
o4HdMIHaMBEGA1UdEQQKMAiCBnBrdW1hcjAJBgNVHRMEAjAAMB0GA1UdDgQWBBTG
tpodxa6Kmmn04L3Kg62t8BZJHTCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU
2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
ETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lw
aXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDQYJKoZIhvcNAQEFBQAD
gYEAbEs8nUCi+cA2hC/lM49Sitvh8QmpL81KONApsoC4Em24L+DZwz3uInoWjbjJ
QhefcUfteNYkbuMH7LAK0hnDPvW+St4rQGVK6LJhZj7/yeLXmYWIPUY3Ux4OGVrd
2UgV/B2SOqH9Nf+FQ+mNZOlL7EuF4IxSz9/69LuYlXqKsG4=
—–END CERTIFICATE—–;

PHOENIX# save-config
PHOENIX# activate-config

From here there are quite a number of steps to perform in order to support SIP TLS and sRTP. The following example shows how to create a TLS profile for encrypted SIP signaling.

PHOENIX# config t
PHOENIX(configure)# security
PHOENIX(security)# tls-profile

Enter a name for the profile, name of the trust CA certificate record, and the tls-version (TLSv1 or SSLv3)

PHOENIX(tls-profile)# exit
PHOENIX(security)# exit

Now apply the TLS profile to the sip-interface that will be used.

PHOENIX(configure)# session-router
PHOENIX(session-router)# sip-interface
PHOENIX(sip-interface)# select

<SIP INTERFACE>

PHOENIX(session-interface)# sip-ports
PHOENIX(sip-port)# <ENTER>
PHOENIX(sip-interface)# transport-protocol tls
PHOENIX(sip-interface)# tls-profile <profile>

To view information about certificates loaded in the Acme Packet SBC:

PHOENIX# show security certificates [ brief | detailed ] <CERT>

certificate-record:markholloway
Certificate:
Data:
Version: 3 (0×2)
Serial Number:
04:55:32:55:50:84:45:71
Issuer:
C=US
ST=Arizona
L=Phoenix
O=sipit
OU=STCA
Subject:
C=US
ST=AZ
L=Phoenix
O=Engineering
CN=mh

Gathering metrics on a VoIP network is crucial and the Acme Packet Session Director (SBC) has a feature that comes standard with the platform called Historical Data Recording (HDR).  The purpose of HDR is to enable a set (or sets) of categories ranging from CPU and Memory utilization to SIP errors, enum statistics,  ACL status, etc., and have the SBC create CSV files which are then sent off to an external FTP/SFTP server where the data can be mined.  This provides the convenience and ability to measure network performance, plan for additional capacity before reaching a critical state, or aid in troubleshooting customer related issues.

Historical Data Recording covers a wide range of collection objects and multiple HDR groups may exist in the SBC where data may be sent to different servers or broken out by different groups. The following is a list of groups available for data collection. Each group contains dozens of element statistics that will be gathered. The element list is very long so it is not posted here, but the complete element list for each group is available in the ACLI Configuration Guide.

The place to configure HDR is system > system-config > collect

The group-settings command allows the SBC to only report on specific data rather than everything. If no group-settings are defined then the SBC automatically provides data for all elements (as shown below).

Data is being sent to 172.16.24.4 using FTP.  The server resides on the same subnet as the Management interface of the SBC. The FTP username is ossadmin since this is also the same server CDR’s are delivered to from the SBC. A folder named hdr was created in the ossadmin home directory which is the destination FTP folder for the SBC to send HDR files to. Within that directory the SBC automatically creates a new directory PHOENIX which is the hostname of the SBC.  If additional SBC’s exist on the network and they are sending to the same destination FTP hdr folder then each SBC creates its own directory based on its hostname. Within the SBC directory the SBC creates sub-directories for each of the categories the HDR send reports on.

From this point we navigate to a folder and see the CSV files that have been uploaded to the server.  The sample-interval within the system > system-config > collect menu context is set to 5 minutes and the push-interval set to 15 minutes. This means a new file is sent every 15 minutes with three sampled intervals of data in each CSV.

In this example we navigate to the space folder which tells us how much space is used and how much is available in the SBC’s localized storage.

Notice there are three sampled intervals contained in one file. This correlates to the sample-interval and push-interval mentioned earlier.

It is worth noting that HDR typically consumes less than 1% of total CPU Utilization. It also has the ability to support redundancy so files may be sent to additional FTP/SFTP servers if necessary in the event the primary FTP server is unreachable.