Thursday, 13 July 2017

How to find Unassigned Media Resource (No MRG)


To look at media resources and the allocated MRGs, use the sql query

run sql select mrg.name as mrg,d.name as resource from mediaresourcegroup mrg inner join mediaresourcegroupmember mgm on mgm.fkmediaresourcegroup=mrg.pkid   inner join device d on mgm.fkdevice=d.pkid

To filter specific site

run sql select mrg.name as mrg,d.name as resource from mediaresourcegroup mrg inner join mediaresourcegroupmember mgm on mgm.fkmediaresourcegroup=mrg.pkid   inner join device d on mgm.fkdevice=d.pkid where d.name like '%AD1%' or mrg.name like '%A01%'


Use this CLI command to find media resources in the default MRG (no assigned to any created MRG).


admin:run sql select d.name as resource from device as d full outer join mediaresourcegroupmember as mgm on mgm.fkdevice=d.pkid where and mgm.pkid is NULL
resource   
===========
AD1MTP-G711 
AD1XCODER
 

You look for specific device type such as MTP

admin:run sql select d.name as resource from device as d full outer join mediaresourcegroupmember as mgm on mgm.fkdevice=d.pkid where d.name like '%MTP%' and mgm.pkid is NULL
resource   
===========
AD1MTP-G711

Monday, 10 April 2017

Bandwidth and Storage Requirements for Voice and Screen Recording in a Contact Center

We have recently been asked by a contact center to calculate the local network bandwidth and the HDD storage needed for implementing the PhoneUP Voice and Screen Recording solution for 300 agent seats.

Imagine 300 simultaneous audio/video streams recorded 18 hours a day (the agent utilization rate is 75%) 7 days a week and then stored for 1 year. Let’s neglect the voice part as the major load on both the LAN and the HDD storage is produced by the video (screen) recording.

Well... the most used screen resolution is 1366x768 (by w3schools) which is (roughly) corresponds to 720p movie format. And as we all know the file size per hour of 720p movie is about 2Gb. With this in mind thinking about 300 video streams recorded 18x7 could make your hair stand on end. But it’s not that bad.

Let’s examine parameters which influence the size of a screen recording video and how they can be optimized in the case of agent screen recording.

1.       The codec.
PhoneUP uses H.264 and here’s the first major saving. The movie we mentioned above is whole dynamic – every part of it constantly changes throughout the film. But contact center agents usually don’t watch Youtube when talking to customers. They work with CRM instead and that means that 95% of the screen is static, the only part that changes is where the agent, say, types the customer complaint (or selects an item from the drop-down list, or pushes a button etc). So, when compressed with H.264, such “static” nature of the video makes the file size 3-4 times less.

2.       The quality.
The agent screen recording is hardly the type of video you need to be of the highest quality. If you can read what agent typed when on phone – that’s enough. In our projects the quality setting of H.264 codec is usually 0,5-0,7.

3.       The FPS (frame per second) rate.

Most movies are shot at 24 FPS, but then again, this is not the case for screen recording in a contact center. You don’t need a smooth movie of the agent screen to understand what text is entered and which button is clicked. FPS 5-7 could be enough for recording the screen with CRM.

Thursday, 15 December 2016

AnyConnect VPN DTLS vs TLS


Difference

DTLS is used for delay sensitive applications (voice and video) as its UDP based while TLS is TCP based
DTLS is supported for AnyConnect VPN not in IKEv2

How it works?

  • SSLTunnel is the TCP tunnel that is first created to the ASA
  • When it is fully established, the client will then try to negotiate a UDP DTLSTunnel
  • During DTLS negotiation, traffic will be passing over TLS tunnel
  • When the DTLSTunnel is fully established, all data now moves to the DTLStunnel and the SSLtunnel is only used for occasional control channel traffic
  • In case of failures in establishing DTLS Tunnel, traffic will continue passing over TLS tunnel
  • After establishing DTLS, in the event of failure in DTLS Tunnel, traffic will pass over TLS tunnel until DTLS tunnel is reestablished

How Data is Forwarded?

  • For each packet there is a part in AnyConnect client code which decides whether to send the packet over TLS or DTLS
  • If the DTLS tunnel is established, the code will decide to forward the packet over DTLS and start encryption
  • If the DTLS is dead, the code will decide to forward the packet over TLS and start encryption

  • The key point is the performance of DTLS tunnel
  • Since DTLS is based on UDP, it is unreliable and there is no flow control to decide its performance
  • Performance can be determined using DPD packets
    • When DPD is triggered and no response received, AnyConnect client will start forwarding packets over TLS (assuming TLS is up and DTLS is unhealthy)
    • Therefore, there is a packet drop period between DTLS failing and DPD triggering/detection. During this time, AnyConnect client will be forwarding packets over DTLS but they will be lost because DTLS is unhealthy
    • In case DTLS is established again, AnyConncect client will forward packets over DTLS
  • For receiving ASA with healthy DTLS and TLS, it will reply based on the receiving tunnel, i.e. if packets received over TLS, the response will be over TLS even if DTLS is healthy

What about Idle timeout?

  • When a DTLSTunnel is active, that is the only tunnel where idle timeout matters. Because very little control channel traffic passes over the SSLTunnel, it is almost always idle so it is exempt while there is an active DTLSTunnel. If something happened to UDP and the DTLSTunnel was torn down, then idle timeout would apply to the SSLTunnel

Configuration

DTLS is enabled by default but you can enable it or distable using CLI.

It can be enabled/disable per interface terminating AnyConnect VPN

webvpn
 enable if-name tls-only

Also, you can enable/disable DTLS at Group Policy level

webvpn
 dtls port 443
!
group-policy custom_group_policy attributes
 wins-server none
 dns-server value 10.170.7.99 10.170.7.100
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sslvpn_split_tunnel
 default-domain value shelfdrilling.com
 split-dns none
 split-tunnel-all-dns enable
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1420
  anyconnect profiles value sslvpnfromrdpprofile type user
  customization value ShelfDrilling-Customization
  always-on-vpn profile-setting

The Importance of Understanding MTU value in AnyConnect VPN


Why do we need it?

During encryption, additional overhead will be added to the packets made by new headers and features. This means that the actual size of the unencrypted TCP segment or UDP datagram which holds the application will be reduced because the MTU of the adapter is still same.

For example with Ethernet and MTU of 1500-bytes, the unencrypted TCP segment can't be more than 1460-bytes. With encryption, for Ethernet and MTU of 1500, the unencrypted TCP segment can't be more 1380 (can be different value). The 80-bytes difference are utilized by encryption overhead.

Now the value of unencrypted TCP segment can be more which leads to MTU more than 1500-bytes but this will cause the networking devices to fragment the packet which is bad and should be avoided.

AnyConnect client builds Virtual Adapter (VA) during installation on the clients machine. This VA will receive unencrypted traffic and emulates Ethernet to forward traffic after encryption. The actual traffic then goes over the physical adapter.

Therefore, we need to know what is the MTU value of the VA and what is the max allowed size of unencrypted traffic to avoid fragmentation. Later the applications need to make sure that they don't create segments and datagrams larger else they will be fragmented.

How it works?

AnyConnect VA gets its MTU value from SSL Server (ASA or IOS. We will focus more on ASA). The default value is 1406-bytes. It can be configured as follow:

group-policy custom_group_policy attributes
 webvpn
  anyconnect mtu 1420

Now the actual MTU used by the VA will be selected based on the smaller between physical NIC MTU and VA configured MTU. This is to avoid scenarios where the VA has MTU configured more than physical NIC which will trigger fragmentation.

Next we need to find out the max value of unencrypted payload. Two values will be calculated, one for TLS Tunnel and one for DTLS tunnel. This can be viewed in ASA using the command debug webvpn anyconnect 1

…… ……

Iphdr=20 base-mtu=1300 def-mtu=1500 conf-mtu=1420
tcp-mss = 1260
path-mtu = 1260(mss)
TLS Block size = 16, version = 0x301
mtu = 1260(path-mtu) - 0(opts) - 5(ssl) = 1255
mod-mtu = 1255(mtu) & 0xfff0(complement) = 1248
tls-mtu = 1248(mod-mtu) - 8(cstp) - 20(mac) - 1(pad) = 1219
DTLS Block size = 16
mtu = 1300(base-mtu) - 20(ip) - 8(udp) - 13(dtlshdr) - 16(dtlsiv) = 1243
mod-mtu = 1243(mtu) & 0xfff0(complement) = 1232
dtls-mtu = 1232(mod-mtu) - 1(cdtp) - 20(mac) - 1(pad) = 1210
computed tls-mtu=1219 dtls-mtu=1210 conf-mtu=1420
DTLS enabled for intf=2 (CORP)
tls-mtu=1219 dtls-mtu=1210

…… ……

Let's examine the debugs

Iphdr=20 base-mtu=1300 def-mtu=1500 conf-mtu=1420

!!!... Iphdr is 20 bytes, Physical NIC MTU is 1300, configured MTU value for AnyConnect VA is 1420. Conclusion, Physical NIC MTU is used for VA.

!!!... Now will start TLS Tunnel calculations

tcp-mss = 1260
path-mtu = 1260(mss)

!!!... Since TLS is TCP based, the TLS payload size is MTU - 40. 40-bytes is 20-bytes IP Header + 20-bytes TCP Header

TLS Block size = 16, version = 0x301
mtu = 1260(path-mtu) - 0(opts) - 5(ssl) = 1255
mod-mtu = 1255(mtu) & 0xfff0(complement) = 1248
tls-mtu = 1248(mod-mtu) - 8(cstp) - 20(mac) - 1(pad) = 1219

!!!... Subtracting headers (5-bytes ssl header, 1-byte padding, 8-bytes Cisco SSL Tunneling Protocol (CSTP) header, 20-bytes MAC), we will get the size of unencrypted payload. This will be communicated back from ASA to AnyConnect client so that applications shouldn't cross this value else fragmentation will be triggered

!!!... Note: ANDing MSS value will complement 0xfff0 is to make sure that MSS value is power of 2

!!!... Now will start DTLS MTU calculations

DTLS Block size = 16
mtu = 1300(base-mtu) - 20(ip) - 8(udp) - 13(dtlshdr) - 16(dtlsiv) = 1243
mod-mtu = 1243(mtu) & 0xfff0(complement) = 1232
dtls-mtu = 1232(mod-mtu) - 1(cdtp) - 20(mac) - 1(pad) = 1210

!!!... Subtracting headers (20-bytes IP header, 8-bytes UDP header, 13-bytes DTLS header, 8- or 16- bytes for encryption [depending DES or AES], 1-byte Cisco DTLS Tunneling Protocol [CDTP] header, 20-bytes MAC, 1-byte pad), we will get the size of unencrypted payload. This will be communicated back from ASA to AnyConnect client so that applications shouldn't cross this value else fragmentation will be triggered

computed tls-mtu=1219 dtls-mtu=1210 conf-mtu=1420
DTLS enabled for intf=2 (CORP)
tls-mtu=1219 dtls-mtu=1210

Message Authentication Code (MAC)
A Message Authentication Code is a one-way hash computed from a message and some secret data.  It is difficult to forge without knowing the secret data.  Its purpose is to detect if the message has been altered.

Thursday, 3 November 2016

QoS Enhacements in CUCM 11.X

  • These were added in CUCM v11
  • The main enhancements are:
    • Separating UDP Port Ranges for Audio and Video
    • Separating DSCP Markings for Audio and Video streams in Video Calls
      • You can have separate markings for audio in Telepresence video call than Fixed video call
  • Navigate to Device > Device Settings > SIP Profile.
  • Current endpoints which support this enhancement (03/11/2016)
Video Endpoint
DSCP for Audio Portion of Video Calls
DSCP for Audio Portion of TelePresence Calls
8800 Series
Yes
N/A
8900 Series
No
N/A
9900 Series
No
N/A
Jabber
Yes (Jabber for Windows uses Group Policy Objects to mark traffic on the PC else DSCP will be set to '0'. All other Jabber clients are able to mark DSCP natively)
No
DX Series
Yes
Yes
TX Series
N/A
Yes
IX Series
N/A
No
CE 8.x Software Series (SX Series, MX Series G2, MX700, MX800)
N/A
Yes
TC 7.1.4 Software Series (C Series, Profile Series, EX Series, MX Series G1)
N/A
Yes
EX Series (TC Software)
N/A
Yes

  • Restrictions
    • These features are supported on SIP endpoints Only
    • For Jabber Softphones, only separate UDP ports can be used. This is because Windows OS doesn’t allow DSCP markings natively (can be fixed by registry tweak or using GPO)
    • Prior to this feature, Jabber Client will divide the RTP Port Range received in TFTP File into two splits. Lower half will be used for audio and upper half will be used for video

Enable DSCP Markings on Windows OS (7, 8, 10)

By default windows OS will set DSCP markings to '0' ignoring the marking settings on the client. This can be good and bad.

A good scenario is to make sure that torrent clients aren't getting priority (while ideally your enterprise network qos policies should overcome this problem as well)

A bad scenario is overriding DSCP markings from Jabber Client which marks packets genuinely  for seperating audio and video streams treatment.

While you can still overcome the problem of Jabber Client using network QoS policies, you can allow QoS marking on windows OS as follow:

1. Go to HKLM\System\CurrentControlSet\Services\Tcpip\QoS. If "QoS" folder doesn't exist there - create it.
2. Add a DWORD parameter named "Do not use NLA" and assign "1" as its value.
3. Reboot.



Tuesday, 1 November 2016

Notes on Self-Service ID


  • The Self-Service User ID is generate automatically once the primary extension is assigned to the End User
    • The Primary extension can be assigned manually, using LDAP or using BAT
    • For LDAP Self-Service IDs it will be generated during the 1st LDAP sync (not on LDAP update)
  • Self-Service ID will be generated only if the user doesn't have one
  • For upgrades from Pre-10.x to 10.x, Self-Service ID will be generated for users with Primary Extensions
  • When same DN is assigned to multiple partitions and to multiple users as primary extension, Self-Service ID will be made unique by prefixing a code of *01, *02, etc
  • You can change the Self-Service ID, manually from End User configuration page