Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here


P-Av-Transport and Remote Host is Not Trusted.

P-Av-Transport and Remote Host is Not Trusted.

P-Av-Transport and Remote Host is Not Trusted.

thread690-1746822: Remote Host Not Trusted
When using traceSM, and having enabled the option to display Call Processing, administrators frequently see the message Remote Host is Not Trusted.

The message is not unique to any type of SIP Request, meaning it is observed after INVITE, SUBSCRIBE, REGISTER, etc.

Digging into the ASM Call Processing message provides this explanation: "The remote host is not trusted. This could indicate P-AV-Transport header does not contain th."

This is behavior is expected & desirable, and (usually) does not indicate a problem.

To state the obvious, this message indicates the SIP request came from a User Agent that ASM does not trust.

SIP Requests from a SIP Entity across a Entity Link that is flagged (by default) as "trusted" never experience this. Similarly, requests sent to a SIP telephone are trusted (presumably because ASM trusts itself?)

For security reasons, ASM does not trust any request that comes from a SIP endpoints.

Notice that the request was rejected with a 407 Proxy Authentication Required. Within that rejection, ASM provides the information the untrusted UA needs to properly resubmit the request. See the header: www-Authenticate and Proxy-Authenticate

The SIP telephone will repeat the SIP request, this time including the the phone's credentials, namely its extension number (e.g. 1001@training.com) and its password (e.g. 123456) but in an encrypted format. See the header: Proxy-Authentication

Assuming the credential are valid this repeated request will be accepted by ASM and processed.

Geeky Detail
Built into Aura Session Manager (ASM) is the security module (SM-100) (sometime referred to as the "Asset"). The SM-100 is responsible for: 1) decrypting TLS packets into TCP for hand off to the ASM's Application Server module (and vice versa for outgoing packets), 2) providing a firewall to protect ASM, and 3) validating communication.

If the SM-100 validates the communication, it injects the header P-AV-Transport header into the request, and includes the parameter "th" that means the request is from a "Trusted Host." Then the SM-100 forwards the request off to the Application Server module within ASM.

Troubleshooting Detail
The SM-100 will not validate the communication from a SIP Entity (e.g. CM or SBC) if there is a mis-match between the configured transport protocol (TLS/TCP/UDP) on the Entity Link versus what is actually received.

RE: P-Av-Transport and Remote Host is Not Trusted.

I've always wondered what that meant. Thanks for sharing.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close