An Azure communication platform for deploying applications across devices and platforms.
ACS Direct Routing SBC Status Stuck on "Unknown"
Session Border Controller (SBC) registered in Azure Communication Services (ACS) Direct Routing remains in "Unknown" status (Status / TLS Status / Ping all show Unknown) despite the SBC (anynode) successfully completing TCP and TLS handshakes with the ACS signaling hub. No SIP response is observed at the application layer, though raw packet captures show bidirectional data exchange and clean connection closure.
How can we investigate and troubleshoot this further ?
Regards,
Chris
Azure Communication Services
-
Venkatesan S • 9,575 Reputation points • Microsoft External Staff • Moderator
2026-07-01T17:38:38.3766667+00:00 Hi @Support Engineer .
Thanks for reaching out in Microsoft Q&A forum,
From the information you've shared, we can see that the TCP connection and TLS handshake between your Session Border Controller (AnyNode) and Azure Communication Services (ACS) are completing successfully. However, because the SBC remains in an Unknown state and no SIP OPTIONS or other SIP signaling is observed after the TLS session is established, this may indicate that the SIP OPTIONS health check required for Direct Routing is not completing successfully. In other words, transport-level connectivity appears to be working, but Direct Routing is not progressing to normal SIP communication.
We recommend reviewing the following configuration and connectivity points:
- Verify that the SBC FQDN configured in ACS exactly matches the FQDN in the SBC’s TLS certificate (in the CN or SAN entries).
- Confirm that the domain associated with the SBC FQDN is verified in the Microsoft Entra ID tenant linked to your ACS resource.
- Ensure the certificate chain is complete and valid, and that it is issued by a public Certificate Authority trusted by Microsoft.
- Verify that the listening port configured in ACS is the same port on which the SBC is actually listening for TLS (for example, 5061).
- Confirm that the SBC is configured to use TLS 1.2 with supported cipher suites for ACS Direct Routing.
- Make sure the SBC FQDN is not already associated with another ACS or Microsoft Teams Direct Routing deployment, as each deployment requires a unique FQDN binding.
- Check that no firewall, NAT device, SIP ALG, or TLS inspection is modifying or blocking the encrypted SIP traffic between ACS and the SBC.
Because the SBC status in ACS is determined by successful SIP OPTIONS exchanges, it is important to confirm whether those messages are actually flowing after TLS is established. We recommend:
- Capturing simultaneous network traces (PCAPs) on the SBC and any intermediate firewall or network device to see:
- Whether ACS is sending SIP OPTIONS requests to the SBC after the TLS handshake.
- Whether the SBC is returning a valid 200 OK (or other appropriate SIP response).
- If no SIP messages are visible after TLS is established, please review the AnyNode SIP/TLS diagnostic logs to verify that:
- The inbound TLS connection is correctly mapped to the intended Direct Routing profile / trunk.
- SIP messages from ACS, if present, are being parsed at the application layer and not treated as generic TCP only.
Reference:
- Use direct routing to connect existing telephony service | Microsoft Learn
- Azure direct routing known limitations - Azure Communication Services | Microsoft Learn
- Azure Communication Services direct routing: SIP protocol details | Microsoft Learn
Kindly let us know if the above helps or you need further assistance on this issue.
Please “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
-
Support Engineer • 0 Reputation points
2026-07-01T18:03:59.5733333+00:00 Hi @Venkatesan S thank you for your response.
We have positively confirmed all connectivity points you raised.
Our additional observations as follows:
TLS-level trace (anynode Trace Analyzer, INS_TLS_CHANNEL stream)
A successful TLS session was captured:
insTlsHandshakeSucceeded: true [ins__TlsChannelImpHandshakeValidate()] certificate validation succeeded [ins__TlsChannelImpSend()] byteCount: 508 [ins__TlsChannelImpOpensslRun()] TCP channel closedi.e., TLS completes, ~508 bytes are sent, then the channel closes — with no corresponding SIP response logged by anynode's SIP transaction layer.
Decrypted/analyzed packet capture — TLS handshake completes with full mutual authentication (NEW, strongest evidence)
A packet capture covering three separate connection attempts to three different ACS/Direct Routing frontend IPs (
52.114.132.46,52.114.75.24,52.114.32.169) was analyzed withtshark. All three connections show an identical pattern:- TCP three-way handshake completes normally.
- Full TLS 1.2 handshake completes, including mutual TLS authentication:
- Microsoft's server explicitly sends a Certificate Request (confirmed in one capture where Server Hello/Certificate/Server Key Exchange/Certificate Request/Server Hello Done are all visible before the client responds).
- anynode responds with Certificate, Client Key Exchange, Certificate Verify,
Change Cipher Spec, Encrypted Handshake Message — i.e. it presents its full
client certificate chain (
CN=*.OUR_DOMAIN→CN=Sectigo Public Server Authentication CA DV R36→CN=Sectigo Public Server Authentication Root R46). - Microsoft's server responds with
Change Cipher Spec, Encrypted Handshake Message— i.e. it accepts the handshake and the client certificate. - Zero TLS alert records appear anywhere in the capture.
- anynode sends exactly one Application Data record (~660–662 bytes — consistent with an encrypted SIP OPTIONS request) immediately after the handshake completes.
- Microsoft's server sends a FIN within 14–237 ms of receiving that Application Data record. No Application Data is ever sent back from Microsoft's side in any of the three connections. Timeline example (connection to 52.114.75.24):
t=9.222371 Microsoft → anynode: Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message t=9.237554 anynode → Microsoft: Change Cipher Spec, Encrypted Handshake Message t=9.241977 anynode → Microsoft: Application Data (660 bytes) <-- encrypted OPTIONS t=9.256276 anynode → Microsoft: FIN, ACK t=9.256662 Microsoft → anynode: FIN, ACK <-- connection closes ~15ms after OPTIONS sent, no response data ever receivedConclusion: this rules out TLS/certificate trust as the cause. The mutual TLS handshake — including client certificate presentation and validation — succeeds cleanly and consistently against at least three different Microsoft Direct Routing frontend IPs. The connection is being closed by Microsoft's side immediately after receiving the encrypted OPTIONS payload, with no SIP-layer response and no TLS-layer error. This points to either (a) a provisioning gap where Microsoft's SIP routing layer does not yet recognize this SBC/domain as active even though the TLS edge accepts the connection, or (b) silent rejection of the decrypted SIP content rather than a proper SIP error response.
Raw packet capture (tcpdump on anynode host, port 5061 to 52.114.75.24)
Captured a complete, clean TCP exchange for multiple connection attempts, e.g.:
11:21:16.402904 IP OUR_IP.12601 > 52.114.75.24.5061: Flags [S] ... 11:21:16.419566 IP 52.114.75.24.5061 > OUR_IP.12601: Flags [S.] ... 11:21:16.419939 IP ...12601 > ...5061: Flags [.], ack 1 ... 11:21:16.434299 IP ...12601 > ...5061: Flags [P.], seq 1:518 ... length 517 11:21:16.434299 IP 52.114.75.24.5061 > ...12601: Flags [.], seq 1:2697 ... length 2696 11:21:16.434299 IP 52.114.75.24.5061 > ...12601: Flags [P.], seq 4045:4534 ... length 489 ... (further PSH/ACK data exchange in both directions) ... 11:21:16.504885 IP 52.114.75.24.5061 > ...12601: Flags [F.] ... 11:21:16.505036 IP ...12601 > ...5061: Flags [F.] ... 11:21:16.517989 IP 52.114.75.24.5061 > ...12601: Flags [.], ack ...Both TCP handshake and connection teardown (FIN/FIN/ACK) complete cleanly with data exchanged both directions — i.e., this is not a network/firewall-level block or a TCP RST rejection. The ACS-side IP (52.114.75.24) is actively participating in a full TLS session and returning meaningful amounts of data (2000+ bytes in some packets) — consistent with at least a TLS handshake and possibly more, yet anynode's SIP layer never records a matching SIP response.
Key question for support
Given:
- Domain is verified in ACS Direct Routing and Entra ID
- TCP/TLS completes cleanly with the correct ACS signaling IP on port 5061
- anynode's own TLS logs show handshake success and certificate validation success
- Yet SBC status remains "Unknown" and no SIP response is ever logged by anynode
Questions for Microsoft ACS support:
- Packet capture analysis conclusively shows the TLS handshake — including mutual TLS client certificate presentation and validation — completes successfully against three different Direct Routing frontend IPs (52.114.132.46, 52.114.75.24, 52.114.32.169), with zero TLS alerts. Immediately after anynode sends the encrypted SIP OPTIONS as a single Application Data record, the Microsoft-side frontend closes the TCP connection with FIN within 14–237ms, with no Application Data (i.e. no SIP response of any kind) ever sent back. Can Microsoft check server-side logs for these three IPs around the given timestamps to determine what happened to the decrypted OPTIONS request and why no SIP response was generated?
- Since the TLS/mTLS layer is confirmed working, is there a known provisioning delay or backend step between adding an SBC + verifying a domain and ACS's SIP routing layer beginning to actually process (rather than silently drop) requests from that SBC?
- Is it expected behaviour for Microsoft's Direct Routing edge to closethe TCP connection without any SIP response (not even a SIP-level error) when it decides not to process a request, rather than returning an error response before closing?
Regards, Chris
Sign in to comment