Showing results for 
Search instead for 
Did you mean: 

SIP Phones Unauthorized to Register in CME across ASA Site to Site VPN



I have a customer that is running CME 12 and all of his phones located at the office where the CME resides work just fine.  We just connected a satellite office to it using a ASA to ASA Site to Site VPN Tunnel.  The remote site is working great except none of the phones at that site are allowed to register with CME.  All of the phones have their proper IPs from DHCP with their required Option 150 and proper Gateway.

In fact when I run a debug ccsip all I see all of the phones trying to register with CME.  But they are all being rejected.


I have both networks defined to CME as Trusted.  All of the voice register pools are fine because if I bring the phones over to the main office they register and work just fine.


voice service voip
 ip address trusted list


I am allowing all protocols and ports both ways across the tunnel with the ACLs.

I have no-proxy-arp route-lookup on my NAT statements on both ASA's.

I have tried it with both

policy-map global_policy
 class inspection_default

  inspect sip


and no inspect sip


Still getting this message when the phones at the remote site try and register...


092673: *Feb 11 09:53:41.539 CST: //1577/07D93A6682DB/SIP/Msg/ccsipDisplayMsg:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP;branch=z9hG4bK51fac813
From: <sip:13@>;tag=0cd0f84a9a7e00121754f809-09250a68
To: <sip:13@>;tag=AD238C-2618
Date: Mon, 11 Feb 2019 15:53:41 GMT
Call-ID: 0cd0f84a-9a7e0011-4d2da414-78742b53@
Server: Cisco-SIPGateway/IOS-15.7.3.M1
WWW-Authenticate: Digest realm="",nonce="E0C8D8B50011508C",algorithm=MD5,qop="auth"Content-Length: 0


What am I doing wrong?




Cisco Employee

Can you please share the show run from the CME router? Also please collect 

debug ccsip message

debug voice register events

debug voice register error


Can you please try configuring the authenticate realm as well under the voice register global?

Rising star

Hi There,


It sounds like you are hitting the issue that occurs when SIP phones are not on the same subnet as the CME gateway. The phones need to be configured to authenticate using a SIP digest username and password.


This would explain why when you have the phone in the local office it works, and when it is in the remote office it does not work.


Example configuration is below:

voice service voip
allow-connections sip to sip
bind control source-interface GigabitEthernet0/1
bind media source-interface GigabitEthernet0/1
voice register global
mode cme
source-address port 5060
max-dn 50
max-pool 50
authenticate register
voice register dn 1
number 2000
voice register pool 1
id mac 0011.2233.4455
type 8845
number 1 dn 1
dtmf-relay sip-notify
username 2000 password mypassword
codec g711ulaw

Below is a link to the full CME guide:


Keep in mind that the configuration referenced is GLOBAL, you will need to configure all voice register pools (phones) with a user/pass after adding "authenticate  register". You will not need to punch in the credentials on the phones themselves, the credentials are passed to the phones through their configuration files. 


Please let us know how it goes!


*** Please mark posts as helpful and/or correct if appropriate



CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards