Showing results for 
Search instead for 
Did you mean: 

Can't make phone call to CME over SAF.

Level 1
Level 1

Hi Guys,

We have a plan to deploy SAF in our company, so I did some test in the past a few weeks.

The result list below: (CME 8.1, CCM 8.0.3)

1. CME --> SAF FW --> CCM.                        Call from CME to CCM is successful.

2. CCM --> SAF FW --> CME.                        Can't call from CCM to CME. CME router can receive H323 or SIP signaling, but call reject.

3. CME --> SAF FW --> SAF FW --> CME.     Can't call between CME. CME router can receive H323 or SIP signaling, but call reject.

I thougt it is the CME router SAF inbond dial peer problem. I can't set up the SAF inbond dial peer cause it is the dynamic incoming dial peer.

From Cisco document, "Voice Service Advertisement Framework Feature":


The patterns you configure are prepended with a site code before being advertised, creating an incoming
dynamic dial peer with the translation rule to remove the site code from the dialed number.

For example:
site-code : 333
voice translation-rule 2000000001
rule 1 /^333\(...\)/ /\1/

A block of dial-peer tags in the range of 1073741824–2147483647 are used by Voice SAF. The static
dial-peer tag range is lowered to 1–1073741823. The dynamic incoming dial peers described in the
previous example are created using a tag in the Voice SAF range.
Only one incoming dial peer is created for a trunk route advertising SIP and H.323 signaling. Similarly,
translation rule tags in the range of 1073741824–2147483647 are used for Voice SAF.


Someone can help me?

Many thanks,


3 Replies 3

Level 1
Level 1


Did you ever find a solution?

I am doing a proof of concept and I am experiencing the same behavior..

try this command on IOS..In IOS 15.X its a security feature to prevent fraud...

voice service voip
no ip address trusted authenticate

or if u wanna keep router secured..then something like this ...depending on the IP used in your network..

voice service voip

ip address trusted list


I hope this helps...


I had similar experience until I allowed CUCM ip under my trusted authenticated list

voice service voip

ip address trusted list ipv4: x.x.x.x y.y.y.y

x.x.x.x.=cumc ip address..

If you do a debug voip ccapi and ccsip messages you should get a disconnect cause of 21. That will confirm that its the ip address trust list issue

Please rate useful posts

"I am complete in God, God completes me"

Please rate all useful posts