Solved: Re: Facing issue with authenticated STC Sip Trunk - Page 2

mohd abdul malik · ‎07-22-2023

Greetings Community Members,

I am facing this strange issue where i am working for the first time on an authenticated SIP Trunk from STC.

Need your help to solve this issue as even TAC is struggling on this case since 1 week.

They have provided only with Username and password upon further inquiry they provided with the following message saying the registration message should look like this:

Sent:
REGISTER sip:fmc.stc.com.sa SIP/2.0
Via: SIP/2.0/UDP 10.228.56.90:5060;branch=z9hG4bK14AE55
From: <sip:+9661110141198@fmc.stc.com.sa >;tag=4AEC7EF-D4F
To: <sip:+9661110141198@fmc.stc.com.sa >
Date: Tue, 18 Jul 2023 08:14:22 GMT

Although i did know how to do this configuration I tried my best checking all the guides but my registration was going like below

Sent:
REGISTER sip:10.154.15.25:5060 SIP/2.0
Via: SIP/2.0/UDP 10.228.56.90:5060;branch=z9hG4bK32222DF
From: <sip:+9661110141198@10.154.15.25>;tag=A90D606-C54
To: <sip:+9661110141198@10.154.15.25>
Date: Wed, 19 Jul 2023 11:39:00 GMT
Call-ID: FFFFFFFFD862BB79-23E011EE-FFFFFFFF807DBF43-164D5B82
User-Agent: Cisco-SIPGateway/IOS-15.5.2.S3
Max-Forwards: 6
Timestamp: 1689766740
CSeq: 765 REGISTER
Contact: <sip:+9661110141198@10.228.56.90:5060>
Expires: 3600
Supported: path
Content-Length: 0

I opened a case with Cisco Tac a week back they responded it needs SIP profiles to be configured and now after 1 week we are still struggling to send the register message in the required format.

I have attached my current configuraiton.

After all Cisco TAC did we could send the register message as below and we recieved 403 Forbidden message

Jul 20 14:12:21.905: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
REGISTER sip:10.154.15.25:5060 SIP/2.0
Via: SIP/2.0/UDP 10.189.133.50:5060;branch=z9hG4bK21A24
From: <sip:+9661110141198@10.154.15.25>;tag=6E79F-392
To: <sip:+9661110141198@10.154.15.25>
Date: Thu, 20 Jul 2023 14:12:21 GMT
Call-ID: 6DFA5FA3-263D11EE-FFFFFFFF8002C517-FFFFFFFFA5150B52
User-Agent: Cisco-SIPGateway/IOS-15.5.2.S3
Max-Forwards: 70
Timestamp: 1689862341
CSeq: 4 REGISTER
Contact: <sip:+9661110141198@10.189.133.50:5060>
Expires: 3600
Supported: path
Content-Length: 0

Jul 20 14:12:22.026: //5/000000000000/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 10.189.133.50:5060;branch=z9hG4bK21A24
Call-ID: 6DFA5FA3-263D11EE-FFFFFFFF8002C517-FFFFFFFFA5150B52
From: <sip:+9661110141198@10.154.15.25>;tag=6E79F-392
To: <sip:+9661110141198@10.154.15.25>;tag=eed7nn3e
CSeq: 4 REGISTER
Warning: 399 5133.1261.I.260.12.165.4.7.5134.0.0.fmc.stc.com.sa "Invalid User"
Content-Length: 0

Need your support.

Thanks.

Roger Kallberg · ‎07-28-2023

Any update on this?

Roger Kallberg · ‎07-26-2023

Try with adding this to correct what I mentioned in my prior post.

voice service voip
 ip address trusted list !Security for your SBC so that it can't be used for toll-fraud
 ipv4 10.228.56.96
 ipv4 10.228.56.95
 ipv4 10.154.15.25
 mode border-element license capacity X !Turns on CUBE functionality. Put what you need to handle the maximum simultaneous calls or use a newer IOS version that does not need the capacity to be set as part of this command
 sip
  bind control source-interface GigabitEthernet0/0/1
  bind media source-interface GigabitEthernet0/0/1
!
voice class uri CM
 host ipv4:10.228.56.96
 host ipv4:10.228.56.95
!
voice class uri ITSP
 host ipv4:10.154.15.25
!
voice class sip-options-keepalive 1
 description Used for SIP option ping with a server group
!
voice class server-group 1
 ipv4 10.228.56.96 preference 1
 ipv4 10.228.56.95 preference 2
!
dial-peer voice 3 voip
 description ***Outbound calls to ITSP***
 no codec g711alaw
 voice-class codec 1
!
dial-peer voice 4 voip
 description ***Inbound calls from ITSP***
 no incoming called-number +966.T
 incoming uri via ITSP
!
dial-peer voice 11 voip
 no  preference 1
 no session transport udp
 no session target ipv4:10.228.56.96
 voice-class sip options-keepalive profile 1
 session server-group 1
 dtmf-relay rtp-nte sip-notify sip-kpml
!
no dial-peer voice 12 voip
!
dial-peer voice 10 voip
 description ***Outbound calls from CUCM***
 session protocol sipv2
 incoming uri via CM
 voice-class codec 1
 dtmf-relay rtp-nte sip-notify sip-kpml
 no vad
!
sip-ua
 no registrar dns:fmc.stc.com.sa expires 3600
 no sip-server dns:fmc.stc.com.sa
 registrar ipv4:10.228.56.90 expires 3600
!
voice class tenant 1
 sip-server dns:fmc.stc.com.sa
!
no ip route 10.154.15.25 255.255.255.255 10.189.133.49
ip route 0.0.0.0 0.0.0.0 10.189.133.49
!
ip domain lookup
domain name-server interface GigabitEthernet0/0/1
ip name-server X ! your DNS server that the gateway can reach on the inside interface

Also I would when you get this working advise you to create an access list that you set on the outside interface, is the one facing your ITSP, so that you only allow the needed traffic coming from the known entitie(s) at your ITSP. Normally that would be allow SIP signaling and RTP traffic for the media of the call.

kashif2401 · ‎11-27-2023

Hi Abdul Malik,

@mohd abdul malik

Hope your issue is resolved by now, is it possible for you to share your final working configuration here with us, as I am also going to implement the new stc sip trunk. Highly appreciate your help.