Thank you for your response.  I have been cramming to get this right, and from what I see, our hardware is good (ISR4431), IOS is good (IOS XE Everest 16.6.2), Image is good (isr4400-universalk9.16.06.02.SPA.bin), we have UC and security Licenses loaded, and we are running CUCM 11.5.1.

If I change our Long Distance Port (0/2/0) Media Resource Group List from 'SITE-MAIN' to 'V.150' and check the v150 (subset) box as the guide directs, Will non-V.150 devices still be able to make successful calls over that port?

thank you for your time.

Thank you again for the reply.  I thought I posted this earlier in the week, but looking now. it didn't seem to post, which explains why there was no response lol.

Currently, our ports on the 4431s have the MRG list set to SITE-MAIN and have the following Media resources selected in the following MRGs:

SITE-MAIN_HW

                MAIN-4431-1-CFB

                MAIN-4431-1-MTP

                MAIN-4431-1-XC

                MAIN-4431-2-CFB

                MAIN-4431-2-MTP

                MAIN-4431-2-XC

AFRL-MAIN_SW

                ANN_7

                ANN_9

                CFB_7

                CFB_9

                IVR_7

                IVR_9

                MOH_7

                MOH_9

                MTP_7

                MTP_9

 *-from what I can tell the 7 & 9 refer to my TFTP servers

The Cisco configure V.150 with CUCM guide wants me to create 2 new MRG's (V.150 & non-V.150) and 2 new MRG Lists (V.150 & Non-V.150).  Cool, I did that easily enough. 

But, now it wants me to create the gateways, which you helped me deduce that I do not do as we already have operational gateways, and then in "Configure V.150 MGCP Gateway Port Interface", set the MRG List on the ports to "V.150"

I am thinking that if I change it from SITE-MAIN to V.150, won't I lose all the above Media Resources for that port?  I am thinking I just add the V.150 MRG to the AFRL-MAIN MRG List.  Is this incorrect?  From what I understand, the V.150 would only kick in when it hears certain tones as you say, and I can just have this listed in the SITE-MAIN.

I was just called in on a Saturday to get all this up and running for the CEO by Monday.

Rob

That's a bit of a relief to hear.  this is the guide I am following:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/10_5_2/cucm_b_configure-v150-with-cisco-unified.html

One other thing of note, all our Sectera vIPer phones are currently on the Avaya PBX that passes through our Voice gateways over 4 t1 links on their way out to PSTN.  With no V.150 configured yet, they are stating that they make secure calls and they last 30 seconds to 2 minutes before becoming garbled or being disconnected.  I was under the assumption that V.150 had to be configured before the calls would even go secure.

Page 11 of the Sectera Admin Guide states: "A Cisco router used as a gateway must support V.150 protocol in order for the vIPer to place secure off-net calls.  To enable the V.150 protocol, the following package must be added to the Cisco router configuration: 'mgcp package-capability mdste-package' "

rob

Ahh okay. Yeah so MTP do not support V.150. That is true for regular fax/modem as well. When we say not supported, we need that the RTP packets should not terminate and re-generate from an MTP/Xcoder. Fax/modem calls break because of this. Somtimes when using H.323 or SIP, there is a need for MTP allocation due to FS or EO on either leg. On a IOS resource codec passthrough takes care of the bypass and still allow the faxes/modems to work even with a media resource in picture.

The document is advising to not have MTP at all so that CUCM does not accidentally invoke one in case of a DTMF mismatch. So you can have your existing MRG/MRGL's and remove MTP's from them all together. You can limit the use of resources by carefully planning the DTMF/codec negotiation to avoid CUCM from invoking any resource.

Thank you.

     On Saturday I ran through the configuration of the ISR and the CUCM.  for Reference, I attached a lame diagram of our situation.

     All 'Secure' phones are on the old legacy PBX (vIPer A, vIPer B).  None exist on the CUCM at all.  We have 4 T1's that connect to our 4431's off of the PBX.  On the other side, we have 4 Local, 2 long distance and 2 DSN T1's connecting to the Verizon POP.

     Today, when Phone A calls Phone B, they can go secure and talk for days (with new keying material loaded today)  When Phones A or B calls Phone C, or Phone C calls Phone A&B, the initial call goes through fine, but when they go secure the call lasts another 30-90 seconds before becoming garbled.  I feel like I have to tweak some settings in my ISR's but don't know which settings would apply to a call from one FXO port out to another FXO port.

Currently, we have pulled one of the 4 local T1's off of my ISR and put it back on the PBX.  this in theory should help to eliminate or isolate the 4431's as being the issue.  Hopefully we can get some test calls out this afternoon.

Rob

Hello,

So I am in sorta same boat equipment string setup. However I run two ISR one for commercial and one for DSN(offline). My commercial one is setup with only voice service voip and a SIP trunk to the CUCM(11.5.1). My ISRs(16.6.5) are only T-1's and I have 3 VG350's as my voice gateways; one for fire alarms and the other two for( ste, faxes, modem, and phones). I cannot get my STE's to rekey which are on analog, and secure calls on them last for maybe two minutes. I can not get my vipers to rekey they are voip, and I cannot get my one of my modems to dial up from outside. I followed the MER requirement document except that I do not have MGCP configured as its not clear from the previous installers as they had issues with fire alarms not working properly. They got them to work eventually and just had no chance to go and tacklet the secure voip issue. So my question is after that ramble:

1. Is MGCP required for v.150 MER to work? Because not sure why then my analog ste still work through the VG then out.

2. If I roll to MGCP I have to shut off the SIP binding for control source and media source? But the SIP is still required per the documentation.

3. Is it required to build the ISR router MGCP through the CUCM config or can it just be done via CLI?

Below is the orginal configs as I arrived. I did make one of my voip dial peers to have modem relay sse v150mer even though it was already in the global config.

voice service voip
no ip address trusted authenticate
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
modem relay sse v150mer
h323
sip
bind control source-interface GigabitEthernet0/0/0.252
bind media source-interface GigabitEthernet0/0/0.252
registrar server expires max 600 min 60
!
voice class h323 1
h225 timeout tcp establish 3
h225 timeout setup 3

This thread appears to be quite old but I am hoping I would get some response. 

I am also struggling with getting my viper phone to work in my CUCM environment. I have registered the phone to CUCM 12.5 cluster as advanced third party sip phone and able to make/receive calls fine. I haven't tested if calls disconnect after certain time though. Now, as we try to update the phone's security settings by accessing an external entity, we realized the phone is not responding to modem tones.

Then I went over the cisco documentation regarding MRGL configuration and I did that part. The MRGL that I have assigned to the phone does not contain MTP. Our voice gateway is CUBE but use PRIs to access PSTN. There is SIP trunk between CUCM and CUBE.

Can anyone help me get around this issue? What should I be doing in order to make the phone to support the v.150 or modem tones.

Thanks,

Khanal

Hello,

I am running cucm 14 and sip trunks to CUBE SIP-SIP and viper phones seem to work fine both normal and in secure mode. My understanding is that viper phones work in cucm 12.5 SU6 or perhaps it was SU8. There is a filter for v.150 on the SIP Trunk Security Profile as well but I leave that set for Use Default Filter. Vipers need to be VOIP using 7960 emulation and not Analog STE. Hope that helps.

Hi, Thanks for responding. Does that mean I need to setup viper as if it is 7960 phone? as for the sip trunk security profile, I can't change the filter as per the documentation because doing that could affect calls from 99 % phones that are Cisco. Have only a few vipers in our environment. 

you set them up in CUCM as 7961G-GE, and set the emulation on the phone to match. As for the SIP Trunk security profile, I am still on TDM here so that is not configured here on this site and mine work fine.