SIP Trunking to PSTN - 403 Forbidden / Cause Code 57

Keith Joel · ‎03-13-2017

Hi All,

Hoping maybe somebody can shed some light on whether I'm missing something here, I've scoured online but can't seem to find a solution. I am receiving a reorder tone when trying to dial outbound and getting SIP/2.0 403 Forbidden-Source Endpoint Lookup Failed with Cause Code 57 in response. The one thing I did notice is that the response is being show VIA the outside CUBE interface (10.0.1.1) and not the provider IP. Neither inbound or outbound work. I do not see a registration under sh sip-ua register status is none, although I've read that this isn't necessarily indicative of sip trunk operation. All dial-peers for inbound/outbound look to be up and active. The provider tested the circuit with a JDSU unit so I know the routing and in theory credentials / number programming is good (this is private network). The SIP trunk is requiring registration and I've included the credentials and authentication parameters under the SIP-UA. I've included some debugs in a text file. Here's a truncated config.

voice service voip
no ip address trusted authenticate
mode border-element
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
options-ping 60
early-offer forced
midcall-signaling passthru
privacy-policy passthru
g729 annexb-all

dial-peer voice 1 voip
description INBOUND SIP calls from SP
max-conn 50
session protocol sipv2
session target sip-server
incoming called-number [2-9].........
voice-class codec 1
voice-class sip options-keepalive up-interval 30 down-interval 60
voice-class sip bind control source-interface GigabitEthernet0/1
voice-class sip bind media source-interface GigabitEthernet0/1
dtmf-relay rtp-nte
no vad
!
dial-peer voice 2 voip
description OUTBOUND to SP **Local Calls**
translation-profile outgoing DIGITSTRIP-9
destination-pattern 9[2-9]..[2-9]......
session protocol sipv2
session target sip-server
voice-class codec 1
voice-class sip options-keepalive up-interval 30 down-interval 60
voice-class sip bind control source-interface GigabitEthernet0/1
voice-class sip bind media source-interface GigabitEthernet0/1
dtmf-relay rtp-nte
no vad
!
dial-peer voice 3 voip
description OUTBOUND to SP **LD Calls**
translation-profile outgoing DIGITSTRIP-9
destination-pattern 91[2-9]..[2-9]......
session protocol sipv2
session target sip-server
voice-class codec 1
voice-class sip options-keepalive up-interval 30 down-interval 60
voice-class sip bind control source-interface GigabitEthernet0/1
voice-class sip bind media source-interface GigabitEthernet0/1
dtmf-relay rtp-nte
no vad
!
dial-peer voice 4 voip
description OUTBOUND to SP **INTL Calls**
translation-profile outgoing DIGITSTRIP-9
destination-pattern 9011.T
session protocol sipv2
session target sip-server
voice-class codec 1
voice-class sip options-keepalive up-interval 30 down-interval 60
voice-class sip bind control source-interface GigabitEthernet0/1
voice-class sip bind media source-interface GigabitEthernet0/1
dtmf-relay rtp-nte
no vad
!
dial-peer voice 5 voip
description OUTBOUND to SP **Service Calls**
translation-profile outgoing DIGITSTRIP-9
destination-pattern 9[2-8]11
session protocol sipv2
session target sip-server
voice-class codec 1
voice-class sip options-keepalive up-interval 30 down-interval 60
voice-class sip bind control source-interface GigabitEthernet0/1
voice-class sip bind media source-interface GigabitEthernet0/1
dtmf-relay rtp-nte
no vad
!
dial-peer voice 100 voip
description **Incoming to SUB**
preference 2
destination-pattern 204.......
session protocol sipv2
session target ipv4:10.25.16.11
voice-class codec 1
voice-class sip options-keepalive up-interval 30 down-interval 60
voice-class sip bind control source-interface GigabitEthernet0/0
voice-class sip bind media source-interface GigabitEthernet0/0
dtmf-relay rtp-nte
no vad
!
dial-peer voice 101 voip
description **Incoming to PUB**
preference 5
destination-pattern 204.......
session protocol sipv2
session target ipv4:10.25.16.10
voice-class codec 1
voice-class sip options-keepalive up-interval 30 down-interval 60
voice-class sip bind control source-interface GigabitEthernet0/0
voice-class sip bind media source-interface GigabitEthernet0/0
dtmf-relay rtp-nte
no vad
!
dial-peer voice 103 voip
description **Inbound from CUCM**
session protocol sipv2
session target sip-server
incoming called-number 9T
incoming uri via 1
voice-class codec 1
voice-class sip options-keepalive up-interval 30 down-interval 60
voice-class sip bind media source-interface GigabitEthernet0/0
dtmf-relay rtp-nte
no vad
!
!
sip-ua
credentials username customer1 password 7 XXXXXXXXXX realm sip.domain.ca
keepalive target ipv4:10.214.97.133
authentication username customer1 password 7 XXXXXXXXXX realm sip.domain.ca
no remote-party-id
retry invite 2
retry response 3
retry bye 3
retry prack 6
registrar ipv4:10.214.97.133 expires 3600 auth-realm sip.domain.ca
sip-server ipv4:10.214.97.133:5060
host-registrar

Ayodeji Okanlawon · ‎03-13-2017

It looks like your provider is saying that they do not recognize the IP address the call is originating from. "source end-point look up failure"

Since you have configured your SIP bind statements correctly you need to troubleshoot why cube is not using the correct interface to route the call.

Are you using uri to match on inbound leg? do you have a voice class referenced by the config under the dial-peer. if you dont then remove that line.

Next is the interface gig0/1 up?

if the answe to both is yes then we need to look at debig ccsip all to see why the correct interface is not used to route the call

service sequence-numbers
service timestamps debug datetime localtime msec
logging buffered 10000000 debug
no logging console
no logging monitor
default logging rate-limit
default logging queue-limit

Then..

debug ccsip all

<Enable session capture to txt file in terminal program.> (such as Putty)

then do the ff:

terminal length 0
show logging

NB: My response will be delayed as my eyes are weary now and shutting down.

Please rate all useful posts

Keith Joel · ‎03-14-2017

Hi Ayodeji/Mohammed,

Thanks for the responses, I have been trying a number of things so I may not have reverted back my config. I had tried SIP profiles to change the IP to the realm on the invite but that didn't work. The config is a work in progress.

Gig0/0 is inside, Gig0/1 is outside. URI matching was only for inbound from CUCM although I may collapse those into a single peer.

Ayodeji Okanlawon · ‎03-14-2017

Keith,

The outbound INVITE is going via the correct interface GIG0/1 as you have configured. The question is, is there a firewall or NAT somewhere that needs to make that address one that is recognized by your ITSP. I doubt if your ITSP recognizes the IP (10.0.1.1)

Cube is sending the call correctly to the provider IP (10.214.97.133) and I do see a static route to this IP via 10.0.1.2.

You need to ask your provider what IP address they are expecting the call from and why they are rejecting your call.

Please rate all useful posts

Mohammed al Baqari · ‎03-13-2017

Hi,

I think your provider is failing to lookup the domain name 'blsd.mtssip.ca' which is the host portion of your FROM header. By default CUBE will use IP in the host portion unless you configure it not to or used SIP Profiles. Can you paste your full config to see what is triggering this?

If you have host entry in the CUBE for blsd.mtssip.ca with DNS configured as local CUBE then it will trigger this.