Hi David,

Could you share this CPL script?

Maciek

I have the same thing.  I Reject asterisk@.* to any destination .*.  This does not actually stop the call attempt, but it does Reject the call as Forbidden when one comes in.

Sure, here it is...

xmlns:taa="http://www.tandberg.net/cpl-extensions"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">

Martin,

thanks for a thorough answer.

I know I cannot block a call atempt or a search but what I was surprised to see was that even having the call policy reject rule - the same that Anthony has did not stop the calls. The status was not Forbidded but Loop detected (but the call actually did not loop).

How are your settings, how did you try to apply the rule, as your own CPL or via the web based "call policy rules"?

Things might be have different in different VCS releases, I always try to base it on the latest, in this case X6.1

Check that your call policy is actually turned on.

On the "Call Policy configuration"-Page, "Call Policy mode" shall be set to "Local CPL"

On the same page you can also display your CPL, could you paste the output of the option:

If it shows a call loop it will most likely have happened :-)

Most loops I have seen were towards other VCSs or DNS zones, often caused transforms or rewriting search rules.

You should be able to see in the search details what actually caused the loop.

To be honest, if I would be you, I would ask my Cisco partner or Cisco TAC to help me here. What in general

should at least be in place is the CPL, a xconfig xstatus of the VCS and a netlog 2 of a call that makes the problem.

Btw, please use the vote feature (the little star) on answers which you think are helpful.

Martin,

Ofcourse I have the call policy mode set to "Local CPL". I wouldn't have posted a thread if I didn't check the obviuos first I have created a rule with the web-based call policy rules. It results in a CPL file like this:

The search rule identtifies the loop detected status based on calls to unknown ip addresses:

• SubSearch (1)
• • Type: Search Rules
• • CallsToUnknownIPAddresses (3)
  • • Mode: Direct
  • • Found: True
  • • Zone (1)
    • • Name: DefaultZone
    • • Type: Default
    • • Protocol: SIP
    • • Found: False
    • • Reason: Loop Detected
    • • Gatekeeper (1)
      • • Alias (1)
        • • Type: Url
        • • Origin: Unknown
        • • Value: 011442035193347@ip address of vcs-e/

And I want to leave the setting to "Direct". So what could resolve this issue?

like I said, to fully debug it a xconf, xstatus and a netlog 2 of the failing call would be interesting to see.

For now, could you try to create a cpl with the xml lines I posted above and see if this changes your behavior.

The search history you posted did not show the top part, expecially transforms and used aliases can be interesting here.

We use x6.1, from what I see in our call logs it seems to work.

2011-07-17 12:49:44 sip:asterisk@w.x.y.z sip:902342342341000@ SIP <-> 0 seconds 403 / Forbidden 1 View

Hi Martin,

it's really hard to get a netlog 2 for such a call attempt as you never know when it will occur

As for the VCS we are also using X6.1.

I actually get 2 attempts in the search history:

The first (the bottom one) is:

So nothing special before the fragment I have posted before.

Another search is just:

Any clues?

The part I wanted to see was:

SubSearch (1)
 

Type: Admin Policy


 

Action: Proxy


 

ResultAlias (1)
 

Type: Url


 

Origin: Unknown


 

Value: 900442070661000@

I would have expected to see:

• Search (4)
• • State: Completed
• • Found: False
• • Reason: Forbidden

...

• • SubSearch (1)
  • • Type: Admin Policy
  • • Action: Reject

So my magic glass ball tells me there is something not matching where it shall match on the cpl

(or for example that you have a rule upfront which allows the call so the reject would not hit anymore).

So check on the order. Anyhow:

Please try to upload the cpl I made (you can add additional lines if you need customization)

instead of using the vcs call policy wizard and see if it changes the behavior.

Btw, you can use the Locate feature under Maintenance / Tools to simulate the call.

The intended behavior is that the search stops with the above shown "Action: Reject"

Please vote answers if you think they are helpful and mark a thread as answered if it is.

Hi Martin,

The call attempt was actually made after implementing your CPL so it doesn't make a difference if I create the rules using the web interface or I upload a CPL script.

When using the Locate tool it returns Reject when Authenticated is set to Yes. When set to No the result is Loop detected so exactly what I am experiencing.

Now this indicates the setting on the default zone, which in my case is Do not check credentials. I do not want to treat incoming requests as authenticated as this would cause Movi users being able to login with any passwords.

So it seems to be a problem, or am I missing something?

Hei Andreas!

You are correct, as well as the admin guide describes it (I was just reading up on it

and trying it when you already had answered ,-) but I do not agree that the behavior is correct.

If I see it right the CPL the VCS is using is based on RFC3880 which defines some basics

and also allows "extensions". origin is part of the basic definition:

The CPL_EXTENSIONS_XSD_FILE on the VCS describes:

So wouldn't it be more suitable to use "origin" on no matter how the message hit the vcs,

and then have the two optional attributes handling if or if not it was authenticated?

to all:

On the system where I tested the CPL the "default zone" was set to treat as authenticated,

I should have seen that directly on the search listed here (for the ones interested, you can see that in

the listed search on the field: "Authenticated: False"

Here is an updated version of the CPL, I added both origin and the unauthenticated-orign to it.

You might be able to remove one of them, but you can also just keep it like it is.

If you use an ISDN or telephony GW you also want to block that from the outside!

If you have an IPGW or a Video switchboard and you do not want to loose calls the redirect

David posted is a good way to integrate as well.

http://www.tandberg.net/cpl-extensions"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">

And to make it more easy here a downloadable version of the cpl: http://pastebin.com/AAcgjNk4