
Cannot seem to get VCS local policy service rules to work

I want to restrict both incoming and outgoing calls to only specific devices. I have created call policies that seem to work as long as the endpoint is registered with the VCS; however, if the endpoint is not registered, it simply passes the call despite the call policy. What am I doing wrong? I can't list my rules, as the source and destination names are confidential; however, I did attempt to create a generic catch-all policy like this.

Source: .*               Destination: .*.               Reject

If I understand this correctly, that should mean that any source trying to call any destination would be rejected if not specifically covered by a higher-priority rule, correct?

Marino Maiorino

Did you check in the configuration - dial plan - configuration if it is off?

Sent from Cisco Technical Support iPad App



You shouldn't have a second dot in your destination regex (you have .*.); you should simply use .* for both source and destination in your catch-all reject (which should be the bottom rule on your VCS).

- Andreas

Pinkesh Patel

Hi Norm,

I've seen this issue before.... well on X6.1 if you put .* for the source it doesn't match everything all the time.

If you leave the source blank (represents an unauthenticated user) this usually works.





I have corrected the destination string and made it (.*); however, I am still able to call my endpoints from an unregistered device at my desk.


I added another rule with source being blank, and destination being (.*), this also has not solved the problem.

In addition to these rules, I have specific rules in place allowing calls between the specific endpoints, and rules rejecting all unauthenticated endpoints from calling each of these endpoints, meaning Source is blank and Destination is the specific alias of every endpoint I want isolated. What else could I be missing?

Hi Norm,

What alias are you calling from the unregistered device?

Are calls from this device to said endpoints hitting the Default Zone on your VCS?

What is the authentication setting for the Default Zone on your VCS?

If you take a diagnostics log on the VCS (with Network Log level = DEBUG) and place a test call, you will see the CPL logic and decision-making in the diagnostic log. This should help you pinpoint the issue if you are able to interpret the contents of the log.

- Andreas

I am calling one of my registered aliases. Unfortunately, I can't post the actual name of it.

How can I tell if the calls are hitting the default zone?

The authentication policy is set to "Do not check credentials". Is this where it should be set?

I started a new log and placed a test call and then stopped the log.  What am I looking for in the log?


If you are calling a registered alias from an unregistered endpoint, I'm curious to know how the call actually makes it from the unregistered endpoint to the VCS. In what format is the alias which you are calling?

'Do not check credentials' is the recommended setting for the Default Zone, and means that the Source of this call will be blank as far as the CPL rule generator is concerned (since the rule generator uses authenticated-origin for source).

In the log you are looking for lines containing 'network.cpl'. Perhaps you can send me the log via PM?

- Andreas


First of all, it is not that hard to write a CPL file yourself. You can also check what the CPL file looks like after you have created entries with the wizard.

But I just tried it with x7 and it worked fine:

The CPL for this looks like:



Be aware that there is also an order of the rules, the first rule matching wins.

Regarding the question of how to check which zone the call came from: if you look at the search details in the call history of a call, you will see it under "zone":

  • Search (148)
    • State: Completed
    • Found: False
    • Reason: Forbidden
    • Type: SIP (INVITE)
    • CallSerial Number: 405438c0-a7e2-11e1-8ee6-0010f31fb154
    • Tag: 4054399c-a7e2-11e1-b5dc-0010f31fb154
    • StartTime: 2012-05-27 11:56:38
    • Duration: 0.01
    • Source (1)
      • Authenticated: True
      • Aliases (1)
        • Alias (1)
          • Type: Url
          • Origin: Unknown
          • Value: test@invalid
      • Zone (1)
        • Name: DefaultZone
        • Type: Default
      • Path (1)
        • Hop (1)


Please remember to rate helpful responses and identify
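The rule logic the replies above describe (first matching rule wins, a blank source stands for an unauthenticated caller, and `.*.` needs at least one character where `.*` does not), as a small added model in Python. This is an illustration added here, not VCS code and not from any poster; the aliases are constructed, and two behaviours are assumptions taken from the thread: a non-blank source pattern never matches a caller with no authenticated identity, and a call that no rule matches is allowed.

```python
import re
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    source: str        # regex; "" stands for an unauthenticated caller
    destination: str   # regex that must match the whole dialled alias
    action: str        # "allow" or "reject"

def source_matches(pattern: str, caller: Optional[str]) -> bool:
    # Assumption from the replies: a blank pattern means "no authenticated
    # identity"; any other pattern is compared with the authenticated
    # identity only, so it cannot match when there is none (caller is None).
    if pattern == "":
        return caller is None
    return caller is not None and re.fullmatch(pattern, caller) is not None

def decide(rules, caller, destination, default="allow"):
    """Return (action, index of the deciding rule or None). First match wins."""
    for i, rule in enumerate(rules):
        if source_matches(rule.source, caller) and \
                re.fullmatch(rule.destination, destination):
            return rule.action, i
    return default, None   # assumption: unmatched calls are passed

# Constructed aliases; the real ones in the thread are confidential.
ROOM = "room1@example.invalid"
DESK = "desk7@example.invalid"

original = [
    Rule(re.escape(DESK), re.escape(ROOM), "allow"),
    Rule(".*", ".*.", "reject"),   # catch-all as first posted
]
corrected = [
    Rule(re.escape(DESK), re.escape(ROOM), "allow"),
    Rule("", ".*", "reject"),      # unauthenticated callers
    Rule(".*", ".*", "reject"),    # everyone else, bottom of the list
]

if __name__ == "__main__":
    for name, rules in (("original", original), ("corrected", corrected)):
        for caller in (DESK, "other@example.invalid", None):
            print(name, caller, decide(rules, caller, ROOM))
```

The model only shows what the rule table should decide; the `network.cpl` lines in the diagnostic log remain the record of what the VCS actually decided for a given call.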

If you are looking for call control for unregistered endpoints, you may use CPL with the “” parameter.

Below is an example of the call process for a call from an unregistered endpoint/MCU.



xsi:schemaLocation="urn:ietf:params:xml:ns:cpl cpl.xsd">

<address-switch field="registered-origin">

! reject the call from a non-registered device to a destination alias starting with 8

! redirect the call to the call reception endpoint (alias 0000) if the call is from a non-registered device to a destination alias starting with 9
