10-27-2024 06:34 AM - edited 10-27-2024 06:38 AM
Hello Cisco Community,
I'm working on setting up a SIP trunk between a Cisco CUBE router and a FreePBX server in the cloud. The trunk was working when the router initially booted and I successfully tested for inbound calls to the FreePBX server, but then after around 40 mins or so it seems to no longer be registering or passing calls, and I haven’t changed any configuration.
Network Environment Overview:
The Cisco CUBE router is running IOS version 15.7.
The FreePBX server is hosted in the cloud.
SIP communication uses standard SIP registration with authentication credentials.
Problem Description: When the router boots up, it appears to initially form a SIP trunk connection to the FreePBX server but fails shortly afterward.
Now I may have tunnel vision here, but in the FreePBX logs it seems that the router sends an initial SIP REGISTER or INVITE request and receives a 401 Unauthorized response from FreePBX, which is expected as part of the challenge-response authentication. However, the router does not seem to follow up to complete the authentication.
Key Symptoms:
FreePBX is sending a 401 Unauthorized challenge in response to the router’s SIP requests.
The router fails to respond with credentials after receiving the 401 Unauthorized challenge.
No changes have been made to the configuration between the time it was working and now.
Debugging SIP on FreePBX shows the initial request from the router and the 401 Unauthorized response, but nothing further.
I’ve confirmed that the username, password, and realm configurations have not changed on either the router or FreePBX.
Questions:
Why might the router fail to send the credentials in response to the 401 Unauthorized challenge?
Is there a specific setting or feature in Cisco IOS that needs to be configured to handle SIP authentication retries or responses correctly?
Are there additional debug commands or checks I should perform to pinpoint why the credentials are not being sent?
Any insights or guidance would be greatly appreciated!
I may be way off in what I am focusing on but here is my router config:
Oct 27 13:29:14.382: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 3747 bytes
!
! Last configuration change at 13:29:14 UTC Sun Oct 27 2024
! NVRAM config last updated at 01:24:46 UTC Sun Oct 27 2024
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ODEN-VOICE-01
!
boot-start-marker
boot-end-marker
!
!
! card type command needed for slot/vwic-slot 0/0
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name my.domain
ip name-server 192.168.99.10
ip name-server 8.8.8.8
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
!
voice-card 0
!
!
!
voice service voip
ip address trusted list
ipv4 0.0.0.0 0.0.0.0
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service h450.2
no supplementary-service h450.3
no supplementary-service h450.7
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
redirect ip2ip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
bind control source-interface GigabitEthernet0/0
bind media source-interface GigabitEthernet0/0
registrar server
nat auto
!
!
!
!
voice register global
mode cme
source-address 192.168.101.12 port 5060
max-dn 200
max-pool 42
timezone 21
date-format D/M/Y
create profile sync 0004392933613723
auto-register
!
!
voice register dn 1
number 2000
name Office Test
label Office - Test
!
voice register pool 1
busy-trigger-per-button 2
id mac 2C31.246A.E7A2
type 8841
number 1 dn 1
!
!
!
!
!
vxml logging-tag
license udi pid CISCO2901/K9 sn Serial
license accept end user agreement
hw-module pvdm 0/0
!
!
!
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.101.12 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.101.1
!
!
!
!
control-plane
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
dspfarm profile 1 transcode
shutdown
!
dial-peer voice 1000 voip
destination-pattern 1...
session protocol sipv2
session target ipv4:IP
dtmf-relay rtp-nte
codec g711ulaw
!
dial-peer voice 2000 voip
description sip trunk to asterisk out
destination-pattern 2...
session protocol sipv2
session target ipv4:IP
incoming called-number 2...
dtmf-relay rtp-nte
codec g711ulaw
!
!
sip-ua
credentials username username password mypassword realm asterisk
keepalive target ipv4:IP
authentication username username password mypassword realm asterisk
retry invite 2
retry register 10
timers connect 100
timers keepalive active 100
sip-server ipv4:IP Removed
host-registrar
!
!
!
gatekeeper
shutdown
!
!
vstack
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 2.uk.pool.ntp.org
!
end
Thank you,
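The 401 challenge-response step described in the post above, as an added example that is not part of the original thread: it computes the RFC 2617 MD5 digest a SIP user agent is expected to send after a 401 and classifies the follow-up request seen in a capture. The function names, nonce, URI and header values are constructed for illustration, and MD5 digest authentication is assumed.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header_value):
    """Turn 'Digest realm="asterisk", nonce="..."' into a dict of parameters."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,\s]+)', rest)
    return {k.lower(): v.strip('"') for k, v in pairs}

def digest_response(user, password, method, uri, realm, nonce,
                    qop=None, nc="00000001", cnonce=""):
    """RFC 2617 MD5 digest value the client places in response=."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def classify_followup(challenge_hdr, authorization_hdr, password, method="REGISTER"):
    """Classify the request seen (or not seen) after a 401 challenge."""
    if authorization_hdr is None:
        return "no-credentials-sent"      # the symptom described in the post
    chal, auth = parse_digest(challenge_hdr), parse_digest(authorization_hdr)
    if auth.get("realm") != chal.get("realm"):
        return "realm-mismatch"
    if auth.get("nonce") != chal.get("nonce"):
        return "stale-or-wrong-nonce"
    expected = digest_response(auth["username"], password, method, auth["uri"],
                               chal["realm"], chal["nonce"], auth.get("qop"),
                               auth.get("nc", "00000001"), auth.get("cnonce", ""))
    return "ok" if auth.get("response") == expected else "bad-response"

# Constructed sample values (not taken from the thread's logs).
CHALLENGE = 'Digest realm="asterisk", nonce="1a2b3c4d", algorithm=MD5'
URI = "sip:pbx.example.invalid"

def build_authorization(user, password, realm="asterisk"):
    """Build the Authorization value a client would send for CHALLENGE."""
    resp = digest_response(user, password, "REGISTER", URI, realm, "1a2b3c4d")
    return (f'Digest username="{user}", realm="{realm}", nonce="1a2b3c4d", '
            f'uri="{URI}", response="{resp}", algorithm=MD5')

if __name__ == "__main__":
    print(classify_followup(CHALLENGE, None, "mypassword"))
    print(classify_followup(CHALLENGE, build_authorization("username", "mypassword"), "mypassword"))
```

Feeding it the WWW-Authenticate value from the 401 and the Authorization value (or None) from the next request with the same Call-ID separates "nothing was sent" from "credentials were sent but rejected".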
10-27-2024 08:27 AM
A few things, first of all you have not enabled the Cube functionality in your router. You’ll do that by adding the command mode border-element under voice service voip. Secondly you look to be using CME to register phones. As CME acts as a registrar server for SIP phones you’ll need to use a tenant configuration for the SIP trunk. For information on how to enable Cube functionality and general configuration options for a Cisco router to act as a SBC see this document. Cisco Unified Border Element Configuration Guide Through Cisco IOS XE 17.5
10-27-2024 12:16 PM
Hi Roger,
Thank you for that, I am going through the documentation now.
The overall goal is to have the 8841 series enterprise firmware phones to register with CME but still be able to contact extns on FreePBX and vice versa. I have not used many Cisco voice routers so I hope I am going about it the right way.
I will let you know how I get on.
Thanks again,
Richard
10-27-2024 11:04 PM
One thing more about your configuration that stands out. You only have one interface used on your router. Usually when you have an SBC you’d use two interfaces, one that acts as the inside interface and another that acts as the outside interface connected to the SIP trunk service. It is possible to run an SBC with one interface, but it’s not recommended or very common.
10-28-2024 03:04 AM
Hi,
Yeah so the setup is as follows:
The router is in place as an intermediary so that Cisco enterprise firmware devices can be connected to FreePBX without having to change the firmware.
Kind Regards,
Richard
10-28-2024 04:30 AM - edited 10-29-2024 11:11 PM
As you’re using the internet as the carrier of your SIP traffic, there are a few things that you need to consider. For one, you’d need to have one or more SIP profile(s) to handle rewriting the various fields in the SIP dialogue that NAT wouldn’t touch, and you should also consider security, as passing SIP over an unprotected medium such as the internet is not exactly best practice. For this you should look into using encryption with TLS and SRTP.
10-29-2024 02:42 PM
Evening all,
Sorry it's been a min.
I have done some further testing; the main issue was occurring on the FreePBX side.
Secondly, I noticed that in FreePBX the trunk was showing unavailable, yet the router was showing as up.
Anyway I can make calls now. I will now enable media encryption etc.
Thanks so much for assisting.
Richard.