Outgoing call issue on sip trunk of deutsche telekom service provider 403 Forbidden (R403_REQUEST_NO...

SathishAnbu4286 · ‎10-22-2019

Setting up sip trunk with deutsche telekom service provider. Outgoing call is not working getting 403 Forbidden (R403_REQUEST_NOT_ALLOWED)..

Received:
SIP/2.0 403 Forbidden (R403_REQUEST_NOT_ALLOWED)
Via: SIP/2.0/TCP 192.168.178.2:5060;received=217.7.207.185;branch=z9hG4bK31DED3
To: <sip:00919739994990@sip-trunk.telekom.de>;tag=65cc6339
From: <sip:+49623797740@sip-trunk.telekom.de>;tag=2740564-1172
Call-ID: E2229D99-F3E911E9-903A9E36-290E7944@192.168.178.2
CSeq: 101 INVITE
Content-Length: 0

SIP config

voice service voip
ip address trusted list
ipv4 10.33.50.17
ipv4 10.33.50.18
ipv4 10.42.60.0 255.255.255.0
ipv4 217.10.79.9
ipv4 217.116.117.0 255.255.255.0
ipv4 10.43.32.0 255.255.255.0
ipv4 217.0.0.0 255.255.0.0
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
fax protocol t38 nse version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
modem passthrough nse codec g711alaw
sip
session refresh
asserted-id pai
outbound-proxy dns:reg.sip-trunk.telekom.de
asymmetric payload full
conn-reuse
privacy-policy passthru
sip-profiles inbound
sip-profiles 3000
!
!
voice class uri 1 sip
host ipv4:10.34.59.33
host ipv4:10.43.32.83
host ipv4:10.34.59.32
voice class codec 1
codec preference 1 g711alaw
!
!
voice class sip-profiles 3000
rule 1 request REGISTER sip-header Contact modify "<.*:.*@(.*)>" "<sip:\1;bnc>"
rule 2 request REGISTER sip-header Proxy-Require add "Proxy-Require: gin"
rule 3 request REGISTER sip-header Require add "Require: gin"
!
voice class sip-profiles 201
rule 1 request ANY sip-header P-Asserted-Identity modify "<sip:(.*)>" "<sip:+49623797740@sip-trunk.telekom.de>"
rule 2 request ANY sip-header Min-SE remove
rule 3 request ANY sip-header Diversion remove
rule 4 request ANY sdp-header Connection-Info remove
rule 5 response ANY sdp-header Connection-Info remove
!
!
voice class server-group 1
ipv4 10.34.59.33 preference 1
ipv4 10.43.32.83 preference 3
ipv4 10.34.59.32 preference 2

voice translation-rule 1
rule 6 // //
!
voice translation-rule 2
rule 2 /\(^.+\)/ /+\1/ type international international
rule 3 /\(^.+\)/ /0\1/ type any subscriber
!
voice translation-rule 3
rule 1 /^149/ /+49623797/
rule 2 /^9/ /*\1/
rule 3 /^.*/ /*\0/
!
voice translation-rule 4
rule 1 /^\*/ //
!
voice translation-rule 5
rule 1 /97744/ /149744/
!
voice translation-rule 6
rule 1 /\+496237977.../ /+49623797740/
!
voice translation-rule 14
rule 1 /9/ //
!
!
voice translation-profile Fax_in
translate called 5
!
voice translation-profile FromPSTN
translate calling 2
translate called 1
!
voice translation-profile SRST
translate called 3
!
voice translation-profile ToPSTN
translate calling 6
translate called 4

interface GigabitEthernet0/1
ip address 192.168.178.2 255.255.255.0
duplex auto
speed auto

ip route 0.0.0.0 0.0.0.0 192.168.178.1

dial-peer voice 201 voip
description **SIP-TRUNK.TELEKOM.DE**
translation-profile outgoing ToPSTN
destination-pattern *T
session protocol sipv2
session target sip-server
session transport tcp
voice-class codec 1
voice-class sip outbound-proxy dns:reg.sip-trunk.telekom.de
voice-class sip profiles 201
voice-class sip bind control source-interface GigabitEthernet0/1
voice-class sip bind media source-interface GigabitEthernet0/1
dtmf-relay rtp-nte
fax-relay ecm disable
fax rate 14400
fax nsf 000000
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
clid strip name
no vad
!
dial-peer voice 101 voip
translation-profile incoming FromPSTN
rtp payload-type nse 112
session protocol sipv2
session target sip-server
session transport tcp
incoming called-number +4962379774..
no voice-class sip outbound-proxy
voice-class sip bind control source-interface GigabitEthernet0/1
voice-class sip bind media source-interface GigabitEthernet0/1
dtmf-relay rtp-nte
codec g711alaw
fax-relay ecm disable
fax rate 14400
fax nsf 000000
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
no vad
!
dial-peer voice 301 voip
preference 1
destination-pattern +4962379774..
session protocol sipv2
session target ipv4:10.34.59.33
voice-class codec 1
no voice-class sip outbound-proxy
no voice-class sip pass-thru content sdp
voice-class sip bind control source-interface GigabitEthernet0/0
voice-class sip bind media source-interface GigabitEthernet0/0
dtmf-relay rtp-nte
no vad
!
dial-peer voice 302 voip
destination-pattern +4962379774..
session protocol sipv2
session target ipv4:10.43.32.83
session transport udp
voice-class codec 1
no voice-class sip outbound-proxy
no voice-class sip pass-thru content sdp
voice-class sip bind control source-interface GigabitEthernet0/0
voice-class sip bind media source-interface GigabitEthernet0/0
dtmf-relay rtp-nte
no vad
!
dial-peer voice 303 voip
destination-pattern +4962379774..
session protocol sipv2
session target ipv4:10.34.59.32
voice-class codec 1
no voice-class sip outbound-proxy
voice-class sip bind control source-interface GigabitEthernet0/0
voice-class sip bind media source-interface GigabitEthernet0/0
dtmf-relay rtp-nte
no vad

sip-ua
credentials number +49623797740 username 5511351XXXX password 7 13152D450409537F12 realm sip-trunk.telekom.de
authentication username 5511351XXXX password 7 02163E0C0403587475 realm sip-trunk.telekom.de
no remote-party-id
timers expires 900000
timers register 100
timers dns registrar-cache ttl
registrar dns:sip-trunk.telekom.de expires 240 tcp auth-realm sip-trunk.telekom.de
sip-server dns:sip-trunk.telekom.de
connection-reuse

Vaijanath Sonvane · ‎10-23-2019

Hi,

Can you please post the logs for debug cccsip messages and debug ccapi inout? And also the calling number and called number information.

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.

SathishAnbu4286 · ‎10-23-2019

Calling number:+49623797740

Called number: 00919739994990

Attached the debugs

Vaijanath Sonvane · ‎10-24-2019

Hi,

Can you try below configuration:

voice class sip-profiles 201
 rule 1 request INVITE sip-header From modify "sip-trunk.telekom.de" "192.168.178.2"
 rule 2 request INVITE sip-header P-Asserted-Identity modify "<sip:(.*)>" "<sip:+49623797740@192.168.178.2>"
 !
dial-peer voice 201 voip
  voice-class sip profiles 201
 !

Any reason you are removing below parameters in your configuration:

voice class sip-profiles 201
 rule 2 request ANY sip-header Min-SE remove
 rule 3 request ANY sip-header Diversion remove
 rule 4 request ANY sdp-header Connection-Info remove
 rule 5 response ANY sdp-header Connection-Info remove

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.

SathishAnbu4286 · ‎10-24-2019

Hi,

Tried the profile which you shared still same issue.

The profile which i configured got from internet which is published by cisco for service provider Deutsche Telekom in germany.

Vaijanath Sonvane · ‎10-25-2019

Hi,

From the earlier logs:

When you are making outgoing calls you are sending G722, G711 and G729 codes. Which codes are supported by your service provider and what are they expecting?
You are sending +49623797740 as Calling Number and 0091973999499 as Called Number. Is this what your Service Provider is expecting?
Can you try outgoing calls without using outbound proxy.

dial-peer voice 201 voip
 no voice-class sip outbound-proxy dns:reg.sip-trunk.telekom.de

Check with your service provider about why they are rejecting the call.

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.

SathishAnbu4286 · ‎10-26-2019

Hi,

They accept g711alaw and g722

Calling and called format is fine

I tried result is same..

No proper support from service provide and one thing we observed is we reset trunk in CUCM and also reconfigure SIP configuration in gateway it will fix issue for time being. After some time it will stop again. Service provider told TCP authentication is not working properly. During TCP authentication both VG and Service provider SIP-proxy agreed on one TCP port but VG sending traffic to on different port.

Vaijanath Sonvane · ‎10-28-2019

Can you please post working and non working call logs?

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.

SathishAnbu4286 · ‎11-04-2019

Guys thank you issue is fixed after remove bind control GE0/1.. Not sure how this created the issue

richardpierce · ‎04-16-2020

This worked for me too. I removed the binding from outbound interface and calls were successful.

nickkassel · ‎01-08-2021

Hi Richard, I hope your well, I have this same issue on DE Telekom SIP trunk but dont have any binding on the interfaces, what did you remove to get this working for you?

Regards

Nick

Roger Kallberg · ‎01-08-2021

The bind statements are either on the dial peers or in global configuration under voice service voip.

nickkassel · ‎01-08-2021

Yes, aware of that but it wasn't clear that it was the outbound dial-peer that it was removed from as it stated outbound interface.

Ali Amir · ‎03-04-2021

@nickkassel

We had a same issue with DE Telekom.

The problem was: in somehow our firewall sent a TCP-FIN packet to our CUBE so the SIP trunk with Telekom was dropped by our CUBE. Then the CUBE made a new registration/connection. At this point the CUBE connection was made with a new TCP source port. After this, the CUBE tried to send related SIP messages for the old active calls to provider with the new SIP trunk, but the provider rejected them, and we get "R403_REQUEST_NOT_ALLOWED".

The reason was: the source port of call signaling for a call must be remain during the call.

Troubleshooting:

- With "debug ip tcp transactions" we could see that the CUBE got a FIN.

2161522: Sep 3 12:24:35.470: TCP0: FIN processed
2161523: Sep 3 12:24:35.470: TCP0: state was ESTAB -> CLOSEWAIT [50896 -> 88.0.8.8(5060)]
(…)
2161544: Sep 3 12:24:35.486: TCP0: state was CLOSEWAIT -> LASTACK [50896 -> 88.0.8.8(5060)]
2161545: Sep 3 12:24:35.486: TCP0: sending FIN
2161546: Sep 3 12:24:35.486: TCB213E8AB4 getting property TCP_VRFTABLEID (20)
2161547: Sep 3 12:24:35.490: TCP0: Got ACK for our FIN
2161548: Sep 3 12:24:35.490: TCP0: state was LASTACK -> CLOSED [50896 -> 88.0.8.8(5060)]
2161549: Sep 3 12:24:35.490: Released port 50896 in Transport Port Agent for TCP IP type 1 delay 240000
2161550: Sep 3 12:24:35.490: TCB 0x21323FE4 destroyed

- With "debug ccsip messages" we could see the new trunk registration request.
- With the packet capture traces from the provider interface we could see the FIN packet and also the changing of source TCP port for the SIP messages.

TONY SMITH · ‎03-09-2021

You can keep the source port fixed with the following configuration, obviously in addition to anything you already have under "sip-ua". Personally I would change to UDP if the service provider accepts this, I've seen issues with TCP in terms of how retries are handled.

sip-ua
 connection-reuse

Outgoing call issue on sip trunk of deutsche telekom service provider 403 Forbidden (R403_REQUEST_NOT_ALLOWED)