I have owned a UC520 since CCA 2.1, and each time you factory default the unit and re-enter the generic SIP provider, the incoming SIP calls are rejected with 500 Internal error. Each time the fix was to remove a Voice Source Group access list. TAC gave me this set of commands, which I have used for two years and through 5 upgrades and factory defaults.
voice source-group CCA_SIP_SOURCE_GROUP
no access-list 2
translation-profile incoming SIP_Incoming
I would have thought through 5 CCA/IOS upgrades this would have been resolved, but it is still not, and with this latest upgrade to 8.2/8.0.6 this is not working. I ran the commands and calls are still getting blocked. The ITSP said there is nothing they can do and provided this log showing how my UC520 is rejecting the incoming calls.
"Call attempts to your PBX are being rejected with the following error:
U 2011/08/11 02:12:54.667299 188.8.131.52:56006 -> 184.108.40.206:5060
SIP/2.0 500 Internal Server Error..Via: SIP/2.0/UDP 220.127.116.11:5060;bran
2-4e433aa6-cf91513f-52e9074b..From: "anonymous" <sip:firstname.lastname@example.org
18.104.22.168:5060>;tag=22DAAFC-4DE..Date: Thu, 11 Aug 2011 02:06:50 GMT..Ca
0..CSeq: 1 INVITE..Allow-Events: telephone-event..Reason: Q.850;cause=63..S
erver: Cisco-SIPGateway/IOS-12.x..Content-Length: 0....
Why does this happen, what is the fix now, and how come CCA and the UC520 have made this so difficult for so many years?
Your problem is the external source group for incoming calls. Removing the ACL will get this to work, but is not the recommended solution. The ACL in question is the one used by the external source group.
voice source-group CCA_SIP_SOURCE_GROUP_EXTERNAL
You can just remove the access-list, but this does open you up to possible toll fraud. I would suggest that you add permit statements to ACL 3 to allow incoming calls from your SIP provider. The issue is that you have to allow all of the IP addresses that your provider may send from. This can be done manually through the CLI, or on the "advanced" tab when configuring the SIP trunk.
Removed access-list 3 and calls are still getting rejected. Any other suggestions?
There is no way to create an IP allow list because the gateways our ITSP uses are many, and SIP could come from any of them and change.
Removed access list 3 and calls are still getting rejected. Any other thoughts?
Our ITSP does have a list of SIP IPs, but the RTP streams could come from anywhere and that is what is getting blocked. The SIP INVITE is getting through.
This does look like the SIP INVITE is getting rejected since the IP address of the proxy is not allowed on the UC500.
Since you tried the above already, take a look at this tech note on changes to toll fraud protection in more recent versions of IOS/CME:
Did you perform software upgrade or configure SIP trunk with a more recent version of CCA? Toll-fraud protection is a requirement of CCA configurations, but since CCA continues to rely on voice source group and access-lists, you should see the following added to your configuration:
voice service voip
 ip address trusted list
  ipv4 0.0.0.0 0.0.0.0
If this is not present, try adding it. And while this is not recommended, you may want to check the above tech note for how to disable the IOS/CME toll fraud application completely.
Tried adding, disabled toll fraud completely. Working with TAC for a while now, but they are stumped and tried the same resolution. They ran debug on SIP and this was the message:
002928: Aug 11 15:25:28.645: //1622/E33E81C4895E/SIP/Msg/ccsipDisplayMsg:
SIP/2.0 500 Internal Server Error
Via: SIP/2.0/UDP 10.1.10.1:5060;branch=z9hG4bK8w9oZbR3eUchEf4ZVnjueQ~~1240
Date: Thu, 11 Aug 2011 20:25:28 GMT
CSeq: 1 REGISTER
Not sure if you have tried it yet, but in CCA you can add multiple IP addresses into the ACL table for the SIP trunk. I have to do this with at least two of the ITSPs here in Australia, as they have more than one SBC and in more than one state, so it is done just in case the URI does not properly resolve, which would then cause the UC-500 to reject the call.
Since a spate of toll fraud last year I do not punch a hole in the firewall/ACL anymore. I do what I can to work with it and am quite pushy with the ITSPs about giving me additional IPs to add. If you can, please push them for any other ones the URI may resolve to.
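
The replies above recommend listing every provider signaling address in the ACL used by the external source group rather than removing it. As an added example (not part of the thread, and not Cisco or CCA code), this Python script checks a list of provider addresses against a numbered standard ACL using IOS wildcard-mask, first-match semantics and reports which sources would fall to the deny. The ACL text and addresses are constructed documentation values, and the function names are hypothetical.

```python
import ipaddress

def parse_standard_acl(text, number):
    """Return ordered (action, addr_int, wildcard_int) rules for one numbered standard ACL."""
    rules = []
    for line in text.splitlines():
        tok = [t for t in line.split() if t != "log"]  # ignore the optional log keyword
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        action, src = tok[2], tok[3]
        if src == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif src == "host":
            addr, wild = int(ipaddress.IPv4Address(tok[4])), 0
        else:
            addr = int(ipaddress.IPv4Address(src))
            # A bare address with no wildcard mask matches that single host.
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        rules.append((action, addr, wild))
    return rules

def acl_allows(rules, ip):
    """First matching entry wins; no match falls through to the implicit deny.
    Assumes the ACL is defined (has at least one entry)."""
    ip_int = int(ipaddress.IPv4Address(ip))
    for action, addr, wild in rules:
        # Wildcard bits set to 1 are "don't care" bits.
        if (ip_int | wild) == (addr | wild):
            return action == "permit"
    return False

def rejected_sources(acl_text, number, provider_ips):
    """Provider addresses that the given ACL would not permit."""
    rules = parse_standard_acl(acl_text, number)
    return [ip for ip in provider_ips if not acl_allows(rules, ip)]

# Constructed sample: ACL 3 as it might look after adding provider permits,
# and a constructed list of addresses the ITSP says it may send from.
SAMPLE_ACL = """\
access-list 3 permit 192.0.2.10
access-list 3 permit 198.51.100.0 0.0.0.31
access-list 3 deny any
"""
PROVIDER_SBCS = ["192.0.2.10", "198.51.100.17", "198.51.100.40", "203.0.113.5"]

if __name__ == "__main__":
    for ip in rejected_sources(SAMPLE_ACL, 3, PROVIDER_SBCS):
        print(f"{ip}: not permitted by ACL 3, calls from this source would be rejected")
```

Running it against the ACL lines from the running configuration and the address list the ITSP supplies shows which provider addresses still need a permit entry, without opening the source group to every source.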