Showing results for 
Search instead for 
Did you mean: 

Voice Source Group Blocking Incomming SIP 3.1/8.2


I have owned a UC520 since CCA 2.1   and each time you factroy default the unit and re-enter the generic SIP providor the incomming SIP calls are rejected with 500 Internal error.  Each time the fix was to remove a Voice Source Group Access list.  TAC gave me this set of commands I have used for two years and though 5 upgrades and factory defualts.

conf t

voice source-group CCA_SIP_SOURCE_GROUP

no access-list 2

translation-profile incoming SIP_Incoming


I would have thought through 5 CCA/IOS upgrades this would have been resolved but it is still not and this latest Upgrade to 8.2/8.0.6 this is not working .  I ran the commands and calles are still getting blocked.   The ITSP said there is nothing they can do and provided this log showing how my UC520 is rejecting the incomming calls.

"Call attempts to your PBX are being rejected with the following error:

U 2011/08/11 02:12:54.667299 ->
SIP/2.0 500 Internal Server Error..Via: SIP/2.0/UDP;bran
2-4e433aa6-cf91513f-52e9074b..From: "anonymous" <
>;tag=a9f5ed0-13c4-4e433aa6-cf91513f-1b4c601a..To: <sip:16125207500@6
>;tag=22DAAFC-4DE..Date: Thu, 11 Aug 2011 02:06:50 GMT..Ca
ll-ID: CXC-223-6b03ce30-a9f5ed0-13c4-4e433aa6-cf91513f-6d6313c@
0..CSeq: 1 INVITE..Allow-Events: telephone-event..Reason: Q.850;cause=63..S
erver: Cisco-SIPGateway/IOS-12.x..Content-Length: 0....

Why does this happen, what is the fix now and how come CCA and the UC520 have made this so difficult for so many years.  

6 Replies 6

Darren DeCroock

Hello David,

Your problem is the external source group for incoming calls.  Removing the ACL will get this to work, but is not the recommended solution.  The ACL in question is the one used by the external source group.


access-list 3

You can just remove the access-list, but this does open you up to possible toll-fraud.  I would suggest that you add permit statements to ACL 3 to allow incoming calls from your SIP provider.  The issue is that you have to allow all of the IP addresses that your provider may send from.  This can be done manually though CLI, or on the "advanced" tab when configuring the SIP trunk.

Thank you,


removed access-list 3 and calls are still getting rejected.  Any other suggestions?

There is no way to create an IP allow list becouse the gateways our ITSP uses are many and SIP could come from any of them and change.

Removed access list 3 and calles are still getting rejected.  Any other thoughts?

Our ITSP does have a list of SIP ip's but the RTP streams could come from anywhere and thst is what is getting bloccked.   The SIP invite is getting though.

This does looks like SIP INIVTE is getting rejected since the IP address of the proxy is not allowed on the UC500.

Since you tried the above already, take a look at this tech note on changes to toll fraud protection in more recent versions of IOS/CME:

Did you perform software upgrade or configure SIP trunk with a more recent version of CCA?  Toll-fraud protection is a requirement of CCA configurations, but since CCA continues to rely on voice source group and access-lists, you should see the following added to your configuration:

voice service voip
 ip address trusted list

If this is not present, trying adding it.  And while this is not recommended, you may want to check the above tech note for how to disable the IOS/CME toll fraud application completely.


Tired adding,  disabled toll fraud completly.  Workign with TAC for a while now but they are stumped and tried same resolution.  They ran debug on SIP and this was message:

002928: Aug 11 15:25:28.645: //1622/E33E81C4895E/SIP/Msg/ccsipDisplayMsg:


SIP/2.0 500 Internal Server Error

Via: SIP/2.0/UDP;branch=z9hG4bK8w9oZbR3eUchEf4ZVnjueQ~~1240

From: ;tag=ds1b761cf6

To: ;tag=61B7F60-469

Date: Thu, 11 Aug 2011 20:25:28 GMT



Server: Cisco-SIPGateway/IOS-12.x


Content-Length: 0

Hi David,

Not sure if you have tried it yet, but in CCA you can add multiple IP addresses into the ACL table for the SIP trunk, I have to do this with at least two of the ITSP's here in Australia as they have more than one SBC's and in more than one state, so it is done just incase the URI does not properly resolve, which would then cause the UC-500 to reject the call.

See Image:

Since a spate of toll fraud last year I do not punch a whole in the firewall/ACL anymore, I do what I can to work with it and am quite pushy with the ITSP's with giving me additional IP's to add, if you can please push them for any other ones they may use the URI to resolve to.



Cheers, David Trad. **When you rate a persons post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you wont be looked down upon :) *
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: