01-20-2012 05:02 AM - edited 03-21-2019 05:13 AM
Hi,
Can anyone help? I'm not incredibly technical but have a vague understanding... using the CCA to setup, I know how to telnet into CLI but not confident on the commands to use after that so don't generally touch it so I don't break anything.
I've set up a SIP trunk on a UC540 from VOIP-Unlimited. The outgoing calls work fine, and have even set up the outbound DID mapping.
However can't get incoming calls to connect. I've checked that the IP addresses from the ITSP are all set to be allowed, and I've mapped the inbound DID to an extension. The error log includes the number formatted as both +44845.... and 0845.... so I've tried both on the inbound mapping but neither work.
The error code is 127, but after reading the Cisco document on incoming call problems can't work out what else to do?
Oh and I do have a Dynamic Public IP address which is being changed to a Static IP in the next few weeks if that makes a difference - but the error log shows the correct public IP address for my connection.
The error log is (I've starred out my phone numbers and public IP address):
Frame 4 (624 bytes on wire, 624 bytes captured)
Arrival Time: Jan 20, 2012 12:18:40.027551000
Internet Protocol, Src: [MYPUBLICIP] ([MYPUBLICIP]), Dst: 91.151.2.130 (91.151.2.130)
User Datagram Protocol, Src Port: sip (5060), Dst Port: sip (5060)
Session Initiation Protocol
Status-Line: SIP/2.0 500 Internal Server Error
Status-Code: 500
[Resent Packet: False]
Message Header
Reason: Q.850;cause=127
Reason Protocols: Q.850
Cause: 127(0x7f)[Internetworking, unspecified]
Date: Fri, 20 Jan 2012 12:29:40 GMT
From: <sip:07525******@91.151.11.20>;tag=3536050719-942236
SIP from address: sip:07525******@91.151.11.20
SIP from address User Part: 07525******
SIP from address Host Part: 91.151.11.20
SIP tag: 3536050719-942236
Allow-Events: telephone-event
Content-Length: 0
To: +44845******* <sip:0845*******@91.151.2.130;user=phone>;tag=1E8224-1038
SIP Display info: +44845*******
SIP to address: sip:0845*******@91.151.2.130
SIP to address User Part: 0845*******
SIP to address Host Part: 91.151.2.130
SIP tag: 1E8224-1038
Call-ID:
14384647-3536050719-942229@msx1-voip-unlimited-net.mydomain.com
Via: SIP/2.0/UDP 91.151.2.130;branch=z9hG4bKf438.ad3a8dc1.0,SIP/2.0/UDP 91.151.11.20:5060;rport=5060;received=91.151.11.20;branch=z9hG4bK03c5a15cdfb692caf9f5d370fad8dd48
Transport: UDP
Sent-by Address: 91.151.2.130
Branch: z9hG4bKf438.ad3a8dc1.0
Transport: UDP
Sent-by Address: 91.151.11.20
Sent-by port: 5060
RPort: 5060
Received: 91.151.11.20
Branch: z9hG4bK03c5a15cdfb692caf9f5d370fad8dd48
CSeq: 1 INVITE
Sequence Number: 1
Method: INVITE
Server: Cisco-SIPGateway/IOS-12.x
01-20-2012 06:22 AM
Mr. Simpson,
In what is provided I see that you are getting a 500 internal server error. This is usually cause either by your current Access control lists by not allowing all IP address from your VOIP provider, or the provider is sending you information that the UC540 does not recognize.
What I would like to see as for debugs which you can run in CCA under Troubleshoot > General debugs. The commands are debug voip ccapi inout and debug ccsip message.
I will also like to see a current running configuration.
Please attach these as a file and remove/hide any private information you do not want known.
Thank you,
Mike D.
01-20-2012 07:58 AM
01-20-2012 04:37 PM
Hi Neil,
It looks like there is another IP Address in the INVITE (via header) that is not being allowed (91.151.2.130).
Also, make sure that your inbound DIDs reflect exactly what the ITSP sends in the request URI
(INVITE sip:0845*******@**.**.***.**:62768 SIP/2.0).
Laura
01-22-2012 05:55 AM
I noticed that myself - but in the CCA under SIP trunk - advanced options, it is listed as one of the additional allowed IP addresses. The weird thing is I didn't add it to the list, it appeared there after I set up the SIP trunk.
Is there a way to add that IP address to the Access list using the CLI?
01-22-2012 07:51 AM
Does it matter if the IP address concerned is in the Standard or Extended Access List and does it matter which acces list i.e. Access List 1,2,3 or 101, 102, 103 etc?
01-23-2012 01:10 AM
Hi Neil - Adding an IP address for the Service provider using CCA adjusts
1. WAN access list - typically Access-list 104
2. Access list used with a voice-source group - typically access list 3
I would imagine an extended access list would work with a source-group, with the first subnet being used to match the source.
You may find this link useful as it discusses the security techniques CCA uses for protecting a system - and covers source groups / wan access lists.
http://www.voip.co.uk/ciscoccatoolsecurity/
Adam
01-23-2012 03:11 AM
Checking the dial-peers - this is what I have set up. The numbers match what is being sent by the ITSP but do the rest of the settings make sense?
!
dial-peer voice 3000 voip
description 01422
translation-profile incoming 01422_Called_4
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target sip-server
incoming called-number 01422******
dtmf-relay rtp-nte
ip qos dscp cs5 media
ip qos dscp cs4 signaling
no vad
!
dial-peer voice 3001 voip
description +441422
translation-profile incoming +441422_Called_5
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target sip-server
incoming called-number +441422******
dtmf-relay rtp-nte
ip qos dscp cs5 media
ip qos dscp cs4 signaling
no vad
!
dial-peer voice 3002 voip
description 0845
translation-profile incoming 0845_Called_6
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target sip-server
incoming called-number 08455******
dtmf-relay rtp-nte
ip qos dscp cs5 media
ip qos dscp cs4 signaling
no vad
!
!
no dial-peer outbound status-check pots
sip-ua
credentials username 01422658*** password 7 *** realm sip.voip-unlimited.net
credentials username 08455240*** password 7 *** realm sip.voip-unlimited.net
authentication username 01422***** password 7 ***
no remote-party-id
retry invite 2
retry register 10
timers connect 100
registrar dns:sip.voip-unlimited.net expires 3600
sip-server dns:sip.voip-unlimited.net
host-registrar
!
!
!
01-23-2012 03:21 AM
yes they look fine.
In your trace you have:
"
INVITE sip:0845*******@**.**.***.**:62768 SIP/2.0"
the **'s after the @ - is this the IP address of your UC500 ?
01-23-2012 03:17 AM
This is the ACL but I assume this is set up correctly also? IP's from the ITSP are 91.151.2.130 and 91.151.11.20
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL_INTERNAL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.10.0 0.0.0.3
access-list 3 remark CCA_SIP_SOURCE_GROUP_ACL_EXTERNAL
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 91.151.2.130
access-list 3 permit 91.151.11.20
access-list 3 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip 10.0.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_5##
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 10.1.10.0 0.0.0.3 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 deny ip 10.1.10.0 0.0.0.3 any
access-list 103 deny ip 10.0.1.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_22##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 91.151.2.130 eq 5060 any
access-list 104 permit udp host 91.151.2.130 any eq 5060
access-list 104 permit udp host 91.151.11.20 eq 5060 any
access-list 104 permit udp host 91.151.11.20 any eq 5060
access-list 104 permit udp host 10.0.1.1 eq 5060 any
access-list 104 permit udp host 10.0.1.1 any eq 5060
access-list 104 permit udp any any range 16384 32767
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 deny ip 10.0.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any log
01-23-2012 03:20 AM
Last thing from Adam's link to check was IP Address Trusted List, my config appears not to have any?
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
sip
registrar server expires max 3600 min 3600
localhost dns:sip.voip-unlimited.net
outbound-proxy dns:sip.voip-unlimited.net
no update-callerid
sip-profiles 1000
!
!
The example given in Adam's link shows this:
voice service voip ip address trusted list ipv4 0.0.0.0 0.0.0.0 ! allows all voip sources allow-connections h323 to h323 allow-connections h323 to sip allow-connections sip to h323 allow-connections sip to sip supplementary-service h450.12 no supplementary-service sip moved-temporarily no supplementary-service sip refer
OR THIS
voice service voip
ip address trusted list
ipv4 10.1.10.0 255.255.255.252 ! Subnet used by CUE
ipv4 10.1.1.0 255.255.255.0 ! Subnet used internally for voice sources
ipv4 193.203.210.0 255.255.254.0 ! Subnet for the Service Provider
allow-connections h323 to h323 allow-connections h323 to sip allow-connections sip to h323 allow-connections sip to sip supplementary-service h450.12 no supplementary-service sip moved-temporarily no supplementary-service sip refer
ANY HELP GREATLY APPRECIATED!!
01-23-2012 03:28 AM
Neil -
The IP address list trusted list part is valid in recent IOS images.
You can try to add this in.
conf t
voice service voip
ip address trusted listipv4 0.0.0.0 0.0.0.0
If the commands are not accepted then this is not a factor on your box.
Please can you answer the question:
In your SIP trace the Invite you received is in the format:
INVITE sip:0845*******@**.**.***.**:62768 SIP/2.0
the **.**.****.** after the @ sign - is this the IP address of your BOX ?
If not this is a possible cause of your problem.
Adam
01-23-2012 03:45 AM
Got this far but typing in IP ADDRESS TRUSTED LIST results in an error.
UC_540#config t
Enter configuration commands, one per line. End with CNTL/Z.
UC_540(config)#voice service voip
UC_540(conf-voi-serv)#ip ad
UC_540(conf-voi-serv)#ip address tr
UC_540(conf-voi-serv)#ip address trusted
UC_540(conf-voi-serv)#ip address trusted l
UC_540(conf-voi-serv)#ip address trusted list
^
% Invalid input detected at '^' marker.
UC_540(conf-voi-serv)# ip address trusted list
^
% Invalid input detected at '^' marker.
UC_540(conf-voi-serv)#?
VOICE SERVICE configuration commands:
address-hiding Address hiding (SIP-SIP)
allow-connections Allow call connection types
callmonitor Call Monitoring
cause-code Sets the internal cause code for SIP and H323
clid Caller ID option
cpa Enable Call Progress Analysis for voip calls
default Set a command to its defaults
dtmf-interworking Dtmf Interworking
exit Exit from voice service configuration mode
fax Global fax commands
fax-relay Global fax relay commands
gcid Enable Global Call Identifcation for voip
h323 Global H.323 configuration commands
media Global media setting for voip calls
modem Global modem commands
no Negate a command or set its defaults
notify send facility indication to application
qsig QSIG
redirect voip call redirect
rtp-ssrc Global setting to handle multiple RTP SSRC's
shutdown Stop VoIP services gracefully without dropping active calls
signaling Global setting for signaling payload handling
sip SIP configuration commands
srtp Allow Secure calls
supplementary-service Config supplementary service features
text Global text commands
UC_540(conf-voi-serv)#
01-23-2012 03:46 AM
And yes the IP address after the phone number does match our Public IP address. It's a Dynamic IP address though, will the box pick this up using DHCP?
01-23-2012 03:54 AM
Your configuration shows the router is setup for DHCP yes.
Please can you post the output of "show ip interface brief" ?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide