Re: Incoming SIP not working Reason:127 - any help?

reclaimuk · ‎01-20-2012

Hi,

Can anyone help? I'm not incredibly technical but have a vague understanding... using the CCA to setup, I know how to telnet into CLI but not confident on the commands to use after that so don't generally touch it so I don't break anything.

I've set up a SIP trunk on a UC540 from VOIP-Unlimited. The outgoing calls work fine, and have even set up the outbound DID mapping.

However can't get incoming calls to connect. I've checked that the IP addresses from the ITSP are all set to be allowed, and I've mapped the inbound DID to an extension. The error log includes the number formatted as both +44845.... and 0845.... so I've tried both on the inbound mapping but neither work.

The error code is 127, but after reading the Cisco document on incoming call problems can't work out what else to do?

Oh and I do have a Dynamic Public IP address which is being changed to a Static IP in the next few weeks if that makes a difference - but the error log shows the correct public IP address for my connection.

The error log is (I've starred out my phone numbers and public IP address):

Frame 4 (624 bytes on wire, 624 bytes captured)

Arrival Time: Jan 20, 2012 12:18:40.027551000

Internet Protocol, Src: [MYPUBLICIP] ([MYPUBLICIP]), Dst: 91.151.2.130 (91.151.2.130)

User Datagram Protocol, Src Port: sip (5060), Dst Port: sip (5060)

Session Initiation Protocol

Status-Line: SIP/2.0 500 Internal Server Error

Status-Code: 500

[Resent Packet: False]

Message Header

Reason: Q.850;cause=127

Reason Protocols: Q.850

Cause: 127(0x7f)[Internetworking, unspecified]

Date: Fri, 20 Jan 2012 12:29:40 GMT

From: <sip:07525******@91.151.11.20>;tag=3536050719-942236

SIP from address: sip:07525******@91.151.11.20

SIP from address User Part: 07525******

SIP from address Host Part: 91.151.11.20

SIP tag: 3536050719-942236

Allow-Events: telephone-event

Content-Length: 0

To: +44845******* <sip:0845*******@91.151.2.130;user=phone>;tag=1E8224-1038

SIP Display info: +44845*******

SIP to address: sip:0845*******@91.151.2.130

SIP to address User Part: 0845*******

SIP to address Host Part: 91.151.2.130

SIP tag: 1E8224-1038

Call-ID:

14384647-3536050719-942229@msx1-voip-unlimited-net.mydomain.com

Via: SIP/2.0/UDP 91.151.2.130;branch=z9hG4bKf438.ad3a8dc1.0,SIP/2.0/UDP 91.151.11.20:5060;rport=5060;received=91.151.11.20;branch=z9hG4bK03c5a15cdfb692caf9f5d370fad8dd48

Transport: UDP

Sent-by Address: 91.151.2.130

Branch: z9hG4bKf438.ad3a8dc1.0

Transport: UDP

Sent-by Address: 91.151.11.20

Sent-by port: 5060

RPort: 5060

Received: 91.151.11.20

Branch: z9hG4bK03c5a15cdfb692caf9f5d370fad8dd48

CSeq: 1 INVITE

Sequence Number: 1

Method: INVITE

Server: Cisco-SIPGateway/IOS-12.x

mdobiac · ‎01-20-2012

Mr. Simpson,

In what is provided I see that you are getting a 500 internal server error. This is usually cause either by your current Access control lists by not allowing all IP address from your VOIP provider, or the provider is sending you information that the UC540 does not recognize.

What I would like to see as for debugs which you can run in CCA under Troubleshoot > General debugs. The commands are debug voip ccapi inout and debug ccsip message.

I will also like to see a current running configuration.

Please attach these as a file and remove/hide any private information you do not want known.

Thank you,

Mike D.

reclaimuk · ‎01-20-2012

Here is the information you requested.

Thanks,

lgaughan · ‎01-20-2012

Hi Neil,

It looks like there is another IP Address in the INVITE (via header) that is not being allowed (91.151.2.130).

Also, make sure that your inbound DIDs reflect exactly what the ITSP sends in the request URI

(INVITE sip:0845*******@**.**.***.**:62768 SIP/2.0).

Laura

reclaimuk · ‎01-22-2012

I noticed that myself - but in the CCA under SIP trunk - advanced options, it is listed as one of the additional allowed IP addresses. The weird thing is I didn't add it to the list, it appeared there after I set up the SIP trunk.

Is there a way to add that IP address to the Access list using the CLI?

reclaimuk · ‎01-22-2012

Does it matter if the IP address concerned is in the Standard or Extended Access List and does it matter which acces list i.e. Access List 1,2,3 or 101, 102, 103 etc?

ADAM CRISP · ‎01-23-2012

Hi Neil - Adding an IP address for the Service provider using CCA adjusts

1. WAN access list - typically Access-list 104

2. Access list used with a voice-source group - typically access list 3

I would imagine an extended access list would work with a source-group, with the first subnet being used to match the source.

You may find this link useful as it discusses the security techniques CCA uses for protecting a system - and covers source groups / wan access lists.

http://www.voip.co.uk/ciscoccatoolsecurity/

Adam

reclaimuk · ‎01-23-2012

Checking the dial-peers - this is what I have set up. The numbers match what is being sent by the ITSP but do the rest of the settings make sense?

!

dial-peer voice 3000 voip

description 01422

translation-profile incoming 01422_Called_4

voice-class codec 1

voice-class sip dtmf-relay force rtp-nte

session protocol sipv2

session target sip-server

incoming called-number 01422******

dtmf-relay rtp-nte

ip qos dscp cs5 media

ip qos dscp cs4 signaling

no vad

!

dial-peer voice 3001 voip

description +441422

translation-profile incoming +441422_Called_5

voice-class codec 1

voice-class sip dtmf-relay force rtp-nte

session protocol sipv2

session target sip-server

incoming called-number +441422******

dtmf-relay rtp-nte

ip qos dscp cs5 media

ip qos dscp cs4 signaling

no vad

!

dial-peer voice 3002 voip

description 0845

translation-profile incoming 0845_Called_6

voice-class codec 1

voice-class sip dtmf-relay force rtp-nte

session protocol sipv2

session target sip-server

incoming called-number 08455******

dtmf-relay rtp-nte

ip qos dscp cs5 media

ip qos dscp cs4 signaling

no vad

!

no dial-peer outbound status-check pots

sip-ua

credentials username 01422658*** password 7 *** realm sip.voip-unlimited.net

credentials username 08455240*** password 7 *** realm sip.voip-unlimited.net

authentication username 01422***** password 7 ***

no remote-party-id

retry invite 2

retry register 10

timers connect 100

registrar dns:sip.voip-unlimited.net expires 3600

sip-server dns:sip.voip-unlimited.net

host-registrar

!

ADAM CRISP · ‎01-23-2012

yes they look fine.

In your trace you have:

"

INVITE sip:0845*******@**.**.***.**:62768 SIP/2.0"

the **'s after the @ - is this the IP address of your UC500 ?

reclaimuk · ‎01-23-2012

This is the ACL but I assume this is set up correctly also? IP's from the ITSP are 91.151.2.130 and 91.151.11.20

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 10.1.1.0 0.0.0.255

access-list 1 permit 10.0.1.0 0.0.0.255

access-list 1 permit 10.1.10.0 0.0.0.3

access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL_INTERNAL

access-list 2 remark SDM_ACL Category=1

access-list 2 permit 10.0.1.0 0.0.0.255

access-list 2 permit 10.1.1.0 0.0.0.255

access-list 2 permit 10.1.10.0 0.0.0.3

access-list 3 remark CCA_SIP_SOURCE_GROUP_ACL_EXTERNAL

access-list 3 remark SDM_ACL Category=1

access-list 3 permit 91.151.2.130

access-list 3 permit 91.151.11.20

access-list 3 deny any

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny ip 192.168.10.0 0.0.0.255 any

access-list 100 deny ip host 255.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_7##

access-list 101 remark SDM_ACL Category=1

access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any

access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any

access-list 101 deny ip 10.1.1.0 0.0.0.255 any

access-list 101 deny ip 10.0.1.0 0.0.0.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 permit ip any any

access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_5##

access-list 102 remark SDM_ACL Category=1

access-list 102 deny ip 10.1.10.0 0.0.0.3 any

access-list 102 deny ip 10.1.1.0 0.0.0.255 any

access-list 102 deny ip host 255.255.255.255 any

access-list 102 deny ip 127.0.0.0 0.255.255.255 any

access-list 102 permit ip any any

access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_7##

access-list 103 remark SDM_ACL Category=1

access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000

access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000

access-list 103 deny ip 10.1.10.0 0.0.0.3 any

access-list 103 deny ip 10.0.1.0 0.0.0.255 any

access-list 103 deny ip host 255.255.255.255 any

access-list 103 deny ip 127.0.0.0 0.255.255.255 any

access-list 103 permit ip any any

access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_22##

access-list 104 remark SDM_ACL Category=1

access-list 104 permit udp host 91.151.2.130 eq 5060 any

access-list 104 permit udp host 91.151.2.130 any eq 5060

access-list 104 permit udp host 91.151.11.20 eq 5060 any

access-list 104 permit udp host 91.151.11.20 any eq 5060

access-list 104 permit udp host 10.0.1.1 eq 5060 any

access-list 104 permit udp host 10.0.1.1 any eq 5060

access-list 104 permit udp any any range 16384 32767

access-list 104 deny ip 10.1.10.0 0.0.0.3 any

access-list 104 deny ip 10.1.1.0 0.0.0.255 any

access-list 104 deny ip 10.0.1.0 0.0.0.255 any

access-list 104 permit udp any eq bootps any eq bootpc

access-list 104 permit icmp any any echo-reply

access-list 104 permit icmp any any time-exceeded

access-list 104 permit icmp any any unreachable

access-list 104 deny ip 10.0.0.0 0.255.255.255 any

access-list 104 deny ip 172.16.0.0 0.15.255.255 any

access-list 104 deny ip 192.168.0.0 0.0.255.255 any

access-list 104 deny ip 127.0.0.0 0.255.255.255 any

access-list 104 deny ip host 255.255.255.255 any

access-list 104 deny ip any any log

reclaimuk · ‎01-23-2012

Last thing from Adam's link to check was IP Address Trusted List, my config appears not to have any?

voice service voip

allow-connections h323 to h323

allow-connections h323 to sip

allow-connections sip to h323

allow-connections sip to sip

supplementary-service h450.12

no supplementary-service sip moved-temporarily

no supplementary-service sip refer

sip

registrar server expires max 3600 min 3600

localhost dns:sip.voip-unlimited.net

outbound-proxy dns:sip.voip-unlimited.net

no update-callerid

sip-profiles 1000

!

The example given in Adam's link shows this:

voice service voip
 ip address trusted list
 ipv4 0.0.0.0 0.0.0.0 ! allows all voip sources
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 supplementary-service h450.12
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer

OR THIS

voice service voip

 ip address trusted list

 ipv4 10.1.10.0 255.255.255.252 ! Subnet used by CUE

 ipv4 10.1.1.0 255.255.255.0 ! Subnet used internally for voice sources

 ipv4 193.203.210.0 255.255.254.0 ! Subnet for the Service Provider

 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 supplementary-service h450.12
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer

ANY HELP GREATLY APPRECIATED!!

ADAM CRISP · ‎01-23-2012

Neil -

The IP address list trusted list part is valid in recent IOS images.

You can try to add this in.

conf t

voice service voip

 ip address trusted list
 ipv4 0.0.0.0 0.0.0.0



If the commands are not accepted then this is not a factor on your box.

Please can you answer the question:
In your SIP trace the Invite you received is in the format:

INVITE sip:0845*******@**.**.***.**:62768 SIP/2.0

the **.**.****.** after the @ sign  - is this the IP address of your BOX ?
If not this is a possible cause of your problem.

Adam

reclaimuk · ‎01-23-2012

Got this far but typing in IP ADDRESS TRUSTED LIST results in an error.

UC_540#config t

Enter configuration commands, one per line. End with CNTL/Z.

UC_540(config)#voice service voip

UC_540(conf-voi-serv)#ip ad

UC_540(conf-voi-serv)#ip address tr

UC_540(conf-voi-serv)#ip address trusted

UC_540(conf-voi-serv)#ip address trusted l

UC_540(conf-voi-serv)#ip address trusted list

^

% Invalid input detected at '^' marker.

UC_540(conf-voi-serv)# ip address trusted list

^

% Invalid input detected at '^' marker.

UC_540(conf-voi-serv)#?

VOICE SERVICE configuration commands:

address-hiding Address hiding (SIP-SIP)

allow-connections Allow call connection types

callmonitor Call Monitoring

cause-code Sets the internal cause code for SIP and H323

clid Caller ID option

cpa Enable Call Progress Analysis for voip calls

default Set a command to its defaults

dtmf-interworking Dtmf Interworking

exit Exit from voice service configuration mode

fax Global fax commands

fax-relay Global fax relay commands

gcid Enable Global Call Identifcation for voip

h323 Global H.323 configuration commands

media Global media setting for voip calls

modem Global modem commands

no Negate a command or set its defaults

notify send facility indication to application

qsig QSIG

redirect voip call redirect

rtp-ssrc Global setting to handle multiple RTP SSRC's

shutdown Stop VoIP services gracefully without dropping active calls

signaling Global setting for signaling payload handling

sip SIP configuration commands

srtp Allow Secure calls

supplementary-service Config supplementary service features

text Global text commands

UC_540(conf-voi-serv)#

reclaimuk · ‎01-23-2012

And yes the IP address after the phone number does match our Public IP address. It's a Dynamic IP address though, will the box pick this up using DHCP?

ADAM CRISP · ‎01-23-2012

Your configuration shows the router is setup for DHCP yes.

Please can you post the output of "show ip interface brief" ?