Hi thanks for the reply,

I don't think it could be my router. There is no blocking on that whatsoever as it just is in routing mode with no firewall or NAT. Also when you look at the traffic counter you can see it counting up when trying to ring in suggesting incoming traffic from the trunk. There isn't any traffic when you don't try and phone in. I don't see anything in the logs.

Also this was working fine before the firmware update. My provider assures me they have not changed anything.

Sent from Cisco Technical Support iPad App

Mike - As Chris says above - have a look at your SIP trunk on the UC320. There's a field where you can tell the UC where it's allows to receive calls from. You need to ask Gradwell for the IP address they will use when sending you calls. Fill in the form with their IP address and I think your problem will be solved.

Alternatively if Gradwell supports this - you could get the UC to register with them. The UC will automatically allow inbound calls from IP sources with which it is registered.

Adam

Mike,

I'm really sorry but I.. have have just logged in to a 2.1.1 unit and seen I've been telling you something that's not correct. Sorry. I was confusing the allowed inbound DDI section with the source IP feature. I know that Cisco have implemented it, and assumed that it was on this page.

Given that we know that it exists, what IP address are you receiving calls from and is this the same IP address as you're sending calls to ?

If you're sending calls to IP address X.X.X.X, but receiving calls from Y.Y.Y.Y, then you could try creating a new additional sip trunk for inbound only but use Y.Y.Y.Y as the proxy, this would let the unit receive calls from Y.Y.Y.Y

Chris - is there a better way ?

Adam

Hi,

On the SIP/BRI page if the Outbound Proxy field is populated then we will only accept SIP messages from the IP configured in the field or from the IP(s) resolved from doing a DNS lookup of the hostname.  If the Outbound Proxy field is empty, then we look at the Proxy field and we will only accept SIP messages from the IP configured in the field or  from the IP(s) resolved from doing a DNS lookup of the hostname.  

As part of initializing the SIP trunk we do a DNS lookup to add the IPs to the allowed Source IP list for incoming SIP calls.  A regisitration is not required to allow this security feature to work.

If your SIP provider sends inbound SIP calls to your UC320 from a different hostname/IP than what is configured, this is causing the problems.

Chris

Hi Chris,

I've been in touch with my service provider and have got the IP address which their systems use to route the incoming calls and it's different to the proxy I have been using for the past few months. I have tried using a combination of the incoming proxy in the 'proxy' field and the outgoing in the 'outgoing proxy' field but not joy still. I can still make outgoing calls. I have tried it the other way around too and still it fails.

I'm still wondering if this is a newly introduced feature in the latest firmware?? If so, is there anyway around it as it won't work for me and I have now had no incoming calls on my trunk for over a week. Maybe a PMF file to disable this feature?

Still nothing in the logs either which seems madness as you would think there would be something to show it's at least rejecting it.

Please help!

Sent from Cisco Technical Support iPad App

Hi Mike,

I'm going to open a feature request to allow an additional white list for incoming SIP messages.  Secondly, I'll open a bug to generate log messages when incoming SIP messages are denied.  Thirdly,  attached is a PMF to disable the SIP security feature.  Please note that you may begin to see phantom incoming calls as people are constantly probing public IP addresses for SIP ports.  Recommend you implement a ACL on your router to limit where you will accept incoming SIP messages.

You will need to unZIP the file before installing.  Please see this PMF document page for installation instructions. 

Thanks,

Chris

Is there any update on this? We also use gradwell sip trunks and your PMF worked a treat to enable inbound SIP from a different host to the proxy. I am concerned about leaving the system open to anyone and we have the UC320 directly on the WAN used an ADSL bridge and PPPoE on the WAN interface.

On a UC500 we can simply edit the ACL on the WAN interface and permit gradwell subnets that host their sip proxies. A similar ACL whitelist gui would be great. What release of the firmware is this slated for? We are running 2.1.3 and I can't see it in there.

James

Hi James,

I just checked with engineering.  Apparently, they made a code change in the 2.1.5(0) Limited Deployment release:

https://supportforums.cisco.com/message/3519079#3519079

that will allow both the IP used in the proxy and the IP used in the Outbound Proxy field to be used in the Restrict SIP Source IP screening feature.

I believe this will remove the need for the PMF.  Let me know how it goes.

Cheers,

Chris

Hi Chris,

I loaded 2.1.5 and entered the host that delivers inbound calls from Gradwell (newsip.gradwell.net - I checked this on two asterisk boxes that I have with Gradwell SIP trunks) into the Outbound proxy but it didn't work. I have had to rollback firmware and reapply the PMF to allow any anonymous inbound SIP. This is a big problems because the business owner diverts  calls to mobile after business hours and is getting phantom calls in the middle of the night!!

Is a permanent fix to this in the pipeline or will we have to deploy a firewall infront of the UC320?

thanks,

James