Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2689
Views
0
Helpful
7
Replies

uc500-advipservicesk9-mz.151-2.T2 Inbound SIP calls forbidden (Urgent!)

Go to solution
mattkjohnson
Level 1
Level 1

‎01-10-2011 03:37 AM - edited ‎03-21-2019 03:30 AM

Hi all,

Just upgraded to latest UC560 software pack 8.1.0 to fix a voicemail sound quality issue.

IOS is now at uc500-advipservicesk9-mz.151-2.T2 and CUE at 8.0.3.

The configuration has not changed, however now I am unable to make ANY inbound calls.

SIP conversation always ends up in the same way;

000365: Jan 10 11:32:30.039 GMT: //2767/24851CA88B54/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 88.x.x.x;branch=z9hG4bKxxxxxxxxxxxxxxxxxxxxxxxx---d8754z-ser,SIP/2.0/UDP 88.xx.xx.xx:5061;branch=zxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx---d8754z-;rport=5061
From: <sip:075xxxxxxx@gw3.theiptele.com:5061>;tag=f2xxxxxxxxxxx
To: <sip:4419xxxxxxxx@xx.xx.xx.xx>;tag=EX888888X8X
Date: Mon, 10 Jan 2011 11:32:30 GMT
Call-ID: ZWxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
CSeq: 102 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Reason: Q.850;cause=21
Content-Length: 0

I am going to log an STAC case for this right away as nothing has changed bar IOS.

Cannot go back due to voicemail issue the customer was complaining.

Has anyone else seen this? Nothing in the release notes to watch out for.... Arghh!

Fed up of running into IOS voice issues!

Any light shed would be really helpful!


Thanks guys!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
vcappucc
Level 1
Level 1
In response to mattkjohnson

‎01-10-2011 03:56 AM

Hi Matt,

A new feature introduced with 15.(1)2T is the default behavior of a toll-fraud prevention feature. this IOS image mitigate the issues with toll fraud tracked with CSCtc25450, and probably this is what is happening to you.  https://supportforums.cisco.com/docs/DOC-12228

in order to avoid speaking to unknown sources,  you will need to put the IP of your SIP Gw, the configuration is strait forward:


voice service voip                   
   ip address trustedlist            
   ipv4 []     !Here you will put a valid IP address, this is easily found in the invite received by the provider

You can add'ipv4 0.0.0.0 0.0.0.0' to return to XA behavior, allowing call setupsfrom all IP sources.

please call us at our support number http://www.cisco.com/go/smallbizhelp to help you with this configuration if needed

Thank you

Victor

View solution in original post

0 Helpful
7 Replies 7

Go to solution
mattkjohnson
Level 1
Level 1

‎01-10-2011 03:44 AM

Further information;

Just reverted to uc500-advipservicesk9-mz.150-1.XA2;

No configuration changes once again, immediatley inbound AND outbound calls work as expected;

I am fully prepared to stand corrected if i've missed something somewhere, but if not, HOW THE CHUFF does something like that get through pre-release testing?

Matt

0 Helpful

Go to solution
vcappucc
Level 1
Level 1
In response to mattkjohnson

‎01-10-2011 03:56 AM

Hi Matt,

A new feature introduced with 15.(1)2T is the default behavior of a toll-fraud prevention feature. this IOS image mitigate the issues with toll fraud tracked with CSCtc25450, and probably this is what is happening to you.  https://supportforums.cisco.com/docs/DOC-12228

in order to avoid speaking to unknown sources,  you will need to put the IP of your SIP Gw, the configuration is strait forward:


voice service voip                   
   ip address trustedlist            
   ipv4 []     !Here you will put a valid IP address, this is easily found in the invite received by the provider

You can add'ipv4 0.0.0.0 0.0.0.0' to return to XA behavior, allowing call setupsfrom all IP sources.

please call us at our support number http://www.cisco.com/go/smallbizhelp to help you with this configuration if needed

Thank you

Victor

0 Helpful

Go to solution
Steven DiStefano
VIP Alumni
VIP Alumni
In response to vcappucc

‎01-10-2011 04:02 AM

Thanks Victor and welcome back !

You know the SIP Trunk CCA GUI has that advanced Tab. I always populate the proxy and registrar IP addresses in there. Would that propagate to the new VoIP toll fraud CLI?

Steve DiStefano

Technical Solutions Architect - Partner Sales, USA

Cisco Systems

7025 Kit Creek Road

Research Triangle Park

North Carolina, 27709

www.cisco.com/smb

0 Helpful

Go to solution
Steven DiStefano
VIP Alumni
VIP Alumni
In response to Steven DiStefano

‎01-12-2011 06:11 AM

I investigated my own question about what he advanced tab in SIP Trunk window in CCA does

...

A. No, CCA is not using the trusted list for SIP trunk toll fraud protection.  CCA continues to use the voice source groups and ACLs for toll fraud protection.  Modifications under the Advanced Tab continue to be applied to the ACLs.

0 Helpful

Go to solution
Steven DiStefano
VIP Alumni
VIP Alumni
In response to mattkjohnson

‎01-10-2011 03:58 AM

Yikes Mike.  This shouldn't be, I agree.

Who was the SIP trunk provider and how was it configured?

Edited:

I found this in the help of CCA for SIP Trunk GUI:

Advanced Options  Tab

For security reasons, CCA blocks SIP traffic from unknown sources.  Configure  additional IP addresses here if your provider uses SIP gateways with IP  addresses  that are different from the proxy servers configured on the SIP Trunks  tab.

Consult your SIP provider for the addresses of the SIP gateways that  they use.

To configure additional IP addresses that are permitted access to the  VoIP  network, follow these steps.

  1. Click Add to open a new row in the table for editing.
  2. Enter the IP address.
  3. Configure additional IP  addresses, if needed.
  4. Click OK.

Steve DiStefano

0 Helpful

Go to solution
Steven DiStefano
VIP Alumni
VIP Alumni
In response to Steven DiStefano

‎01-10-2011 06:31 AM

I just provisioned Triad telecon SIP Trunk (wanted to use generic Profile) and I do see this in my config:

voice service voip
ip address trusted list
  ipv4 0.0.0.0 0.0.0.0
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
sip     
  registrar server expires max 3600 min 3600
  no update-callerid
  sip-profiles 1000
!       

0 Helpful

Go to solution
mattkjohnson
Level 1
Level 1
In response to mattkjohnson

‎01-10-2011 07:08 AM

Many thanks guys!

This is a CLI configured unit (as i needed some functionality that was not in CCA at the time of deployment, such as not wanting two teir dialing).

I was already using an inbound WAN ACL to limit connections to SIP control ports, but thank you for the information and the link to the document!


I have distributed this to our other engineers to prevent similar panic after an IOS upgrade 'breaks' a system

Thanks again for the speedy reply!

Regards,

Matt

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents