Wednesday, March 5, 2014

Cisco VoIP Trust Lists with Genesys SIP Server


Starting with Cisco IOS release 15.1(2)T, Cisco has changed the behavior of their voice gateways as it relates to SIP sources. The purpose of the change was to add an additional safeguard against toll fraud.

Prior to this release, the default behavior of a Cisco gateway was to allow any VoIP source to initiate call setup on the gateway. Now, you must explicitly configure a trust relationship on the gateway with any VoIP source that isn’t already configured in a dial peer.

Example:

x.x.x.x represents an instance of Genesys SIP server. Below I add that address to the trust list on my gateway.

voice service voip
 ip address trusted list
  ipv4 x.x.x.x
 allow-connections sip to sip
 sip


With this configuration, call setups initiated from endpoints off Genesys SIP server work correctly.

If we remove the Genesys SIP Server (SIPS) IP address from the trust list and turn up ccsip logging on the gateway, we see the behavior below (403 Forbidden). In this scenario, I have a CounterPath SIP client (1001) registered to Genesys SIPS and attempting to outdial to a toll-free (TF) number.


#debug ccsip messages
.
.
.

Jun  8 07:24:52: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:8008888756@x:5060 SIP/2.0
From: sip:1001@x;tag=0004FCE0-8685-1FBF-B162-0100007FAA77-20169
To: <sip:8008888756@x:5060>
Call-ID: 0004FCAE-8685-1FBF-B162-0100007FAA77-20163@x
CSeq: 1 INVITE
Content-Length: 138
Content-Type: application/sdp
Via: SIP/2.0/UDP x:5060;branch=z9hG4bK0004FCF4-8685-1FBF-B162-0100007FAA77-13
Contact: <sip:1001@x:5060>
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, UPDATE
User-Agent: X-Lite 4 release 4.1 stamp 63214
Max-Forwards: 69
X-Genesys-CallUUID: 009LS0K6GKFRVCB204000VTAES000004
X-ISCC-CofId: location=sips;cofid=8
Session-Expires: 1800;refresher=uac
Min-SE: 90
Supported: uui,100rel,timer

v=0
o=- 1337954333 1 IN IP4 192.168.1.70
s=CounterPath X-Lite 4.1
c=IN IP4 192.168.1.70
t=0 0
m=audio 61984 RTP/AVP 0 8
a=sendrecv

Jun  8 07:24:52: //41918/29DBBA08AB62/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP x:5060;branch=z9hG4bK0004FCF4-8685-1FBF-B162-0100007FAA77-13
From: sip:1001@x;tag=0004FCE0-8685-1FBF-B162-0100007FAA77-20169
To: <sip:8008888756@x:5060>
Date: Fri, 08 Jun 2012 13:24:52 GMT
Call-ID: 0004FCAE-8685-1FBF-B162-0100007FAA77-20163@192.168.1.69
CSeq: 1 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0


Jun  8 07:24:52: //41918/29DBBA08AB62/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 192.168.1.69:5060;branch=z9hG4bK0004FCF4-8685-1FBF-B162-0100007FAA77-13
From: sip:1001@x;tag=0004FCE0-8685-1FBF-B162-0100007FAA77-20169
To: <sip:8008888756@x>;tag=23E3A1E4-2684
Date: Fri, 08 Jun 2012 13:24:52 GMT
Call-ID: 0004FCAE-8685-1FBF-B162-0100007FAA77-20163@x
CSeq: 1 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Reason: Q.850;cause=21
Content-Length: 0


Turning up the lower level ccapi debugs reveals the cause of the 403:


#debug voip ccapi inout

Jun  8 07:30:05: //41926/E4D957C1AB72/CCAPI/cc_process_call_setup_ind:
>>>>CCAPI handed cid 41926 with tag 150 to app "_ManagedAppProcess_TOLLFRAUD_APP"
Jun  8 07:30:05: //41926/E4D957C1AB72/CCAPI/ccCallDisconnect:  Cause Value=21, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=0)
Jun  8 07:30:05: //41926/E4D957C1AB72/CCAPI/ccCallDisconnect:  Cause Value=21, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=0)



In short, the trust list/call blocking functionality is now default behavior on IOS releases. If you upgrade a gateway to 15.1(2)T or higher and don’t account for it with additional trust list configuration, calls will be blocked.