Starting with Cisco IOS release 15.1(2)T, Cisco has changed the behavior of their voice gateways as it relates to SIP sources. The purpose of the change was to add an additional safeguard against toll fraud.

Prior to this release, the default behavior of a Cisco gateway was to allow any VoIP source to initiate call setup on the gateway. Now, you must explicitly configure a trust relationship on the gateway with any VoIP source that isn’t already configured in a dial peer.

Example:

x.x.x.x represents an instance of Genesys SIP server. Below I add that address to the trust list on my gateway.

voice service voip
 ip address trusted list
  ipv4 x.x.x.x
 allow-connections sip to sip
 sip

If we remove the Genesys SIPS IP address entry from the trust list and turn up ccsip logging on the gateway, we see the behavior below (403 Forbidden). In this scenario, I have a Counterpath SIP client (1001) registered to Genesys SIPS and attempting to outdial to a TF number.

#debug ccsip messages
.
.
.
Jun 8 07:24:52: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
INVITE sip:8008888756@x:5060 SIP/2.0
From: sip:1001@x;tag=0004FCE0-8685-1FBF-B162-0100007FAA77-20169
To: <sip:8008888756@x:5060>
Call-ID: 0004FCAE-8685-1FBF-B162-0100007FAA77-20163@x
CSeq: 1 INVITE
Content-Length: 138
Content-Type: application/sdp
Via: SIP/2.0/UDPx:5060;branch=z9hG4bK0004FCF4-8685-1FBF-B162-0100007FAA77-13
Contact: <sip:1001@x:5060>
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, UPDATE
User-Agent: X-Lite 4 release 4.1 stamp 63214
Max-Forwards: 69
X-Genesys-CallUUID: 009LS0K6GKFRVCB204000VTAES000004
X-ISCC-CofId: location=sips;cofid=8
Session-Expires: 1800;refresher=uac
Min-SE: 90
Supported: uui,100rel,timer

v=0
o=- 1337954333 1 IN IP4 192.168.1.70
s=CounterPath X-Lite 4.1
c=IN IP4 192.168.1.70
t=0 0
m=audio 61984 RTP/AVP 0 8
a=sendrecv

Jun 8 07:24:52: //41918/29DBBA08AB62/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP x:5060;branch=z9hG4bK0004FCF4-8685-1FBF-B162-0100007FAA77-13
From: sip:1001@x;tag=0004FCE0-8685-1FBF-B162-0100007FAA77-20169
To: <sip:8008888756@x:5060>
Date: Fri, 08 Jun 2012 13:24:52 GMT
Call-ID: 0004FCAE-8685-1FBF-B162-0100007FAA77-20163@192.168.1.69
CSeq: 1 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Content-Length: 0

Jun 8 07:24:52: //41918/29DBBA08AB62/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 192.168.1.69:5060;branch=z9hG4bK0004FCF4-8685-1FBF-B162-0100007FAA77-13
From: sip:1001@x;tag=0004FCE0-8685-1FBF-B162-0100007FAA77-20169
To: <sip:8008888756@x>;tag=23E3A1E4-2684
Date: Fri, 08 Jun 2012 13:24:52 GMT
Call-ID: 0004FCAE-8685-1FBF-B162-0100007FAA77-20163@x
CSeq: 1 INVITE
Allow-Events: telephone-event
Server: Cisco-SIPGateway/IOS-12.x
Reason: Q.850;cause=21
Content-Length: 0

Turning up the lower-level ccapi debugs reveals the cause of the 403:

#debug voip ccapi inout

Jun 8 07:30:05: //41926/E4D957C1AB72/CCAPI/cc_process_call_setup_ind:
>>>>CCAPI handed cid 41926 with tag 150 to app "_ManagedAppProcess_TOLLFRAUD_APP"
Jun 8 07:30:05: //41926/E4D957C1AB72/CCAPI/ccCallDisconnect:
Cause Value=21, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=0)
Jun 8 07:30:05: //41926/E4D957C1AB72/CCAPI/ccCallDisconnect:
Cause Value=21, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=0)

In short, the trust list/call blocking functionality is now the default behavior on IOS releases. If you upgrade a gateway to 15.1(2)T or higher and don’t account for it with additional trust list configuration, calls will be blocked.
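
An added example, not part of the original post: a Python script that scans captured "debug ccsip messages" output for the rejection signature shown above (a sent 403 Forbidden carrying Reason: Q.850;cause=21) and counts rejections per source and dialed number, which helps find sources missing from the trust list after an upgrade. The sample log is constructed, and the script assumes the Via host in the response matches the address the gateway checked.

```python
import re
from collections import Counter

# Constructed sample in "debug ccsip messages" layout (documentation-range addresses).
SAMPLE = """\
Jun 8 07:24:52: //41918/29DBBA08AB62/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-a1
Jun 8 07:24:52: //41918/29DBBA08AB62/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-a1
To: <sip:8005550100@192.0.2.1>;tag=23E3
Reason: Q.850;cause=21
Jun 8 07:25:10: //41919/29DBBA08AB63/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-b2
To: <sip:0115550199@192.0.2.1>;tag=77F1
Reason: Q.850;cause=21
Jun 8 07:26:00: //41920/29DBBA08AB64/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-c3
To: <sip:8005550111@192.0.2.1>;tag=9AB2
Reason: Q.850;cause=1
"""

MSG_START = re.compile(r"^.*//\S+/SIP/Msg/ccsipDisplayMsg:[ \t]*$", re.M)
VIA_HOST = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^:;\s]+)", re.M | re.I)
TO_USER = re.compile(r"^To:\s*<?sip:([^@>]+)@", re.M | re.I)

def blocked_sources(debug_text):
    """Count trust-list rejections (sent 403 with Q.850 cause 21) per source."""
    hits = Counter()
    for msg in MSG_START.split(debug_text):
        if not re.search(r"^Sent:\s*SIP/2\.0 403 ", msg, re.M):
            continue
        if not re.search(r"^Reason:\s*Q\.850;cause=21[ \t]*$", msg, re.M | re.I):
            continue
        via, to = VIA_HOST.search(msg), TO_USER.search(msg)
        if via:  # assumption: Via sent-by host equals the packet's source address
            hits[(via.group(1), to.group(1) if to else "?")] += 1
    return hits

if __name__ == "__main__":
    for (host, dialed), n in blocked_sources(SAMPLE).most_common():
        print(f"{host} dialed {dialed}: {n} call(s) rejected, cause 21")
```

A source that appears here and is a legitimate peer needs a trust list or dial-peer entry; one that is not a known peer is the traffic the safeguard is meant to stop.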