Cisco 8851 phones registering through Checkpoint firewall

We have a customer with a secured network, using Checkpoint firewalls and have a VPN site-to-site tunnel between our Cisco ASA and their Checkpoint firewall, with Cisco phones on the far side of the tunnel and CallManager 8.6 behind the ASAs. We have all the proper network ports referenced, but cannot get either a new Cisco 8851 (SIP) or a Cisco 7942 phone to register. The 8851 phone, when it tries to register, uses the 6970 port for distributed TFTP via HTTP first (by design), followed by TFTP/69. The 7900 phone never generates TFTP on port 69 at all. What is also strange is that the source port 5060 on the 8851 phone seems to be masked with an upper ephemeral network port (51566) when the request traverses the network, regardless of it passing through the firewall or a router. I know that TFTP uses UDP, but there is nothing in the docs that state it uses these upper port ranges?
Is this behavior normal for a Cisco SIP-based phone, and with the Skinny phone, is there something with Checkpoint firewalls that causes issues with Cisco VOIP phones. I have done key-word searches on the Forum for this issue, but have not found anything significant. I have also looked at the Nokia support forum, and saw some briefs, but it didn't directly describe our issue. Any help would b e greatly appreciated.
Thanks,

Hi Andrew
The attached document may assist:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
A lot depends on topology etc, and the handset registration protocol you are using (SIP vs SCCP).
Hope this helps.
Barry Hesk
Intrinsic Network Solutions

Similar Messages

WAAS Cached content access through Checkpoint firewall

Hello,
I would like to open access to the cached content on the WAAS from a server through a Checkpoint firewall. The server has to have L3 access to the actual WAE device, from what I understand. Is this feasable? What ports would I need to open in the Checkpoint?
Thanks
Doug Bradfield

Hello Douglas,
You're correct, if you see an optimized connection is probably being cache ( probably not the whole file) there is a big difference between "cache data" and "preposition data" .
Cache data is not for you to control or manually retrieve from the WAE box. WAAS controls what is being cache or delete when more new data comes through.
Preposition data is something you can manually store on the Remote WAE so remote users are benefit of a faster access to files already preposition. But this is uppon remote users request to the server( Users don't know that WAAS exist they just see the server-share they've always use) so WAAS notice that a user is requesting a file that a remote WAE already got in their preposition files, so it provide faster access to the file.
Neither of this two options above will let you access WAAS content like you describe on the initial question, you said you want open access to WAE files from a server right ? you can still get the files on your server and this files can be optimazed if you server is behind the WAAS optimization path, but you'd need to go and from the server copy the files one by one just like if you were retrieving them from a client PC.
hope this helps!

Recording Cisco phones registered on CUCM 8.6 with Verint Impact 360 not working.

Hello,
We're trying to record audio from Cisco IP phones registered to a CUCM 8.6 using SPAN and Verint Impact 360 with no success.
Verint provided us with some information to do the integration but we understand we don't need to do much on Cisco side besides configuring SPAN session to monitor the traffic we want.
We configured the following SPAN session:
monitor session 2 source interface Gi1/0/1 - 48
monitor session 2 source interface Gi2/0/1 - 47
monitor session 2 destination interface Gi2/0/48
Verint Impact 360 NIC is connected on port Gi2/0/48 but no RTP traffic is being detected.
Phones are connected to ports 1/0/5 and 1/0/6, this is a two 3750E switches stack. The configuration on the ports is:
interface GigabitEthernet1/0/5
switchport access vlan 186
switchport mode access
switchport voice vlan 176
switchport port-security maximum 2
switchport port-security
speed 100
duplex full
spanning-tree portfast
interface GigabitEthernet1/0/6
switchport access vlan 186
switchport mode access
switchport voice vlan 176
switchport port-security maximum 2
switchport port-security
speed 100
duplex full
spanning-tree portfast
Vlan 176 is the voice vlan we're using. Wireshark will see SCCP traffic but nothing else.
Does anybody have any tips or recommendations we could try?
Regards,
Daniel G.

is there any difference when you SPAN based on vlan?
monitor session 1 source vlan 176
monitor session 1 destination interface Gi2/0/48

No ringback from cisco ip phones to alcatel Phones

I have a CUCM 7.1.3 integrated with a Alcatel OXO PBX and when a try to place a call from cisco IP-Phones registered on CUCM to phones on PBX, I have no ringback,but when a place a call from cisco IP-Phones registered on CUCM to PSTN using PBX as it has a PRI line to the local PSTN, I dont have that issue.
The voice gateway connects to PBX using a PRI(E1) running MGCP and QSIG.
interface Serial 3/1:15
no ip address
encapsulation hdlc
isdn switch-type primary-qsig
isdn timer T310 120000
isdn protocol-emulate network
isdn incoming-voice voice
isdn bind-l3 ccm-manager
no cdp enable

You can configure COS values for the Cisco IP Phones so that the voice packets from Cisco IP phone are given more priority over the data packets from the PCs/Hosts. But the same might not be configurable for non Cisco IP Phone. I am not very sure of this. Other than that I guess, you can have all QoS features.

Cisco SIP Phone 9971 won't register on CME 8.6 or 8.5 Please HELP

Please help me , I have problem with registering Cisco SIP phone 9971 with CME 8.6 on ISR 2901.
I configured CME for SIP clients, then I add configuration for 9971 phone and create profiles. Phone downloaded SEP...xml file from CME,after that phone look for g4-tones.xml and gd-sip.jar files, I added them to CME after that phone downloaded them and reboot. Now phone is stuck in some kind of loop and does not register on CME.
On phone log I can see repeting next few messeges.
12:01:58a No DNS Server IP
12:01:59a Updating Trust list
12:01:59a No Trust List instaled
12:01:59a SEP04C5AB03B0D.cnf.xml (TFTP) // at this time phone download SEP...xml file from CME
12:02:00a VPN Error: VPN is not Configured
on CME if issue DEBUG TFTP EVENTS i receive next few lines
*Aug 18 18:20:19.891: TFTP: Looking for CTLSEP04C5A4B03B0D.tlv
*Aug 18 18:20:19.987: TFTP: Looking for ITLSEP04C5A4B03B0D.tlv
*Aug 18 18:20:20.083: TFTP: Looking for ITLFile.tlv
*Aug 18 18:20:20.347: TFTP: Looking for SEP04C5A4B03B0D.cnf.xml
*Aug 18 18:20:20.351: TFTP: Opened flash:/SEP04C5A4B03B0D.cnf.xml, fd 14, size 4585 for process 141
*Aug 18 18:20:20.363: TFTP: Finished flash:/SEP04C5A4B03B0D.cnf.xml, time 00:00:00 for process 141
here you can see verison info of CME
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 24-Mar-11 15:31 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
ELTOSAN_ROUTER uptime is 1 hour, 50 minutes
System returned to ROM by reload at 16:29:20 UTC Thu Aug 18 2011
System image file is "flash:/c2900-universalk9-mz.SPA.151-4.M.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
Cisco CISCO2901/K9 (revision 1.0) with 471040K/53248K bytes of memory.
Processor board ID FGL1508252Y
3 Gigabit Ethernet interfaces
2 terminal lines
1 Virtual Private Network (VPN) Module
4 Voice FXO interfaces
4 Voice FXS interfaces
1 Internal Services Module (ISM) with Services Ready Engine (SRE)
   Survivable Remote Site Voicemail (SRSV) on Cisco Unity Express (CUE) 8.5.1 in slot/sub-slot 0/0
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device#   PID                   SN
*0        CISCO2901/K9          xxxxxxxxxxxxx
Technology Package License Information for Module:'c2900'
Technology    Technology-package          Technology-package
              Current       Type          Next reboot
ipbase        ipbasek9      Permanent     ipbasek9
security      securityk9    Permanent     securityk9
uc            uck9          Permanent     uck9
data          None          None          None
Configuration register is 0x2102
this is RUNNING CONFIGURATION
! Last configuration change at 16:10:12 UTC Thu Aug 18 2011
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ELTOSAN_ROUTER
boot-start-marker
boot system flash:/c2900-universalk9-mz.SPA.151-4.M.bin
boot-end-marker
no aaa new-model
no ipv6 cef
ip source-route
no ip routing
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp excluded-address 192.168.5.200 192.168.5.255
ip dhcp pool phone
   network 192.168.5.0 255.255.255.0
   default-router 192.168.5.251
   option 150 ip 192.168.5.251
ip dhcp pool data
   relay source 192.168.2.0 255.255.255.0
   relay destination 192.168.2.201
multilink bundle-name authenticated
crypto pki token default removal timeout 0
voice-card 0
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
fax protocol pass-through g711alaw
sip
registrar server expires max 3600 min 120
voice register global
mode cme
source-address 192.168.5.251 port 5060
max-dn 6
max-pool 6
load 9971 sip9971.9-1-1SR1.loads
authenticate register
tftp-path flash:
create profile sync 0005135312289902
voice register dn 1
number 207
allow watch
name GossaVM
label 207
voice register dn 3
number 101
name Dejan
label 101
mwi
voice register pool 1
id mac 000C.29C5.0011
number 1 dn 1
dtmf-relay sip-notify
username testvm password testera
codec g711alaw
voice register pool 3
id mac 04C5.A4B0.3B0D
type 9971
number 3 dn 3
presence call-list
dtmf-relay rtp-nte
username dejan password 1234
codec g711alaw
no vad
license udi pid CISCO2901/K9 sn xxxxxxxxxxxx
hw-module ism 0
hw-module pvdm 0/0
redundancy
interface GigabitEthernet0/0
description INTERFACE INTERNAL
no ip address
no ip route-cache
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/0.2
description LAN DATA
encapsulation dot1Q 2
ip address 192.168.2.251 255.255.255.0
no ip route-cache
interface GigabitEthernet0/0.5
description LAN VOICE
encapsulation dot1Q 5
ip address 192.168.5.251 255.255.255.0
no ip route-cache
interface ISM0/0
no ip address
no ip route-cache
shutdown
!Application: SRSV-CUE Running on ISM
interface GigabitEthernet0/1
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
interface ISM0/1
description Internal switch interface connected to Internal Service Module
shutdown
interface Vlan1
no ip address
no ip route-cache
shutdown
ip forward-protocol nd
no ip http server
no ip http secure-server
snmp-server community public RO
tftp-server flash:dkern9971.100609R2-9-1-1SR1.sebn alias dkern9971.100609R2-9-1-1SR1.sebn
tftp-server flash:kern9971.9-1-1SR1.sebn alias kern9971.9-1-1SR1.sebn
tftp-server flash:rootfs9971.9-1-1SR1.sebn alias rootfs9971.9-1-1SR1.sebn
tftp-server flash:sboot9971.031610R1-9-1-1SR1.sebn alias sboot9971.031610R1-9-1-1SR1.sebn
tftp-server flash:skern9971.022809R2-9-1-1SR1.sebn alias skern9971.022809R2-9-1-1SR1.sebn
tftp-server flash:sip9971.9-1-1SR1.loads alias sip9971.9-1-1SR1.loads
tftp-server flash:United_States/g4-tones.xml
tftp-server flash:English_United_States/gd-sip.jar
control-plane
voice-port 0/0/0
voice-port 0/0/1
voice-port 0/0/2
voice-port 0/0/3
voice-port 0/1/0
voice-port 0/1/1
voice-port 0/1/2
voice-port 0/1/3
mgcp profile default
gatekeeper
shutdown
line con 0
line aux 0
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password jebiga
login
transport input all
end
I did not have any kind of problem with X-LITE to register to CME. also try with few SCCP phones 7940 and I did not any kind of problem .
this is content of SEP....xml file for 9971
<device>
<deviceProtocol>SIP</deviceProtocol>
<devicePool>
<dateTimeSetting>
<dateTemplate>M/D/YA</dateTemplate>
<timeZone>Pacific Standard/Daylight Time</timeZone>
<ntps>
<ntp priority="0">
<name>0.0.0.0</name>
<ntpMode>unicast</ntpMode>
</ntp>
</ntps>
</dateTimeSetting>
<callManagerGroup>
<members>
<member priority="0">
<callManager>
<ports>
<sipPort>5060</sipPort>
</ports>
<processNodeName>192.168.5.251</processNodeName>
</callManager>
</member>
</members>
</callManagerGroup>
</devicePool>
<sipProfile>
<sipProxies>
<registerWithProxy>true</registerWithProxy>
</sipProxies>
<sipCallFeatures>
<cnfJoinEnabled>true</cnfJoinEnabled>
<localCfwdEnable>true</localCfwdEnable>
<callForwardURI>service-uri-cfwdall</callForwardURI>
<callPickupURI>service-uri-pickup</callPickupURI>
<callPickupGroupURI>service-uri-gpickup</callPickupGroupURI>
<callHoldRingback>2</callHoldRingback>
<semiAttendedTransfer>true</semiAttendedTransfer>
<anonymousCallBlock>2</anonymousCallBlock>
<callerIdBlocking>2</callerIdBlocking>
<dndControl>2</dndControl>
<remoteCcEnable>true</remoteCcEnable>
</sipCallFeatures>
<sipStack>
<remotePartyID>true</remotePartyID>
</sipStack>
<sipLines>
<line button="1" lineIndex="1">
<featureID>9</featureID>
<featureLabel></featureLabel>
<proxy>USECALLMANAGER</proxy>
<port>5060</port>
<name></name>
<displayName></displayName>
<autoAnswer>
<autoAnswerEnabled>2</autoAnswerEnabled>
</autoAnswer>
<callWaiting>1</callWaiting>
<authName>dejan</authName>
<authPassword>1234</authPassword>
<sharedLine>false</sharedLine>
<messagesNumber></messagesNumber>
<ringSettingActive>5</ringSettingActive>
<forwardCallInfoDisplay>
<callerName>true</callerName>
<callerNumber>true</callerNumber>
<redirectedNumber>true</redirectedNumber>
<dialedNumber>true</dialedNumber>
</forwardCallInfoDisplay>
</line>
<line button="2" lineIndex="2">
<featureID>9</featureID>
<featureLabel>101</featureLabel>
<proxy>USECALLMANAGER</proxy>
<port>5060</port>
<name>101</name>
<displayName>Dejan Rakic</displayName>
<autoAnswer>
<autoAnswerEnabled>2</autoAnswerEnabled>
</autoAnswer>
<callWaiting>1</callWaiting>
<authName>dejan</authName>
<authPassword>1234</authPassword>
<sharedLine>false</sharedLine>
<messagesNumber></messagesNumber>
<ringSettingActive>5</ringSettingActive>
<forwardCallInfoDisplay>
<callerName>true</callerName>
<callerNumber>true</callerNumber>
<redirectedNumber>true</redirectedNumber>
<dialedNumber>true</dialedNumber>
</forwardCallInfoDisplay>
</line>
</sipLines>
<enableVad>true</enableVad>
<preferredCodec>g711alaw</preferredCodec>
<dialTemplate></dialTemplate>
<kpml>1</kpml>
<phoneLabel></phoneLabel>
<stutterMsgWaiting>2</stutterMsgWaiting>
<disableLocalSpeedDialConfig>true</disableLocalSpeedDialConfig>
<dscpForAudio>184</dscpForAudio>
<dscpVideo>136</dscpVideo>
</sipProfile>
<commonProfile>
<phonePassword>1234</phonePassword>
<callLogBlfEnabled>2</callLogBlfEnabled>
</commonProfile>
<featurePolicyFile>featurePolicyDefault.xml</featurePolicyFile>
<loadInformation>sip9971.9-1-1SR1.loads</loadInformation>
<vendorConfig>
</vendorConfig>
<commonConfig>
<videoCapability>0</videoCapability>
<ciscoCamera>0</ciscoCamera>
</commonConfig>
<sshUserId>dejan</sshUserId>
<sshPassword>1234</sshPassword>
<userId></userId>
<phoneServices>
<provisioning>2</provisioning>
<phoneService type="1" category="0">
<name>Missed Calls</name>
<phoneLabel></phoneLabel>
<url>Application:Cisco/MissedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService type="1" category="0">
<name>Received Calls</name>
<phoneLabel></phoneLabel>
<url>Application:Cisco/ReceivedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService type="1" category="0">
<name>Placed Calls</name>
<phoneLabel></phoneLabel>
<url>Application:Cisco/PlacedCalls</url>
<vendor></vendor>
<version></version>
</phoneService>
<phoneService type="2" category="0">
<name>Voicemail</name>
<phoneLabel></phoneLabel>
<url>Application:Cisco/Voicemail</url>
<vendor></vendor>
<version></version>
</phoneService>
</phoneServices>
<versionStamp>0131511014412102</versionStamp>
<userLocale>
<name>English_United_States</name>
<langCode>en</langCode>
</userLocale>
<networkLocale>United_States</networkLocale>
<networkLocaleInfo>
<name>United_States</name>
</networkLocaleInfo>
<authenticationURL></authenticationURL>
<directoryURL></directoryURL>
<servicesURL>http://192.168.5.251:80/CMEserverForPhone/serviceurl</servicesURL>
<dscpForSCCPPhoneServices>0</dscpForSCCPPhoneServices>
<dscpForCm2Dvce>96</dscpForCm2Dvce>
<transportLayerProtocol>2</transportLayerProtocol>
</device>

Hello,
I'm facing exactly the same problem, that is:
a Cisco SIP Phone 9971 won't register on CME 8.6 running on a 2811
I have read all the postings to this Forum, but I have not been able to solve it.
In my case the commands voice register dn and voice register pool are OK.
So frankly, I have no idea what I could be missing.
I'm pasting the Router's config.
I hope somebody is able to point me in the right direction.
Here is the config. Thank you!
C2811#sh run
Building configuration...
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname C2811
no aaa new-model
dot11 syslog
ip source-route
ip cef
ip dhcp excluded-address 172.25.140.1 172.25.140.10
ip dhcp excluded-address 172.35.140.1 172.35.140.10
ip dhcp pool Data
network 172.25.140.0 255.255.255.0
default-router 172.25.140.1
option 150 ip 172.25.140.1
dns-server 172.25.140.1
ip dhcp pool Voice
network 172.35.140.0 255.255.255.0
default-router 172.35.140.1
option 150 ip 172.35.140.1
dns-server 172.35.140.1
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
voice service voip
allow-connections sip to sip
sip
registrar server expires max 3600 min 120
voice register global
mode cme
source-address 172.25.140.1 port 5060
max-dn 40
max-pool 42
load 9971 sip9971.9-4-1-9.loads
authenticate register
authenticate realm cisco
tftp-path flash:
create profile sync 0004820400584603
voice register dn 1
number 1010
allow watch
name Phone10
label Phone10
mwi
voice register pool 1
id mac 189C.5DB6.BD09
type 9971
number 1 dn 1
presence call-list
dtmf-relay rtp-nte
username adm password adm
call-forward b2bua busy 68600
codec g711ulaw
no vad
camera
video
voice-card 0
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879153754
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879153754
revocation-check none
rsakeypair TP-self-signed-1879153754
crypto pki certificate chain TP-self-signed-1879153754
certificate self-signed 01
(details ommited)
license udi pid CISCO2811 sn FTX1146A44H
username admin privilege 15 password 0 admin
redundancy
interface FastEthernet0/0
no ip address
duplex auto
speed auto
interface FastEthernet0/0.25
description Data VLAN
encapsulation dot1Q 25
ip address 172.25.140.1 255.255.255.0
interface FastEthernet0/0.35
description Voice VLAN
encapsulation dot1Q 35
ip address 172.35.140.1 255.255.255.0
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
tftp-server flash:P00308010200.bin
tftp-server flash:P00308010200.sbn
tftp-server flash:P00308010200.sb2
tftp-server flash:P00308010200.loads
tftp-server flash:SCCP42.9-3-1SR3-1S.loads
tftp-server flash:apps42.9-3-1ES19.sbn
tftp-server flash:cnu42.9-3-1ES19.sbn
tftp-server flash:cvm42sccp.9-3-1ES19.sbn
tftp-server flash:dsp42.9-3-1ES19.sbn
tftp-server flash:jar42sccp.9-3-1ES19.sbn
tftp-server flash:term42.default.loads
tftp-server flash:term62.default.loads
tftp-server flash:SCCP45.9-3-1SR3-1S.loads
tftp-server flash:apps45.9-3-1ES19.sbn
tftp-server flash:cnu45.9-3-1ES19.sbn
tftp-server flash:cvm45sccp.9-3-1ES19.sbn
tftp-server flash:dsp45.9-3-1ES19.sbn
tftp-server flash:jar45sccp.9-3-1ES19.sbn
tftp-server flash:term45.default.loads
tftp-server flash:term65.default.loads
tftp-server flash:/Ringtones/Ringlist.xml alias Ringlist.xml
tftp-server flash:/Ringtones/DistinctiveRingList.xml alias DistinctiveRingList.x
ml
tftp-server flash:sip9971.9-4-1-9.loads
tftp-server flash:kern9971.9-4-1-9.sebn
tftp-server flash:rootfs9971.9-4-1-9.sebn
tftp-server flash:dkern9971.100609R2-9-4-1-9.sebn
tftp-server flash:sboot9971.031610R1-9-4-1-9.sebn
tftp-server flash:skern9971.022809R2-9-4-1-9.sebn
tftp-server flash:/g4-tones.xml alias United_States/g4-tones.xml
tftp-server flash:/gd-sip.jar alias English_United_States/gd-sip.jar
control-plane
mgcp profile default
telephony-service
max-ephones 24
max-dn 48
ip source-address 172.25.140.1 port 2000
cnf-file location flash:
load 7960-7940 P00308010200
load 7942 SCCP42.9-3-1SR3-1S.loads
load 7945 SCCP45.9-3-1SR3-1S.loads
load 7962 SCCP42.9-3-1SR3-1S.loads
load 7965 SCCP45.9-3-1SR3-1S.loads
max-conferences 8 gain -6
dn-webedit
transfer-system full-consult
create cnf-files version-stamp 7960 Feb 11 2014 07:18:32
ephone-dn 1
number 1001
description Phone 1
name Phone 1
hold-alert 30 originator
ephone-dn 2
number 1002
description Phone 2
name Phone 2
hold-alert 30 originator
ephone-dn 3
number 1003
description Phone 3
name Phone 3
hold-alert 30 originator
ephone 1
device-security-mode none
mac-address 001C.58FB.6E0F
button 1:1
ephone 2
device-security-mode none
mac-address 0014.A981.7F8A
button 1:2
ephone 3
device-security-mode none
mac-address 0006.5356.A4B8
button 1:3
alias exec con conf t
alias exec sib show ip int brief
alias exec srb show run | b
alias exec sri show run int
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
scheduler allocate 20000 1000
ntp master 1
end
C2811#

CME SIP issue - Cisco 7821 phone not registering

Hi
I am having issues with getting a Cisco 7821 phone to register.
Current deployment is with Cisco 6921 phones SCCP registration
SIP integration with CUE
SIP integration with Mitel system
c2951-universalk9-mz.SPA.154-3.M1.bin (CME 10.5)
In flash:
rootfs78xx.10-1-1SR1-4.sbn
kern78xx.10-1-1SR1-4.sbn
sboot78xx.10-1-1SR1-4.sbn
sip78xx.10-1-1SR1-4.loads
The 7821 phone gets IP address but fails to register. Please could somebody let me know why phone is not registering.
Configuration below (10.245.226.132 is CME address) .
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol pass-through g711ulaw
modem passthrough nse codec g711ulaw redundancy maximum-sessions 5
h323
sip
registrar server expires max 600 min 60
options-ping 90
voice class codec 1
codec preference 1 g711alaw
codec preference 2 g711ulaw
codec preference 3 g729r8
voice register global
mode cme
source-address 10.245.226.132 port 5060
max-dn 30
max-pool 10
load 7821 sip78xx.10-1-1SR1-4
authenticate register
authenticate realm all
timezone 22
date-format D/M/Y
voicemail 590
tftp-path flash:
create profile sync 0061443538560005
network-locale GB
voice register dn 1
number 1010
name user1
label user1
mwi
voice register pool 1
busy-trigger-per-button 2
id mac F09E.636E.63F2
type 7821
number 1 dn 1
presence call-list
dtmf-relay rtp-nte
username 1010 password 123
codec g711ulaw
no vad
dial-peer voice 391 voip
description *** Auto Attendant ***
destination-pattern 399
session protocol sipv2
session target ipv4:10.245.226.131
dtmf-relay sip-notify
codec g711ulaw
no vad
dial-peer voice 392 voip
description *** Administration Via Telephone ***
destination-pattern 392
session protocol sipv2
session target ipv4:10.245.226.131
dtmf-relay sip-notify
codec g711ulaw
no vad
dial-peer voice 393 voip
description *** Extension Assigner ***
service ea out-bound
destination-pattern 393
session target ipv4:10.245.226.132
dial-peer voice 590 voip
description *** Voice Mail Pilot ***
destination-pattern 590
b2bua
session protocol sipv2
session target ipv4:10.245.226.131
dtmf-relay sip-notify
codec g711ulaw
no vad
dial-peer voice 1 pots
description ** Match all incoming POTS calls **
translation-profile incoming IncomingPSTNcalls
incoming called-number .
direct-inward-dial
dial-peer voice 899 voip
description Call to Mitel
translation-profile incoming Prefix9
translation-profile outgoing rem44
destination-pattern [23]..
session protocol sipv2
session target ipv4:192.168.114.2
voice-class codec 1
dtmf-relay rtp-nte
no vad
interface GigabitEthernet0/0
description *** Connection to Mitel Phone System ***
ip address 192.168.114.5 255.255.255.248
duplex auto
speed auto
interface ISM0/0
description *** Connection to Cisco Unity Express ***
ip unnumbered GigabitEthernet0/1
service-module ip address 10.245.226.131 255.255.255.128
!Application: CUE Running on ISM
service-module ip default-gateway 10.245.226.132
interface GigabitEthernet0/1
description *** Connection to IP Phone LAN ***
ip address 10.245.226.132 255.255.255.128
duplex auto
speed auto
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
ip route 0.0.0.0 0.0.0.0 10.245.226.129
ip route 10.245.226.131 255.255.2
tftp-server flash:apps37sccp.1-4-4-0.bin
tftp-server flash:sip78xx.10-1-1SR1-4.loads
tftp-server flash:rootfs78xx.10-1-1SR1-4.sbn
tftp-server flash:sboot78xx.10-1-1SR1-4.sbn
sip-ua
mwi-server ipv4:10.245.226.131 expires 3600 port 5060 transport udp
registrar ipv4:10.245.226.132 expires 600
gatekeeper
shutdown
telephony-service
authentication credential cmeadmin c4p1ta2012
xml user xmladmin password xmladmin 15
extension-assigner tag-type provision-tag
max-ephones 104
max-dn 299
ip source-address 10.245.226.132 port 2000
auto assign 101 to 105
no service directed-pickup
timeouts interdigit 5
system message CFGS
url services http://10.245.226.131/voiceview/common/login.do
url authentication http://10.245.226.132/CCMCIP/authenticate.asp
cnf-file location flash:
cnf-file perphone
load 7931 SCCP31.9-2-1S
load 6921 SCCP69xx.9-2-1-0
time-zone 22
date-format dd-mm-yy
voicemail 590
max-conferences 8 gain -6
call-forward pattern .T
moh enable-g711 "music-on-hold.au"
web admin system name cmeadmin secret 5 $1$QmIK$46fDKVSudMxzI2bRp/Ef7/
time-webedit
transfer-system full-consult
transfer-pattern .T
secondary-dialtone 9
create cnf-files version-stamp Jan 01 2002 00:00:00
ephone-dn 298
number 598...
mwi on
ephone-dn 299
number 599...
mwi off

Page 7 of the following link recommends that you use option 150 with the Cisco 7800 series phones and use option 66 if you cannot use option 150
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cuipph/7821_7841_7861/10_1/english/admin_guide/PA2D_BK_AB3F74DA_00_admin-7821-7841-7861-10_0/PA2D_BK_AB3F74DA_00_admin-7821-7841-7861-10_0_chapter_01.pdf
Dynamic Host Configuration Protocol (DHCP)
DHCP dynamically allocates and assigns an IP address to network devices.
DHCP enables you to connect an IP phone into the network and have the phone become operational without your needing to manually assign an IP address or to configure additional network parameters.
DHCP is enabled by default. If disabled, you must manually configure the IP address, subnet mask, gateway, and a TFTP server on each phone locally.
Cisco recommends that you use DHCP custom option 150. With this method, you configure the TFTP server IP address as the option value. For additional supported DHCP configurations, go to the "Dynamic Host Configuration Protocol" chapter and the "Cisco TFTP" chapter in the Cisco Unified Communications Manager System Guide.
Note
If you cannot use option 150, you may try using DHCP option 66.

Cisco 877 router - Cisco IP phone won't register with SIP provider

Hi all,
I'm having a problem with a Cisco SPA504G phone not registering with the SIP carrier over the Internet. We've recently rolled out a Cisco 877 router onto a new NBN business connection and can't get the pre-configured IP phone to register.
When we tested the phone with the NBN-provided Netgear router, it worked fine, as it did with the previous Cisco 1841 router we were using on a different link.
The way it's setup is using VLANs to define the internal subnets, which are then assigned to the physical interfaces (since the 887 doesn't allow IP assignments to the interfaces directly).
VLAN 100 is the internal network and has a SBS2011 server – assigned to F0 – IP range is 192.168.1.0
VLAN 200 is the guest network and has Internet access only – assigned to F1 – IP range is 10.1.1.0
VLAN 500 is the WAN network and connects to the NBN upstream box – assigned to F3 – external IP address assigned by DHCP
I've been playing around with access lists, nat rules, basically everything in my limited Cisco knowledge to try and figure this out, but to no avail. I have even configured what I believe is unrestricted access to IP, UDP and TCP outbound and inbound to all VLANs and still can't get it to register.
Tried isolating the issue by creating a new VLAN and assigning it to the spare interface and basically allowing everything in and out, but still no luck.
The problem has to be something on the router – probably some small line of config I haven’t removed or added.
I am going to pull my hair out soon, so would really appreciate some assistance from the Cisco gurus out there.
My client has just purchased about 10 of these handsets from their provider so I need to fix this ASAP. The guy who provided them wasn't very helpful, and basically said I'm on my own once we tested using the NBN-provided Netgear router.
Happy to post my config as well.
Please help!!!!

Current configuration : 4912 bytes
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router1
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
no ip source-route
ip dhcp excluded-address 10.1.1.1
ip dhcp pool GUEST
network 10.1.1.0 255.255.255.0
dns-server 10.1.1.1 203.50.2.71 139.130.4.4
default-router 10.1.1.1
ip cef
no ip domain lookup
ip domain name network.local
ip name-server 192.168.1.123
ip name-server 203.23.53.12
ip name-server 197.12.32.86
ip name-server 8.8.8.8
no ipv6 cef
license udi pid CISCO887VA-K9 sn FGL171220XY
username admin privilege 15 secret 5 $1$aNsm$N1BCQYkoi8gnURyvloYEX/
controller VDSL 0
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
bridge-group 10
pvc 8/35
interface FastEthernet0
description NAC - Internal network
switchport access vlan 100
no ip address
interface FastEthernet1
description NAC - Guest network
switchport access vlan 200
no ip address
interface FastEthernet2
no ip address
shutdown
interface FastEthernet3
description **** WAN Port ****
switchport access vlan 500
no ip address
interface Vlan1
no ip address
bridge-group 10
hold-queue 100 out
interface Vlan100
description NAC - Internal Vlan
ip address 192.168.1.1 255.255.255.0
ip access-group IN-100 in
ip access-group OUT-100 out
ip nat inside
ip virtual-reassembly in
interface Vlan200
description NAC - Guest Vlan
ip address 10.1.1.1 255.255.255.0
ip access-group IN-200 in
ip access-group OUT-200 out
ip nat inside
ip virtual-reassembly in
interface Vlan500
description **** WAN Vlan ****
ip address dhcp
ip nat outside
no ip virtual-reassembly in
no ip forward-protocol nd
ip http server
ip http access-class 23
ip http secure-server
ip dns server
ip nat inside source list NAT-100 interface Vlan500 overload
ip nat inside source list NAT-200 interface Vlan500 overload
ip nat inside source static tcp 192.168.1.123 25 interface Vlan500 25
ip nat inside source static tcp 192.168.1.123 443 interface Vlan500 443
ip nat inside source static tcp 192.168.1.123 3389 interface Vlan500 3399
ip nat inside source static tcp 192.168.1.123 80 interface Vlan500 80
ip nat inside source static tcp 192.168.1.123 4125 interface Vlan500 4125
ip nat inside source static tcp 192.168.1.124 3389 interface Vlan500 3390
ip nat inside source static tcp 192.168.1.123 987 interface Vlan500 987
ip nat inside source static tcp 192.168.1.123 1723 interface Vlan500 1723
ip route 0.0.0.0 0.0.0.0 55.234.52.43
ip access-list extended IN-100
permit udp any any range bootps bootpc
deny ip 10.1.1.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended IN-200
permit udp any any range bootps bootpc
permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended NAT-100
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NAT-200
deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended OUT-100
permit udp any range bootps bootpc any
deny ip 10.1.1.0 0.0.0.255 any
permit ip any 192.168.1.0 0.0.0.255
ip access-list extended OUT-200
permit udp any range bootps bootpc any
deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any 10.1.1.0 0.0.0.255
access-list 23 permit 59.23.164.52
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 120.146.0.0 0.0.255.255
access-list 23 permit 149.185.12.0 0.0.0.255
access-list 23 permit 110.44.28.0 0.0.0.255
access-list 23 permit 110.44.26.0 0.0.0.255
access-list 23 permit 103.25.212.0 0.0.0.255
access-list 23 permit any
bridge 10 protocol ieee
banner motd ^C
* Authorized personnel only! *
^C
line con 0
login local
no modem enable
line aux 0
line vty 0 4
password password01
login local
transport input all
end

Cisco SIP Phone 9971 won't register on CME 8.6

Hello,
I'm facing a very strange problem:
a Cisco SIP Phone 9971 won't register on CME 8.6 running on a 2811
I have read all the related-postings to this and other Forum, but I have not been able to solve it.
One of the "potential solutions" was to make sure that the Phone had a Line configured.
But I think that the commands voice register dn and voice register pool are properly configured (see config below)
So frankly, I have no idea what I could be missing.
I'm pasting the Router's config.
I hope somebody is able to point me in the right direction.
Here is the config. Thank you!
C2811#sh run
Building configuration...
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname C2811
no aaa new-model
dot11 syslog
ip source-route
ip cef
ip dhcp excluded-address 172.25.140.1 172.25.140.10
ip dhcp excluded-address 172.35.140.1 172.35.140.10
ip dhcp pool Data
network 172.25.140.0 255.255.255.0
default-router 172.25.140.1
option 150 ip 172.25.140.1
dns-server 172.25.140.1
ip dhcp pool Voice
network 172.35.140.0 255.255.255.0
default-router 172.35.140.1
option 150 ip 172.35.140.1
dns-server 172.35.140.1
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
voice service voip
allow-connections sip to sip
sip
registrar server expires max 3600 min 120
voice register global
mode cme
source-address 172.25.140.1 port 5060
max-dn 40
max-pool 42
load 9971 sip9971.9-4-1-9.loads
authenticate register
authenticate realm cisco
tftp-path flash:
create profile sync 0004820400584603
voice register dn 1
number 1010
allow watch
name Phone10
label Phone10
mwi
voice register pool 1
id mac 189C.5DB6.BD09
type 9971
number 1 dn 1
presence call-list
dtmf-relay rtp-nte
username adm password adm
call-forward b2bua busy 68600
codec g711ulaw
no vad
camera
video
voice-card 0
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879153754
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879153754
revocation-check none
rsakeypair TP-self-signed-1879153754
crypto pki certificate chain TP-self-signed-1879153754
certificate self-signed 01
(details ommited)
license udi pid CISCO2811 sn FTX1146A44H
username admin privilege 15 password 0 admin
redundancy
interface FastEthernet0/0
no ip address
duplex auto
speed auto
interface FastEthernet0/0.25
description Data VLAN
encapsulation dot1Q 25
ip address 172.25.140.1 255.255.255.0
interface FastEthernet0/0.35
description Voice VLAN
encapsulation dot1Q 35
ip address 172.35.140.1 255.255.255.0
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
tftp-server flash:P00308010200.bin
tftp-server flash:P00308010200.sbn
tftp-server flash:P00308010200.sb2
tftp-server flash:P00308010200.loads
tftp-server flash:SCCP42.9-3-1SR3-1S.loads
tftp-server flash:apps42.9-3-1ES19.sbn
tftp-server flash:cnu42.9-3-1ES19.sbn
tftp-server flash:cvm42sccp.9-3-1ES19.sbn
tftp-server flash:dsp42.9-3-1ES19.sbn
tftp-server flash:jar42sccp.9-3-1ES19.sbn
tftp-server flash:term42.default.loads
tftp-server flash:term62.default.loads
tftp-server flash:SCCP45.9-3-1SR3-1S.loads
tftp-server flash:apps45.9-3-1ES19.sbn
tftp-server flash:cnu45.9-3-1ES19.sbn
tftp-server flash:cvm45sccp.9-3-1ES19.sbn
tftp-server flash:dsp45.9-3-1ES19.sbn
tftp-server flash:jar45sccp.9-3-1ES19.sbn
tftp-server flash:term45.default.loads
tftp-server flash:term65.default.loads
tftp-server flash:/Ringtones/Ringlist.xml alias Ringlist.xml
tftp-server flash:/Ringtones/DistinctiveRingList.xml alias DistinctiveRingList.x
ml
tftp-server flash:sip9971.9-4-1-9.loads
tftp-server flash:kern9971.9-4-1-9.sebn
tftp-server flash:rootfs9971.9-4-1-9.sebn
tftp-server flash:dkern9971.100609R2-9-4-1-9.sebn
tftp-server flash:sboot9971.031610R1-9-4-1-9.sebn
tftp-server flash:skern9971.022809R2-9-4-1-9.sebn
tftp-server flash:/g4-tones.xml alias United_States/g4-tones.xml
tftp-server flash:/gd-sip.jar alias English_United_States/gd-sip.jar
control-plane
mgcp profile default
telephony-service
max-ephones 24
max-dn 48
ip source-address 172.25.140.1 port 2000
cnf-file location flash:
load 7960-7940 P00308010200
load 7942 SCCP42.9-3-1SR3-1S.loads
load 7945 SCCP45.9-3-1SR3-1S.loads
load 7962 SCCP42.9-3-1SR3-1S.loads
load 7965 SCCP45.9-3-1SR3-1S.loads
max-conferences 8 gain -6
dn-webedit
transfer-system full-consult
create cnf-files version-stamp 7960 Feb 11 2014 07:18:32
ephone-dn 1
number 1001
description Phone 1
name Phone 1
hold-alert 30 originator
ephone-dn 2
number 1002
description Phone 2
name Phone 2
hold-alert 30 originator
ephone-dn 3
number 1003
description Phone 3
name Phone 3
hold-alert 30 originator
ephone 1
device-security-mode none
mac-address 001C.58FB.6E0F
button 1:1
ephone 2
device-security-mode none
mac-address 0014.A981.7F8A
button 1:2
ephone 3
device-security-mode none
mac-address 0006.5356.A4B8
button 1:3
alias exec con conf t
alias exec sib show ip int brief
alias exec srb show run | b
alias exec sri show run int
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
scheduler allocate 20000 1000
ntp master 1
end
C2811#

Thank you for your reply.
I did some debugs and the results are very strange!
This is what I got:
Feb 24 18:01:12.219: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 400 Bad Request
Via: SIP/2.0/UDP 172.35.140.12:5060;branch=z9hG4bK08011844
From: ;tag=189c5db6bd09000260cf3daf-289a76d1
To: ;tag=52488-160A
Date: Mon, 24 Feb 2014 18:01:12 GMT
Call-ID: [email protected]
CSeq: 1000 REFER
Content-Length: 0
Contact:
Feb 24 18:01:12.291: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
REGISTER sip:172.25.140.1 SIP/2.0
Via: SIP/2.0/UDP 172.35.140.12:5060;branch=z9hG4bK1e9ad079
From: ;tag=189c5db6bd0900032df02e9c-25d79707
To:
Call-ID: [email protected]
Max-Forwards: 70
Date: Fri, 01 Jan 1982 00:02:41 GMT
CSeq: 101 REGISTER
User-Agent: Cisco-CP9971/9.4.1
Contact: ;+sip.instance="
000000-0000-0000-0000-189c5db6bd09>";+u.sip!devicename.ccm.cisco.com="SEP189C5DB
6BD09";+u.sip!model.ccm.cisco.com="493";video
Supported: replaces,join,sdp-anat,norefersub,resource-priority,extended-refer,X-
cisco-callinfo,X-cisco-serviceuri,X-cisco-escapecodes,X-cisco-service-control,X-
cisco-srtp-fallback,X-cisco-monrec,X-cisco-config,X-cisco-sis-6.0.2,X-cisco-xsi-
8.0.1
Content-Length: 0
Reason: SIP;cause=200;text="cisco-alarm:22 Name=SEP189C5DB6BD09 ActiveLoad=sip99
71.9-4-1-9.loads InactiveLoad=sip9971.9-3-2SR1-1.loads Last=reset-reset"
Expires: 3600
Feb 24 18:01:12.395: voice_reg_get_reg_expires_timer: no voice register pool found
Feb 24 18:01:12.395: VOICE_REG_POOL: Register request for (1010) from (172.35.140.12)
Feb 24 18:01:12.395: VOICE_REG_POOL: Contact matches pool 1 number list 1
Feb 24 18:01:12.395: VOICE_REG_POOL: No entry for (172.35.140.12) found in srst contact table
Feb 24 18:01:12.395: VOICE_REG_POOL: key(1010) contact(172.35.140.12:5060) add to contact table
Feb 24 18:01:12.395: VOICE_REG_POOL: No entry for (1010) found in contact table
Feb 24 18:01:12.399: VOICE_REG_POOL: key(1010) contact(172.35.140.12) added to contact table
Feb 24 18:01:12.399: VOICE_REG_POOL: key(172.35.140.12) contact(1010) add to srst contact table
Feb 24 18:01:12.399: VOICE_REG_POOL: No entry for (172.35.140.12) found in srst contact table
Feb 24 18:01:12.399: VOICE_REG_POOL: key(172.35.140.12) contact(1010) added to srst contact table
Feb 24 18:01:12.399: VOICE_REG_POOL pool->tag(1), dn->tag(1), submask(1)
But right after these errors, I get the following:
Feb 24 18:01:12.399: VOICE_REG_POOL: Creating param container for dial-peer 4000
1.VOICE_REG_POOL pool->tag(1), dn->tag(1), submask(1)
VOICE_REG_POOL pool_tag(1), dn_tag(1)
Feb 24 18:01:12.399: VOICE_REG_POOL: Created dial-peer entry of type 0
Feb 24 18:01:12.399: VOICE_REG_POOL: Registration successful for 1010, registration id is 1
Feb 24 18:01:12.411: VOICE_REG_POOL: Contact matches pool 1 number list 1
Feb 24 18:01:12.411: VOICE_REG_POOL: GW SIS: X-cisco-cme-sis-1.0.0
Feb 24 18:01:12.411: VOICE REGISTER POOL-1 has registered.
                               Name:SEP189C5DB6BD09 IP:172.35.140.12 DeviceType:Phone
Feb 24 18:01:12.411: VOICE_REG_POOL: Pool[1]: service-control (reset type: 2) message sent to sip:[email protected]
Feb 24 18:01:12.411: voice_reg_privacy_update_to_phone: delay sending privacy update during bulk registration
Feb 24 18:01:12.415: //1/7B0070C28003/SIP/Msg/ccsipDisplayMsg:
====================
And when I do a sh voice register pool, I get the following:
C2811#sh voice register pool 1
Pool Tag 1
Config:
Mac address is 189C.5DB6.BD09
Type is 9971
Number list 1 : DN 1
Proxy Ip address is 0.0.0.0
Current Phone load version is Cisco-CP9971/9.4.1
DTMF Relay is enabled, rtp-nte
Call Waiting is enabled
DnD is disabled
Video is enabled
Camera is enabled
Busy trigger per button value is 0
call-forward b2bua busy 68600
keep-conference is enabled
registration expires timer max is 3600 and min is 120
username adm password adm
kpml signal is enabled
Lpcor Type is none
blf call list is enabled
Transport type is udp
service-control mechanism is supported
registration Call ID is [email protected]
Registration method: per line
Privacy feature is not configured.
Privacy button is disabled
active primary line is: 1010
contact IP address: 172.35.140.12 port 5060
Phone SIS Version: 6.0.2
GW SIS Version: 1.0.0
Dialpeers created:
Dial-peers for Pool 1:
dial-peer voice 40001 voip
destination-pattern 1010
session target ipv4:172.35.140.12:5060
session protocol sipv2
dtmf-relay rtp-nte
digit collect kpml
codec g711ulaw bytes 160
no vad
call-fwd-busy        68600
after-hours-exempt   FALSE
Statistics:
Active registrations : 4
Total SIP phones registered: 1
Total Registration Statistics
    Registration requests : 4
    Registration success   : 4
    Registration failed    : 0
    unRegister requests    : 0
    unRegister success     : 0
    unRegister failed      : 0
    Attempts to register
           after last unregister : 0
    Last register request time   : 18:11:43.551 UTC Mon Feb 24 2014
    Last unregister request time :
    Register success time        : 18:11:43.551 UTC Mon Feb 24 2014
    Unregister success time      :
C2811#
So apparently the Phone is actually registered!
However, the Phone screens still shows this message: Phone Not Registered.
So frankly I don't understand what's going on!
I really hope somebody can help. Thanks!

Cisco SIP Phone 9971 will not register on CME 8.6

Hello,
I'm trying to configure a Cisco SIP Phone 9971,
but it won't register on CME 8.6, which is running on a 2811
The Phone shows this error message: Phone Not Registered.
And when I check the the Status Messages in the Phone, I see the following:
VPN Error: vpn is not configured
Actually, it shows all these 4 messages in a constant Loop:
12:01:59a SEP189C5DB6BD09.cnf.xml (TFTP)
12:01:59a No Trust List instaled
12:01:59a Updating Trust list
12:02:00a VPN Error: VPN is not Configured
It seems that this VPN Error is keeping the Phone from registering.
This is repeated for ever and the Phone never registers; at least that's what it appears.
However, when I do a sh voice register pool, I get the following:
C2811#sh voice register pool 1
Pool Tag 1
Config:
Mac address is 189C.5DB6.BD09
Type is 9971
Number list 1 : DN 1
Proxy Ip address is 0.0.0.0
Current Phone load version is Cisco-CP9971/9.4.1
DTMF Relay is enabled, rtp-nte
Call Waiting is enabled
DnD is disabled
Video is enabled
Camera is enabled
Busy trigger per button value is 0
call-forward b2bua busy 68600
keep-conference is enabled
registration expires timer max is 3600 and min is 120
username adm password adm
kpml signal is enabled
Lpcor Type is none
blf call list is enabled
Transport type is udp
service-control mechanism is supported
registration Call ID is [email protected]
Registration method: per line
Privacy feature is not configured.
Privacy button is disabled
active primary line is: 1010
contact IP address: 172.35.140.12 port 5060
Phone SIS Version: 6.0.2
GW SIS Version: 1.0.0
Dialpeers created:
Dial-peers for Pool 1:
dial-peer voice 40001 voip
destination-pattern 1010
session target ipv4:172.35.140.12:5060
session protocol sipv2
dtmf-relay rtp-nte
digit collect kpml
codec g711ulaw bytes 160
no vad
call-fwd-busy        68600
after-hours-exempt   FALSE
Statistics:
Active registrations : 4
Total SIP phones registered: 1
Total Registration Statistics
    Registration requests : 4
    Registration success   : 4
    Registration failed    : 0
    unRegister requests    : 0
    unRegister success     : 0
    unRegister failed      : 0
    Attempts to register
           after last unregister : 0
    Last register request time   : 18:11:43.551 UTC Mon Feb 24 2014
    Last unregister request time :
    Register success time        : 18:11:43.551 UTC Mon Feb 24 2014
    Unregister success time      :
C2811#
This sh voice register pool seems to indicate that the Phone has actually registered.
But I still get the Phone Not Registered message on the screen!
I did some Debugs and they also seem to indicate that the Phone has indeed registered:
Feb 24 18:01:12.399: VOICE_REG_POOL: Creating param container for dial-peer 4000
1.VOICE_REG_POOL pool->tag(1), dn->tag(1), submask(1)
VOICE_REG_POOL pool_tag(1), dn_tag(1)
Feb 24 18:01:12.399: VOICE_REG_POOL: Created dial-peer entry of type 0
Feb 24 18:01:12.399: VOICE_REG_POOL: Registration successful for 1010, registration id is 1
Feb 24 18:01:12.411: VOICE_REG_POOL: Contact matches pool 1 number list 1
Feb 24 18:01:12.411: VOICE_REG_POOL: GW SIS: X-cisco-cme-sis-1.0.0
Feb 24 18:01:12.411: VOICE REGISTER POOL-1 has registered.
                               Name:SEP189C5DB6BD09 IP:172.35.140.12 DeviceType:Phone
So frankly, I have no idea why the Phone keeps showing the Phone Not Registered message.
I'm pasting the Router's config.
I hope somebody is able to point me in the right direction.
Here is the config. Thank you!
C2811#sh run
Building configuration...
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname C2811
no aaa new-model
dot11 syslog
ip source-route
ip cef
ip dhcp excluded-address 172.25.140.1 172.25.140.10
ip dhcp excluded-address 172.35.140.1 172.35.140.10
ip dhcp pool Data
network 172.25.140.0 255.255.255.0
default-router 172.25.140.1
option 150 ip 172.25.140.1
dns-server 172.25.140.1
ip dhcp pool Voice
network 172.35.140.0 255.255.255.0
default-router 172.35.140.1
option 150 ip 172.35.140.1
dns-server 172.35.140.1
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
voice service voip
allow-connections sip to sip
sip
registrar server expires max 3600 min 120
voice register global
mode cme
source-address 172.25.140.1 port 5060
max-dn 40
max-pool 42
load 9971 sip9971.9-4-1-9.loads
authenticate register
authenticate realm cisco
tftp-path flash:
create profile sync 0004820400584603
voice register dn 1
number 1010
allow watch
name Phone10
label Phone10
mwi
voice register pool 1
id mac 189C.5DB6.BD09
type 9971
number 1 dn 1
presence call-list
dtmf-relay rtp-nte
username adm password adm
call-forward b2bua busy 68600
codec g711ulaw
no vad
camera
video
voice-card 0
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879153754
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879153754
revocation-check none
rsakeypair TP-self-signed-1879153754
crypto pki certificate chain TP-self-signed-1879153754
certificate self-signed 01
(details ommited)
license udi pid CISCO2811 sn FTX1146A44H
username admin privilege 15 password 0 admin
redundancy
interface FastEthernet0/0
no ip address
duplex auto
speed auto
interface FastEthernet0/0.25
description Data VLAN
encapsulation dot1Q 25
ip address 172.25.140.1 255.255.255.0
interface FastEthernet0/0.35
description Voice VLAN
encapsulation dot1Q 35
ip address 172.35.140.1 255.255.255.0
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
tftp-server flash:P00308010200.bin
tftp-server flash:P00308010200.sbn
tftp-server flash:P00308010200.sb2
tftp-server flash:P00308010200.loads
tftp-server flash:SCCP42.9-3-1SR3-1S.loads
tftp-server flash:apps42.9-3-1ES19.sbn
tftp-server flash:cnu42.9-3-1ES19.sbn
tftp-server flash:cvm42sccp.9-3-1ES19.sbn
tftp-server flash:dsp42.9-3-1ES19.sbn
tftp-server flash:jar42sccp.9-3-1ES19.sbn
tftp-server flash:term42.default.loads
tftp-server flash:term62.default.loads
tftp-server flash:SCCP45.9-3-1SR3-1S.loads
tftp-server flash:apps45.9-3-1ES19.sbn
tftp-server flash:cnu45.9-3-1ES19.sbn
tftp-server flash:cvm45sccp.9-3-1ES19.sbn
tftp-server flash:dsp45.9-3-1ES19.sbn
tftp-server flash:jar45sccp.9-3-1ES19.sbn
tftp-server flash:term45.default.loads
tftp-server flash:term65.default.loads
tftp-server flash:/Ringtones/Ringlist.xml alias Ringlist.xml
tftp-server flash:/Ringtones/DistinctiveRingList.xml alias DistinctiveRingList.x
ml
tftp-server flash:sip9971.9-4-1-9.loads
tftp-server flash:kern9971.9-4-1-9.sebn
tftp-server flash:rootfs9971.9-4-1-9.sebn
tftp-server flash:dkern9971.100609R2-9-4-1-9.sebn
tftp-server flash:sboot9971.031610R1-9-4-1-9.sebn
tftp-server flash:skern9971.022809R2-9-4-1-9.sebn
tftp-server flash:/g4-tones.xml alias United_States/g4-tones.xml
tftp-server flash:/gd-sip.jar alias English_United_States/gd-sip.jar
control-plane
mgcp profile default
telephony-service
max-ephones 24
max-dn 48
ip source-address 172.25.140.1 port 2000
cnf-file location flash:
load 7960-7940 P00308010200
load 7942 SCCP42.9-3-1SR3-1S.loads
load 7945 SCCP45.9-3-1SR3-1S.loads
load 7962 SCCP42.9-3-1SR3-1S.loads
load 7965 SCCP45.9-3-1SR3-1S.loads
max-conferences 8 gain -6
dn-webedit
transfer-system full-consult
create cnf-files version-stamp 7960 Feb 11 2014 07:18:32
ephone-dn 1
number 1001
description Phone 1
name Phone 1
hold-alert 30 originator
ephone-dn 2
number 1002
description Phone 2
name Phone 2
hold-alert 30 originator
ephone-dn 3
number 1003
description Phone 3
name Phone 3
hold-alert 30 originator
ephone 1
device-security-mode none
mac-address 001C.58FB.6E0F
button 1:1
ephone 2
device-security-mode none
mac-address 0014.A981.7F8A
button 1:2
ephone 3
device-security-mode none
mac-address 0006.5356.A4B8
button 1:3
alias exec con conf t
alias exec sib show ip int brief
alias exec srb show run | b
alias exec sri show run int
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
scheduler allocate 20000 1000
ntp master 1
end
C2811#

VPN is not Configured prints on all phones now with the built-in VPN client if VPN isn't configured. That's normal and is just cosmetic. That should not be causing your registration issues.

Cisco IP Phone 7962 not registering with CME 9

Dear Experts,
I have CME router 2811 with 15 - 6921 phones and added 1 new Cisco 7962 phone. All the 6921 phones are registered and working fine.
7962 phone does not register and the screen goes blank after the phone boot. Software version the phone is running is 9.3.1 SR2-1S
Verified the CNF File is created
tftp-server system:/its/vrf1/XMLDefault7962.cnf.xml alias SEP501CBFFC8735.cnf.xml
Here is the configuration on the router.
ip dhcp pool VOICE
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   option 150 ip 192.168.10.1
ephone-dn 11 octo-line
number 2211
label ABC 2221
name ABC
ephone 11
device-security-mode none
mac-address 501C.BFFC.8735
type 7962
button 1:11
The results of the debug tftp events are as below -
Oct 26 17:52:06.491: TFTP: Looking for CTLSEP501CBFFC8735.tlv
Oct 26 17:52:06.595: TFTP: Looking for ITLSEP501CBFFC8735.tlv
Oct 26 17:52:06.699: TFTP: Looking for ITLFile.tlv
Oct 26 17:52:06.931: TFTP: Looking for SEP501CBFFC8735.cnf.xml
Oct 26 17:52:07.487: TFTP: Opened system:/its/vrf1/XMLDefault7962.cnf.xml, fd 10, size 1278 for process 366
Oct 26 17:52:07.495: TFTP: Finished system:/its/vrf1/XMLDefault7962.cnf.xml, time 00:00:00 for process 366
Oct 26 17:52:09.799: TFTP: Looking for English_United_States/mk-sccp.jar
Oct 26 17:52:10.119: TFTP: Looking for United_States/g3-tones.xml
Oct 26 17:52:11.067: New Skinny socket accepted [2] from 0, sub 1 (15 active)
Oct 26 17:52:11.067: sin_family 2, sin_port 49152, in_addr 192.168.110.30
Oct 26 17:52:11.067: skinny_add_socket 2 192.168.110.30 49152
Oct 26 17:52:11.799: Cannot find device entry on socket fd 7 for message 346
Oct 26 17:52:11.799: Got wrong skinny message size 1836597052 on socket fd 7
Oct 26 17:52:11.799: Got wrong skinny message size 824327534 on socket fd 7
Oct 26 17:52:11.799: Got wrong skinny message size 1735289188 on socket fd 7
Oct 26 17:52:11.799: Got wrong skinny message size 1007304255 on socket fd 7
Oct 26 17:52:11.799: Got wrong skinny message size 1918987361 on socket fd 7
Oct 26 17:52:11.799: Got wrong skinny message size 1632510061 on socket fd 7
Oct 26 17:52:11.799: Got wrong skinny message size 1333032271 on socket fd 7 ... .so on
Oct 26 17:52:11.815: Got wrong skinny message size 2622 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.815: Got wrong skinny message size 0 on socket fd 7.. so on
Oct 26 17:52:11.883: Cannot find device entry on socket fd 7 for message 0
Oct 26 17:52:11.883: Got wrong skinny message size -2056126442 on socket fd 7
Oct 26 17:52:11.883: Got wrong skinny message size -54584240 on socket fd 7
Oct 26 17:52:11.883: Got wrong skinny message size 3 on socket fd 7
Oct 26 17:52:11.883: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.883: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:11.883: Got wrong skinny message size 825045805 on socket fd 7
Oct 26 17:52:11.883: Got wrong skinny message size 0 on socket fd 7
Oct 26 17:52:21.915: Cannot find device entry on socket fd 7 for message 0
Oct 26 17:52:41.995: Cannot find device entry on socket fd 7 for message 0
Oct 26 17:53:02.064: Cannot find device entry on socket fd 7 for message 0
ADVILLA-2811#
Oct 26 17:54:24.556: socket 3 fatal error 260! can't read msg header with size -1, fd 3
Oct 26 17:54:24.556: it's a stale socket! delete it!!
Please advise the issue.. thanks..

This could be a compatibility issue. Looking at the feature matrix, 15.1 is CME8.8 and only has support for SCCP42.9-2-1S.loads. Even the latest CME (10.5) only has listed support for 9.2.1 on 7962.
I would try downgrading the phone firmware to 9.2.1 and see if you continue to have the issue.
Also, make sure you are advertising all the following files on TFTP:
SCCP42.9-2-1S.loads
apps42.9-2-1TH1-13.sbn
cnu42.9-2-1TH1-13.sbn
cvm42sccp.9-2-1TH1-13.sbn
dsp42.9-2-1TH1-13.sbn
jar42sccp.9-2-1TH1-13.sbn
term42.default.loads
term62.default.loads

No Ping-Answer in Site-To-Site-Connection between Cisco 876 and CheckPoint-Firewall

Hello!
We try to establish a Site-To-Site-IPSec-connection between a Cisco 876 (local site) and a CheckPoint-firewall (remote site). The Cisco 876 is not directly connected to the internet, but is behind a DSL-Router with port-forwarding, forwarding ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with commands "debug crypto isakmp" and "debug crypto ipsec".
From the Checkpoint-firewall point of view the connection seems to establish, but there is no ping answer.
The server on the local site that should be reached from the network behind the Checkpoint-firewall has a routing entry "route -P add [inside ip-net remote] 255.255.255.0 [inside ip local]" (see also appended running config for naming of ip-addresses).
Establishing a Cisco VPN-Client connection to the same Cisco 876 router works fine.
Any help would be very much appreciated!
Jakob J. Blaette

Hi Jakob,
Adding my two cents here.
You always need to confirm that the following ports and protocol are opened:
1- UDP port 500 --> ISAKMP
2- UDP port 4500 --> NAT-T
3- Protocol 50 ---> ESP
A LAN-to-LAN tunnel will never establish a session over TCP, but it could use NAT-T (if behind NAT). Remember that a one-to-one translation is not a port-forwarding, a LAN-to-LAN tunnel does not work well unless you have a one-to-one translation for the NATted device, which I think, in your case is the Router.
HTH.
Portu.
Please rate any helpful posts and mark this post as answered.

Any tool to migrate from a Nokia/CheckPoint firewall to CISCO ASA

Would like to know if there is any tool that could help to migrate CheckPoint firewall objects and rules database to CISCO ASA equivalent ;
Could the last CISCO Security Manager product help in this process ?
thanks in advance

Joel, you may need to use a firewall analyser or fw auditing tools to retreave fw rules from Nokia/Fw-1 in a legibel format like using LFA, but you still need to manually entered the configuration into ASA.
Check this link and look for (LFA) Lumeta firewall analyser, they work along with checkpoint..
http://www.lumeta.com/
Also reference this thread, it may help.
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7e5c4
HTH
Jorge

Cisco Call manager 7.2 through ASA firewall

Hi,
We have a part of our building that we have sold to another company. We still have to provide them with some resources until they can install their own network. We have a 6500 switch there and we are going to implement a ASA in between and lock down most communication. One of the resources required are Cisco IP phones.
Does anyone know which ports etc are required to be opened to allow communication between these phones and Call manager and other IP phones on the site?
Any help would be appreciated

Hi Andrew
The attached document may assist:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
A lot depends on topology etc, and the handset registration protocol you are using (SIP vs SCCP).
Hope this helps.
Barry Hesk
Intrinsic Network Solutions

Integration with Cisco IP Phones

Possible to integrate Lync to Cisco IP Phones?

Depends on what you mean by integrate. You cannot directly register Cisco phones with Lync, but you have the following options:
Create a SIP trunk (or trunk through a gateway) and connect CUCM to Lync and then you would be able to call back and forth
If you want to repurpose Cisco phones to use with Lync then you can use a third party product from AudioCodes (SPS -
http://www.audiocodes.com/sps ) or NET (SmartSIP -
http://www.net.com/Pages/Product.aspx?pgid=229 )
Tim Harrington | MVP: Lync | MCITP: EMA 2007/2010, Lync 2010, MCTS: OCS | Blog:
http://HowDoUC.blogspot.com | Twitter:
@twharrington

8851 Phones rebooting randomly

Hi there,
For Customer ABC we deployed 8851 Phones for their Contact center ( around 80). They are using Finesse/UCCE. CUCM ver is 9.1.2.
Issue: Randomly any 8851 phone will reboot. It will go through the whole power cycle and Agent will have to login again to Extension Mobility and Finesse.
Steps taken (Issue still not resolved as of now):
1) Customer had 3560 series switches. At that time there were almost 15 to 20 phone resets were happening in a day.
2) Changed Switches to 3750G. Reset reduced to almost around 2 a day. (Seems like a cabling issue at this point)
3) Cabling tests were done by third party company using Fluke. Results came green and OK.
4) Patch cables from Phone to Jack was replaced with a Cat6 but no difference.
5) Speed and Duplex on phone and Switch was hard-coded to 1000 Full but again no difference.
6) Firmware upgraded on all phones as suggested by TAC but since then it's almost 6 phones a day which are rebooting. Possibly rollback for that either today or tomorrow.
Next Steps scheduled to be taken:
1) Put a Sniffer/Pcap to capture all the IP traffic and go on from there.
2) Hard-code the Speed and Duplex to 100 and FULL.
3) Possibly put few 7900 series phone to see if it's SIP causing the issue.
The issue is still not resolved so if anyone is experiencing similar situation or had faced in past, Please share your thoughts. I did read a few forums where people faced similar issue and for some it got resolved by replacing switches or by changing port security timer setting on Switch. We haven't tried port security timer yet but will update if we ended up doing it.
I will update this if issue gets resolved or about the steps taken, meanwhile please share any information you think can help out here.
Thanks

Just providing an update here.
After lots of troubleshooting and based on findings from Developers it is discovered that Firmware of USB port 8851 was causing the issue. Since last week or so Agents are using RJ11 headsets or analog headsets and there has been no issue whatsoever. So it clearly was a USB related issue.
Cisco has sent details to their Partner who develops that firmware to USB and once it's fixed we will try again with the USB headsets.
I will keep it updated if there's anything new.

Cisco 8851 phones registering through Checkpoint firewall

Similar Messages

Maybe you are looking for