
Configure a Trunk in ISR4000 - Webex Calling

Luis2
Level 1

Hello all,

I have a problem with the configuration of an ISR 4k. I have a Webex Calling solution, and I configured the router to bring up a session between the Webex cloud and the ISR. When I finished with that and checked in Control Hub, the Trunk was still "offline". I checked the configuration steps many times and tried a debug, but I cannot locate the problem.

 

Could someone help me locate what's happening in this case? (Thank you very much!!)

 

=============================================================================

                                                       RUN CONFIG

=============================================================================

The config that I used was:

 

GADORGW#sh running-config
Building configuration...


Current configuration : 11710 bytes
!
! Last configuration change at 12:33:50 URU Fri Mar 4 2022 by soporte
!
version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname GADORGW
!
boot-start-marker
boot system flash isr4300-universalk9.16.12.07.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
clock timezone URU -3 0
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip name-server 200.40.30.245
ip domain name gador.com
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
password encryption aes
!
!
crypto pki trustpoint TP-self-signed-2737591448
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2737591448
revocation-check none
rsakeypair TP-self-signed-2737591448
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint sampleTP
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2737591448
certificate self-signed 01
(I remove the cert)
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
(I remove the cert too)
crypto pki certificate chain sampleTP
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
!
!
voice service voip
ip address trusted list
ipv4 85.119.56.0 255.255.254.0
ipv4 135.84.168.0 255.255.248.0
ipv4 185.115.196.0 255.255.252.0
ipv4 199.59.64.0 255.255.248.0
ipv4 170.72.17.128 255.255.255.128
ipv4 128.177.14.0 255.255.255.0
ipv4 139.177.64.0 255.255.248.0
ipv4 199.19.196.0 255.255.254.0
ipv4 23.89.76.128 255.255.255.128
ipv4 170.72.0.128 255.255.255.128
ipv4 128.177.36.0 255.255.255.0
ipv4 139.177.72.0 255.255.254.0
ipv4 199.19.199.0 255.255.255.0
ipv4 170.72.29.0 255.255.255.0
ipv4 170.72.82.0 255.255.255.128
mode border-element license capacity 100
media statistics
media bulk-stats
allow-connections sip to sip
no supplementary-service sip refer
no supplementary-service sip handle-replaces
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
stun
stun flowdata agent-id 1 boot-count 4
stun flowdata shared-secret 6 _TBSbQA\LOigasd87fyasdvubaosvu7gBR_]MJZR_
sip
min-se 600
early-offer forced
g729 annexb-all
no call service stop
!
!
voice class uri 100 sip
host ipv4:190.64.60.17
!
voice class uri 200 sip
pattern dtg=antel5400.lgu
voice class codec 99
codec preference 1 g711ulaw
codec preference 2 g711alaw
!
voice class stun-usage 200
stun usage firewall-traversal flowdata
stun usage ice lite
!
!
voice class sip-profiles 200
rule 9 request ANY sip-header SIP-Req-URI modify "sips:(.*)" "sip:\1"
rule 10 request ANY sip-header To modify "<sips:(.*)" "<sip:\1"
rule 11 request ANY sip-header From modify "<sips:(.*)" "<sip:\1"
rule 12 request ANY sip-header Contact modify "<sips:(.*)>" "<sip:\1;transport=tls>"
rule 13 response ANY sip-header To modify "<sips:(.*)" "<sip:\1"
rule 14 response ANY sip-header From modify "<sips:(.*)" "<sip:\1"
rule 15 response ANY sip-header Contact modify "<sips:(.*)" "<sip:\1"
rule 20 request ANY sip-header From modify ">" ";otg=antel5400_lgu>"
rule 30 request ANY sip-header P-Asserted-Identity modify "sips:(.*)" "sip:\1"
!
!
!
voice class dpg 100
description Incoming WxC(DP200201) to IP PSTN(DP101)
dial-peer 101 preference 1
!
voice class dpg 200
description Incoming IP PSTN(DP100) to Webex Calling(DP200201)
dial-peer 200201 preference 1
!
voice class tenant 100
no remote-party-id
retry invite 2
retry register 10
timers connect 100
timers register 1000
connection-reuse
session transport udp
url sip
error-passthru
bind control source-interface GigabitEthernet0/0/1
bind media source-interface GigabitEthernet0/0/1
no pass-thru content custom-sdp
!
voice class tenant 300
bind control source-interface GigabitEthernet0/0/1
bind media source-interface GigabitEthernet0/0/1
no pass-thru content custom-sdp
!
voice class tenant 200
registrar dns:08135916.us10.bcld.webex.com scheme sips expires 240 refresh-ratio 50 tcp tls
credentials number antel9030_LGU username antel5400_LGU password 6 E\SJLdEPeHDHef[_iVDSOAgCI`bQe[P]`SX` realm BroadWorks
authentication username Antel5400_LGU password 6 `S[W[JW[asdfa444MgcXMEAcQVJVGf realm BroadWork
authentication username Antel5400_LGU password 6 WFsfsdfsdfQK realm 08135916.us10.bcld.webex.com
no remote-party-id
sip-server dns:08135916.us10.bcld.webex.com
connection-reuse
srtp-crypto 200
session transport tcp tls
url sips
error-passthru
asserted-id pai
bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
no pass-thru content custom-sdp
sip-profiles 200
outbound-proxy dns:da11.sipconnect-us.bcld.webex.com
privacy-policy passthru
!
voice class srtp-crypto 200
crypto 1 AES_CM_128_HMAC_SHA1_80
!
!
!
!
!
!
!
voice-card 0/1
no watchdog
!
no license feature hseck9
license udi pid ISR4321/K9 sn FLM25510063
license boot level uck9
license boot level securityk9
memory free low-watermark processor 69075
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username soporte privilege 15 password 6 ]AZ_`¨´´:_:[¨PPPPFe[\AG`fC_ThW]47JHFDLO
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description LAN
ip address 192.168.20.10 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
description ANTEL-SIP-TRUNK
ip address 200.2.63.34 255.255.255.252
shutdown
negotiation auto
!
interface Service-Engine0/1/0
!
interface GigabitEthernet0/2/0
!
interface GigabitEthernet0/2/1
!
interface GigabitEthernet0/2/2
!
interface GigabitEthernet0/2/3
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.20.6
ip route 190.64.60.0 255.255.255.0 200.2.63.33
!
!
!
!
!
!
!
control-plane
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
dial-peer voice 101 voip
description Outgoing dial-peer to IP PSTN
destination-pattern BAD.BAD
session protocol sipv2
session target ipv4:190.64.60.17
voice-class codec 99
voice-class sip tenant 100
dtmf-relay rtp-nte
no vad
!
dial-peer voice 200201 voip
description Inbound/Outbound Webex Calling
max-conn 250
destination-pattern BAD.BAD
session protocol sipv2
session target sip-server
destination dpg 100
incoming uri request 200
voice-class codec 99
voice-class stun-usage 200
no voice-class sip localhost
dtmf-relay rtp-nte
srtp
no vad
!
dial-peer voice 100 voip
description Incoming dial-peer from PSTN
session protocol sipv2
destination dpg 200
incoming uri via 100
voice-class codec 99
voice-class sip tenant 300
dtmf-relay rtp-nte
no vad
!
!
sip-ua
transport tcp tls v1.2
crypto signaling default trustpoint sampleTP cn-san-validate server
tcp-retry 1000
!
!
line con 0
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
transport input ssh
!
!
!
!
!
!
end

 

=============================================================================

                                                       OUTPUT DEBUG

=============================================================================

6 Replies

Ratheesh Kumar
VIP Alumni

Hi there

 

I would make sure all the relevant ports are open, followed by an IOS update.

 

https://help.webex.com/en-us/article/b2exve/Port-Reference-Information-for-Cisco-Webex-Calling-

 

Hope this Helps

Cheers
Rath!

***Please rate helpful posts and if applicable mark "Accept as a Solution"***

 

dtibbe
VIP

@Luis2, you probably want to remove all the crypted passwords as well.
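
One way to do the clean-up suggested in the reply above before pasting a running-config into a public post (an added example, not part of the original thread). The regexes cover the `password`, `secret` and `shared-secret` forms and the certificate chains seen in this thread's config, not every IOS secret syntax; the sample config and its values are constructed.

```python
import re

# "password" / "secret" (also matches "shared-secret"), optional type digit, value.
# The lookahead skips the global "password encryption aes" command (no secret in it).
SECRET_RE = re.compile(r"\b(password|secret)\b(?!\s+encryption\b)(\s+\d+)?\s+(\S+)")
CERT_START_RE = re.compile(r"^\s*certificate\s+\S+")
HEX_BODY_RE = re.compile(r"^[0-9A-Fa-f\s]+$")


def sanitize_ios_config(text: str) -> str:
    """Replace secret values and certificate bodies in IOS config text."""
    out, in_cert = [], False
    for line in text.splitlines():
        if in_cert:
            if line.strip() == "quit":
                in_cert = False
                out.append(line)
                continue
            if HEX_BODY_RE.match(line):
                continue  # drop the certificate hex dump
            in_cert = False  # "quit" missing: treat this line as normal config
        if CERT_START_RE.match(line):
            in_cert = True
            out += [line, "  <certificate removed>"]
            continue
        out.append(SECRET_RE.sub(
            lambda m: f"{m.group(1)}{m.group(2) or ''} <removed>", line))
    return "\n".join(out)


# Constructed sample; none of these values come from a real device.
SAMPLE = """\
password encryption aes
username admin privilege 15 password 6 CONSTRUCTED-VALUE-1
crypto pki certificate chain TP-example
 certificate self-signed 01
  30820330 30820218 A0030201 02020101
  0D06092A 864886F7
  quit
voice service voip
 stun flowdata shared-secret 6 CONSTRUCTED-VALUE-2
voice class tenant 200
 credentials number user1 username user1 password 6 CONSTRUCTED-VALUE-3 realm BroadWorks
"""

if __name__ == "__main__":
    print(sanitize_ios_config(SAMPLE))
```

Usernames, registrar hostnames and IP addresses are left in place; remove those by hand if they should not be public either.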

KY_
Level 4

I have a question about that point, "destination-pattern BAD.BAD": why do we need to use BAD.BAD here? What is the purpose of this?

 

It's just a placeholder pattern when using the Dial-peer group feature (Check the Cisco Docs for more information about this feature).

 

Following config example:

voice class dpg 100
 dial-peer 200
!
dial-peer voice 100 voip
 description ### Inbound Dial-peer ###
 <any inbound matching statement>
 voice-class dpg 100
 ...
!
dial-peer voice 200 voip
 description ### Outbound Dial-peer ###
 destination-pattern BAD.BAD
 ...

When the dial-peer 100 is matched as an inbound dial-peer, it has a Dial-peer group 100 assigned.

The Dial-peer group defines the outbound dial-peer(s) to take, without the need for going through the outbound dial-peer matching mechanism.

But since you need a matching mechanism statement, to bring the dial-peer in operation mode up/up, you need to configure any command (usually the destination-pattern command). Without any statement, the dial-peer would remain in mode down/down and therefore couldn't be used for call routing.

And because, as written, no outbound dial-peer matching mechanism takes place, you can write any pattern that you want in the destination-pattern command.

b.winter
VIP

Hi,

 

you are missing your tenant 200 in the dial-peer 200201.

Also, please share the output of the following debugs / show commands, while capturing a registration process.

show sip-ua register status

debug ccsip non-call

debug ccsip messages

 

If you don't see any SIP messages, then probably the TLS connection towards Webex cannot be established in the first place.

This can either be a FW in the middle that's blocking something, or a misconfig on the CUBE.

Check the command show sip-ua connections tcp tls detail for more info on this, or do a debug ccsip all to troubleshoot this problem.

Vaijanath Sonvane
VIP Alumni

Hi @Luis2,

I have found the configuration discrepancies below in your configuration:

1. Make sure you have the complete list of trusted IP addresses below under voice service voip:

voice service voip
ip address trusted list
ipv4 85.119.56.128 255.255.255.192
ipv4 85.119.57.128 255.255.255.192
ipv4 185.115.196.0 255.255.255.128
ipv4 185.115.197.0 255.255.255.128
ipv4 128.177.14.0 255.255.255.128
ipv4 128.177.36.0 255.255.255.192
ipv4 135.84.169.0 255.255.255.128
ipv4 135.84.170.0 255.255.255.128
ipv4 135.84.171.0 255.255.255.128
ipv4 135.84.172.0 255.255.255.192
ipv4 199.59.64.0 255.255.255.128
ipv4 199.59.65.0 255.255.255.128
ipv4 199.59.66.0 255.255.255.128
ipv4 199.59.67.0 255.255.255.128
ipv4 199.59.70.0 255.255.255.128
ipv4 199.59.71.0 255.255.255.128
ipv4 135.84.172.0 255.255.255.128
ipv4 135.84.173.0 255.255.255.128
ipv4 135.84.174.0 255.255.255.128
ipv4 199.19.197.0 255.255.255.0
ipv4 199.19.199.0 255.255.255.0
ipv4 139.177.64.0 255.255.255.0
ipv4 139.177.65.0 255.255.255.0
ipv4 139.177.66.0 255.255.255.0
ipv4 139.177.67.0 255.255.255.0
ipv4 139.177.68.0 255.255.255.0
ipv4 139.177.69.0 255.255.255.0
ipv4 139.177.70.0 255.255.255.0
ipv4 139.177.71.0 255.255.255.0
ipv4 139.177.72.0 255.255.255.0
ipv4 139.177.73.0 255.255.255.0

 

2. Make sure that the media and control source-interface configured under voice class tenant 100 and 300 are correct. In your configuration these are configured with GigabitEthernet0/0/1. But voice class tenant 200 is configured with interface GigabitEthernet0/0/0.

3. The username configured in the three commands below under voice class tenant 200 needs to match. Please see the blue and red highlighted items.

credentials number antel9030_LGU username antel5400_LGU password 6 E\SJLdEPeHDHef[_iVDSOAgCI`bQe[P]`SX` realm BroadWorks
authentication username Antel5400_LGU password 6 `S[W[JW[asdfa444MgcXMEAcQVJVGf realm BroadWork
authentication username Antel5400_LGU password 6 WFsfsdfsdfQK realm 08135916.us10.bcld.webex.com

 

Hope this will fix your issue.

 

 

Please rate helpful posts and if applicable mark "Accept as a Solution".
Thanks, Vaijanath S.
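
A small offline check for two of the points raised in the replies, the Webex dial-peer with no tenant bound and the differing usernames on the tenant's `credentials` / `authentication` lines (an added example, not part of the original thread and not a Cisco tool). It assumes the config is indented as `show running-config` prints it; the sample config, names and placeholder secrets are constructed.

```python
import re

USER_RE = re.compile(r"^(?:credentials|authentication)\b.*?\busername\s+(\S+)")
TENANT_RE = re.compile(r"^voice-class sip tenant\s+\d+")


def parse_blocks(config: str, header: str) -> dict:
    """Map each top-level line starting with `header` to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # any top-level line opens or closes a block
            current = blocks.setdefault(raw.strip(), []) if raw.startswith(header) else None
        elif current is not None:
            current.append(raw.strip())
    return blocks


def lint_trunk(config: str) -> list:
    """Return findings for username mismatches and unbound sip-server dial-peers."""
    findings = []
    for header, lines in parse_blocks(config, "voice class tenant").items():
        users = {m.group(1) for l in lines if (m := USER_RE.match(l))}
        if len(users) > 1:  # compared byte for byte, so case differences count
            findings.append(f"{header}: usernames differ: {sorted(users)}")
    for header, lines in parse_blocks(config, "dial-peer voice").items():
        bound = any(TENANT_RE.match(l) for l in lines)
        if "session target sip-server" in lines and not bound:
            findings.append(f"{header}: no 'voice-class sip tenant' bound")
    return findings


# Constructed sample reproducing both problems; not the poster's real values.
SAMPLE = """\
voice class tenant 200
 registrar dns:example.invalid scheme sips expires 240 refresh-ratio 50 tcp tls
 credentials number trunk1_LGU username trunk1_LGU password 6 PLACEHOLDER realm BroadWorks
 authentication username Trunk1_LGU password 6 PLACEHOLDER realm BroadWorks
 authentication username Trunk1_LGU password 6 PLACEHOLDER realm example.invalid
!
dial-peer voice 200201 voip
 session protocol sipv2
 session target sip-server
 destination dpg 100
!
dial-peer voice 101 voip
 session target ipv4:192.0.2.10
 voice-class sip tenant 100
!
"""

if __name__ == "__main__":
    print("\n".join(lint_trunk(SAMPLE)))
```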