Failing to SRST mode without shutting CCM service

Unanswered Question
Dec 17th, 2008

I am trying to test out SRST mode for one site without shutting ccm service.

I got hold of this ACL.

access-list 111 deny tcp host eq 2000

access-list 111 deny tcp host eq 2428

access-list 111 deny udp host eq 2427

access-list 111 permit ip any any

where is ccm and is router ip addr.

The issue is when I apply this acl and check sh ccm fallback, the router does not fail to srst mode.

I believe their remote site has

data----voice gtw--phone

voice gtw has 2 FE connections and is ip of voice gtw towards data router.

Do you think this acl will work?

david-lima Wed, 12/17/2008 - 10:48

Hi, try to shut down the port where the CCM is connected or create an ACL like: access-list 111 deny tcp IPT-Network host CUCM eq 2000

When the IP phones (not GW) lose 3 keepalives with the CCM, they try to register with the local gateway that is configured for SRST mode. When the WAN link is restored, the IP Phones are able to re-establish a TCP connection with the CCM.

Best regards


allan.thomas Wed, 12/17/2008 - 14:30

The simplest option to ensure that CUCM traffic is blocked would be to restrict the CallManager host completely:

ip access-list extended Block-CCM

deny ip host any

permit ip any any

Apply the ACL to the inbound interface on the Voice gateway from the Data router, if you believe this is the route towards CallManager?

When you apply the ACL you should see that the Callmanager Agent status is down when you do a 'show ccm-manager'

Hope this helps

Allan.

Wed, 12/17/2008 - 23:38

You should implement ACL on two sides of the WAN.


Because ACLs filter traffic that passes THROUGH the gateway, but they don't block the gateway's access to the CCM.

I tested SRST with an ACL like yours, and in this mode the most you can get is to register phones on the gateway, but the gateway will still be working in normal mode.

You can also make a static route to test SRST.

mikram Thu, 12/18/2008 - 03:45


You could also use a static host route pointing to bin instead of shutting down CCM Service.

ip route null 0

works fine for me.



kadambari.beelw... Thu, 12/18/2008 - 08:30

I tried several ACLs without any luck.

This is their network

MPLS circuit--0/46--switch1-0/47-data-voicegtw





Does anyone have a recommendation on how to block the ccm access from voicegtw?

