SIP Trunk Provider says UC520 replying with "500 internal server error" in response to inbound call

Answered Question
Feb 18th, 2009

I am trying to set up a SIP trunk DID. The calls do no go through, when a trace is performed the SIP Trunk Provider says UC520 replying with "500 internal server error" in response to inbound call.

Is this a generic message that has lots of possible sources or can this tell me anything?

thanks

Correct Answer by Marcos Hernandez about 7 years 12 months ago

CCA 1.9 adds a voice source group for security purposes, that makes the UC500 accept calls ONLY from the configured Proxy server under the SIP Trunk tab. This is put in place to avoid toll fraud (by blocking calls from anonymous sources).

The CLI for that voice source group is as follows:

!
voice source-group CCA_SIP_SOURCE_GROUP
access-list 2
translation-profile incoming SIP_Incoming

!

access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit a.b.c.d
access-list 2 deny   any

!

where a.b.c.d is the IP of the proxy.

What was happening here, is that the UC500 was not receiving SIP signaling from that particular IP, but a different one (a 4.x.x.x IP from Level3). this is very common in the SIP world, where ITSP's resell service from wholesale providers.

By adding the 4.x.x.x subnet to the access-list, signalign from that wholesale provider is now allowed:

!

access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit a.b.c.d

access-list 2 permit 4.0.0.0 0.0.0.255
access-list 2 deny   any

!

Adding specific subnets to this "allowed list" via the CCA GUI is an enhancement that we will need to incorporate. I will take this up to my team for consideration. That way, CLI won't be required to fix this rather common situation.

Marcos Hernandez
Technical Marketing Engineer
Cisco Systems, Inc.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
mcastrigno Wed, 02/18/2009 - 14:51

the cli says "SIP Call messages tracing is enabled"

I made a call in (tried to) where is the output of that trace?

thanks

Marcos Hernandez Wed, 02/18/2009 - 15:03

Use this command:

"terminal monitor"

and you will see console output on your Telnet/SSH session. Make sure you have enough buffer space to go back and capture all the messages.

Marcos Hernandez
Technical Marketing Engineer
Cisco Systems, Inc.

mcastrigno Wed, 02/18/2009 - 15:16

figured out the debug - used "terminal monitor."

I have sent you the output as well as the running configuration.

thanks

Correct Answer
Marcos Hernandez Wed, 02/18/2009 - 16:34

CCA 1.9 adds a voice source group for security purposes, that makes the UC500 accept calls ONLY from the configured Proxy server under the SIP Trunk tab. This is put in place to avoid toll fraud (by blocking calls from anonymous sources).

The CLI for that voice source group is as follows:

!
voice source-group CCA_SIP_SOURCE_GROUP
access-list 2
translation-profile incoming SIP_Incoming

!

access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit a.b.c.d
access-list 2 deny   any

!

where a.b.c.d is the IP of the proxy.

What was happening here, is that the UC500 was not receiving SIP signaling from that particular IP, but a different one (a 4.x.x.x IP from Level3). this is very common in the SIP world, where ITSP's resell service from wholesale providers.

By adding the 4.x.x.x subnet to the access-list, signalign from that wholesale provider is now allowed:

!

access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit a.b.c.d

access-list 2 permit 4.0.0.0 0.0.0.255
access-list 2 deny   any

!

Adding specific subnets to this "allowed list" via the CCA GUI is an enhancement that we will need to incorporate. I will take this up to my team for consideration. That way, CLI won't be required to fix this rather common situation.

Marcos Hernandez
Technical Marketing Engineer
Cisco Systems, Inc.

Barry Hunsinger Wed, 06/03/2009 - 14:15

I am having the exact same issue. I am runningcca 2.0. how do I implement this fix?

I'm eperiencing the same problem with not being able to receive calls on a SIP trunk, no problems with outbound. I'm using a UC540 and CCA 2.2 (2). My provider (EtherSpeak) gave me an IP for the SIP proxy server with no other information, user/pass not needed. I've tried everything in this thread with no luck so far, all help would be appreciated.. thanks

I upgraded the UC540 to 8.0(1), and still having the same issue, I can make outbound calls over the SIP trunk, but no incoming.. Like I said previously, I've attempted all the fixes in this thread, but still in the same situation.. I have also configured the UC540 both from CCA 2.2.2, and from the CLI, each time starting from a default configuration, same results each time..

Maulik Shah Wed, 03/24/2010 - 17:02

Please gather the logs as identified in section 1 on link below and post to the thread - be sure to mask any passwords or other sensitive information (pvt msg if you do not want to post this)

https://supportforums.cisco.com/docs/DOC-9830

Minor note - maybe best to start a new thread on this topic so as to not confuse with the original poster's question

mcastrigno Wed, 03/24/2010 - 18:24

Maulik,

I am the orignal poster and appreciate that this thread has been expanded.

I am very interested is learning this persons resolution as it is very common that users have only this message from ISPs to work with.

I look forward to reading your responses to his logs and config.

Thank you,

mcastrigno

This issue has been RESOLVED, the problem was on the ITSP side, they gave me the wrong DID.. However, while trying to troubleshoot this I reset the UC540 to default, and rebuilt using the CLI instead of CCA 2.2.2, and at this point I don't have any access-lists in place. I'm going to save this config and start from default again and build with CCA to see if I get the same results.. Thanks to folks who offered suggestions.

Barry

Actions

This Discussion

Related Content