Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco VCS Alarm - Call license limit reached

I got some alarms on VCS-E and i dont know how to troubleshoot those alarms. Following are some alarms that i recieved :

 

1. Call license limit reached

2.Capacity warning

 

Please tell me if there is any way to troubleshoot these alarms or how can I clear off these alarms.

Some call got rejected because of these alarma also. Below is the log status for the calls which are dicsonnected.

 

 

 

 

18 REPLIES
VIP Purple

You're image isn't appearing

You can first by checking your Call History on the VCS, see if there are a lot of calls incoming and outgoing around the same time frame overlapping.  Both of the alarms are related, meaning that you've reached the maximum number of calls the VCS can have.

What is the number of Traversal and Non-Traversal call licenses on your VCS?  Together, that is the total number of calls you can have at any one time.

Also, the image you attached isn't appearing by the way.

New Member

Hi Patrick I am unable to see

Hi Patrick

 

I am unable to see your reply, but only one thing. That IP belongs to our VCS.

 

Please tell me if there is anything we can do and please let me know how to create call pilocy for a SIP address.

 

Thanks

VIP Purple

No worries, after I made that

No worries, after I made that comment I did some testing with my lab VCS and a CPL script and I just edited that reply since they were a few minutes apart and uploaded a CPL script for you, see my last reply in this discussion below.

New Member

I am unable to see that

I am unable to see that script. Can you Please upload that script again.

 

And also please tell me how to use that script to overcome this problem.

 

Thanks in advance.

VIP Purple

Its at the very bottom of

Its at the very bottom of this discussion, scroll all the way down or click here to be taken directly to it, directions are there in that reply.

New Member

Hi Patrick, like I said

Hi Patrick, like I said earlier I am unable to check your reply. Please find attatched the image how it look like.

 

So can you please reply me again but not under this comment. Please add a new reply yo my post.

VIP Purple

Oh wow, that's interesting,

Oh wow, that's interesting, looks like the forums don't like what you're trying to view it on.

Here is the CPL, copy and paste it into notepad and save it as an XML file.

<cpl xmlns="urn:ietf:params:xml:ns:cpl"
    xmlns:taa="http://www.tandberg.net/cpl-extensions"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:ietf:params:xml:ns:cpl
    cpl.xsd">
<taa:routed>
  <taa:rule-switch>
    <taa:rule origin="100@VCS_IP" destination=".*">
      <reject status="404" reason="Denied by policy"/>
    </taa:rule>
    <taa:rule unauthenticated-origin="100@VCS_IP" destination=".*">
      <reject status="404" reason="Denied by policy"/>
    </taa:rule>
  </taa:rule-switch>
</taa:routed>
</cpl>

New Member

Hi PatrickI ams till unable

Hi Patrick

I ams till unable to see your reply there. Anyways I got one more issue today and this time i think the protocol used was H323 but not SIP. The call was established but there was no video, the screen was all black. And when i checked the logs, it was showing Destination Not Reachable. Can you please tell me if we can do anything on VCS or Tandberg to resolve the issue. Please find the image for your reference.

 

VIP Purple

I've never seen "No route to

I've never seen "No route to destination - Unreachable destination" before, but I suggest you open a new discussion to troubleshoot it, so it doesn't get mixed up or lost in this one.  Provide as much information as possible, such as search history, and how the endpoints are configured etc.

Send me a private message here in the forums with your email, and I'll send you the CPL file.

 

EDIT:

A quick search of the forums turned up this comment.

The 'Unreachable destination' reason indicates a network/firewall issue, so I would check if any H323/SIP ALG/inspection is available and enabled in the firewall that you are using.

Might be worth a check to see if the ports are open on the endpoint's firewall, and/or if NAT is configured, if it's set correct.  However, as I mentioned, it would be best to open another discussion to look further into this new issue to separate it from the current topic.

 

New Member

Ok. Thanks for your reply.

Ok. Thanks for your reply.

But there is no Private message option on your profile.

VIP Purple

Eh, oh well.  What's your

Eh, oh well.  What's your email?

 

EDIT:

I see the message option when viewing my profile, so I'm guessing it has to be sent from within our own profile (the message tab is not viewable by others, only yourself).  Though you'd think there would be an option in anyone's profile to send a message to that person instead of having to go through your own profile to send it.  Learn something new everyday.  :)

New Member

My email ID id online

VIP Green

In addition to what Patrick

In addition to what Patrick has said, to have a look at which licences you're running out of, you can have a look at the Status > Overview screen in the web interface of the VCS.  This will show you the number of licences installed (licence limit) and the peak number used.

Fom those numbers, you should be able to quickly see which ones you're running out of at times (Traversal, or Non-Traversal) - but being a VCS-Expressway, it's likely to be the Traversal licences.

As Patrick has also said, your screenshot of your call log didn't work, so we're unable to see what's there.  It's also possible that, depending on your configuration and firewall setup, you're being probed by a SIPVicious scan or something similar which could be using up your licence pool.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.
New Member

Hi Wayne/PatrickI checked the

Hi Wayne/Patrick

I checked the Overview status . The "Call license limit reached" is related to Traversal calls and the limit is 5.  Please find attached the image of the Event Logs for your reference and please tell me if there is anything suspicious.

 

Thanks

VIP Purple

All the 100@ calls are the

All the 100@ calls are the result of you getting scanned, such as what Wayne mentions in his post above (SIPVicious), and those call attempts are them trying to exploit possible PSTN trunks.  If you don't use a PSTN gateway in your environment connected to your VCS, you can turn off UDP on the VCS.  One other solution is to create a CPL, call policy, that can block those incoming call attempt.

VIP Green

Yes, as Patrick has said, and

Yes, as Patrick has said, and as per the link in my previous post (this one), you're getting scanned by SIPVicious or something similar.

As suggested, you can turn off SIP UDP Mode - see Page 445 of the VCS Administrator Guide.

There's some CPL examples for blocking similar traffic in this old thread: https://supportforums.cisco.com/discussion/11234081/calls-asteriskdifferent-ip-addresses

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.
New Member

Thanks for your reply again.I

Thanks for your reply again.

I will create a call policy as you said but for call policy i need to mention some destination pattern. Can you please telll me how can we create a call policy in this case as we are getting calls from some SIP ID's.

 

I am very new to this stuff so please dont mind my stupid questions.

 

Thanks

VIP Purple

159.108.1.120 from the

The attached a CPL script, which is an XML file, that should work.  You need to open up the XML file, look for 100@VCS_IP, and change VCS_IP to be the address of your VCS that the calls are coming in on.  Once done you can upload it to your VCS by going to Configuration > Call Policy > Configuration, and browse to the CPL script and upload it.  Remember to set call policy mode to use "Local CPL".

You can test to make sure it works by going to Maintenance > Tools > Locate.  I based the CPL to block all call attempts on 100@vcs_ip, where vcs_ip is the IP address you change to that is in use on your VCS.  I tested it against my lab VCS it stopped the search attempt before it reached the search rules, and uses up a call license.

Suggest you also disable UDP on your VCS if you don't need it, that is what all these scans are using.  It's disabled by default whenever a VCS is installed anyway, so it won't harm anything, unless you need it turned on for something specific.

1143
Views
0
Helpful
18
Replies