You have sip-server defined as 58.96.1.2:5060 so all calls to 'sip-server' will go there.

Your better bet is to configure your dial-peers to ipv4: instead of using sip-server when you have multiple registrar servers.

I've tried that also but I had no luck with it but perhaps I have missed something...

If I define it in the dial-peer how would the unit know how to authenticate with that particular ipv4 address and what credentials to use? If there would be any way to define in the dial-peer authertication to the ipv4 address I think that would work.

Any suggestions?

Have you read this document?

http://www.cisco.com/en/US/docs/ios/voice/sip/configuration/guide/sip_cg-multi-registrars_ps10592_TSD_Products_Configuration_Guide_Chapter.html

Determination of Authentication Details

When a SIP INVITE or SIP REGISTER request is challenged, the username and password details for authentication are determined in the following order:

Note     Configuring more than one username is not supported—you must remove any currently configured username before configuring a new username.

     1.     If the realm specified in the challenge matches the realm in the authentication configuration for a POTS dial peer, the system uses the corresponding username and password.

     2.     If the realm specified in the challenge doesn't match the configured authentication for the POTS dial peer, then it will check for credentials configured for SIP UA.

     3.     If the realm specified in the challenge does not match the realm configured for credentials, then it will check for authentication configurations for SIP UA.

     4.     If the system does not find a matching authentication or credential for the received realm, then the request is terminated.

     5.     If there is no realm specified for the authentication configuration, then the system uses the username received from the challenge to build the response message.

Do you see the router attempting a re-invite after the 401 unauthorized?  Does the 401 have a realm which matches you've got configured for that authentication?  Read that document, and then its time to do some SIP debugging.

Steven, thank you for your prompt reply.

I have looked at the document and the good information you have provided but I would like to confirm something. The document talks about defining credentials under POTS but because I try to sent the call through voip only this will have no effect correct?

I have modified the setup as such that the dial-peer voice now has session target se to dns:sip.802.cz

Because the realm of the provider is only 802.cz I suppose the match won't ever be found and all will default to authentication defined under sip-ua.

Here is the current setup and I have also attached degug of the call where origin number (my number was 910...) and the number at the destination was 597...

dial-peer voice 1063 voip
description **CCA*Australia*Czech Numbers**
translation-profile outgoing PSTN_Outgoing
preference 1
destination-pattern 059[5-7]......
session protocol sipv2
session target dns:sip.802.cz
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
dtmf-relay rtp-nte
ip qos dscp cs5 media
ip qos dscp cs4 signaling
no vad

sip-ua
credentials username 02800xxxxx password 7 xxxxxxxxxxxx realm 58.96.1.2
credentials username 6128090xxxx password 7 xxxxxxxxxxx realm sip.microelmark.com.au
credentials username 91080xxxxxx password 7 xxxxxxxxxxxxx realm 802.cz
credentials username 02820xxxxx password 7 xxxxxxxxxxxx realm 58.96.1.2
authentication username 02800xxxx password 7 xxxxxxxxxxxxxxxx
no remote-party-id
retry invite 2
retry register 10
timers connect 100
registrar 1 ipv4:58.96.1.2:5060 expires 240
registrar 2 dns:sip.802.cz expires 240
registrar 3 dns:sip.microelmark.com.au expires 240
sip-server ipv4:58.96.1.2:5060
host-registrar

Marek,

You see the 407 come back from the ITSP with this realm:

Proxy-Authenticate: Digest realm="802.cz", nonce="4cacf27900014869da003628ac882272928567ee463b61d4"

But the router is using these authentication credentials for a response:
Proxy-Authorization: Digest username="0280080090",realm="802.cz",uri="sip:597431212@sip.802.cz:5060",response="d7d3d4a49517dfc2298bee55f1c1b837",nonce="4cacf27900014869da003628ac882272928567ee463b61d4",algorithm=md5

I think that is because that username is configured as an auth credential without a realm defined.  Can you try removing that line 'authentication username 02800xxxx password 7 xxxxxxxxxxxxxxxx'?

Once that line is gone, since the 407 has the realm 802.cz, it should authenticate off of the credentials found under the realm here:

credentials username 91080xxxxxx password 7 xxxxxxxxxxxxx realm 802.cz

If you still have issues, post new SIP debugs, and current config and version and I'll investigate further.

Steven,

I have tried that but as soon as I remove the authentication I can't maky any calls including calls to the dial-peer voice 1058 which is to call local numbers. I have even modified this dial-peer to session target ipv4:58.96.1.2 which is the correct ip for the local call ITSP registrar but still no luck.

I have attached config and traces for both, the local ITSP and Czech ITSP providers.

dial-peer voice 1058 voip
corlist outgoing call-national
description **CCA*Australia*NSW Numbers**
translation-profile outgoing PSTN_Outgoing
preference 1
destination-pattern 002........
session protocol sipv2
session target ipv4:58.96.1.2
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
dtmf-relay rtp-nte
ip qos dscp cs5 media
ip qos dscp cs4 signaling
no vad

dial-peer voice 1061 voip
description **CCA*Australia*Czech Numbers**
translation-profile outgoing PSTN_Outgoing
preference 1
destination-pattern 059[5-7]......
session protocol sipv2
session target dns:802.cz
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
dtmf-relay rtp-nte
ip qos dscp cs5 media
ip qos dscp cs4 signaling
no vad

sip-ua
credentials username 0280080090 password 7 012637320826252476786F realm 58.96.1.2
credentials username 61280903590 password 7 0317420F080A381E1E5849 realm sip.microelmark.com.au
credentials username 910806353 password 7 044812020124551C594855 realm 802.cz
credentials username 0282058458 password 7 005534525C0353365C realm 58.96.1.2
no remote-party-id
retry invite 2
retry register 10
timers connect 100
registrar 1 ipv4:58.96.1.2:5060 expires 240
registrar 2 dns:sip.802.cz expires 240
registrar 3 dns:sip.microelmark.com.au expires 240
sip-server ipv4:58.96.1.2:5060
host-registrar

I have been trying this also, but as I understand, where the ITSP requires each SIP trunk to provide digest authentication, this can't be done.

My client has 2 lines from their ITSP, however both require authentication, so as far as I understand, this cannot be done. I can only register and authenticate their main line.

I am thinking of putting in a workaround by using a SPA ATA to register the second line and connecting via analogue... It is rather unfortunate that UC500/CME is not up to this task.

Dear Cisco, not all clients have high-end multi-line SIP trunks with single authentication in a SBCS environment. Please look into it as a feature request!

Scott,

Thank you for your input. So far I'm also leaning towards to the conclusion that it can't be done but still hoping that Steve can get it investigated and let us know if this will be added in any future releases as it is important part of the least cost routing feature which otherwise doesn't work.

The way I have set the system up now is same as you are thinking. All outgoing calls to the secondary provider I'm sending out through PSTN port where I have ATA that isn't normally registered to the ITSP and makes SIP calls without requiring registration. This way all the incoming calls are still coming directly to the UC500 but all outgoing are going through PSTN.

The downside of the solution is the capacity that would be limited by the number of ATA's attached, which isn't really viable option for large deployment.

The disappointment really is that this system replaced SPA9000 Linksys system that did not have any problem with this functionality but this new whiz-bang system can’t do it. Well let’s be fair, there is much more functionality in the UC500 system so the pros overweigh the cons but if we wouldn’t find workable solution it wouldn’t be good.

Could Cisco please give us some sort of closure to this issue and let us know if there is a plan on including it in future build if it can't be done in the current release?

I think it's a core CME limitation - rather than specific to UC5x0.

I'm using a SPA2102 which handles two lines and registrations/authentications just nicely. Intersting that a $50 product can do this but thousands of dollars worth of gear cannot...

My only problem is, I need this for another client but they've got the BRI version - so no FXOs unfortunately - and hardly worth purchasing an FXO card when this will hopefully be fixed in future CME software upgrades.  I wonder if the FXS/DID ports could be configured to do this?

Regardless, we need multiple SIP authentications in CME please Cisco!

I finally got this to work.  I did have to use username authentication for one ITSP (BabyTEL) and IP authentication for the second ITSP (Skype). I still have not got it to work with two ITSP's using username authentication.  Although, at least now it allows two usernames authentication lines whereas before it did not.  So it either works now or seems like it will be in soon-to-be future release.

Direct from the config document: http://www.cisco.com/en/US/docs/ios/voice/sip/configuration/guide/sip_cg-multi-registrars.html

Configuring more than one username is not supported—you must remove any currently configured username before configuring a new username.

Why on earth would you have the same username with two ITSPs? This is especially odd considering the username is the DID number in most cases.

I have a situation where the multiple SIP trunks are from the same provider - nice and easy to configure you might think, however they both require username authentication which means I can only register one at a time.

Unfortunately IP based authentication isn't an option in my case. Glad you got it to work though.

I don't -- that was the point in the early posts.  The whole issue started with wanting to register two different ITSP's with username authentication that also didn't have the same username.

We are in the same boat then... let's grumble in unison

Instead of 'grumbling,' I urge all of you that would like to see this feature to be proactive about it, so that the right people see that this is an important feature to have.

Anyone looking for this feature should talk to their account team and have them file a product enhancement request (PERS) for this, so that it gets tracked and tied to business cases.  That is the way you can drive new features in products into the business unit.

I thought there was a section on CSC somewhere for feature requests with SBCS products (heard this in a meeting yesterday), but I haven't been able to find it yet.  If anyone knows where that is, that could also be an approriate channel for this.