Local Gateway configuration task flow

There are two options to configure the Local Gateway for your Webex Calling trunk:

  • Registration-based trunk

  • Certificate-based trunk

Use the task flow under either the Registration-based Local Gateway or the Certificate-based Local Gateway to configure Local Gateway for your Webex Calling trunk. See Configure trunks, route groups, and dial plans for Webex Calling for more information on different trunk types. Perform the following steps on the Local Gateway itself, using the Command Line Interface (CLI). We use Session Initiation Protocol (SIP) and Transport Layer Security (TLS) transport to secure the trunk and Secure Real-time Transport Protocol (SRTP) to secure the media between the Local Gateway and Webex Calling.

Before you begin

  • Understand the premises-based Public Switched Telephone Network (PSTN) and Local Gateway (LGW) requirements for Webex Calling. See Cisco Preferred Architecture for Webex Calling for more information.

  • This article assumes that a dedicated Local Gateway platform is in place with no existing voice configuration. If you modify an existing PSTN gateway or Local Gateway enterprise deployment to use as the Local Gateway function for Webex Calling, then pay careful attention to the configuration. Ensure that you do not interrupt the existing call flows and functionality because of the changes that you make.

  • Create a trunk in Control Hub and assign it to the location. See Configure trunks, route groups, and dial plans for Webex Calling for more information.

Before you begin

  • Ensure that the following baseline platform configuration is set up according to your organization's policies and procedures:

    • NTPs

    • ACLs

    • enable passwords

    • primary password

    • IP routing

    • IP Addresses, and so on

  • You require a minimum supported release of Cisco IOS XE 16.12 or IOS-XE 17.3 for all Local Gateway deployments.

1

Ensure that any Layer 3 interfaces you assign have valid and routable IP addresses:

interface GigabitEthernet0/0/0
description Interface facing PSTN and/or CUCM
ip address 192.168.80.14 255.255.255.0
!
interface GigabitEthernet0/0/1
description Interface facing Webex Calling
ip address 192.168.43.197 255.255.255.0
2

Preconfigure a primary key for the password using the following commands, before you use it in the credentials and shared secrets. Type 6 passwords are encrypted using the AES cipher and the user-defined primary key.

conf t
key config-key password-encrypt Password123
password encryption aes
3

Configure IP name server to enable DNS lookup and ping to ensure that server is reachable. The Local Gateway uses DNS to resolve Webex Calling proxy addresses:

conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ip name-server 8.8.8.8
end
4

Enable TLS 1.2 Exclusivity and a default placeholder trustpoint:

  1. Create a placeholder PKI trustpoint and call it sampleTP.

  2. Assign the trustpoint as the default signaling trustpoint under sip-ua.


     
    • cn-san-validate server ensures that the Local Gateway establishes the connection only if the outbound proxy that you configure on tenant 200 (described later) matches the CN-SAN list that you receive from the server.

    • You require the crypto trustpoint for TLS to work, although you do not require a local client certificate (for example, mTLS) to be set up for the connection.

  3. Enable v1.2 exclusivity to disable TLS v1.0 and v1.1.

  4. Set tcp-retry count to 1000 (5-msec multiples = 5 seconds).

  5. Set timers connection to establish TLS <wait-timer in sec>. The range is 5–20 seconds and the default is 20 seconds. (The LGW takes 20 seconds to detect a TLS connection failure before it attempts to establish a connection to the next available Webex Calling access SBC. The CLI allows the admin to change the value to accommodate network conditions and detect connection failures with the access SBC much faster.)


     

    Applicable to Cisco IOS XE 17.3.2 and later versions.

configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
crypto pki trustpoint sampleTP
revocation-check crl
exit

sip-ua
crypto signaling default trustpoint sampleTP cn-san-validate server
transport tcp tls v1.2
tcp-retry 1000
end
5

Update the Local Gateway trust pool:

The default trustpool bundle does not include the "DigiCert Root CA" or "IdenTrust Commercial" certificates that you need for validating the server-side certificate during TLS connection establishment to Webex Calling.

Download the latest “Cisco Trusted Core Root Bundle” from http://www.cisco.com/security/pki/ to update the trustpool bundle.

  1. Check if the DigiCert Root CA and IdenTrust Commercial certificates exist:

    show crypto pki trustpool | include DigiCert
  2. If the DigiCert Root CA and IdenTrust Commercial certificates don't exist, update as follows:

    configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    crypto pki trustpool import clean url http://www.cisco.com/security/pki/trs/ios_core.p7b
    Reading file from http://www.cisco.com/security/pki/trs/ios_core.p7b
    Loading http://www.cisco.com/security/pki/trs/ios_core.p7b 
    % PEM files import succeeded.
    end
    

     

    Alternatively, you can download the certificate bundle and install from a local server or Local Gateway flash memory.

    For example:

    crypto pki trustpool import clean url flash:ios_core.p7b
  3. Verify:

    show crypto pki trustpool | include DigiCert
    cn=DigiCert Global Root CA
    o=DigiCert Inc
    cn=DigiCert Global Root CA
    o=DigiCert Inc
    
    show crypto pki trustpool | include IdenTrust Commercial
    cn=IdenTrust Commercial Root CA 1
    cn=IdenTrust Commercial Root CA 1
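
The settings from steps 2 and 4 can be checked offline against a saved configuration. The following Python sketch is an added example, not Cisco tooling and not part of the original article; the indented sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample (not from a real device): the step 2 and step 4 baseline
# as a saved configuration, plus one secret left as type 0 (cleartext).
SAMPLE_CONFIG = """\
password encryption aes
!
crypto pki trustpoint sampleTP
 revocation-check crl
!
voice service voip
 stun
  stun flowdata shared-secret 0 EXAMPLE-SECRET
!
sip-ua
 crypto signaling default trustpoint sampleTP cn-san-validate server
 transport tcp tls v1.2
 tcp-retry 1000
"""

SIGNALING = "crypto signaling default trustpoint "


def parse_blocks(config_text):
    """Map each top-level line to the (stripped) lines indented beneath it."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            current = raw.rstrip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def audit_baseline(config_text):
    """Return a list of findings; an empty list means the baseline matches."""
    blocks = parse_blocks(config_text)
    findings = []

    # Step 2: AES (Type 6) encryption of stored secrets.
    if "password encryption aes" not in blocks:
        findings.append("password encryption aes is not configured")
    for number, line in enumerate(config_text.splitlines(), 1):
        hit = re.search(r"\b(password|shared-secret) 0 \S", line)
        if hit:
            # Report the keyword and line number only, never the secret itself.
            findings.append(f"line {number}: {hit.group(1)} stored as type 0")

    # Step 4: TLS 1.2 only, server CN/SAN validation, CRL checking.
    sip_ua = blocks.get("sip-ua", [])
    if "transport tcp tls v1.2" not in sip_ua:
        findings.append("sip-ua: transport tcp tls v1.2 is not set")
    signaling = [line for line in sip_ua if line.startswith(SIGNALING)]
    if not signaling:
        findings.append("sip-ua: no default signaling trustpoint")
        return findings
    fields = signaling[0].split()
    if fields[5:] != ["cn-san-validate", "server"]:
        findings.append("sip-ua: cn-san-validate server is not set")
    trustpoint = blocks.get(f"crypto pki trustpoint {fields[4]}")
    if trustpoint is None:
        findings.append(f"trustpoint {fields[4]} is not defined")
    elif "revocation-check crl" not in trustpoint:
        findings.append(f"trustpoint {fields[4]}: revocation-check crl is not set")
    return findings


if __name__ == "__main__":
    for finding in audit_baseline(SAMPLE_CONFIG):
        print(finding)
```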

Before you begin

Ensure that you complete the steps in Control Hub to create a location and add a trunk for that location. In the following example, you obtain the information from Control Hub.

1

Enter the following commands to turn on the Local Gateway application (see the Port Reference Information for Cisco Webex Calling for the latest IP subnets that you must add to the trust list):

configure terminal 
voice service voip
ip address trusted list
ipv4 x.x.x.x y.y.y.y
exit
allow-connections sip to sip
media statistics
media bulk-stats
no supplementary-service sip refer
no supplementary-service sip handle-replaces
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
stun
stun flowdata agent-id 1 boot-count 4
stun flowdata shared-secret 0 Password123$
sip
g729 annexb-all
early-offer forced
end

Here's an explanation of the fields for the configuration:

Toll-fraud prevention
voice service voip
ip address trusted list
ipv4 x.x.x.x y.y.y.y
  • Enables the source IP addresses of entities from which the Local Gateway expects legitimate VoIP calls, such as Webex Calling peers, Unified CM nodes, and IP PSTN.

  • By default, LGW blocks all incoming VoIP call setups from IP addresses not in its trusted list. IP Addresses from dial-peers with “session target IP” or server group are trusted by default, and you need not populate here.

  • IP addresses in the list must match the IP subnets according to the regional Webex Calling data center that you connect. For more information, see Port Reference Information for Webex Calling.


     

    If your LGW is behind a firewall with restricted cone NAT, you may prefer to disable the IP address trusted list on the Webex Calling-facing interface. The firewall already protects you from unsolicited inbound VoIP. Disabling the list reduces your longer-term configuration overhead, because we cannot guarantee that the addresses of the Webex Calling peers remain fixed, and you must configure your firewall for the peers in any case.

  • Configure other IP addresses on other interfaces; for example, ensure that you add the Unified CM addresses to the inward-facing interfaces.

  • IP addresses must match the host IPs that the outbound-proxy in tenant 200 resolves to.

  • See https://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html for more information.

Media
voice service voip
 media statistics 
 media bulk-stats 
SIP-to-SIP basic functionality
allow-connections sip to sip
Supplementary services
no supplementary-service sip refer
no supplementary-service sip handle-replaces

Disables REFER and replaces the dialog ID in replaces header with the peer dialog ID.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr4/vcr4-cr-book/vcr-s12.html#wp2876138889 for more information.

Fax protocol
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none

Enables T.38 for fax transport, though the fax traffic will not be encrypted.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-f1.html#wp3472350152 for more information.
Enable global stun
stun
stun flowdata agent-id 1 boot-count 4
stun flowdata shared-secret 0 Password123$
  • When you forward a call to a Webex Calling user (for example, both the called and calling parties are Webex Calling subscribers and if you anchor media at the Webex Calling SBC), then the media cannot flow to the Local Gateway as the pinhole isn't open.

  • The stun bindings feature on the Local Gateway allows locally generated stun requests to send over the negotiated media path. The stun helps to open the pinhole in the firewall.

  • Stun password is a prerequisite for the Local Gateway to send stun messages out. You can configure Cisco IOS/IOS XE-based firewalls to check for this password and open pinholes dynamically (for example, without explicit in-out rules). But for the Local Gateway deployment, you configure the firewall statically to open pinholes in and out based on the Webex Calling SBC subnets. As such, the firewall must treat this as any inbound UDP packet, which triggers the pinhole opening without explicitly looking at the packet contents.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v2.html#wp1961799183 for more information.
G729
sip
g729 annexb-all

Allows all variants of G729.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp3562947976 for more information.
SIP
early-offer forced

Forces the Local Gateway to send the SDP information in the initial INVITE message instead of waiting for acknowledgment from the neighboring peer.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-e1.html#wp3350229210 for more information.
2

Configure “SIP Profile 200.”

voice class sip-profiles 200
rule 9 request ANY sip-header SIP-Req-URI modify "sips:(.*)" "sip:\1"
rule 10 request ANY sip-header To modify "<sips:(.*)" "<sip:\1"
rule 11 request ANY sip-header From modify "<sips:(.*)" "<sip:\1"
rule 12 request ANY sip-header Contact modify "<sips:(.*)>" "<sip:\1;transport=tls>" 
rule 13 response ANY sip-header To modify "<sips:(.*)" "<sip:\1"
rule 14 response ANY sip-header From modify "<sips:(.*)" "<sip:\1"
rule 15 response ANY sip-header Contact modify "<sips:(.*)" "<sip:\1"
rule 20 request ANY sip-header From modify ">" ";otg=hussain2572_lgu>"
rule 30 request ANY sip-header P-Asserted-Identity modify "sips:(.*)" "sip:\1"

Here's an explanation of the fields for the configuration:

  • rule 9

    Ensure that you list the header as “SIP-Req-URI” and not “SIP-Req-URL”.

    The rule converts between SIP URIs and SIP URLs, because Webex Calling doesn't support SIP URIs in the request/response messages, but needs them for SRV queries, for example: _sips._tcp.<outbound-proxy>.
  • rule 20

    Modifies the From header to include the trunk group OTG/DTG parameter from Control Hub to uniquely identify a Local Gateway site within an enterprise.

  • Applies SIP Profile to voice class tenant 200 (discussed later) for all traffic facing Webex Calling. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp3265081475 for more information.
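
To see what SIP Profile 200 does to a message, the following Python sketch applies the same rules to a constructed REGISTER built from this page's example values. It is an added example, not Cisco code; it assumes rules run in ascending rule number and replace the first match only, and it uses Python regular expressions as a stand-in for the gateway's matcher.

```python
import re

# Rules from "voice class sip-profiles 200" above:
# (rule number, message kind, header, match pattern, replacement)
PROFILE_200 = [
    (9, "request", "SIP-Req-URI", r"sips:(.*)", r"sip:\1"),
    (10, "request", "To", r"<sips:(.*)", r"<sip:\1"),
    (11, "request", "From", r"<sips:(.*)", r"<sip:\1"),
    (12, "request", "Contact", r"<sips:(.*)>", r"<sip:\1;transport=tls>"),
    (13, "response", "To", r"<sips:(.*)", r"<sip:\1"),
    (14, "response", "From", r"<sips:(.*)", r"<sip:\1"),
    (15, "response", "Contact", r"<sips:(.*)", r"<sip:\1"),
    (20, "request", "From", r">", r";otg=hussain2572_lgu>"),
    (30, "request", "P-Asserted-Identity", r"sips:(.*)", r"sip:\1"),
]

# Constructed REGISTER (headers only) using the example values on this page.
SAMPLE_REGISTER = """\
REGISTER sips:40462196.cisco-bcld.com SIP/2.0
Via: SIP/2.0/TLS 192.168.43.197:5061;branch=z9hG4bK-constructed
From: <sips:Hussain6346_LGU@40462196.cisco-bcld.com>;tag=constructed
To: <sips:Hussain6346_LGU@40462196.cisco-bcld.com>
Contact: <sips:Hussain6346_LGU@192.168.43.197:5061>
Call-ID: constructed-call-id
CSeq: 1 REGISTER
"""


def rewrite(name, value, kind, rules):
    """Apply every rule for this message kind and header, in rule order."""
    for _, rule_kind, header, pattern, replacement in sorted(rules):
        if rule_kind == kind and header.lower() == name.lower():
            # Assumption: only the first match in the header is replaced.
            value = re.sub(pattern, replacement, value, count=1)
    return value


def apply_profile(message, rules=PROFILE_200):
    """Return the message lines after the profile has been applied."""
    lines = message.strip().splitlines()
    kind = "response" if lines[0].startswith("SIP/2.0 ") else "request"
    if kind == "request":
        method, uri, version = lines[0].split()
        out = [f"{method} {rewrite('SIP-Req-URI', uri, kind, rules)} {version}"]
    else:
        out = [lines[0]]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        new_value = rewrite(name.strip(), value.strip(), kind, rules)
        out.append(f"{name.strip()}: {new_value}")
    return out


def header_value(lines, name):
    """Return the value of the first header called name, or None."""
    prefix = name.lower() + ":"
    for line in lines[1:]:
        if line.lower().startswith(prefix):
            return line.partition(":")[2].strip()
    return None


if __name__ == "__main__":
    print("\n".join(apply_profile(SAMPLE_REGISTER)))
```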

3

Configure codec profile, stun definition, and SRTP Crypto suite.

voice class codec 99
codec preference 1 g711ulaw
codec preference 2 g711alaw 
exit
voice class srtp-crypto 200
crypto 1 AES_CM_128_HMAC_SHA1_80
exit
voice class stun-usage 200
stun usage firewall-traversal flowdata
stun usage ice lite
exit

Here's an explanation of the fields for the configuration:


 

If you anchor media at the ITSP SBC and the Local Gateway is behind a NAT, then wait for the inbound media stream from ITSP. You can apply the stun command on ITSP-facing dial-peers.


 

You require stun usage ice lite for call flows utilizing media path optimization.

4

Map Control Hub parameters to Local Gateway configuration.

Add Webex Calling as a tenant within the Local Gateway. You require configuration to register the Local Gateway under voice class tenant 200. You must obtain the elements of that configuration from the Trunk Info page from Control Hub as shown in the following image. The following example shows the fields that map to the respective Local Gateway CLI.

Apply tenant 200 to all the Webex Calling facing dial-peers (2xx tag) within the Local Gateway configuration. The voice class tenant feature allows you to group and configure SIP trunk parameters that are otherwise done under voice service VoIP and sip-ua. When you configure a tenant and apply it under a dial-peer, the following order of preference applies to Local Gateway configurations:

  • Dial-peer configuration

  • Tenant configuration

  • Global configuration (voice service VoIP / sip-ua)

5

Configure voice class tenant 200 to enable trunk registration from Local Gateway to Webex Calling based on the parameters you've obtained from Control Hub:


 

The following command line and parameters are examples only. Use the parameters for your own deployment.

voice class tenant 200
  registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls
  credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
  authentication username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
  authentication username Hussain2572_LGU password 0 meX7]~)VmF realm 40462196.cisco-bcld.com
  no remote-party-id
  sip-server dns:40462196.cisco-bcld.com
  connection-reuse
  srtp-crypto 200
  session transport tcp tls 
  url sips 
  error-passthru
  asserted-id pai 
  bind control source-interface GigabitEthernet0/0/1
  bind media source-interface GigabitEthernet0/0/1
  no pass-thru content custom-sdp 
  sip-profiles 200 
  outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com  
  privacy-policy passthru

Here's an explanation of the fields for the configuration:

voice class tenant 200

Enables specific global configurations for multiple tenants on SIP trunks that allow differentiated services for tenants.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp2159082993 for more information.
registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls

Registrar server for the Local Gateway with the registration set to refresh every two minutes (50% of 240 seconds). For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr3/vcr3-cr-book/vcr-r1.html#wp1687622014.

credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks

Credentials for trunk registration challenge. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-c6.html#wp3153621104.

authentication username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
authentication username Hussain2572_LGU password 0 meX7]~)VmF realm 40462196.cisco-bcld.com

Authentication challenge for calls. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-a1.html#wp1551532462.

no remote-party-id

Disables the SIP Remote-Party-ID (RPID) header, as Webex Calling supports PAI, which is enabled using the CLI asserted-id pai. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr3/vcr3-cr-book/vcr-r1.html#wp1580543764 for more information.

sip-server dns:40462196.cisco-bcld.com
Defines the Webex Calling servers. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-a1.html#wp1551532462
connection-reuse

Uses the same persistent connection for registration and call processing.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-c6.html#wp1622025569 for more information.
srtp-crypto 200

Defines voice class srtp-crypto 200 to specify SHA1_80. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp1731779246 for more information.

session transport tcp tls
Sets transport to TLS. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr4/vcr4-cr-book/vcr-s2.html#wp1960850066 for more information.
url sips

SRV query must be SIPs as supported by the access SBC; all other messages are changed to SIP by sip-profile 200.

error-passthru

Specifies SIP error response pass-thru functionality.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-e1.html#wp2069028434 for more information.
asserted-id pai

Turns on PAI processing in Local Gateway. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-a1.html#wp1052365203 for more information.

bind control source-interface GigabitEthernet0/0/1

Configures a source IP address for the signaling source interface facing Webex Calling. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-b1.html#wp2714966862 for more information.

bind media source-interface GigabitEthernet0/0/1

Configures a source IP address for the media source interface facing Webex Calling. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-b1.html#wp2714966862 for more information.

no pass-thru content custom-sdp

Default command under tenant. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr3/vcr3-cr-book/vcr-p1.html#wp1894635288 for more information.

sip-profiles 200

Changes SIPs to SIP and modifies Line/Port for INVITE and REGISTER messages as defined in voice class sip-profiles 200. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp3265081475 for more information.

outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com

Webex Calling access SBC. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr3/vcr3-cr-book/vcr-o1.html#wp3297755699.

privacy-policy passthru

Transparently pass across privacy header values from the incoming to the outgoing leg. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr3/vcr3-cr-book/vcr-p2.html#wp2238903481 for more information.

After you define tenant 200 within the Local Gateway and configure a SIP VoIP dial-peer, the gateway initiates a TLS connection toward Webex Calling, at which point the access SBC presents its certificate to the Local Gateway. The Local Gateway validates the Webex Calling access SBC certificate using the CA root bundle that you updated earlier, and a persistent TLS session is established between the Local Gateway and the Webex Calling access SBC. The Local Gateway then sends a REGISTER to the access SBC, which is challenged. The registration AOR is number@domain. The number is taken from the credentials “number” parameter and the domain from “registrar dns:<fqdn>”. When the registration is challenged:

  • The username, password, and realm parameters from credentials are used to build the header.

  • sip-profile 200 converts the SIPS URL back to SIP.

Registration is successful when you receive 200 OK from the access SBC.

This deployment requires the following configuration on the Local Gateway:

  1. Voice class tenants—You create additional tenants for dial-peers facing ITSP similar to tenant 200 that you create for Webex Calling facing dial-peers.

  2. Voice class URIs—You define patterns for host IP addresses/ports for various trunks terminating on Local Gateway:

    • Webex Calling to LGW

    • PSTN SIP trunk termination on LGW

  3. Outbound dial-peers—You can route outbound call legs from LGW to ITSP SIP trunk and Webex Calling.

  4. Voice class DPG—You can invoke a DPG to target the outbound dial-peers from an inbound dial-peer.

  5. Inbound dial-peers—You can accept inbound call legs from ITSP and Webex Calling.

Use the configurations either for partner-hosted Local Gateway setup, or customer site gateway, as shown in the following image.

1

Configure the following voice class tenants:

  1. Apply voice class tenant 100 to all outbound dial-peers facing IP PSTN.

    voice class tenant 100 
    session transport udp
    url sip
    error-passthru
    bind control source-interface GigabitEthernet0/0/0
    bind media source-interface GigabitEthernet0/0/0
    no pass-thru content custom-sdp
    
  2. Apply voice class tenant 300 to all inbound dial-peers from IP PSTN.

    voice class tenant 300 
    bind control source-interface GigabitEthernet0/0/0
    bind media source-interface GigabitEthernet0/0/0
    no pass-thru content custom-sdp
    
2

Configure the following voice class uri:

  1. Define ITSP’s host IP address:

    voice class uri 100 sip
      host ipv4:192.168.80.13
    
  2. Define pattern to uniquely identify a Local Gateway site within an enterprise based on Control Hub's trunk group OTG or DTG parameter:

    voice class uri 200 sip
     pattern dtg=hussain2572.lgu
    

     

    Local gateway doesn't currently support underscore "_" in the match pattern. As a workaround, we use dot "." (match any) to match the "_".

    Received
    INVITE sip:+16785550123@198.18.1.226:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
    Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1
    pattern :8934
    
3

Configure the following outbound dial peers:

  1. Outbound dial-peer toward IP PSTN:

    dial-peer voice 101 voip 
    description Outgoing dial-peer to IP PSTN
    destination-pattern BAD.BAD
    session protocol sipv2
    session target ipv4:192.168.80.13
    voice-class codec 99
    dtmf-relay rtp-nte
    voice-class sip tenant 100
    no vad

    Here's an explanation of the fields for the configuration:

    dial-peer voice 101 voip
     description Outgoing dial-peer to PSTN
    

    Defines a VoIP dial-peer with a tag of 101 and gives a meaningful description for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    Allows selection of dial-peer 101. However, you invoke this outgoing dial-peer directly from the inbound dial-peer using dpg statements and that bypasses the digit pattern match criteria. You are using an arbitrary pattern based on alphanumeric digits allowed by the destination-pattern CLI.

    session protocol sipv2

    Specifies that dial-peer 101 handles SIP call legs.

    session target ipv4:192.168.80.13

    Indicates the destination’s target IPv4 address to send the call leg. In this case, ITSP’s IP address.

    voice-class codec 99

    Indicates codec preference list 99 to be used for this dial-peer.

    dtmf-relay rtp-nte

    Defines RTP-NTE (RFC2833) as the DTMF capability expected on this call leg.

    voice-class sip tenant 100

    The dial-peer inherits all the parameters from tenant 100 unless that same parameter is defined under the dial-peer itself.

    no vad

    Disables voice activity detection.

  2. Outbound dial-peer toward Webex Calling (You update outbound dial-peer to serve as inbound dial-peer from Webex Calling as well later in the configuration guide).

    dial-peer voice 200201 voip
     description Inbound/Outbound Webex Calling
    destination-pattern BAD.BAD
    session protocol sipv2
    session target sip-server
    voice-class codec 99
    dtmf-relay rtp-nte
    voice-class stun-usage 200
    no voice-class sip localhost
    voice-class sip tenant 200
    srtp
    no vad
    

    Explanation of commands:

    dial-peer voice 200201 voip
    description Inbound/Outbound Webex Calling

    Defines a VoIP dial-peer with a tag of 200201 and gives a meaningful description for ease of management and troubleshooting.

    session target sip-server

    Indicates that the global SIP server is the destination for calls from this dial peer. Webex Calling server that you define in tenant 200 is inherited for dial-peer 200201.

    voice-class stun-usage 200

    Allows locally generated stun requests on the Local Gateway to send over the negotiated media path. Stun helps in opening up the pinhole in the firewall.

    no voice-class sip localhost

    Disables substitution of the DNS local host name in place of the physical IP address in the From, Call-ID, and Remote-Party-ID headers of outgoing messages.

    voice-class sip tenant 200

    The dial-peer inherits all the parameters from tenant 200 (LGW <--> Webex Calling Trunk) unless that same parameter is defined under the dial-peer itself.

    srtp

    Enables SRTP for the call leg.

    no vad

    Disables voice activity detection.

4

Configure the following dial-peer groups (dpg):

  1. Defines dial-peer group 100. Outbound dial-peer 101 is the target for any incoming dial-peer invoking dial-peer group 100. We apply DPG 100 to incoming dial-peer 200201 for Webex Calling --> LGW --> PSTN path.

    voice class dpg 100
    description Incoming WxC(DP200201) to IP PSTN(DP101)
    dial-peer 101 preference 1
    
  2. Define dial-peer group 200 with outbound dial-peer 200201 as the target for PSTN --> LGW --> Webex Calling path. DPG 200 is applied to incoming dial-peer 100 that is defined later.

    voice class dpg 200
    description Incoming IP PSTN(DP100) to Webex Calling(DP200201)
    dial-peer 200201 preference 1
    
5

Configure the following inbound dial-peers:

  1. Inbound dial-peer for incoming IP PSTN call legs:

    dial-peer voice 100 voip
    description Incoming dial-peer from PSTN
    session protocol sipv2
    destination dpg 200
    incoming uri via 100
    voice-class codec 99
    dtmf-relay rtp-nte
    voice-class sip tenant 300
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 100 voip
    description Incoming dial-peer from PSTN

    Defines a VoIP dial-peer with a tag of 100 and gives a meaningful description for ease of management and troubleshooting.

    session protocol sipv2

    Specifies that dial-peer 100 handles SIP call legs.

    incoming uri via 100

    Specifies the voice class uri 100 to match all incoming traffic from IP PSTN to Local Gateway on a VIA header’s host IP address. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-i1.html#wp7490919080 for more information.

    destination dpg 200

    Specifies dial peer group 200 to select an outbound dial peer. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.

    voice-class sip tenant 300

    The dial-peer inherits all the parameters from tenant 300 unless that same parameter is defined under the dial-peer itself.

    no vad

    Disables voice activity detection.

  2. Inbound dial-peer for incoming Webex Calling call legs:

    dial-peer voice 200201 voip
    description Inbound/Outbound Webex Calling
    max-conn 250
    destination dpg 100
    incoming uri request 200
     

    Here's an explanation of the fields for the configuration:

    dial-peer voice 200201 voip
    description Inbound/Outbound Webex Calling

    Updates a VoIP dial-peer with a tag of 200201 and gives a meaningful description for ease of management and troubleshooting.

    incoming uri request 200

    Specifies the voice class uri 200 to match all incoming traffic from Webex Calling to LGW on the unique dtg pattern in the request uri, uniquely identifying the Local Gateway site within an enterprise and in the Webex Calling ecosystem. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-i1.html#wp7490919080 for more information.

    destination dpg 100

    Specifies dial peer group 100 to select an outbound dial peer. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.

    max-conn 250

    Restricts the number of concurrent calls to 250 between the LGW and Webex Calling, assuming a single dial-peer facing Webex Calling for both inbound and outbound calls as defined in this article. For more information on concurrent call limits involving Local Gateway, see https://www.cisco.com/c/dam/en/us/td/docs/solutions/PA/mcp/DEPLOYMENT_CALLING_Unified_CM_to_Webex_Calling.pdf.

PSTN to Webex Calling

Match all incoming IP PSTN call legs on the Local Gateway with dial-peer 100 to define a match criterion for the VIA header with the IP PSTN’s IP address. DPG 200 invokes outgoing dial-peer 200201, that has the Webex Calling server as a target destination.

Webex Calling to PSTN

Match all incoming Webex Calling call legs on the Local Gateway with dial-peer 200201 to define the match criterion for the REQUEST URI header pattern with the trunk group OTG/DTG parameter, unique to this Local Gateway deployment. DPG 100 invokes outgoing dial-peer 101, that has the IP PSTN IP address as a target destination.
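
The two call paths above can be traced with a small model of the matching logic. This Python sketch is an added example and a simplification, not how IOS XE is implemented; it assumes the topmost Via header is the one compared and that the Via match is tried before the request URI match. The first INVITE is the one shown under voice class uri 200; the others are constructed.

```python
import re

# Values copied from the configuration in this section.
URI_CLASSES = {
    100: {"host_ipv4": "192.168.80.13"},        # voice class uri 100 sip
    200: {"pattern": r"dtg=hussain2572.lgu"},   # voice class uri 200 sip
}
INBOUND_DIAL_PEERS = [
    {"tag": 100, "match": ("via", 100), "dpg": 200},         # from IP PSTN
    {"tag": 200201, "match": ("request", 200), "dpg": 100},  # from Webex Calling
]
DPG = {100: [101], 200: [200201]}
OUTBOUND_TARGET = {101: "ipv4:192.168.80.13", 200201: "sip-server"}

# INVITE shown on this page under voice class uri 200.
WEBEX_INVITE = """\
INVITE sip:+16785550123@198.18.1.226:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1
"""

# Constructed INVITE arriving from the ITSP address used in this section.
PSTN_INVITE = """\
INVITE sip:+16785550123@192.168.80.14:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.80.13:5060;branch=z9hG4bK-constructed
"""

# Constructed INVITE from an address (documentation range) in no URI class.
UNKNOWN_INVITE = """\
INVITE sip:+16785550123@192.168.80.14:5060 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK-constructed
"""


def route(invite):
    """Return (inbound dial-peer, outbound dial-peer, target) or None."""
    lines = invite.strip().splitlines()
    request_uri = lines[0].split()[1]
    via = next((l for l in lines[1:] if l.lower().startswith("via:")), "")
    found = re.match(r"via:\s*SIP/2\.0/\w+\s+([^;:\s]+)", via, re.I)
    via_host = found.group(1) if found else None

    for dial_peer in INBOUND_DIAL_PEERS:
        where, class_id = dial_peer["match"]
        uri_class = URI_CLASSES[class_id]
        if where == "via":
            hit = via_host is not None and via_host == uri_class.get("host_ipv4")
        else:
            # The pattern is a regular expression: "." stands in for "_"
            # but also matches any other single character.
            hit = re.search(uri_class["pattern"], request_uri) is not None
        if hit:
            outbound = DPG[dial_peer["dpg"]][0]  # preference 1
            return dial_peer["tag"], outbound, OUTBOUND_TARGET[outbound]
    # No inbound dial-peer in this model matched; what the gateway does
    # next is outside the scope of this example.
    return None


if __name__ == "__main__":
    for name, msg in [("Webex", WEBEX_INVITE), ("PSTN", PSTN_INVITE),
                      ("unknown", UNKNOWN_INVITE)]:
        print(name, route(msg))
```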

This deployment requires the following configuration on the Local Gateway:

  1. Voice class tenants—You create more tenants for dial-peers facing Unified CM and ITSP, similar to tenant 200 that you create for Webex Calling facing dial-peers.

  2. Voice class URIs—You define a pattern for host IP addresses/ports for various trunks terminating on the LGW from:

    • Unified CM to LGW for PSTN destinations

    • Unified CM to LGW for Webex Calling destinations

    • Webex Calling to LGW destinations

    • PSTN SIP trunk termination on LGW

  3. Voice class server-group—You can target IP addresses/ports for outbound trunks from:

    • LGW to Unified CM

    • LGW to Webex Calling

    • LGW to PSTN SIP trunk

  4. Outbound dial-peers—You can route outbound call legs from:

    • LGW to Unified CM

    • ITSP SIP trunk

    • Webex Calling

  5. Voice class DPG—You can invoke a DPG to target outbound dial-peers from an inbound dial-peer.

  6. Inbound dial-peers—You can accept inbound call legs from Unified CM, ITSP, and Webex Calling.

1

Configure the following voice class tenants:

  1. Apply voice class tenant 100 on all outbound dial-peers facing Unified CM and IP PSTN:

    voice class tenant 100 
    session transport udp
    url sip
    error-passthru
    bind control source-interface GigabitEthernet0/0/0
    bind media source-interface GigabitEthernet0/0/0
    no pass-thru content custom-sdp
    
  2. Apply voice class tenant 300 on all inbound dial-peers from Unified CM and IP PSTN:

    voice class tenant 300 
    bind control source-interface GigabitEthernet0/0/0
    bind media source-interface GigabitEthernet0/0/0
    no pass-thru content custom-sdp
    
2

Configure the following voice class uri:

  1. Defines ITSP’s host IP address:

    voice class uri 100 sip
      host ipv4:192.168.80.13
    
  2. Define a pattern to uniquely identify a Local Gateway site within an enterprise based on Control Hub's trunk group OTG/DTG parameter:

    voice class uri 200 sip
    pattern dtg=hussain2572.lgu
    

     

    The Local Gateway doesn't currently support underscore "_" in the match pattern. As a workaround, you use dot "." (match any) to match the "_".

    Received
    INVITE sip:+16785550123@198.18.1.226:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
    Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1
    pattern :8934
    
  3. Defines Unified CM signaling VIA port for the Webex Calling trunk:

    voice class uri 300 sip
    pattern :5065
    
  4. Defines CUCM source signaling IP and VIA port for PSTN trunk:

    voice class uri 302 sip
    pattern 192.168.80.60:5060
    
3

Configure the following voice class server-groups:

  1. Defines Unified CM trunk’s target host IP address and port number for Unified CM group 1 (5 nodes). Unified CM uses port 5065 for inbound traffic on the Webex Calling trunk (Webex Calling <-> LGW --> Unified CM).

    voice class server-group 301
    ipv4 192.168.80.60 port 5065
    
  2. Defines Unified CM trunk’s target host IP address and port number for Unified CM group 2 if applicable:

    voice class server-group 303
    ipv4 192.168.80.60 port 5065
    
  3. Defines Unified CM trunk’s target host IP address for Unified CM group 1 (5 nodes). Unified CM uses default port 5060 for inbound traffic on the PSTN trunk. With no port number specified, default 5060 is used. (PSTN <-> LGW --> Unified CM)

    voice class server-group 305
    ipv4 192.168.80.60
    
  4. Defines Unified CM trunk’s target host IP address for Unified CM group 2, if applicable.

    voice class server-group 307 
    ipv4 192.168.80.60
    
4

Configure the following outbound dial-peers:

  1. Outbound dial-peer toward IP PSTN:

    dial-peer voice 101 voip 
    description Outgoing dial-peer to IP PSTN
    destination-pattern BAD.BAD
    session protocol sipv2
    session target ipv4:192.168.80.13
    voice-class codec 99
    dtmf-relay rtp-nte
    voice-class sip tenant 100
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 101 voip
    description Outgoing dial-peer to IP PSTN

    Defines a VoIP dial-peer with a tag of 101 and gives a meaningful description for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    Allows selection of dial-peer 101. However, you invoke this outgoing dial-peer directly from the inbound dial-peer using dpg statements and that bypasses the digit pattern match criteria. We're using an arbitrary pattern based on alphanumeric digits that are allowed by the destination-pattern CLI.

    session protocol sipv2

    Specifies that dial-peer 101 handles SIP call legs.

    session target ipv4:192.168.80.13

    Indicates the destination’s target IPv4 address to send the call leg. (In this case, ITSP’s IP address.)

    voice-class codec 99

    Indicates codec preference list 99 to be used for this dial-peer.

    voice-class sip tenant 100

    The dial-peer inherits all the parameters from tenant 100 unless that same parameter is defined under the dial-peer itself.

  2. Outbound dial-peer toward Webex Calling (This dial-peer is updated to serve as inbound dial-peer from Webex Calling later in the configuration guide.):

    dial-peer voice 200201 voip
    description Inbound/Outbound Webex Calling
    destination-pattern BAD.BAD
    session protocol sipv2
    session target sip-server
    voice-class codec 99
    dtmf-relay rtp-nte
    voice-class stun-usage 200
    no voice-class sip localhost
    voice-class sip tenant 200
    srtp
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 200201 voip
    description Inbound/Outbound Webex Calling

    Defines a VoIP dial-peer with a tag of 200201 and gives a meaningful description for ease of management and troubleshooting.

    session target sip-server

    Indicates that the global SIP server is the destination for calls from this dial-peer. Webex Calling server that is defined in tenant 200 is inherited for this dial-peer.

    voice-class stun-usage 200

    Allows locally generated STUN requests to be sent over the negotiated media path. STUN helps open the pinhole in the firewall.

    no voice-class sip localhost

    Disables substitution of the DNS local host name in place of the physical IP address in the From, Call-ID, and Remote-Party-ID headers of outgoing messages.

    voice-class sip tenant 200

    The dial-peer inherits all the parameters from tenant 200 (LGW <--> Webex Calling trunk) unless that same parameter is defined under the dial-peer itself.

    srtp

    Enables SRTP for the call leg.

  3. Outbound dial-peer toward Unified CM's Webex Calling trunk:

    dial-peer voice 301 voip
    description Outgoing dial-peer to CUCM-Group-1 for inbound from Webex Calling - Nodes 1 to 5
    destination-pattern BAD.BAD
    session protocol sipv2
    session server-group 301
    voice-class codec 99
    dtmf-relay rtp-nte
    voice-class sip tenant 100
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 301 voip
    description Outgoing dial-peer to CUCM-Group-1 for inbound from Webex Calling - Nodes 1 to 5

    Defines a VoIP dial-peer with a tag of 301 and gives a meaningful description for ease of management and troubleshooting.

    session server-group 301

    Instead of a session target IP in the dial-peer, you point to a destination server group (server-group 301 for dial-peer 301) to define multiple target UCM nodes, though the example shows only a single node.

    Server group in outbound dial-peer

    With multiple dial-peers in the DPG and multiple servers in the dial-peer server group, you can achieve random distribution of calls over all Unified CM call processing subscribers or hunt based on a defined preference. Each server group can have up to five servers (IPv4/v6 with or without port). A second dial-peer and second server group is only required if more than five call processing subscribers are used.

    See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/multiple-server-groups.html for more information.

  4. Second outbound dial-peer toward Unified CM's Webex Calling trunk if you have more than 5 Unified CM nodes:

    dial-peer voice 303 voip
    description Outgoing dial-peer to CUCM-Group-2 for inbound from Webex Calling - Nodes 6 to 10
    destination-pattern BAD.BAD
    session protocol sipv2
    session server-group 303
    voice-class codec 99
    dtmf-relay rtp-nte
    voice-class sip tenant 100
    no vad

  5. Outbound dial-peer toward Unified CM's PSTN trunk:

    dial-peer voice 305 voip
    description Outgoing dial-peer to CUCM-Group-1 for inbound from PSTN - Nodes 1 to 5
    destination-pattern BAD.BAD
    session protocol sipv2
    session server-group 305
    voice-class codec 99 
    dtmf-relay rtp-nte
    voice-class sip tenant 100
    no vad
    
  6. Second outbound dial-peer toward Unified CM’s PSTN trunk if you have more than 5 Unified CM nodes:

    dial-peer voice 307 voip
    description Outgoing dial-peer to CUCM-Group-2 for inbound from PSTN - Nodes 6 to 10
    destination-pattern BAD.BAD
    session protocol sipv2
    session server-group 307
    voice-class codec 99  
    dtmf-relay rtp-nte
    voice-class sip tenant 100
    no vad
    
5

Configure the following DPG:

  1. Defines DPG 100. Outbound dial-peer 101 is the target for any incoming dial-peer invoking dial-peer group 100. We apply DPG 100 to incoming dial-peer 302 defined later for the Unified CM --> LGW --> PSTN path:

    voice class dpg 100
    dial-peer 101 preference 1
    
  2. Define DPG 200 with outbound dial-peer 200201 as the target for Unified CM --> LGW --> Webex Calling path:

    voice class dpg 200
    dial-peer 200201 preference 1
    
  3. Define DPG 300 for outbound dial-peers 301 or 303 for the Webex Calling --> LGW --> Unified CM path:

    voice class dpg 300
    dial-peer 301 preference 1
    dial-peer 303 preference 1
    
  4. Define DPG 302 for outbound dial-peers 305 or 307 for the PSTN --> LGW --> Unified CM path:

    voice class dpg 302
    dial-peer 305 preference 1
    dial-peer 307 preference 1
    
6

Configure the following inbound dial-peers:

  1. Inbound dial-peer for incoming IP PSTN call legs:

    dial-peer voice 100 voip
    description Incoming dial-peer from PSTN
    session protocol sipv2
    destination dpg 302
    incoming uri via 100
    voice-class codec 99
    dtmf-relay rtp-nte
    voice-class sip tenant 300
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 100 voip
    description Incoming dial-peer from PSTN

    Defines a VoIP dial-peer with a tag of 100 and gives a meaningful description for ease of management and troubleshooting.

    session protocol sipv2

    Specifies that dial-peer 100 handles SIP call legs.

    incoming uri via 100

    Specifies the voice class uri 100 to match all incoming traffic from Unified CM to LGW on the VIA header’s host IP address. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-i1.html#wp7490919080 for more information.

    destination dpg 302

    Specifies dial-peer group 302 to select an outbound dial-peer. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.

    voice-class sip tenant 300

    The dial-peer inherits all the parameters from tenant 300 unless that same parameter is defined under the dial-peer itself.

  2. Inbound dial-peer for incoming Webex Calling call legs:

    dial-peer voice 200201 voip
    description Inbound/Outbound Webex Calling
    max-conn 250
    destination dpg 300
    incoming uri request 200
     

    Here's an explanation of the fields for the configuration:

    dial-peer voice 200201 voip
    description Inbound/Outbound Webex Calling

    Updates a VoIP dial-peer with a tag of 200201 and gives a meaningful description for ease of management and troubleshooting.

    incoming uri request 200

    Specifies the voice class uri 200 to match all incoming traffic from Unified CM to LGW on the unique dtg pattern in the request URI, uniquely identifying a Local Gateway site within an enterprise and in the Webex Calling ecosystem. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-i1.html#wp7490919080 for more information.

    destination dpg 300

    Specifies dial-peer group 300 to select an outbound dial-peer. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.

    max-conn 250

    Restricts the number of concurrent calls to 250 between the LGW and Webex Calling assuming a single dial-peer facing Webex Calling for both inbound and outbound calls as defined in this guide. For more details about concurrent call limits involving Local Gateway, see https://www.cisco.com/c/dam/en/us/td/docs/solutions/PA/mcp/DEPLOYMENT_CALLING_Unified_CM_to_Webex_Calling.pdf.

  3. Inbound dial-peer for incoming Unified CM call legs with Webex Calling as the destination:

    dial-peer voice 300 voip
    description Incoming dial-peer from CUCM for Webex Calling
    session protocol sipv2
    destination dpg 200
    incoming uri via 300
    voice-class codec 99
    dtmf-relay rtp-nte
    voice-class sip tenant 300
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 300 voip
    description Incoming dial-peer from CUCM for Webex Calling

    Defines a VoIP dial-peer with a tag of 300 and gives a meaningful description for ease of management and troubleshooting.

    incoming uri via 300

    Specifies the voice class uri 300 to match all incoming traffic from Unified CM to LGW on the via source port (5065). See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-i1.html#wp7490919080 for more information.

    destination dpg 200

    Specifies dial-peer group 200 to select an outbound dial-peer. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.

    voice-class sip tenant 300

    The dial-peer inherits all the parameters from tenant 300 unless that same parameter is defined under the dial-peer itself.

  4. Inbound dial-peer for incoming Unified CM call legs with PSTN as the destination:

    dial-peer voice 302 voip
    description Incoming dial-peer from CUCM for PSTN
    session protocol sipv2
    destination dpg 100
    incoming uri via 302
    voice-class codec 99
    dtmf-relay rtp-nte
    voice-class sip tenant 300
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 302 voip
    description Incoming dial-peer from CUCM for PSTN

    Defines a VoIP dial-peer with a tag of 302 and gives a meaningful description for ease of management and troubleshooting.

    incoming uri via 302

    Specifies the voice class uri 302 to match all incoming traffic from Unified CM to LGW on the via source port (5065). See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-i1.html#wp7490919080 for more information.

    destination dpg 100

    Specifies dial-peer group 100 to select an outbound dial-peer. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.

    voice-class sip tenant 300

    The dial-peer inherits all the parameters from tenant 300 unless that same parameter is defined under the dial-peer itself.
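An added example, not part of the original guide: a Python check that parses the routing-relevant lines of steps 2 to 6, reports sub-commands that reference an undefined voice class or dial-peer, and resolves each inbound dial-peer through its DPG to the outbound targets. The function names are hypothetical, and the parser assumes only the commands shown on this page.

```python
import re

# Routing-relevant lines copied from steps 2 to 6 above (descriptions, codecs, tenants omitted).
CONFIG = """\
voice class uri 100 sip
 host ipv4:192.168.80.13
voice class uri 200 sip
 pattern dtg=hussain2572.lgu
voice class uri 300 sip
 pattern :5065
voice class uri 302 sip
 pattern 192.168.80.60:5060
voice class server-group 301
 ipv4 192.168.80.60 port 5065
voice class server-group 303
 ipv4 192.168.80.60 port 5065
voice class server-group 305
 ipv4 192.168.80.60
voice class server-group 307
 ipv4 192.168.80.60
voice class dpg 100
 dial-peer 101 preference 1
voice class dpg 200
 dial-peer 200201 preference 1
voice class dpg 300
 dial-peer 301 preference 1
 dial-peer 303 preference 1
voice class dpg 302
 dial-peer 305 preference 1
 dial-peer 307 preference 1
dial-peer voice 101 voip
 session target ipv4:192.168.80.13
dial-peer voice 200201 voip
 session target sip-server
 destination dpg 300
 incoming uri request 200
dial-peer voice 301 voip
 session server-group 301
dial-peer voice 303 voip
 session server-group 303
dial-peer voice 305 voip
 session server-group 305
dial-peer voice 307 voip
 session server-group 307
dial-peer voice 100 voip
 destination dpg 302
 incoming uri via 100
dial-peer voice 300 voip
 destination dpg 200
 incoming uri via 300
dial-peer voice 302 voip
 destination dpg 100
 incoming uri via 302
"""

HEADER = re.compile(r"(?:voice class (uri|server-group|dpg)|(dial-peer) voice) (\d+)")
REFS = {"incoming uri via": "uri", "incoming uri request": "uri", "destination dpg": "dpg",
        "session server-group": "server-group", "dial-peer": "dial-peer"}

def parse(config):
    """Group sub-commands under their parent line: {(kind, tag): [sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line[:1] != " ":                          # a top-level command opens a block
            m = HEADER.match(line)
            current = blocks.setdefault((m[1] or m[2], m[3]), []) if m else None
        elif current is not None and line.strip():
            current.append(line.strip())
    return blocks

def arg(cmds, prefix):
    """Text following `prefix` in the first matching sub-command, or None."""
    return next((c[len(prefix) + 1:] for c in cmds if c.startswith(prefix + " ")), None)

def dangling(blocks):
    """List sub-commands whose REFS prefix points at a block that is not defined."""
    return [f"{kind} {tag}: {cmd}"
            for (kind, tag), cmds in blocks.items() for cmd in cmds
            for prefix, target in REFS.items()
            if (ref := arg([cmd], prefix)) and (target, ref.split()[0]) not in blocks]

def trace(blocks):
    """Map each inbound dial-peer to the (outbound dial-peer, targets) pairs its DPG selects."""
    routes = {}
    for (kind, tag), cmds in blocks.items():
        if kind != "dial-peer" or not (dpg := arg(cmds, "destination dpg")):
            continue                                 # not an inbound dial-peer
        routes[tag] = []
        for member in blocks.get(("dpg", dpg), []):  # e.g. "dial-peer 301 preference 1"
            out = member.split()[1]
            out_cmds = blocks.get(("dial-peer", out), [])
            group = arg(out_cmds, "session server-group")
            targets = blocks.get(("server-group", group), []) if group else [arg(out_cmds, "session target")]
            routes[tag].append((out, targets))
    return routes

if __name__ == "__main__":
    print(trace(parse(CONFIG)), dangling(parse(CONFIG)) or "no dangling references")
```

Run it against a saved copy of the running configuration before and after a change: an inbound dial-peer that resolves to an empty list has no outbound path.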

IP PSTN to Unified CM PSTN trunk

Webex Calling Platform to Unified CM Webex Calling trunk

Unified CM PSTN trunk to IP PSTN

Unified CM Webex Calling trunk to Webex Calling Platform

Diagnostic Signatures (DS) proactively detect commonly observed issues in the IOS XE based Local Gateway and generate email, syslog, or terminal message notification of the event. You can also install the DS to automate diagnostics data collection and transfer collected data to the Cisco TAC case to accelerate resolution time.

Diagnostic Signatures (DS) are XML files that contain information about problem trigger events and actions to be taken to inform, troubleshoot, and remediate the issue. The problem detection logic is defined using syslog messages, SNMP events, and periodic monitoring of specific show command outputs. The action types include collecting show command outputs, generating a consolidated log file, and uploading the file to a user-provided network location such as an HTTPS, SCP, or FTP server. DS files are authored by TAC engineers and are digitally signed for integrity protection. Each DS file has a unique numerical ID assigned by the system. Diagnostic Signatures Lookup Tool (DSLT) is a single source to find applicable signatures for monitoring and troubleshooting various problems.

Before you begin:

  • Do not edit the DS file that you download from DSLT. Files that you modify fail installation because of an integrity check error.

  • You require a Simple Mail Transfer Protocol (SMTP) server for the Local Gateway to send out email notifications.

  • Ensure that the Local Gateway is running IOS XE 17.6.1 or higher if you wish to use secure SMTP server for email notifications.

Prerequisites

Local Gateway running IOS XE 17.3.2 or higher

  1. Diagnostic Signatures is enabled by default.

  2. Configure the secure email server to be used to send proactive notifications if the device is running Cisco IOS XE 17.3.2 or higher.

    configure terminal 
    call-home  
    mail-server <username>:<pwd>@<email server> priority 1 secure tls 
    end

  3. Configure the environment variable ds_email with the email address of the administrator to be notified.

    configure terminal 
    call-home  
    diagnostic-signature 
    environment ds_email <email address> 
    end 

Local Gateway running 16.11.1 or higher

  1. Diagnostic Signatures is enabled by default.

  2. Configure the email server to be used to send proactive notifications if the device is running a version earlier than 17.3.2.

    configure terminal 
    call-home  
    mail-server <email server> priority 1 
    end

  3. Configure the environment variable ds_email with the email address of the administrator to be notified.

    configure terminal 
    call-home  
    diagnostic-signature 
    environment ds_email <email address>
    end 

Local Gateway running 16.9.x version

  1. Enter the following commands to enable diagnostic signatures.

    configure terminal 
    call-home reporting contact-email-addr sch-smart-licensing@cisco.com  
    end

  2. Configure the email server to be used to send proactive notifications if the device is running a version earlier than 17.3.2.

    configure terminal 
    call-home  
    mail-server  <email server> priority 1 
    end

  3. Configure the environment variable ds_email with the email address of the administrator to be notified.

    configure terminal 
    call-home  
    diagnostic-signature 
    environment ds_email <email address> 
    end 

The following shows an example configuration of a Local Gateway running on Cisco IOS XE 17.3.2 to send the proactive notifications to tacfaststart@gmail.com using Gmail as the secure SMTP server:

call-home  
mail-server tacfaststart:password@smtp.gmail.com priority 1 secure tls 
diagnostic-signature 
environment ds_email "tacfaststart@gmail.com" 

Local Gateway running on Cisco IOS XE Software is not a typical web-based Gmail client that supports OAuth, so we must configure a specific Gmail account setting and provide specific permission to have the email from the device processed correctly:

  1. Go to Manage Google Account > Security and turn on Less secure app access setting.

  2. Answer “Yes, it was me” when you receive an email from Gmail stating “Google prevented someone from signing into your account using a non-Google app.”

Install diagnostic signatures for proactive monitoring

Monitoring high CPU utilization

This DS tracks 5-second CPU utilization using the SNMP OID 1.3.6.1.4.1.9.2.1.56. When the utilization reaches 75% or more, it disables all debugs and uninstalls all diagnostic signatures that are installed in the Local Gateway. Use the steps below to install the signature.

  1. Check whether SNMP is enabled using the command show snmp. If it is not enabled, configure the “snmp-server manager” command.

    show snmp 
    %SNMP agent not enabled 
    
    config t 
    snmp-server manager 
    end 
    
    show snmp 
    Chassis: ABCDEFGHIGK 
    149655 SNMP packets input 
        0 Bad SNMP version errors 
        1 Unknown community name 
        0 Illegal operation for community name supplied 
        0 Encoding errors 
        37763 Number of requested variables 
        2 Number of altered variables 
        34560 Get-request PDUs 
        138 Get-next PDUs 
        2 Set-request PDUs 
        0 Input queue packet drops (Maximum queue size 1000) 
    158277 SNMP packets output 
        0 Too big errors (Maximum packet size 1500) 
        20 No such name errors 
        0 Bad values errors 
        0 General errors 
        7998 Response PDUs 
        10280 Trap PDUs 
    Packets currently in SNMP process input queue: 0 
    SNMP global trap: enabled 
    
  2. Download DS 64224 using the following drop-down options in Diagnostic Signatures Lookup Tool:

    Field Name      Field Value
    Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
    Product         CUBE Enterprise in Webex Calling Solution
    Problem Scope   Performance
    Problem Type    High CPU Utilization with Email Notification.

  3. Copy the DS XML file to the Local Gateway flash.

    LocalGateway# copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash: 

    The following example shows copying the file from an FTP server to the Local Gateway.

    copy ftp://user:pwd@192.0.2.12/DS_64224.xml bootflash: 
    Accessing ftp://*:*@ 192.0.2.12/DS_64224.xml...! 
    [OK - 3571/4096 bytes] 
    3571 bytes copied in 0.064 secs (55797 bytes/sec) 
    
  4. Install the DS XML file in the Local Gateway.

    call-home diagnostic-signature load DS_64224.xml 
    Load file DS_64224.xml success

  5. Verify that the signature is successfully installed using show call-home diagnostic-signature. The status column should have a “registered” value.

    show call-home diagnostic-signature  
    Current diagnostic-signature settings: 
    Diagnostic-signature: enabled 
    Profile: CiscoTAC-1 (status: ACTIVE) 
    Downloading  URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService 
    Environment variable: 
    ds_email: username@gmail.com 

    Download DSes:

    DS ID   DS Name            Revision   Status       Last Update (GMT+00:00)
    64224   DS_LGW_CPU_MON75   0.0.10     Registered   2020-11-07 22:05:33


    When triggered, this signature uninstalls all running DSs including itself. If necessary, please reinstall DS 64224 to continue monitoring high CPU utilization on the Local Gateway.

Monitoring SIP trunk registration

This DS checks for unregistration of a Local Gateway SIP trunk with the Cisco Webex Calling cloud every 60 seconds. Once the unregistration event is detected, it generates an email and syslog notification and uninstalls itself after two unregistration occurrences. Please use the steps below to install the signature.

  1. Download DS 64117 using the following drop-down options in Diagnostic Signatures Lookup Tool:

    Field Name      Field Value
    Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
    Product         CUBE Enterprise in Webex Calling Solution
    Problem Scope   SIP-SIP
    Problem Type    SIP Trunk Unregistration with Email Notification.

  2. Copy the DS XML file to the Local Gateway.

    copy ftp://username:password@<server name or ip>/DS_64117.xml bootflash:

  3. Install the DS XML file in the Local Gateway.

    call-home diagnostic-signature load DS_64117.xml 
    Load file DS_64117.xml success 
    LocalGateway#

  4. Verify that the signature is successfully installed using show call-home diagnostic-signature. The status column should have a “registered” value.

Monitoring abnormal call disconnects

This DS uses SNMP polling every 10 minutes to detect abnormal call disconnects with SIP errors 403, 488 and 503. If the error count increment is greater than or equal to 5 from the last poll, it generates a syslog and email notification. Please use the steps below to install the signature.

  1. Check whether SNMP is enabled using the command show snmp. If it is not enabled, configure the “snmp-server manager” command.

    show snmp 
    %SNMP agent not enabled 
     
    
    config t 
    snmp-server manager 
    end 
    
    show snmp 
    Chassis: ABCDEFGHIGK 
    149655 SNMP packets input 
        0 Bad SNMP version errors 
        1 Unknown community name 
        0 Illegal operation for community name supplied 
        0 Encoding errors 
        37763 Number of requested variables 
        2 Number of altered variables 
        34560 Get-request PDUs 
        138 Get-next PDUs 
        2 Set-request PDUs 
        0 Input queue packet drops (Maximum queue size 1000) 
    158277 SNMP packets output 
        0 Too big errors (Maximum packet size 1500) 
        20 No such name errors 
        0 Bad values errors 
        0 General errors 
        7998 Response PDUs 
        10280 Trap PDUs 
    Packets currently in SNMP process input queue: 0 
    SNMP global trap: enabled 
    
  2. Download DS 65221 using the following options in Diagnostic Signatures Lookup Tool:

    Field Name      Field Value
    Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
    Product         CUBE Enterprise in Webex Calling Solution
    Problem Scope   Performance
    Problem Type    SIP abnormal call disconnect detection with Email and Syslog Notification.

  3. Copy the DS XML file to the Local Gateway.

    copy ftp://username:password@<server name or ip>/DS_65221.xml bootflash:

  4. Install the DS XML file in the Local Gateway.

    call-home diagnostic-signature load DS_65221.xml 
    Load file DS_65221.xml success 
    
  5. Verify that the signature is successfully installed using show call-home diagnostic-signature. The status column should have a “registered” value.

Install diagnostic signatures to troubleshoot a problem

Diagnostic Signatures (DS) can also be used to resolve issues quickly. Cisco TAC engineers have authored several signatures that enable the necessary debugs that are required to troubleshoot a given problem, detect the problem occurrence, collect the right set of diagnostic data and transfer the data automatically to the Cisco TAC case. This eliminates the need to manually check for the problem occurrence and makes troubleshooting of intermittent and transient issues a lot easier.

You can use the Diagnostic Signatures Lookup Tool to find the applicable signatures and install them to self-solve a given issue or you can install the signature that is recommended by the TAC engineer as part of the support engagement.

Here is an example of how to find and install a DS to detect the occurrence of the “%VOICE_IEC-3-GW: CCAPI: Internal Error (call spike threshold): IEC=1.1.181.1.29.0” syslog and automate diagnostic data collection using the following steps:

  1. Configure an additional DS environment variable ds_fsurl_prefix, which is the Cisco TAC file server path (cxd.cisco.com) to which the collected diagnostic data is uploaded. In the following command, the username in the file path is the case number and the password is the file upload token, which can be retrieved from Support Case Manager. The file upload token can be generated in the Attachments section of the Support Case Manager, as needed.

    configure terminal 
    call-home  
    diagnostic-signature 
    environment ds_fsurl_prefix "scp://<case number>:<file upload token>@cxd.cisco.com"
    end 

    Example:

    call-home  
    diagnostic-signature 
    environment ds_fsurl_prefix "scp://612345678:abcdefghijklmnop@cxd.cisco.com"

  2. Ensure that SNMP is enabled using the command show snmp. If it is not enabled, configure the “snmp-server manager” command.

    show snmp 
    %SNMP agent not enabled 
     
     
    config t 
    snmp-server manager 
    end

  3. Install the High CPU monitoring DS 64224 as a proactive measure to disable all debugs and diagnostic signatures during the time of high CPU utilization. Download DS 64224 using the following options in Diagnostic Signatures Lookup Tool:

    Field Name      Field Value
    Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
    Product         CUBE Enterprise in Webex Calling Solution
    Problem Scope   Performance
    Problem Type    High CPU Utilization with Email Notification.

  4. Download DS 65095 using the following options in Diagnostic Signatures Lookup Tool:

    Field Name      Field Value
    Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
    Product         CUBE Enterprise in Webex Calling Solution
    Problem Scope   Syslogs
    Problem Type    Syslog - %VOICE_IEC-3-GW: CCAPI: Internal Error (Call spike threshold): IEC=1.1.181.1.29.0

  5. Copy the DS XML files to the Local Gateway.

    copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash: 
    copy ftp://username:password@<server name or ip>/DS_65095.xml bootflash:

  6. Install the High CPU monitoring DS 64224 and then DS 65095 XML file in the Local Gateway.

    call-home diagnostic-signature load DS_64224.xml 
    Load file DS_64224.xml success 
     
    call-home diagnostic-signature load DS_65095.xml 
    Load file DS_65095.xml success 
    
  7. Verify that the signature is successfully installed using show call-home diagnostic-signature. The status column should have a “registered” value.

    show call-home diagnostic-signature  
    Current diagnostic-signature settings: 
    Diagnostic-signature: enabled 
    Profile: CiscoTAC-1 (status: ACTIVE) 
    Downloading  URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService 
    Environment variable: 
               ds_email: username@gmail.com 
               ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com 

    Downloaded DSes:

    DS ID   DS Name                           Revision   Status       Last Update (GMT+00:00)
    64224   DS_LGW_CPU_MON75                  0.0.10     Registered   2020-11-08 00:07:45
    65095   DS_LGW_IEC_Call_spike_threshold   0.0.12     Registered   2020-11-08 00:12:53

Verify diagnostic signatures execution

In the following command, the “Status” column of the command show call-home diagnostic-signature changes to “running” while the Local Gateway executes the action defined within the signature. The output of show call-home diagnostic-signature statistics is the best way to verify whether a diagnostic signature detects an event of interest and executes the action. The “Triggered/Max/Deinstall” column indicates the number of times the given signature has triggered an event, the maximum number of times it is defined to detect an event, and whether the signature deinstalls itself after detecting the maximum number of triggered events.

show call-home diagnostic-signature  
Current diagnostic-signature settings: 
Diagnostic-signature: enabled 
Profile: CiscoTAC-1 (status: ACTIVE) 
Downloading  URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService 
Environment variable: 
           ds_email: carunach@cisco.com 
           ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com 

Downloaded DSes:

DS ID   DS Name                           Revision   Status       Last Update (GMT+00:00)
64224   DS_LGW_CPU_MON75                  0.0.10     Registered   2020-11-08 00:07:45
65095   DS_LGW_IEC_Call_spike_threshold   0.0.12     Running      2020-11-08 00:12:53

show call-home diagnostic-signature statistics

DS ID   DS Name                           Triggered/Max/Deinstall   Average Run Time (seconds)   Max Run Time (seconds)
64224   DS_LGW_CPU_MON75                  0/0/N                     0.000                        0.000
65095   DS_LGW_IEC_Call_spike_threshold   1/20/Y                    23.053                       23.053

The notification email that is sent during diagnostic signature execution contains key information such as issue type, device details, software version, running configuration, and show command outputs that are relevant to troubleshoot the given problem.
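An added example, not Cisco tooling: a Python check that reads the two show outputs described above and reports required signatures that are no longer registered or running (DS 64224 removes every signature, itself included, when it fires) and self-deinstalling signatures that have started counting toward their maximum. The sample text is constructed from the values on this page and assumes whitespace-separated columns; the function names and the `required` list are hypothetical.

```python
import re

# Constructed sample output built from the values shown above. Whitespace-separated
# columns are an assumed layout; adjust the patterns to what your device prints.
SHOW_DS = """\
Downloaded DSes:
DS ID   DS Name                           Revision   Status       Last Update (GMT+00:00)
64224   DS_LGW_CPU_MON75                  0.0.10     Registered   2020-11-08 00:07:45
65095   DS_LGW_IEC_Call_spike_threshold   0.0.12     Running      2020-11-08 00:12:53
"""
SHOW_DS_STATS = """\
DS ID   DS Name                           Triggered/Max/Deinstall   Average Run Time   Max Run Time
64224   DS_LGW_CPU_MON75                  0/0/N                     0.000              0.000
65095   DS_LGW_IEC_Call_spike_threshold   1/20/Y                    23.053             23.053
"""

STATUS_ROW = re.compile(r"\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$")
STATS_ROW = re.compile(r"\s*(\d+)\s+(\S+)\s+(\d+)/(\d+)/([YN])\s+([\d.]+)\s+([\d.]+)\s*$")

def parse_status(text):
    """Return {ds_id: status} from the rows of show call-home diagnostic-signature."""
    return {m[1]: m[4].lower() for m in map(STATUS_ROW.match, text.splitlines()) if m}

def parse_stats(text):
    """Return {ds_id: (triggered, maximum, deinstall)} from the statistics rows."""
    rows = map(STATS_ROW.match, text.splitlines())
    return {m[1]: (int(m[3]), int(m[4]), m[5] == "Y") for m in rows if m}

def review(status_text, stats_text, required):
    """List required signatures that are not active and signatures nearing self-removal."""
    status, stats = parse_status(status_text), parse_stats(stats_text)
    findings = [f"DS {ds_id} is not registered or running: reinstall it to resume monitoring"
                for ds_id in required if status.get(ds_id) not in ("registered", "running")]
    for ds_id, (triggered, maximum, deinstall) in stats.items():
        if deinstall and triggered:
            findings.append(f"DS {ds_id} triggered {triggered} of {maximum} times: "
                            f"it deinstalls itself after {maximum - triggered} more")
    return findings

if __name__ == "__main__":
    # 64117 (SIP trunk unregistration) is required here but absent from the sample output.
    for finding in review(SHOW_DS, SHOW_DS_STATS, required=["64224", "64117"]):
        print(finding)
```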

Uninstall diagnostic signatures

Diagnostic signatures that are used for troubleshooting purposes are typically defined to uninstall after detection of a certain number of problem occurrences. If you want to uninstall a signature manually, retrieve the DS ID from the output of show call-home diagnostic-signature and run the following command:

call-home diagnostic-signature deinstall <DS ID> 

Example:

call-home diagnostic-signature deinstall 64224 

New signatures are added to Diagnostic Signatures Lookup Tool periodically, based on issues that are commonly observed in deployments. TAC currently doesn’t support requests to create new custom signatures.

Before you begin

  • Ensure that the following baseline platform configurations are set up according to your organization's policies and procedures:

    • NTPs

    • ACLs

    • enable passwords

    • primary password

    • IP routing

    • IP Addresses, and so on

  • You require a minimum supported release of IOS XE 17.6 for all Local Gateway deployments.

1

Ensure that you assign valid and routable IP addresses to any Layer 3 interfaces:

interface GigabitEthernet0/0/0
 description Interface facing PSTN and/or CUCM
 ip address 192.168.80.14 255.255.255.0
!
interface GigabitEthernet0/0/1
 description Interface facing Webex Calling
 ip address 198.51.100.1 255.0.0.0

 
The interface toward Webex Calling must be reachable from outside.

Control Hub can only be configured with FQDN/SRV of the Local Gateway. Ensure that the FQDN resolves to the interface IP.

2

You must preconfigure a primary key for the password with the following commands before it is used in credentials and shared secrets. Type 6 passwords are encrypted using the AES cipher and a user-defined primary key.

conf t
key config-key password-encrypt Password123
password encryption aes

3

Configure IP Name Server to enable DNS lookup. Ping the IP Name Server and ensure that the server is reachable. Local Gateway must resolve Webex Calling proxy addresses using this DNS:

conf t
Enter configuration commands, one per line. End with CNTL/Z. 
ip name-server 8.8.8.8
end

4

Enable TLS 1.2 Exclusivity and a default placeholder Trustpoint:


 
  • A signed and trusted CA certificate must be recognized.

  • Domain in the Contact Header URI of the SIP Request messages (for example: Invite, Options) must be present in the SAN certificate to establish the TLS connection.

  1. Create an RSA key matching the certificate length of the root certificate with the following command:

    crypto key generate rsa general-keys exportable label my-cube modulus 4096
  2. Create a trustpoint to hold a CA-signed certificate with the following commands:

    crypto pki trustpoint CUBE_CA_CERT
     enrollment terminal pem
     serial-number none
     ! The subject name must match the router's hostname (hostname.domain.name)
     subject-name CN=my-cube.domain.com
     revocation-check none
     ! The RSA key pair must match the label of the RSA key that you just created
     rsakeypair my-cube
  3. Generate Certificate Signing Request (CSR) with the following command:

    crypto pki enroll CUBE_CA_CERT

     
    • Use this CSR to request a certificate from one of the supported certificate authorities.

    • Ensure that the trunk destination (FQDN or SRV) that is configured on Control Hub is present in the SAN of the certificate.

5

If the root certificate has an intermediate CA, then execute the following commands:


 

If there are no intermediate certificate authorities, skip to Step 6.

crypto pki trustpoint Root_CA_CERT
 enrollment terminal
 revocation-check none
!
crypto pki authenticate Root_CA_CERT
<paste the Base64-encoded root CA certificate here>

crypto pki trustpoint Intermediate_CA
 enrollment terminal
 chain-validation continue Root_CA_CERT
 revocation-check none
!
crypto pki authenticate Intermediate_CA
<paste the Base64-encoded intermediate CA certificate here>

crypto pki authenticate CUBE_CA_CERT
<paste the Base64-encoded intermediate CA certificate here>

crypto pki import CUBE_CA_CERT certificate
<paste the Base64-encoded CUBE CA certificate here>

6

Create a trustpoint to hold the root certificate. (Execute the following commands, if there is no intermediate CA.)

crypto pki trustpoint Root_CA_CERT
 enrollment terminal
 revocation-check none
!
crypto pki authenticate Root_CA_CERT
<paste the Base64-encoded root CA certificate here>

crypto pki authenticate CUBE_CA_CERT
<paste the Base64-encoded root CA certificate here>

crypto pki import CUBE_CA_CERT certificate
<paste the Base64-encoded CUBE CA certificate here>

7

Configure SIP-UA to use the trustpoint you created.

configure terminal
sip-ua
crypto signaling default trustpoint CUBE_CA_CERT
transport tcp tls v1.2

Before you begin

  • The network toward Webex Calling must use a public IPv4 address. Fully Qualified Domain Names (FQDN) or Service Record (SRV) addresses must resolve to a public IPv4 address on the internet.

  • All SIP and media ports on the external interface must be accessible from the internet. The ports must not be behind a Network Address Translation (NAT). Ensure that you update the firewall on your enterprise network components.

  • Install a signed certificate on the Local Gateway.

    • The certificate must be signed by a CA as mentioned in What Root Certificate Authorities are Supported for Calls to Cisco Webex Audio and Video Platforms?.

    • The FQDN selected from the Control Hub must be the Common Name (CN) or Subject Alternate Name (SAN) of the certificate. For example:

      • If a trunk configured from your organization’s Control Hub has london.lgw.cisco.com:5061 as FQDN of the Local Gateway, then CN or SAN must contain london.lgw.cisco.com in the certificate.  

      • If a trunk configured from your organization’s Control Hub has london.lgw.cisco.com as the SRV address of the Local Gateway, then CN or SAN must contain london.lgw.cisco.com in the certificate. The records that the SRV address resolves to (CNAME, A Record, or IP Address) are optional in SAN.

      • In the FQDN or SRV example that is used for your trunk, the contact address for all new SIP dialogs from your Local Gateway must have london.lgw.cisco.com in the host portion of the SIP address. See Step 5 for configuration.

  • Ensure that certificates are signed for client and server usage.

  • You must upload the trust bundle to the Local Gateway as mentioned in What Root Certificate Authorities are Supported for Calls to Cisco Webex Audio and Video Platforms?.

1

Enter the following commands to turn on the Local Gateway application (Refer to Port Reference Information for Cisco Webex Calling for the latest IP subnets to add as a trust list):

configure terminal
voice service voip
ip address trusted list
ipv4 x.x.x.x y.y.y.y
allow-connections sip to sip
no supplementary-service sip refer
no supplementary-service sip handle-replaces
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none 
sip 
early-offer forced

Here's an explanation of the fields for the configuration:

Toll-fraud prevention
voice service voip
ip address trusted list
ipv4 x.x.x.x y.y.y.y
  • Enables the source IP addresses of entities from which the Local Gateway expects legitimate VoIP calls, from Webex Calling peers.

  • By default, Local Gateway blocks all incoming VoIP call setups from IP addresses not in its trusted list. IP addresses from dial-peers with “session target IP” or server group are trusted by default and do not need to be populated here.

  • IP addresses in this list must match the IP subnets according to the regional Webex Calling data center that the customer connects to. See Port Reference Information for Webex Calling for more information.


     

    If your Local Gateway is behind a firewall with restricted static NAT, disable the IP address trusted list on the interface that faces Webex Calling. This is because the firewall protects you from unsolicited inbound VoIP calls. This action reduces your longer-term configuration overhead, because the addresses of the Webex Calling peers may change, and you must configure your firewall for the peers.

  • See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-i1.html#wp3977511557 for more information.

SIP-to-SIP basic functionality
allow-connections sip to sip
Fax protocol
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none

Enables T.38 for fax transport, though the fax traffic is not encrypted. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-f1.html#wp3472350152 for more information.

SIP
early-offer forced

Forces the Local Gateway to send the SDP information in the initial INVITE message instead of waiting for acknowledgment from the neighboring peer.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-f1.html for more information.

2

Configure "voice class codec 100."

voice class codec 100
codec preference 1 opus
codec preference 2 g711ulaw
codec preference 3 g711alaw

Here's an explanation of the fields for the configuration:

Voice class codec 100

Allows opus and both g711 (mu and a-law) codecs for sessions. Applies the preferred codec to all the dial-peers. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp3562947976 for more information.

3

Configure "voice class stun-usage 100" to enable ICE.

voice class stun-usage 100 
stun usage ice lite

Here's an explanation of the fields for the configuration:

Voice class stun-usage 100

Defines STUN usage. Applies STUN to all Webex Calling-facing dial-peers to avoid no-way audio when a Unified CM phone forwards the call to another Webex Calling phone.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v2.html#wp1961799183 for more information.

3

Configure "voice class srtp-crypto 100" to limit the crypto supported.

voice class srtp-crypto 100
 crypto 1 AES_CM_128_HMAC_SHA1_80

Here's an explanation of the fields for the configuration:

Voice class srtp-crypto 100
Specifies SHA1_80 as the only SRTP cipher-suite that's offered by a Local Gateway in the SDP in offer and answer. Webex Calling only supports SHA1_80.

5

Configure “SIP Profiles 100”. In the example, cube1.abc.lgwtrunking.com is the FQDN selected for the Local Gateway and "172.x.x.x" is the IP address of the Local Gateway interface that is toward Webex Calling:

voice class sip-profiles 100
rule 10 request ANY sip-header Contact modify "172.x.x.x" "cube1.abc.lgwtrunking.com" 
rule 20 response ANY sip-header Contact modify "172.x.x.x" "cube1.abc.lgwtrunking.com" 
 

Here's an explanation of the fields for the configuration:

rule 10 to rule 20
Ensures that the Local Gateway IP address is replaced with FQDN in the ‘Contact’ header of request and response messages.

This is a requirement for authentication of your Local Gateway to be used as a trunk in a given Webex Calling location for your organization.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp3265081475 for more information.
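
The effect of rules 10 and 20 can be reproduced offline to confirm that the rewritten Contact host is the name the certificate carries. This Python code is an added example, not Cisco tooling: the INVITE, the address 203.0.113.10, and the function names are constructed, and Python's `re` stands in for the gateway's own pattern matching.

```python
import re

TRUNK_FQDN = "cube1.abc.lgwtrunking.com"  # FQDN used in this page's example
GATEWAY_IP = "203.0.113.10"               # constructed interface address

# Stand-in for: rule 10 request ANY sip-header Contact modify "<ip>" "<fqdn>"
RULES = [(re.escape(GATEWAY_IP), TRUNK_FQDN)]

# Constructed INVITE as the gateway would build it before the profile runs.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+14085550100@peer.example.invalid:5062;transport=tls SIP/2.0",
    "Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bKconstructed",
    "From: <sip:+14085550199@203.0.113.10>;tag=constructed",
    "To: <sip:+14085550100@peer.example.invalid>",
    "Call-ID: constructed-1@203.0.113.10",
    "CSeq: 101 INVITE",
    "Contact: <sip:+14085550199@203.0.113.10:5061;transport=tls>",
    "Content-Length: 0",
]) + "\r\n\r\n"


def apply_contact_rules(message, rules):
    """Apply (pattern, replacement) rules to the Contact header only."""
    head, sep, body = message.partition("\r\n\r\n")
    lines = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "contact":
            for pattern, replacement in rules:
                value = re.sub(pattern, replacement, value)
        lines.append(name + colon + value)
    return "\r\n".join(lines) + sep + body


def contact_host(message):
    """Return the lower-cased host portion of the Contact URI, or None."""
    for line in message.split("\r\n"):
        if not line:
            break  # blank line ends the header section
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "contact":
            m = re.search(r"sips?:(?:[^@>;\s]*@)?(\[[^\]]+\]|[^:;>\s]+)", value)
            return m.group(1).lower() if m else None
    return None


def contact_matches_certificate(message, trunk_fqdn, cert_names):
    """True when the Contact host is the trunk FQDN and is listed in CN/SAN.

    cert_names is the list of CN and SAN DNS names read from the installed
    certificate; only exact names are compared (no wildcard handling).
    """
    host = contact_host(message)
    names = {n.lower().rstrip(".") for n in cert_names}
    return host is not None and host == trunk_fqdn.lower() and host in names


if __name__ == "__main__":
    rewritten = apply_contact_rules(SAMPLE_INVITE, RULES)
    print("before:", contact_host(SAMPLE_INVITE))
    print("after: ", contact_host(rewritten))
    print("matches certificate:",
          contact_matches_certificate(rewritten, TRUNK_FQDN, [TRUNK_FQDN]))
```

Only the Contact header changes; Via, From, and Call-ID keep the interface address, which is why the rules name `sip-header Contact` explicitly.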
6

Configure the following four outbound dial-peers:

  1. Configure first outbound dial-peer toward Webex Calling.

    dial-peer voice 101 voip 
    description OutBound Dial peer towards Webex Calling
    destination-pattern BAD.BAD 
    session protocol sipv2
    session target dns:peering1.sipconnect.bcld.webex.com:5062
    session transport tcp tls
    voice-class sip rel1xx disable 
    voice-class codec 100
    voice-class stun-usage 100 
    voice-class sip profiles 100 
    voice-class sip srtp-crypto 100
    voice-class sip options-keepalive
    voice-class sip bind control source-interface GigabitEthernet 1 
    voice-class sip bind media source-interface GigabitEthernet 1 
    dtmf-relay rtp-nte
    srtp
    !

    Here's an explanation of the fields for the configuration:
    dial-peer voice 101 voip
    description OutBound Dial peer towards Webex Calling

    Defines a VoIP dial-peer with a tag of 101 and gives a meaningful description for ease of management and troubleshooting. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-d1.html#wp2182184624 for more information.

    destination-pattern BAD.BAD

    Allows selection of dial-peer 101. However, we invoke outgoing dial-peer 101 directly from the inbound dial-peer using dpg statements and that bypasses the digit pattern match criteria. We are using an arbitrary pattern that is based on alphanumeric digits that are allowed by the destination-pattern CLI. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-d1.html#wp3350083587 for more information.

    session protocol sipv2

    Specifies that dial-peer 101 handles SIP call legs. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr4/vcr4-cr-book/vcr-s2.html#wp1960850066 for more information.

    session target dns:peering1.sipconnect-int.bcld.webex.com:5062

    Indicates the destination’s target FQDN address from Control Hub to send the call leg. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr4/vcr4-cr-book/vcr-s2.html#wp3465578841 for more information.

    voice-class codec 100

    Indicates codec preference list 100 to be used for dial-peer 101. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp3869826384 for more information.

  2. Configure the remaining outbound dial-peers toward Webex Calling. The steps remain the same as Step 6a, but each dial-peer has a different ‘session target’.

    dial-peer voice 102 voip
    description OutBound Dial peer towards Webex Calling
    destination-pattern BAD.BAD
    session protocol sipv2
    session target dns:peering2.sipconnect-int.bcld.webex.com:5062
    session transport tcp tls
    voice-class sip rel1xx disable
    voice-class codec 100  
    voice-class stun-usage 100
    voice-class sip profiles 100
    voice-class sip srtp-crypto 100
    voice-class sip options-keepalive
    voice-class sip bind control source-interface GigabitEthernet 1
    voice-class sip bind media source-interface GigabitEthernet 1
    dtmf-relay rtp-nte
    srtp
    !
    dial-peer voice 103 voip
    description OutBound Dial peer towards Webex Calling
    destination-pattern BAD.BAD
    session protocol sipv2
    session target dns:peering3.sipconnect-int.bcld.webex.com:5062
    session transport tcp tls
    voice-class sip rel1xx disable
    voice-class codec 100  
    voice-class stun-usage 100
    voice-class sip profiles 100
    voice-class sip srtp-crypto 100
    voice-class sip options-keepalive
    voice-class sip bind control source-interface GigabitEthernet 1
    voice-class sip bind media source-interface GigabitEthernet 1
    dtmf-relay rtp-nte
    srtp
    !
    dial-peer voice 104 voip
    description OutBound Dial peer towards Webex Calling
    destination-pattern BAD.BAD
    session protocol sipv2
    session target dns:peering4.sipconnect-int.bcld.webex.com:5062
    session transport tcp tls
    voice-class sip rel1xx disable
    voice-class codec 100  
    voice-class stun-usage 100
    voice-class sip profiles 100
    voice-class sip srtp-crypto 100
    voice-class sip options-keepalive
    voice-class sip bind control source-interface GigabitEthernet 1
    voice-class sip bind media source-interface GigabitEthernet 1
    dtmf-relay rtp-nte
    srtp
    !

7

Create dial-peer group based on the dial-peer toward Webex Calling in the active/active model.


 

This configuration is applicable for all regions except trunks that you configure in a Singapore based location. See Step 8 for more information.

  1. Define dpg 100 with outbound dial-peers 101, 102, 103, and 104 toward Webex Calling. Apply dpg 100 to incoming dial-peer 100 to define PSTN or Unified CM.

voice class dpg 100
dial-peer 101 preference 1 
dial-peer 102 preference 1 
dial-peer 103 preference 1 
dial-peer 104 preference 1

Here's an explanation of the fields for the configuration:
dial-peer 101 preference 1 

Associates an outbound dial-peer with dial-peer group 100 and configures dial-peers 101, 102, 103, and 104 with the same preference. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-d1.html#wp2182184624 for more information.

8

Create dial-peer group based on the dial-peer toward Webex Calling in the primary/backup model.


 

This configuration is applicable only for trunks that you configure in the Singapore locations.

  1. Define dial-peer group 100 with outbound dial-peers 101, 102, 103, and 104 toward Webex Calling. Apply dpg 100 to incoming dial-peer 100 to define PSTN or Unified CM.

voice class dpg 100
dial-peer 101 preference 1 
dial-peer 102 preference 1 
dial-peer 103 preference 2 
dial-peer 104 preference 2

Here's an explanation of the fields for the configuration:
dial-peer 101 and 102 preference 1 

Associates an outbound dial-peer with dial-peer group 100 and configures dial-peers 101 and 102 as first preference. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.

dial-peer 103 and 104 preference 2 

Associates an outbound dial-peer with dial-peer group 100 and configures dial-peers 103 and 104 as second preference. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.

9

Configure inbound dial-peer from Webex Calling. Incoming match is based on the uri request.

voice class uri 120 sip
 pattern awscube2a.var2-sg.lgwtrunking.com
!
dial-peer voice 110 voip
 session protocol sipv2
 session transport tcp tls
 destination dpg 120
 incoming uri request 120
 voice-class codec 100
 voice-class stun-usage 100
 voice-class sip profiles 100
 voice-class sip srtp-crypto 100
 voice-class sip bind control source-interface GigabitEthernet1
 voice-class sip bind media source-interface GigabitEthernet1
 srtp
!

Here's an explanation of the fields for the configuration:

voice class uri 120 sip
Defines the match pattern for an incoming call from Webex Calling. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp3880836726 for more information.
session transport tcp tls
Sets transport to TLS. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr4/vcr4-cr-book/vcr-s2.html#wp3059887680 for more information.
destination dpg 120
Specifies dial-peer group 120 to select an outbound dial-peer. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.
incoming uri request 120

Matches all incoming traffic from Webex Calling to Local Gateway on the unique dtg pattern in the request URI, uniquely identifying a Local Gateway site within an enterprise and in the Webex Calling ecosystem. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-i1.html#wp7490919080 for more information.

Voice class srtp-crypto 100

Configures the preferred cipher-suites for the SRTP call leg (connection). See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp1731779246 for more information.

bind control source-interface GigabitEthernet0/0/1

Configures a source IP address for signaling source interface facing Webex Calling. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-b1.html#wp2714966862 for more information.

bind media source-interface GigabitEthernet0/0/1

Configures a source IP address for media source interface facing Webex Calling. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-b1.html#wp2714966862 for more information.

This deployment requires the following configuration on the Local Gateway:

  1. Voice class URIs—You can define host IP addresses/ports patterns for various trunks terminating on Local Gateway:

    • Webex Calling to LGW

    • PSTN SIP trunk termination on LGW

  2. Outbound dial-peers—You can route outbound call legs from a LGW to Internet telephony service provider (ITSP) SIP trunk and Webex Calling.

  3. Voice class DPG—You can invoke target outbound dial-peers from an inbound dial-peer.

  4. Inbound dial-peers—You can accept inbound call legs from ITSP and Webex Calling.

Use the configuration either for a partner-hosted Local Gateway setup, or local customer site gateway. See the following:

1

Configure the following voice class uri:

  1. Define ITSP’s host IP address:

    voice class uri 100 sip
      host ipv4:192.168.80.13
    
  2. Define a pattern to uniquely identify a Local Gateway site within an enterprise. Use the Local Gateway hostname as the Uniform Resource Identifier (URI) match pattern.

    voice class uri 200 sip
    pattern awscube2a.var2-sg.lgwtrunking.com
    

     

    Local Gateway doesn't currently support an underscore "_" in the match pattern. As a workaround, use a dot "." (match any) to match the "_".

    Received
    INVITE sip:+6531239003@awscube1a.var1-sg.lgwtrunking.com:5061;transport=tls;dtg=awscube1a.var1-sg.lgwtrunking.com SIP/2.0

2

Configure the following outbound dial-peers:

  1. Outbound dial-peer toward IP PSTN:

    dial-peer voice 121 voip
    description Outgoing dial-peer to IP PSTN
    destination-pattern BAD.BAD
    session protocol sipv2
    session target ipv4:192.168.80.13 
    voice-class codec 100
    dtmf-relay rtp-nte 
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 121 voip
     description Outgoing dial-peer to PSTN
    

    Defines a VoIP dial-peer with a tag of 121 and gives a meaningful description for ease of management and troubleshooting. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-d1.html#wp2182184624 for more information.

    destination-pattern BAD.BAD

    Allows selection of dial-peer 121. However, you invoke this outgoing dial-peer directly from the inbound dial-peer using dpg statements and that bypasses the digit pattern match criteria. You are using an arbitrary pattern that is based on alphanumeric digits that are allowed by the destination-pattern CLI. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-d1.html#wp3350083587 for more information.

    session protocol sipv2

    Specifies that dial-peer 121 handles SIP call legs. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr4/vcr4-cr-book/vcr-s2.html#wp1960850066 for more information.

    session target ipv4:192.168.80.13

    Indicates the destination’s target IPv4 address to send the call leg. The session target here is ITSP’s IP address. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr4/vcr4-cr-book/vcr-s2.html#wp3465578841 for more information.

    voice-class codec 100

    Indicates codec preference list 100 to use for dial-peer 121.

    See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp3869826384 for more information.

    dtmf-relay rtp-nte

    Defines RTP-NTE (RFC2833) as the DTMF capability expected on the call leg. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-d2.html#wp3639536185 for more information.

    no vad

    Disables voice activity detection. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp2063966724 for more information.

  2. Outbound dial-peer toward Webex Calling. See Configure certificate-based trunk for configurations.

3

Configure the following dial-peer group (dpg):

  1. Define dial-peer group 120. Outbound dial-peer 121 is the target for the Webex Calling --> LGW --> PSTN path. Apply dpg 120 to incoming dial-peer 110 for this path.

    voice class dpg 120
    description Incoming Webex Calling to IP PSTN
    dial-peer 121

     

    You must apply dpg 120 to the inbound dial-peer from Webex Calling. See Step 9 in Configure certificate-based trunk for more information.

4

Configure the following inbound dial-peers:

  1. Inbound dial-peer for incoming IP PSTN call legs:

    dial-peer voice 122 voip
    description Incoming dial-peer from PSTN 
    session protocol sipv2
    destination dpg 100 
    incoming uri via 100 
    voice-class codec 100 
    dtmf-relay rtp-nte
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 122 voip
    description Incoming dial-peer from PSTN

    Defines a VoIP dial-peer with a tag of 122 and gives a meaningful description for ease of management and troubleshooting. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-d1.html#wp2182184624 for more information.

    session protocol sipv2

    Specifies that dial-peer 122 handles SIP call legs. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr4/vcr4-cr-book/vcr-s2.html#wp1960850066 for more information.

    incoming uri via 100

    Defines a match criterion for the VIA header with the IP PSTN’s IP address. Matches all incoming IP PSTN call legs on the Local Gateway with dial-peer 122. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-i1.html#wp7490919080 for more information.

    destination dpg 100

    Bypasses the classic outbound dial-peer matching criteria in Local Gateway with the destination dpg 100. Sets up the outgoing call leg using the dial-peers defined within destination dpg 100, that is, dial-peers 101, 102, 103, and 104. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.

    no vad

    Disables voice activity detection. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp2063966724 for more information.

  2. Inbound dial-peer for incoming Webex Calling call legs:

PSTN to Webex Calling:

Match all incoming IP PSTN call legs on the Local Gateway with dial-peer 122 to define a match criterion for the VIA header with the IP PSTN’s IP address. Dpg 100 invokes outgoing dial-peers 101, 102, 103, and 104, which have the Webex Calling server as a target destination.

Webex Calling to PSTN:

Match all incoming Webex Calling call legs on the Local Gateway with dial-peer 110 to define the match criterion for the REQUEST URI header pattern with the Local Gateway hostname, unique to the Local Gateway deployment. Dpg 120 invokes outgoing dial-peer 121, which has the IP PSTN IP address as a target destination.
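
The dial-peer group wiring and the TLS/SRTP pairing described in these steps can be checked offline against a saved configuration. This Python code is an added example, not Cisco tooling: it assumes `show running-config` style text with indented sub-commands, and the sample configuration, host names, and function names are constructed.

```python
import re

# Constructed sample (not a real running-config). It follows this page's
# layout but has two deliberate mistakes: dpg 120 lists the inbound
# dial-peer 110, and dial-peer 102 uses TLS signaling without srtp.
SAMPLE_CONFIG = """\
voice class dpg 100
 dial-peer 101 preference 1
 dial-peer 102 preference 1
!
voice class dpg 120
 dial-peer 110
!
dial-peer voice 101 voip
 session target dns:peering1.example.invalid:5062
 session transport tcp tls
 voice-class sip srtp-crypto 100
 srtp
!
dial-peer voice 102 voip
 session target dns:peering2.example.invalid:5062
 session transport tcp tls
 voice-class sip srtp-crypto 100
!
dial-peer voice 110 voip
 session transport tcp tls
 destination dpg 120
 incoming uri request 120
 voice-class sip srtp-crypto 100
 srtp
!
dial-peer voice 121 voip
 session target ipv4:192.168.80.13
!
dial-peer voice 122 voip
 destination dpg 100
 incoming uri via 100
"""


def parse_sections(config):
    """Group indented sub-commands under their unindented parent line."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def has(body, prefix):
    """True when any sub-command equals prefix or starts with 'prefix '."""
    return any(line == prefix or line.startswith(prefix + " ") for line in body)


def audit(config):
    """Return (object, problem) findings for dpg wiring and TLS/SRTP pairing."""
    peers, dpgs = {}, {}
    for header, body in parse_sections(config).items():
        if m := re.fullmatch(r"dial-peer voice (\d+) voip", header):
            peers[m.group(1)] = body
        elif m := re.fullmatch(r"voice class dpg (\d+)", header):
            dpgs[m.group(1)] = [
                mm.group(1) for line in body
                if (mm := re.match(r"dial-peer (\d+)", line))
            ]

    findings = []
    # A dpg may only list defined, outbound dial-peers.
    for dpg, members in dpgs.items():
        for tag in members:
            body = peers.get(tag)
            if body is None:
                findings.append((f"dpg {dpg}", f"dial-peer {tag} is not defined"))
            elif has(body, "incoming uri"):
                findings.append((f"dpg {dpg}", f"dial-peer {tag} is an inbound dial-peer"))
            elif not (has(body, "session target") or has(body, "session server-group")):
                findings.append((f"dpg {dpg}", f"dial-peer {tag} has no session target"))

    for tag, body in peers.items():
        # Every "destination dpg N" must point at a defined group.
        for line in body:
            m = re.fullmatch(r"destination dpg (\d+)", line)
            if m and m.group(1) not in dpgs:
                findings.append((f"dial-peer {tag}", f"destination dpg {m.group(1)} is not defined"))
        # TLS-signaled legs (the Webex Calling side on this page) need SRTP.
        if "session transport tcp tls" in body:
            if "srtp" not in body:
                findings.append((f"dial-peer {tag}", "TLS signaling without srtp"))
            if not has(body, "voice-class sip srtp-crypto"):
                findings.append((f"dial-peer {tag}", "no srtp-crypto class applied"))
    return findings


if __name__ == "__main__":
    for obj, problem in audit(SAMPLE_CONFIG):
        print(f"{obj}: {problem}")
```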

This deployment requires the following configuration on the Local Gateway:

  1. Voice class URIs—You can define patterns of host IP addresses/ports for various trunks terminating on the LGW from:

    • Unified CM to LGW for PSTN destinations

    • Unified CM to LGW for Webex Calling destinations

    • Webex Calling to LGW destinations

    • PSTN SIP trunk termination on LGW destinations

  2. Voice class server-group—You can target IP addresses or ports for outbound trunks from:

    • LGW to Unified CM

    • LGW to Webex Calling

    • LGW to PSTN SIP trunk

  3. Outbound dial-peers—You can route outbound call legs from:

    • LGW to Unified CM

    • Internet Telephony Service Provider (ITSP) SIP trunk

    • Webex Calling

  4. Voice class dpg—You can invoke outbound dial-peers from an inbound dial-peer.

  5. Inbound dial-peers—You can accept inbound call legs from Unified CM, ITSP, and Webex Calling.

1

Configure the following voice class URIs:

  1. Define the ITSP’s host IP address:

    voice class uri 100 sip
    host ipv4:192.168.80.13
    
  2. Define a pattern to uniquely identify a Local Gateway site within an enterprise. Use Local Gateway hostname as the required Uniform Resource Identifier (URI) match pattern.

    voice class uri 200 sip
    pattern awscube2a.var2-sg.lgwtrunking.com

     

    The Local Gateway doesn't currently support an underscore "_" in the match pattern. As a workaround, we use a dot "." (match any) to match the "_".

    Received
    INVITE sip:+6531239003@awscube1a.var1-sg.lgwtrunking.com:5061;transport=tls;dtg=awscube1a.var1-sg.lgwtrunking.com SIP/2.0 
  3. Defines Unified CM signaling VIA port for the Webex Calling trunk:

    voice class uri 300 sip
    pattern :5065
    
  4. Defines Unified CM source signaling IP and VIA port for PSTN trunk:

    voice class uri 302 sip
    pattern 192.168.80.60:5060
    
2

Configure the following voice class server-groups:

  1. Defines Unified CM trunk’s target host IP address and port number for Unified CM group 1 (5 nodes). Unified CM uses port 5065 for inbound traffic on the Webex Calling trunk (Webex Calling <-> LGW --> Unified CM).

    voice class server-group 301
    ipv4 192.168.80.60 port 5065
    
  2. Defines Unified CM trunk’s target host IP address and port number for Unified CM Group 2 if applicable:

    voice class server-group 303
    ipv4 192.168.80.60 port 5065
    
  3. Defines Unified CM trunk’s target host IP address for Unified CM Group 1 (5 nodes). Unified CM uses default port 5060 for inbound traffic on the PSTN trunk. Use the default 5060 port, if you do not specify the port number. (PSTN <-> LGW --> Unified CM)

    voice class server-group 305
    ipv4 192.168.80.60
    
  4. Defines Unified CM trunk’s target host IP address for Unified CM Group 2, if applicable.

    voice class server-group 307
    ipv4 192.168.80.60
    
3

Configure the following outbound dial-peers:

  1. Outbound dial-peer toward IP PSTN:

    dial-peer voice 121 voip 
    description Outgoing dial-peer to IP PSTN
    destination-pattern BAD.BAD
    session protocol sipv2
    session target ipv4:192.168.80.13
    voice-class codec 100
    dtmf-relay rtp-nte
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 121 voip
    description Outgoing dial-peer to PSTN

    Defines a VoIP dial-peer with a tag of 121 and gives a meaningful description for ease of management and troubleshooting. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-d1.html#wp2182184624 for more information.

    destination-pattern BAD.BAD

    Allows selection of dial-peer 121. However, we invoke this outgoing dial-peer directly from the inbound dial-peer using dpg statements and that bypasses the digit pattern match criteria. We're using an arbitrary pattern based on alphanumeric digits that are allowed by the destination-pattern CLI. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-d1.html#wp3350083587 for more information.

    session protocol sipv2

    Specifies that dial-peer 121 handles SIP call legs.

    session target ipv4:192.168.80.13

    Provide the destination’s target IPv4 address to send the call leg. (In this case, ITSP’s IP address.) See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr4/vcr4-cr-book/vcr-s2.html#wp1960850066 for more information.

    voice-class codec 100

    Indicates codec preference list 100 you use for dial-peer 121.

    See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp3869826384 for more information.

  2. Outbound dial-peer toward Webex Calling:

    dial-peer voice 200201 voip
    description Outgoing dial-peer to Webex Calling
    destination-pattern BAD.BAD
    session protocol sipv2
    session target dns:peering1.sipconnect-int.bcld.webex.com:5062
    session transport tcp tls
    voice-class sip rel1xx disable
    voice-class codec 100  
    voice-class stun-usage 100
    voice-class sip profiles 100
    voice-class sip srtp-crypto 100
    voice-class sip options-keepalive
    voice-class sip bind control source-interface GigabitEthernet 1
    voice-class sip bind media source-interface GigabitEthernet 1
    dtmf-relay rtp-nte
    srtp
    !
    
    dial-peer voice 200202 voip
    description Outgoing dial-peer to Webex Calling
    destination-pattern BAD.BAD
    session protocol sipv2
    session target dns:peering2.sipconnect-int.bcld.webex.com:5062
    session transport tcp tls
    voice-class sip rel1xx disable
    voice-class codec 100  
    voice-class stun-usage 100
    voice-class sip profiles 100
    voice-class sip srtp-crypto 100
    voice-class sip options-keepalive
    voice-class sip bind control source-interface GigabitEthernet 1
    voice-class sip bind media source-interface GigabitEthernet 1
    dtmf-relay rtp-nte
    srtp
    !
    
    dial-peer voice 200203 voip
    description Outgoing dial-peer to Webex Calling
    destination-pattern BAD.BAD
    session protocol sipv2
    session target dns:peering3.sipconnect-int.bcld.webex.com:5062
    session transport tcp tls
    voice-class sip rel1xx disable
    voice-class codec 100  
    voice-class stun-usage 100
    voice-class sip profiles 100
    voice-class sip srtp-crypto 100
    voice-class sip options-keepalive
    voice-class sip bind control source-interface GigabitEthernet 1
    voice-class sip bind media source-interface GigabitEthernet 1
    dtmf-relay rtp-nte
    srtp
    !
    
    dial-peer voice 200204 voip
    description Outgoing dial-peer to Webex Calling
    destination-pattern BAD.BAD
    session protocol sipv2
    session target dns:peering4.sipconnect-int.bcld.webex.com:5062
    session transport tcp tls
    voice-class sip rel1xx disable
    voice-class codec 100  
    voice-class stun-usage 100
    voice-class sip profiles 100
    voice-class sip srtp-crypto 100
    voice-class sip options-keepalive
    voice-class sip bind control source-interface GigabitEthernet 1
    voice-class sip bind media source-interface GigabitEthernet 1
    dtmf-relay rtp-nte
    srtp
    !
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 200201 voip
    description Outgoing dial-peer to Webex Calling

    Defines a VoIP dial-peer with a tag of 200201, 200202, 200203, 200204 and gives a meaningful description for ease of management and troubleshooting.

    voice-class stun-usage 100

    Sends locally generated STUN requests over the negotiated media path. STUN opens the pinhole in the firewall.

    srtp

    Enables SRTP for the call leg.

  3. Outbound dial-peer toward Unified CM's Webex Calling trunk:

    dial-peer voice 301 voip
    description Outgoing dial-peer to CUCM-Group-1 for inbound from Webex Calling - Nodes 1 to 5
    destination-pattern BAD.BAD
    session protocol sipv2
    session server-group 301
    voice-class codec 100
    dtmf-relay rtp-nte
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 301 voip
    description Outgoing dial-peer to CUCM-Group-1 for inbound from Webex Calling – Nodes 1 to 5

    Defines a VoIP dial-peer with a tag of 301 and gives a meaningful description for ease of management and troubleshooting.

    session server-group 301

    Defines the session target of the multiple Unified CM nodes (server-group 301 for dial-peer 301) though the example only shows a single node.

    Server group in outbound dial peer

    Achieves random distribution of calls over all Unified CM call processing subscribers or hunt based on a defined preference with multiple dial-peers in the dpg and multiple servers in the dial-peer server group. Each server group can have up to five servers (IPv4/v6 with or without port). You can only use a second dial-peer and second server group for more than five call processing subscribers.

    See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/multiple-server-groups.html for more information.

  4. Second outbound dial-peer toward Unified CM's Webex Calling trunk if you have more than 5 Unified CM nodes:

    dial-peer voice 303 voip
    description Outgoing dial-peer to CUCM-Group-2 for inbound from Webex Calling - Nodes 6 to 10
    destination-pattern BAD.BAD
    session protocol sipv2
    session server-group 303
    voice-class codec 100
    dtmf-relay rtp-nte
    no vad
  5. Outbound dial-peer toward Unified CM's PSTN trunk:

    dial-peer voice 305 voip
    description Outgoing dial-peer to CUCM-Group-1 for inbound from PSTN - Nodes 1 to 5
    destination-pattern BAD.BAD
    session protocol sipv2
    session server-group 305
    voice-class codec 100 
    dtmf-relay rtp-nte
    no vad
    
  6. Second outbound dial-peer toward Unified CM’s PSTN trunk if you have more than 5 Unified CM nodes:

    dial-peer voice 307 voip
    description Outgoing dial-peer to CUCM-Group-2 for inbound from PSTN - Nodes 6 to 10
    destination-pattern BAD.BAD
    session protocol sipv2
    session server-group 307
    voice-class codec 100  
    dtmf-relay rtp-nte
    no vad
    
4

Configure the following dial-peer group (DPG):

  1. Defines dpg 121. Outbound dial-peer 121 is the target for any incoming dial-peer that invokes dpg 121. Apply dpg 121 to incoming dial-peer 302 defined later for the Unified CM --> LGW --> PSTN path:

    voice class dpg 121
    dial-peer 121 preference 1
    
  2. Define DPG 100 with outbound dial-peer 200201, 200202, 200203, 200204 as the target for Unified CM --> LGW --> Webex Calling path:

    Ensure that preference changes are based on the location of the configured Local Gateway. See Step 7 and Step 8 in Configure certificate-based trunk for more information.

    voice class dpg 100
    dial-peer 200201 preference 1
    dial-peer 200202 preference 1
    dial-peer 200203 preference 1
    dial-peer 200204 preference 1
    
  3. Define dpg 300 for outbound dial-peers 301 or 303 for the Webex Calling --> LGW --> Unified CM path:

    voice class dpg 300
    dial-peer 301 preference 1
    dial-peer 303 preference 1
    
  4. Define DPG 302 for outbound dial-peers 305 or 307 for the PSTN --> LGW --> Unified CM path:

    voice class dpg 302
    dial-peer 305 preference 1
    dial-peer 307 preference 1
    
5

Configure the following inbound dial-peers:

  1. Inbound dial-peer for incoming IP PSTN call legs:

    dial-peer voice 100 voip
    description Incoming dial-peer from PSTN
    session protocol sipv2
    destination dpg 302
    incoming uri via 100
    voice-class codec 100
    dtmf-relay rtp-nte
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 100 voip
    description Incoming dial-peer from PSTN

    Defines a VoIP dial-peer with a tag of 100 and gives a meaningful description for ease of management and troubleshooting.

    session protocol sipv2

    Specifies that dial-peer 100 handles SIP call legs.

    incoming uri via 100

    Specifies the voice class uri 100 to match all incoming traffic from IP PSTN to Local Gateway on an incoming VIA header’s host IP address. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-i1.html#wp7490919080 for more information.

    destination dpg 302

    Specifies dial peer group 302 to select an outbound dial peer. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.
  2. Inbound dial-peer for incoming Webex Calling call legs:

    dial-peer voice 110 voip
    description Incoming dial-peer from Webex Calling  
    session protocol sipv2 
    session transport tcp tls 
    destination dpg 120 
    incoming uri request 120  
    voice-class codec 100 
    voice-class stun-usage 100 
    voice-class sip profiles 100 
    voice-class sip srtp-crypto 100 
    voice-class sip bind control source-interface GigabitEthernet1 
    voice-class sip bind media source-interface GigabitEthernet1 
    srtp 
     

    Here's an explanation of the fields for the configuration:

    dial-peer voice 110 voip
    description Incoming dial-peer from Webex Calling

    Updates a VoIP dial-peer with a tag of 110 and gives a meaningful description for ease of management and troubleshooting.

    destination dpg 120

    Specifies dial peer group 120 to select an outbound dial peer. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.

    voice-class sip srtp-crypto 100

    Configures the preferred cipher-suites for the SRTP call leg (connection). See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp1731779246 for more information.

    bind control source-interface GigabitEthernet0/0/1

    Configures a source IP address for signaling source interface facing Webex Calling.

    See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-b1.html#wp2714966862 for more information.

    bind media source-interface GigabitEthernet0/0/1

    Configures a source IP address for media source interface facing Webex Calling.

    See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-b1.html#wp2714966862 for more information.

  3. Inbound dial-peer for incoming Unified CM call legs with Webex Calling as the destination:

    dial-peer voice 300 voip
    description Incoming dial-peer from CUCM for Webex Calling
    session protocol sipv2
    destination dpg 200
    incoming uri via 300
    voice-class codec 100
    dtmf-relay rtp-nte
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 300 voip
    description Incoming dial-peer from CUCM for Webex Calling

    Defines a VoIP dial-peer with a tag of 300 and gives a meaningful description for ease of management and troubleshooting. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-d1.html#wp2182184624 for more information.

    incoming uri via 300

    Specifies the voice class URI 300 to match all incoming traffic from Unified CM to LGW on the via source port (5065). See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-i1.html#wp7490919080 for more information.

    destination dpg 200

    Specifies dial peer group 200 to select an outbound dial peer. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.

  4. Inbound dial-peer for incoming Unified CM call legs with PSTN as the destination:

    dial-peer voice 302 voip
    description Incoming dial-peer from CUCM for PSTN
    session protocol sipv2
    destination dpg 100
    incoming uri via 302
    voice-class codec 100
    dtmf-relay rtp-nte
    no vad
    

    Here's an explanation of the fields for the configuration:

    dial-peer voice 302 voip
    description Incoming dial-peer from CUCM for PSTN

    Defines a VoIP dial-peer with a tag of 302 and gives a meaningful description for ease of management and troubleshooting. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr2/vcr2-cr-book/vcr-d1.html#wp2182184624 for more information.

    incoming uri via 302

    Specifies the voice class URI 300 to match all incoming traffic from Unified CM to a Local Gateway for a PSTN destination on VIA port. You can use the 5060 port as a standard SIP port. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp3880836726 for more information.

    destination dpg 100

    Specifies dial peer group 100 to select an outbound dial peer. See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr5/vcr5-cr-book/vcr-v1.html#wp7209864940 for more information.
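The following is an added example, not part of Cisco's documentation: a Python audit that parses dial-peer and dial-peer group blocks in the form shown above and reports Webex Calling-facing dial-peers that lack `session transport tcp tls` or `srtp`, plus DPG references to undefined tags. The sample configuration is constructed with deliberate gaps, the function names are hypothetical, and the check assumes TLS and SRTP are set per dial-peer as on this page rather than globally.

```python
import re

# Constructed sample in the style of this page's dial-peers, with deliberate gaps.
SAMPLE_CONFIG = """\
voice class dpg 100
 dial-peer 200202 preference 1
 dial-peer 200203 preference 1
!
voice class dpg 300
 dial-peer 301 preference 1
 dial-peer 303 preference 1
!
dial-peer voice 200202 voip
 session target dns:peering2.sipconnect-int.bcld.webex.com:5062
 session transport tcp tls
 voice-class sip srtp-crypto 100
 srtp
!
dial-peer voice 200203 voip
 session target dns:peering3.sipconnect-int.bcld.webex.com:5062
 voice-class sip srtp-crypto 100
!
dial-peer voice 301 voip
 session server-group 301
!
dial-peer voice 302 voip
 destination dpg 100
!
dial-peer voice 110 voip
 session transport tcp tls
 destination dpg 120
 srtp
!
"""

WEBEX_SUFFIX = "sipconnect-int.bcld.webex.com"  # peering domain used on this page
HEADER = re.compile(r"^(dial-peer voice|voice class dpg) (\d+)\b")


def parse_blocks(config):
    """Map (block kind, tag) -> list of sub-commands; '!' or a blank line ends a block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = blocks.setdefault((header.group(1), int(header.group(2))), [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def audit(config):
    """Return (tag, issue) findings: dial-peers first, then dial-peer groups."""
    blocks = parse_blocks(config)
    peers = {t: c for (k, t), c in blocks.items() if k == "dial-peer voice"}
    dpgs = {t: c for (k, t), c in blocks.items() if k == "voice class dpg"}
    findings = []
    for tag, cmds in sorted(peers.items()):
        if any(c.startswith("session target ") and WEBEX_SUFFIX in c for c in cmds):
            # Exact matches: "srtp fallback" would permit unencrypted RTP, so it is flagged too.
            if "session transport tcp tls" not in cmds:
                findings.append((tag, "webex-peer-without-tls"))
            if "srtp" not in cmds:
                findings.append((tag, "webex-peer-without-srtp"))
        for cmd in cmds:
            ref = re.fullmatch(r"destination dpg (\d+)", cmd)
            if ref and int(ref.group(1)) not in dpgs:
                findings.append((tag, f"destination-dpg-{ref.group(1)}-undefined"))
    for tag, cmds in sorted(dpgs.items()):
        for cmd in cmds:
            member = re.match(r"dial-peer (\d+)\b", cmd)
            if member and int(member.group(1)) not in peers:
                findings.append((tag, f"dpg-member-{member.group(1)}-undefined"))
    return findings


if __name__ == "__main__":
    for tag, issue in audit(SAMPLE_CONFIG):
        print(tag, issue)
```

Run it against the dial-peer and DPG portion of a saved running configuration; an empty result means every Webex Calling-facing dial-peer sets TLS and SRTP explicitly and every DPG reference resolves.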

Diagnostic Signatures (DS) proactively detect commonly observed issues in the Cisco IOS XE-based Local Gateway and generate email, syslog, or terminal message notification of the event. You can also install the DS to automate diagnostics data collection and transfer collected data to the Cisco TAC case to accelerate resolution time.

Diagnostic Signatures (DS) are XML files that contain information about problem trigger events and actions to be taken to inform, troubleshoot, and remediate the issue. The problem detection logic is defined using syslog messages, SNMP events, and periodic monitoring of specific show command outputs. The action types include collecting show command outputs, generating a consolidated log file, and uploading the file to a user-provided network location such as an HTTPS, SCP, or FTP server. DS files are authored by TAC engineers and are digitally signed for integrity protection. Each DS file has a unique numerical ID assigned by the system. Diagnostic Signatures Lookup Tool (DSLT) is a single source to find applicable signatures for monitoring and troubleshooting various problems.

Before you begin:

  • Do not edit the DS file that you download from DSLT. Files that you modify fail installation because of an integrity check error.

  • You require a Simple Mail Transfer Protocol (SMTP) server for the Local Gateway to send out email notifications.

  • Ensure that the Local Gateway is running IOS XE 17.6.1 or higher if you wish to use secure SMTP server for email notifications.

Prerequisites

Local Gateway running IOS XE 17.6.1 or higher

  1. Diagnostic Signatures is enabled by default.

  2. Configure the secure email server you use to send proactive notification if the device is running IOS XE 17.6.1 or higher.

    
    configure terminal 
    call-home  
    mail-server <username>:<pwd>@<email server> priority 1 secure tls 
    end 
  3. Configure the environment variable ds_email with the email address of the administrator that you notify.

    
    configure terminal 
    call-home  
    diagnostic-signature 
    environment ds_email <email address> 
    end 

Local Gateway running 17.6.1 version

  1. Enter the following commands to enable Diagnostic Signatures.

    configure terminal 
    call-home reporting contact-email-addr sch-smart-licensing@cisco.com  
    end  
  2. Configure the email server to be used to send proactive notifications if the device is running a version earlier than 17.6.1.

    configure terminal 
    call-home  
    mail-server  <email server> priority 1 
    end 
  3. Configure the environment variable ds_email with the email address of the administrator that you notify.

    
    configure terminal 
    call-home  
    diagnostic-signature 
    environment ds_email <email address> 
    end 

The following shows an example configuration of a Local Gateway running on Cisco IOS XE 17.6.1 to send the proactive notifications to tacfaststart@gmail.com using Gmail as the secure SMTP server:


call-home
mail-server tacfaststart:password@smtp.gmail.com priority 1 secure tls
diagnostic-signature
environment ds_email "tacfaststart@gmail.com"

Local Gateway running on Cisco IOS XE Software is not a typical web-based Gmail client that supports OAuth, so we must configure a specific Gmail account setting and provide specific permission to have the email from the device processed correctly:

  1. Go to Manage Google Account > Security and turn on Less secure app access setting.

  2. Answer “Yes, it was me” when you receive an email from Gmail stating “Google prevented someone from signing into your account using a non-Google app.”

Install diagnostic signatures for proactive monitoring

Monitoring high CPU utilization

This DS tracks 5-second CPU utilization using the SNMP OID 1.3.6.1.4.1.9.2.1.56. When the utilization reaches 75% or more, it disables all debugs and uninstalls all diagnostic signatures that you installed in the Local Gateway. Use the steps below to install the signature.

  1. Ensure that SNMP is enabled using the command show snmp. If it is not enabled, configure the “snmp-server manager” command.

    
    show snmp 
    %SNMP agent not enabled  
    
    config t 
    snmp-server manager 
    end  
    
    show snmp 
    Chassis: ABCDEFGHIGK 
    149655 SNMP packets input 
        0 Bad SNMP version errors 
        1 Unknown community name 
        0 Illegal operation for community name supplied 
        0 Encoding errors 
        37763 Number of requested variables 
        2 Number of altered variables 
        34560 Get-request PDUs 
        138 Get-next PDUs 
        2 Set-request PDUs 
        0 Input queue packet drops (Maximum queue size 1000) 
    158277 SNMP packets output 
        0 Too big errors (Maximum packet size 1500) 
        20 No such name errors 
        0 Bad values errors 
        0 General errors 
        7998 Response PDUs 
        10280 Trap PDUs 
    Packets currently in SNMP process input queue: 0 
    SNMP global trap: enabled 
    
  2. Download DS 64224 using the following drop-down options in Diagnostic Signatures Lookup Tool:

    Field Name      Field Value
    Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
    Product         CUBE Enterprise in Webex Calling Solution
    Problem Scope   Performance
    Problem Type    High CPU Utilization with Email Notification.

  3. Copy the DS XML file to the Local Gateway flash.

    copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:

    The following example shows copying the file from an FTP server to the Local Gateway.

    copy ftp://user:pwd@192.0.2.12/DS_64224.xml bootflash: 
    Accessing ftp://*:*@ 192.0.2.12/DS_64224.xml...! 
    [OK - 3571/4096 bytes] 
    3571 bytes copied in 0.064 secs (55797 bytes/sec) 
    
  4. Install the DS XML file in the Local Gateway.

    
    call-home diagnostic-signature load DS_64224.xml 
    Load file DS_64224.xml success  
  5. Verify that the signature is successfully installed using show call-home diagnostic-signature. The status column should have a “registered” value.

    
    show call-home diagnostic-signature  
    Current diagnostic-signature settings: 
     Diagnostic-signature: enabled 
     Profile: CiscoTAC-1 (status: ACTIVE) 
     Downloading  URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService 
     Environment variable: 
               ds_email: username@gmail.com 

    Downloaded DSes:

    DS ID   DS Name            Revision  Status      Last Update (GMT+00:00)
    64224   DS_LGW_CPU_MON75   0.0.10    Registered  2020-11-07 22:05:33


    When triggered, this signature uninstalls all running DSs including itself. If necessary, please reinstall DS 64224 to continue monitoring high CPU utilization on the Local Gateway.

Monitoring abnormal call disconnects

This DS uses SNMP polling every 10 minutes to detect abnormal call disconnects with SIP errors 403, 488 and 503. If the error count increment is greater than or equal to 5 from the last poll, it generates a syslog and email notification. Use the steps below to install the signature.

  1. Check whether SNMP is enabled using the command show snmp. If it is not enabled, configure the “snmp-server manager” command.

    show snmp 
    %SNMP agent not enabled  
    
    config t 
    snmp-server manager 
    end  
    
    show snmp 
    Chassis: ABCDEFGHIGK 
    149655 SNMP packets input 
        0 Bad SNMP version errors 
        1 Unknown community name 
        0 Illegal operation for community name supplied 
        0 Encoding errors 
        37763 Number of requested variables 
        2 Number of altered variables 
        34560 Get-request PDUs 
        138 Get-next PDUs 
        2 Set-request PDUs 
        0 Input queue packet drops (Maximum queue size 1000) 
    158277 SNMP packets output 
        0 Too big errors (Maximum packet size 1500) 
        20 No such name errors 
        0 Bad values errors 
        0 General errors 
        7998 Response PDUs 
        10280 Trap PDUs 
    Packets currently in SNMP process input queue: 0 
    SNMP global trap: enabled 
  2. Download DS 65221 using the following options in Diagnostic Signatures Lookup Tool:

    Field Name      Field Value
    Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
    Product         CUBE Enterprise in Webex Calling Solution
    Problem Scope   Performance
    Problem Type    SIP abnormal call disconnect detection with Email and Syslog Notification.

  3. Copy the DS XML file to the Local Gateway.

    copy ftp://username:password@<server name or ip>/DS_65221.xml bootflash:
  4. Install the DS XML file in the Local Gateway.

    
    call-home diagnostic-signature load DS_65221.xml 
    Load file DS_65221.xml success 
  5. Verify that the signature is successfully installed using show call-home diagnostic-signature. The status column should have a “registered” value.

Install diagnostic signatures to troubleshoot a problem

Diagnostic Signatures (DS) can also be used to resolve issues quickly. Cisco TAC engineers have authored several signatures that enable the necessary debugs that are required to troubleshoot a given problem, detect the problem occurrence, collect the right set of diagnostic data and transfer the data automatically to the Cisco TAC case. This eliminates the need to manually check for the problem occurrence and makes troubleshooting of intermittent and transient issues a lot easier.

You can use the Diagnostic Signatures Lookup Tool to find the applicable signatures and install them to self-solve a given issue, or you can install the signature that the TAC engineer recommends as part of the support engagement.

Here is an example of how to find and install a DS to detect the occurrence of the “%VOICE_IEC-3-GW: CCAPI: Internal Error (call spike threshold): IEC=1.1.181.1.29.0” syslog and automate diagnostic data collection using the following steps:

  1. Configure an additional DS environment variable ds_fsurl_prefix which is the CiscoTAC file server path (cxd.cisco.com) to which the collected diagnostics data are uploaded. The username in the file path is the case number and the password is the file upload token which can be retrieved from Support Case Manager as shown in the following. The file upload token can be generated in the Attachments section of the Support Case Manager, as required.

    
    configure terminal 
    call-home  
    diagnostic-signature 
    environment ds_fsurl_prefix "scp://<case number>:<file upload token>@cxd.cisco.com"  
    end 

    Example:

    
    call-home  
    diagnostic-signature 
    environment ds_fsurl_prefix "scp://612345678:abcdefghijklmnop@cxd.cisco.com"  
  2. Ensure that SNMP is enabled using the command show snmp. If it is not enabled, configure the “snmp-server manager” command.

    
    show snmp 
    %SNMP agent not enabled 
     
    config t 
    snmp-server manager 
    end 
  3. We recommend installing the High CPU monitoring DS 64224 as a proactive measure to disable all debugs and diagnostic signatures during the time of high CPU utilization. Download DS 64224 using the following options in Diagnostic Signatures Lookup Tool:

    Field Name      Field Value
    Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
    Product         CUBE Enterprise in Webex Calling Solution
    Problem Scope   Performance
    Problem Type    High CPU Utilization with Email Notification.

  4. Download DS 65095 using the following options in Diagnostic Signatures Lookup Tool:

    Field Name      Field Value
    Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
    Product         CUBE Enterprise in Webex Calling Solution
    Problem Scope   Syslogs
    Problem Type    Syslog - %VOICE_IEC-3-GW: CCAPI: Internal Error (Call spike threshold): IEC=1.1.181.1.29.0

  5. Copy the DS XML files to the Local Gateway.

    
    copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash: 
    copy ftp://username:password@<server name or ip>/DS_65095.xml bootflash: 
  6. Install the High CPU monitoring DS 64224 and then DS 65095 XML file in the Local Gateway.

    
    call-home diagnostic-signature load DS_64224.xml 
    Load file DS_64224.xml success 
    call-home diagnostic-signature load DS_65095.xml 
    Load file DS_65095.xml success 
    
  7. Verify that the signature is successfully installed using show call-home diagnostic-signature. The status column should have a “registered” value.

    
    show call-home diagnostic-signature  
    Current diagnostic-signature settings: 
     Diagnostic-signature: enabled 
     Profile: CiscoTAC-1 (status: ACTIVE) 
     Downloading  URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService 
     Environment variable: 
               ds_email: username@gmail.com 
               ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com 

    Downloaded DSes:

    DS ID   DS Name                          Revision  Status      Last Update (GMT+00:00)
    64224   DS_LGW_CPU_MON75                 0.0.10    Registered  2020-11-08 00:07:45
    65095   DS_LGW_IEC_Call_spike_threshold  0.0.12    Registered  2020-11-08 00:12:53

Verify diagnostic signatures execution

In the following output, the “Status” column of show call-home diagnostic-signature changes to “running” while the Local Gateway executes the action defined within the signature. The output of show call-home diagnostic-signature statistics is the best way to verify whether a diagnostic signature detected an event of interest and executed the action. The “Triggered/Max/Deinstall” column indicates the number of times the given signature has triggered an event, the maximum number of times it is defined to detect an event, and whether the signature deinstalls itself after detecting the maximum number of triggered events.

show call-home diagnostic-signature  
Current diagnostic-signature settings: 
 Diagnostic-signature: enabled 
 Profile: CiscoTAC-1 (status: ACTIVE) 
 Downloading  URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService 
 Environment variable: 
           ds_email: carunach@cisco.com 
           ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com 

Downloaded DSes:

DS ID   DS Name                          Revision  Status      Last Update (GMT+00:00)
64224   DS_LGW_CPU_MON75                 0.0.10    Registered  2020-11-08 00:07:45
65095   DS_LGW_IEC_Call_spike_threshold  0.0.12    Running     2020-11-08 00:12:53

show call-home diagnostic-signature statistics

DS ID   DS Name                          Triggered/Max/Deinstall  Average Run Time (seconds)  Max Run Time (seconds)
64224   DS_LGW_CPU_MON75                 0/0/N                    0.000                       0.000
65095   DS_LGW_IEC_Call_spike_threshold  1/20/Y                   23.053                      23.053

The notification email sent during Diagnostic Signature execution contains key information such as issue type, device details, software version, running configuration and show command outputs that are relevant to troubleshoot the given problem.
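The show output above prints the ds_fsurl_prefix file upload token in the clear, and the mail-server and copy commands on this page carry passwords inline. The following added example (not Cisco code) masks those values before such output is pasted into a ticket or chat and reports where they were found. The function name `scrub`, the `<redacted>` marker and the second mail-server line (credentials without `secure tls`) are assumptions made for illustration.

```python
import re

# Constructed sample built from the command forms on this page. The second
# mail-server line (credentials, no "secure tls") is an assumed form.
SAMPLE = """\
call-home
 mail-server tacfaststart:password@smtp.gmail.com priority 1 secure tls
 mail-server opsuser:p@ss@mail.example.net priority 2
 diagnostic-signature
  environment ds_fsurl_prefix "scp://612345678:abcdefghijklmnop@cxd.cisco.com"
copy ftp://username:password@192.0.2.12/DS_64224.xml bootflash:
"""

MASK = "<redacted>"
# scheme://user:secret@ ; the secret is matched greedily up to the last "@"
# before the path, so a password that itself contains "@" is fully masked.
URL = re.compile(r'([a-z][a-z0-9+.-]*)://([^\s:/@"]+):([^\s/"]+)@', re.I)
# call-home form without a scheme: mail-server user:secret@host <options>
MAIL = re.compile(r"^(\s*mail-server\s+)([^\s:@]+):(\S+)@(\S+)(.*)$")
CLEARTEXT_SCHEMES = {"ftp", "http"}


def scrub(text):
    """Return (redacted_text, findings); findings are (line_no, issue) tuples."""
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        mail = MAIL.match(line)
        if mail:
            findings.append((no, "smtp-password-in-config"))
            if "secure tls" not in mail.group(5):
                findings.append((no, "smtp-password-without-tls"))
            line = f"{mail.group(1)}{mail.group(2)}:{MASK}@{mail.group(4)}{mail.group(5)}"
        for url in URL.finditer(line):
            scheme = url.group(1).lower()
            findings.append((no, f"{scheme}-url-password"))
            if scheme in CLEARTEXT_SCHEMES:
                findings.append((no, "password-over-cleartext-protocol"))
        # Keep the user name (the case number for cxd.cisco.com), mask the secret.
        line = URL.sub(lambda u: f"{u.group(1)}://{u.group(2)}:{MASK}@", line)
        out.append(line)
    return "\n".join(out), findings


if __name__ == "__main__":
    redacted, issues = scrub(SAMPLE)
    print(redacted)
    for line_no, issue in issues:
        print(f"line {line_no}: {issue}")
```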

Uninstall diagnostic signatures

Diagnostic signatures used for troubleshooting purposes are typically defined to uninstall after detection of a certain number of problem occurrences. If you wish to uninstall a signature manually, retrieve the DS ID from the output of show call-home diagnostic-signature and run the following command:

call-home diagnostic-signature deinstall <DS ID> 

Example:

call-home diagnostic-signature deinstall 64224 

New signatures are added to Diagnostics Signatures Lookup Tool periodically, based on issues that are commonly observed in deployments. TAC currently doesn’t support requests to create new custom signatures.