Local Gateway Configuration Task Flow

Use this task flow to configure local gateways for your Webex Calling deployment. The steps that follow are performed on the CLI interface itself. The trunk between the local gateway and Webex Calling is always secured using SIP TLS transport and SRTP for media between Local gateway and the Webex Calling Access SBC.

Before you begin

  • Meet the local gateway requirements for Webex Calling.

  • Create a local gateway in Control Hub.

  • The configuration guidelines provided in this document assume that a dedicated local gateway platform is in place with no existing voice configuration. If an existing PSTN gateway or CUBE enterprise deployment is being modified to also use the local gateway function for Webex Calling, pay careful attention to the configuration applied and make sure existing call flows and functionality are not interrupted as a result of changes that you make.

  Command or Action Purpose
1

Parameter Mapping Between Cisco Webex Control Hub and Cisco Unified Border Element

Use this table as a reference for the parameters that come from Control Hub and where they map onto the local gateway.
2

Perform Reference Platform Configuration

Implement these steps as a common global configuration for the local gateway. The configuration includes baseline platform configuration and a trust pool update.

3

Register Local Gateway to Webex Calling
4

Choose one, depending on your deployment:

Call Routing on the local gateway is based on the Webex Calling deployment option that you chose. This section assumes that IP PSTN termination is on the same platform as the local gateway. The configuration that follows is for one of these options on the local gateway:

  • The local gateway deployment option without an on-premises IP PBX. The local gateway and IP PSTN CUBE are coresident.

  • The local gateway deployment option within an existing Unified CM environment. The local gateway and IP PSTN CUBE are coresident.

Parameter Mapping Between Cisco Webex Control Hub and Cisco Unified Border Element

Table 1. Parameter Mapping Between Cisco Webex Control Hub and Local Gateway

Control Hub

Local Gateway

Registrar Domain:

Control Hub should parse the domain from the LinePort that is received from UCAPI.

example.com

registrar

example.com

Trunk Group OTG/DTG

sip profiles:

rule <rule-number> request ANY sip-header

From modify ">" ";otg=otgDtgId>"

Line/Port

user@example.com

number: user

Outbound Proxy

outbound proxy (DNS name – SRV of the Access SBC)

SIP Username

username

SIP Password

password

Perform Reference Platform Configuration

Before you begin

  • Ensure that baseline platform configuration such as NTPs, ACLs, enable passwords, primary password, IP routing, IP Addresses, and so on are configured according to your organization's policies and procedures.

  • Latest of IOS-XE 16.12 or IOS-XE 17.3 required for all LGW deployments.

1

Ensure that any layer 3 interfaces have valid and routable IP addresses assigned:

interface GigabitEthernet0/0/0
 description Interface facing PSTN and/or CUCM
 ip address 192.168.80.14 255.255.255.0
!
interface GigabitEthernet0/0/1
 description Interface facing Webex Calling
 ip address 192.168.43.197 255.255.255.0
2

You must preconfigure a master key for the password using the commands shown below before it can be used in the credentials and shared secrets. Type 6 passwords are encrypted using AES cypher and user-defined master key. 


LocalGateway#conf t
LocalGateway(config)#key config-key password-encrypt Password123
LocalGateway(config)#password encryption aes
3

Configure IP Name Server to enable DNS lookup and ensure it is reachable by pinging it:


LocalGateway#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LocalGateway(config)#ip name-server 8.8.8.8
LocalGateway(config)#end
4

Enable TLS 1.2 Exclusivity and a default Dummy Trustpoint:

  1. Create a dummy PKI Trustpoint and call it dummyTp

  2. Assign the trustpoint as the default signaling trustpoint under sip-ua

  3. cn-san-validate server is needed to ensure that the local gateway establishes the connection only if the outbound proxy configured on the tenant 200 (described later) matches with CN-SAN list received from the server.

  4. The crypto trustpoint is needed for TLS to work even though a local client certificate (for example, mTLS) is not required for the connection to be set up.

  5. Disable TLS v1.0 and v1.1 by enabling v1.2 exclusivity.

  6. Set tcp-retry count to 1000 (5 msec multiples = 5 seconds).

  7. (IOS-XE 17.3.2 and later) Set timers connection establish tls <wait-timer in sec>. Range is between 5 and 20 seconds and the default is 20 seconds. (LGW takes 20 seconds to detect the TLS connection failure before it attempts to establish a connection to the next available Webex Calling Access SBC. This CLI allows the admin to change the value to accommodate network conditions and detect connection failures with the Access SBC much faster). 


LocalGateway#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LocalGateway(config)#
LocalGateway(config)#crypto pki trustpoint dummyTp
LocalGateway(ca-trustpoint)# revocation-check crl
LocalGateway(ca-trustpoint)#exit

LocalGateway(config)#sip-ua
LocalGateway(config-sip-ua)# crypto signaling default trustpoint dummyTp cn-san-validate server

LocalGateway(config-sip-ua)# transport tcp tls v1.2
LocalGateway(config-sip-ua)# tcp-retry 1000
LocalGateway(config-sip-ua)#end
5

Update Local Gateway Trustpool:

The default trustpool bundle does not include the “DigiCert Root CA” certificate needed for validating the server side certificate during TLS connection establishment to Webex Calling.

The trustpool bundle must be updated by downloading the latest “Cisco Trusted Core Root Bundle” from http://www.cisco.com/security/pki/.

  1. Check if the DigiCert Room CA certificate exists:

    
LocalGateway#show crypto pki trustpool | include DigiCert

  2. If it doesn't exist, update as follows:

    
LocalGateway#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LocalGateway(config)#crypto pki trustpool import clean url 
http://www.cisco.com/security/pki/trs/ios_core.p7b
Reading file from http://www.cisco.com/security/pki/trs/ios_core.p7b
Loading http://www.cisco.com/security/pki/trs/ios_core.p7b 
% PEM files import succeeded.
LocalGateway(config)#end

  1. Verify:

    
LocalGateway#show crypto pki trustpool | include DigiCert
cn=DigiCert Global Root CA
o=DigiCert Inc
cn=DigiCert Global Root CA
o=DigiCert Inc

Register Local Gateway to Webex Calling

Before you begin

Ensure that you completed the steps in Control Hub to create a location and add a local gateway. In the example local gateway shown here, the information was obtained from Control Hub.

1

Enter these commands to turn on the local gateway application (see the Port Reference Information for Cisco Webex Calling for the latest IP subnets that need to be added to the trust list): 

LocalGateway#configure terminal
LocalGateway(config)#voice service voip
LocalGateway(conf-voi-serv)#ip address trusted list
LocalGateway(cfg-iptrust-list)#ipv4 x.x.x.x y.y.y.y
LocalGateway(cfg-iptrust-list)#exit
LocalGateway(conf-voi-serv)#allow-connections sip to sip
LocalGateway(conf-voi-serv)#media statistics
LocalGateway(conf-voi-serv)#media bulk-stats
LocalGateway(conf-voi-serv)#no supplementary-service sip refer
LocalGateway(conf-voi-serv)#no supplementary-service sip handle-replaces
LocalGateway(conf-voi-serv)# fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none

LocalGateway(conf-serv-stun)#stun
LocalGateway(conf-serv-stun)#stun flowdata agent-id 1 boot-count 4
LocalGateway(conf-serv-stun)#stun flowdata shared-secret 0 Password123$

LocalGateway(conf-serv-stun)#sip

   LocalGateway(conf-serv-sip)#g729 annexb-all
   LocalGateway(conf-serv-sip)#early-offer forced
   LocalGateway(conf-serv-sip)#end

Explanation of commands:

Toll-Fraud Prevention
Device(config)# voice service voip
Device(config-voi-serv)# ip address trusted list
Device(cfg-iptrust-list)# ipv4 x.x.x.x y.y.y.y

  • Explicitly enables the source IP addresses of entities from which the local gateway expects legitimate VoIP calls, such as Webex Calling peers, Unified CM nodes, IP PSTN.

  • By default, LGW blocks all incoming VoIP call setups from IP addresses not in its trusted list. IP Addresses from dial-peers with “session target ip” or Server Group are trusted by default and need not be populated here.

  • IP addresses in this list need to match the IP subnets according to the regional Webex Calling data center the customer is connected to. For more information, see Port Reference Information for Webex Calling.


     

    If your LGW is behind a firewall with restricted cone NAT, you may prefer to disable the IP address trusted list on the Webex Calling-facing interface. This is because the firewall already protects you from unsolicited inbound VoIP. This action would reduce your longer term configuration overhead, because we cannot guarantee that the addresses of the Webex Calling peers will remain fixed, and you would need to configure your firewall for the peers in any case.

  • Other IP addresses may need to be configured on other interfaces; for example, your Unified CM addresses may need to be added to the inward-facing interfaces.

  • IP addresses must match the IP of hosts the outbound-proxy resolves to in tenant 200

  • See https://www.cisco.com/c/en/us/support/docs/voice/call-routing-dial-plans/112083-tollfraud-ios.html for more information.

Media
voice service voip
 media statistics 
 media bulk-stats

  • Media Statistics enables media monitoring on the local gateway.

  • Media bulk-stats enables the control plane to poll the data plane for bulk call statistics.

SIP-to-SIP Basic Functionality
allow-connections sip to sip
Supplementary Services
 no supplementary-service sip refer
 no supplementary-service sip handle-replaces

Disables REFER and replaces dialog ID in Replaces header with the peer dialog ID.

See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr4/vcr4-cr-book/vcr-s12.html#wp2876138889 for more information.

Fax Protocol
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none

Enables T.38 for fax transport, though the fac traffic will not be encrypted.

Enable Global STUN
stun
  stun flowdata agent-id 1 boot-count 4
  stun flowdata shared-secret 0 Password123$

  • When a call is forwarded back to a Webex Calling user (for example, both the called and calling parties are Webex Calling subscribers and have the media anchored at the Webex Calling SBC), the media cannot flow to the local gateway as the pinhole isn't open.

  • The STUN bindings feature on the local gateway allows locally generated STUN requests to be sent over the negotiated media path. This helps in opening up the pinhole in the firewall.

  • STUN password is a prerequisite for the local gateway to send STUN messages out. IOS/IOS-XE based firewalls can be configured to check for this password and open pinholes dynamically (for example, without explicit in-out rules). But for the local gateway deployment case, the firewall is statically configured to open pinholes in and out based on the Webex Calling SBC sub nets. As such, the firewall should just treat this as any inbound UDP packet which will trigger the pinhole opening without explicitly looking at the packet contents.

G729
sip
  g729 annexb-all

Allows all variants of G729.

SIP
early-offer forced

Forces the local gateway to send the SDP information in the initial INVITE message instead of waiting for acknowledgement from the neighboring peer.

2

Configure “SIP Profile 200”.

LocalGateway(config)# voice class sip-profiles 200
LocalGateway (config-class)# rule 9 request ANY sip-header SIP-Req-URI modify "sips:(.*)" "sip:\1"
LocalGateway (config-class)# rule 10 request ANY sip-header To modify "<sips:(.*)" "<sip:\1"
LocalGateway (config-class)# rule 11 request ANY sip-header From modify "<sips:(.*)" "<sip:\1"
LocalGateway (config-class)# rule 12 request ANY sip-header Contact modify "<sips:(.*)>" "<sip:\1;transport=tls>" 
LocalGateway (config-class)# rule 13 response ANY sip-header To modify "<sips:(.*)" "<sip:\1"
LocalGateway (config-class)# rule 14 response ANY sip-header From modify "<sips:(.*)" "<sip:\1"
LocalGateway (config-class)# rule 15 response ANY sip-header Contact modify "<sips:(.*)" "<sip:\1"
LocalGateway (config-class)# rule 20 request ANY sip-header From modify ">" ";otg=hussain2572_lgu>"
LocalGateway (config-class)# rule 30 request ANY sip-header P-Asserted-Identity modify "sips:(.*)" "sip:\1"

These rules are

Explanation of commands:

  • rule 9 ensures the header is listed as “SIP-Req-URI” and not “SIP-Req-URL”

    This converts between SIP URIs and SIP URLs, because Webex Calling doesn't support SIP URIs in the request/response messages, but needs them for SRV queries, e.g. _sips._tcp.<outbound-proxy>.

  • rule 20 modifies the From header to include the Trunk Group OTG/DTG parameter from Control Hub to uniquely identify a LGW site within an enterprise.

  • This SIP Profile will be applied to voice class tenant 200 (discussed later) for all traffic facing Webex Calling.

3

Configure Codec Profile, STUN definition, and SRTP Crypto suite.

LocalGateway(config)# voice class codec 99
LocalGateway(config-class)# codec preference 1 g711ulaw
LocalGateway(config-class)# codec preference 2 g711alaw 
LocalGateway(config-class)# exit
LocalGateway(config)# voice class srtp-crypto 200
LocalGateway(config-class)# crypto 1 AES_CM_128_HMAC_SHA1_80
LocalGateway(config-class)# exit
LocalGateway(config)# voice class stun-usage 200
LocalGateway(config-class)# stun usage firewall-traversal flowdata
LocalGateway(config-class)# stun usage ice lite
LocalGateway(config-class)# exit

Explanation of commands:

  • Voice class codec 99: Allows both g711 (mu and a-law) codecs for sessions. Is applied to all the dial-peers.

  • Voice class srtp-crypto 200: Specifies SHA1_80 as the only SRTP cipher-suite that's offered by local gateway in the SDP in offer and answer. Webex Calling only supports SHA1_80.

  • Will be applied to voice class tenant 200 (discussed later) facing Webex Calling.

  • Voice class stun-usage 200: Defines STUN usage. Is applied to all Webex Calling-facing (2XX tag) dial-peers to avoid no way audio when a Unified CM phone forwards the call to another Webex Calling phone.


 

In cases where media is anchored at the ITSP SBC and the Local Gateway is behind a NAT and waiting for the inbound media stream from ITSP, this command may be applied on ITSP facing dial-peers.


 

Stun usage ice lite is required for call flows utilizing media path optimization.
4

Map Control Hub parameters to local gateway configuration:

Webex Calling is added as a tenant within the local gateway. The configuration required to register the local gateway is defined under voice class tenant 200. You must obtain the elements of that configuration from the local gateway administration page within the Control Hub as shown in this screenshot. This is an example to display what fields map to the respective local gateway CLI.

Tenant 200 is then applied to all the Webex Calling facing dial-peers (2xx tag) within the local gateway configuration. The voice class tenant feature allows for grouping and configuring of SIP trunk parameters otherwise done under voice service voip and sip-ua. When a tenant is configured and applied under a dial-peer, the IOS-XE configurations are applied in the following order of preference:

  • Dial-peer configuration

  • Tenant configuration

  • Global configuration (voice service voip / sip-ua)
5

Configure voice class tenant 200 to enable Trunk Registration from LGW to Webex Calling based on the parameters you've obtained from Control Hub:


 

The command line and parameters below are examples only. You must use the parameters for your own deployment.

 
LocalGateway(config)#voice class tenant 200
  registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls
  credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
  authentication username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
  authentication username Hussain2572_LGU password 0 meX7]~)VmF realm 40462196.cisco-bcld.com
  no remote-party-id
  sip-server dns:40462196.cisco-bcld.com
  connection-reuse
  srtp-crypto 200
  session transport tcp tls 
  url sips 
  error-passthru
  asserted-id pai 
  bind control source-interface GigabitEthernet0/0/1
  bind media source-interface GigabitEthernet0/0/1
  no pass-thru content custom-sdp 
  sip-profiles 200 
  outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com  
  privacy-policy passthru

Explanation of commands:

voice class tenant 200

A local gateway's multitenant feature enables specific global configurations for multiple tenants on SIP trunks that allow differentiated services for tenants.

registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls

Registrar server for the Local gateway with the registration set to refresh every two minutes (50% of 240 seconds). For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr3/vcr3-cr-book/vcr-r1.html#wp1687622014.

credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX71]~)Vmf realm BroadWorks

Credentials for Trunk Registration challenge. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-c6.html#wp3153621104.

authentication username Hussain2572_LGU password 0 meX71]~)Vmf realm BroadWorks
authentication username Hussain2572_LGU password 0 meX71]~)Vmf realm 40462196.cisco-bcld.com

Authentication challenge for calls. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-a1.html#wp1551532462.

no remote-party-id

Disable SIP Remote-Party-ID (RPID) header as Webex Calling supports PAI, which is enabled using CIO asserted-id pai (see below).

sip-server dns:40462196.cisco-bcld.com
Webex Calling servers. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr1/vcr1-cr-book/vcr-a1.html#wp1551532462
connection-reuse

To use the same persistent connection for registration and call processing.

srtp-crypto 200

Specifies SHA1_80 as defined in voice class srtp-crypto 200.

session transport tcp tls
Sets transport to TLS
url sips

SRV query has to be SIPs as supported by the access SBC; all other messages are changed to SIP by sip-profile 200.

error-passthru

SIP error response pass-thru functionality

asserted-id pai

Turns on PAI processing in local gateway.

bind control source-interface GigabitEthernet0/0/1

Signaling source interface facing Webex Calling.

bind media source-interface GigabitEthernet0/0/1

Media source interface facing Webex Calling.

no pass-thru content custom-sdp

Default command under tenant.

sip-profiles 200

Changes SIPS to SIP and modify Line/Port for INVITE and REGISTER messages as defined in voice class sip-profiles 200.

outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com

Webex Calling Access SBC. For more information, see https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/vcr3/vcr3-cr-book/vcr-o1.html#wp3297755699.

privacy-policy passthru

Transparently pass across privacy header values from incoming to the outgoing leg.

After tenant 200 is defined within the local gateway and a SIP VoIP dial-peer is configured, the gateway then initiates a TLS connection towards Webex Calling, at which point the Access SBC presents its certificate to the local gateway. The local gateway validates the Webex Calling Access SBC certificate using the CA root bundle updated earlier. A persistent TLS session is established between the local gateway and Webex Calling Access SBC. The Local gateway then sends a REGISTER to the Access SBC which is challenged. Registration AOR is number@domain. The number is taken from credentials “number” parameter and domain from the “registrar dns:<fqdn>”. When the Registration is challenged, the username, password and realm parameters from credentials are used to build the header and sip-profile 200 converts SIPS URL back to SIP. Registration is successful once 200 OK is received from the Access SBC.

Configure Local Gateway Without IP PBX

The following configuration on the local gateway is required for this deployment option:

  1. Voice class tenants—First we will create additional tenants for dial-peers facing ITSP similar to tenant 200 that we created for Webex Calling facing dial-peers.

  2. Voice class URIs—Patterns defining host IP addresses/ports for various trunks terminating on Local Gateway: Webex Calling to LGW; and PSTN SIP trunk termination on LGW.

  3. Outbound dial-peers—To route outbound call legs from LGW to ITSP SIP trunk and Webex Calling.

  4. Voice class DPG—Target outbound dial-peers invoked from an inbound dial-peer.

  5. Inbound dial-peers—To accept inbound call legs from ITSP and Webex Calling.

Configuration in this section can be used for either partner-hosted local gateway setup, as shown below, or local customer site gateway.

1

Configure the following voice class tenants:

  1. Voice class tenant 100 is applied on all OUTBOUND dial-peers facing IP PSTN.

    voice class tenant 100 
  session transport udp
  url sip
  error-passthru
  bind control source-interface GigabitEthernet0/0/0
  bind media source-interface GigabitEthernet0/0/0
  no pass-thru content custom-sdp

  2. Voice class tenant 300 is applied on all INBOUND dial-peers from IP PSTN.

    voice class tenant 300 
  bind control source-interface GigabitEthernet0/0/0
  bind media source-interface GigabitEthernet0/0/0
  no pass-thru content custom-sdp
2

Configure the following voice class URI:

  1. Define ITSP’s host IP address:

    voice class uri 100 sip
  host ipv4:192.168.80.13

  2. Define pattern to uniquely identify a local gateway site within an Enterprise based on Control Hub's TrunkGroup OTG/DTG parameter:

    voice class uri 200 sip
 pattern dtg=hussain2572.lgu

     

    Local gateway doesn't currently support underscore "_" in the match pattern. As a workaround, we use dot "." (match any) to match the "_". 

    Received
INVITE sip:+16785550123@198.18.1.226:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
   Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1
 pattern :8934
3

Configure the following outbound dial peers:

  1. Outbound dial-peer toward IP PSTN:

    dial-peer voice 101 voip 
 description Outgoing dial-peer to IP PSTN
 destination-pattern BAD.BAD
 session protocol sipv2
 session target ipv4:192.168.80.13
 voice-class codec 99
 dtmf-relay rtp-nte
 voice-class sip tenant 100
 no vad

    Explanation of Commands:

    dial-peer voice 101 voip
 description Outgoing dial-peer to PSTN

    Defines a VOIP dial-peer with a tag of 101 and a meaningful description is given for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    Digit pattern that allows selection of this dial-peer. However, we will invoke this outgoing dial-peer directly from the inbound dial-peer using DPG statements and that bypasses the digit pattern match criteria. As a result, we're using an arbitrary pattern based on alphanumeric digits allowed by the destination-pattern CLI.

    session protocol sipv2

    Specifies that this dial-peer will be handling SIP call legs.

    session target ipv4:192.168.80.13

    Indicates the destination’s target IPv4 address where this call leg will be sent. In this case, ITSP’s IP address.

    voice-class codec 99

    Indicates codec preference list 99 to be used for this dial-peer.

    dtmf-relay rtp-nte

    Defines RTP-NTE (RFC2833) as the DTMF capability expected on this call leg.

    voice-class sip tenant 100

    The dial-peer will inherit all the parameters from Tenant 100 unless that same parameter is defined under the dial-peer itself.

    no vad

    Disables voice activity detection.

  2. Outbound dial-peer towards Webex Calling (This dial-peer will be updated to serve as Inbound dial-peer from Webex Calling as well later in the configuration guide). 

    dial-peer voice 200201 voip
 description Inbound/Outbound Webex Calling
 destination-pattern BAD.BAD
 session protocol sipv2
 session target sip-server
 voice-class codec 99
 dtmf-relay rtp-nte
 voice-class stun-usage 200
 no voice-class sip localhost
 voice-class sip tenant 200
 srtp
 no vad

    Explanation of commands:

    dial-peer voice 200201 voip
     description Inbound/Outbound Webex Calling

    Defines a VOIP dial-peer with a tag of 200201 and a meaningful description is given for ease of management and troubleshooting

    session target sip-server

    Indicates that the global SIP server is the destination for calls from this dial peer. Webex Calling server defined in tenant 200 is inherited for this dial-peer.

    voice-class stun-usage 200

    The STUN bindings feature on the local gateway allows locally generated STUN requests to be sent over the negotiated media path. This helps in opening up the pinhole in the firewall.

    no voice-class sip localhost

    Disables substitution of the DNS localhost name in place of the physical IP address in the From, Call-ID, and Remote-Party-ID headers of outgoing messages.

    voice-class sip tenant 200

    The dial-peer inherits all the parameters from Tenant 200 (LGW <--> Webex Calling Trunk) unless that same parameter is defined under the dial-peer itself.

    srtp

    SRTP is enabled for this call leg.

    no vad

    Disables voice activity detection.
4

Configure the following dial-peer groups (DPG):

  1. Defines dial-peer group 100. Outbound dial-peer 101 is the target for any incoming dial-peer invoking dial-peer group 100. We will apply DPG 100 to incoming dial-peer 200201 for Webex Calling --> LGW --> PSTN path. 

    voice class dpg 100
 description Incoming WxC(DP200201) to IP PSTN(DP101)
 dial-peer 101 preference 1

  2. Define dial-peer group 200 with outbound dial-peer 200201 as the target for PSTN --> LGW --> Webex Calling path. DPG 200 will be applied to incoming dial-peer 100 defined later. 

    voice class dpg 200
 description Incoming IP PSTN(DP100) to Webex Calling(DP200201)
 dial-peer 200201 preference 1
5

Configure the following Inbound dial-peers:

  1. Inbound dial-peer for incoming IP PSTN call legs:

    dial-peer voice 100 voip
 description Incoming dial-peer from PSTN
 session protocol sipv2
 destination dpg 200
 incoming uri via 100
 voice-class codec 99
 dtmf-relay rtp-nte
 voice-class sip tenant 300
 no vad

    Explanation of Commands

    dial-peer voice 100 voip
description Incoming dial-peer from PSTN

    Defines a VOIP dial-peer with a tag of 100 and a meaningful description is given for ease of management and troubleshooting.

    session protocol sipv2

    Specifies that this dial-peer will be handling SIP call legs.

    incoming uri via 100

    All incoming traffic from IP PSTN to LocalGW is matched on the incoming VIA header’s host IP address defined in voice class URI 100 SIP to match based on source IP (ITSP’s) address.

    destination dpg 200

    With the destination dpg 200, IOS-XE by passes the classic outbound dial-peer matching criteria and straight away proceeds to setup the outgoing call leg using dial-peers defined within destination Dial-peer group 200, which is dial-peer 200201.

    voice-class sip tenant 300

    The dial-peer will inherit all the parameters from Tenant 300 unless that same parameter is defined under the dial-peer itself.

    no vad

    Disables voice activity detection.

  2. Inbound dial-peer for incoming Webex Calling call legs: 

    dial-peer voice 200201 voip
 description Inbound/Outbound Webex Calling
 max-conn 150
 destination dpg 100
 incoming uri request 200

    Explanation of Commands

    dial-peer voice 200201 voip
description Inbound/Outbound Webex Calling

    Updates a VOIP dial-peer with a tag of 200201 and a meaningful description is given for ease of management and troubleshooting.

    incoming uri request 200

    All incoming traffic from Webex Calling to LGW can be matched on the unique dtg pattern in the request URI, uniquely identifying the local gateway site within an Enterprise and in the Webex Calling ecosystem.

    destination dpg 100

    With the destination dpg 100, IOS-XE by passes the classic outbound dial-peer matching criteria and straight away proceeds to setup the outgoing call leg using dial-peers defined within destination Dial-peer group 100, which is dial-peer 101.

    max-conn 150

    Restricts the number of concurrent calls to 150 between the LGW and Webex Calling, assuming a single dial-peer facing Webex Calling for both inbound and outbound calls as defined in this guide. For more details on concurrent call limits involving local gateway, visit https://www.cisco.com/c/dam/en/us/td/docs/solutions/PA/mcp/DEPLOYMENT_CALLING_Unified_CM_to_Webex_Calling.pdf.

PSTN to Webex Calling

All incoming IP PSTN call legs on the local gateway are matched on dial-peer 100 as it defines a match criteria for the VIA header with the IP PSTN’s IP address. Outbound dial-peer selection is dictated by DPG 200 that directly invokes outgoing dial-peer 200201, which has the Webex Calling server listed as the target destination.

Webex Calling to PSTN

All incoming Webex Calling call legs on the local gateway are matched on dial-peer 200201 as it meets a match criteria for the REQUEST URI header pattern with the TrunkGroup OTG/DTG parameter, unique to this local gateway deployment. Outbound dial-peer selection is dictated by DPG 100 that directly invokes outgoing dial-peer 101, which has the IP PSTN IP address listed as the target destination.

Configure Local Gateway with an Existing Unified CM Environment

For this deployment option, the following configuration on the local gateway is required:

  1. Voice class tenants—You must create additional tenants for dial-peers facing Unified CM and ITSP, similar to tenant 200 that we created for Webex Calling facing dial-peers.

  2. Voice class URIs—Patterns defining host IP addresses/ports for various trunks terminating on the LGW: from Unified CM to LGW for PSTN destinations; Unified CM to LGW for Webex Calling destinations; Webex Calling to LGW; and PSTN SIP trunk termination on LGW.

  3. Voice class server-group—Target IP addresses/ports for outbound trunks from LGW to Unified CM, LGW to Webex Calling, and LGW to PSTN SIP trunk.

  4. Outbound dial-peers—To route outbound call legs from LGW to Unified CM, ITSP SIP trunk, and/or Webex Calling.

  5. Voice class DPG—Target outbound dial-peer(s) invoked from an inbound dial-peer.

  6. Inbound dial-peers —To accept inbound call legs from Unified CM, ITSP, and/or Webex Calling.

1

Configure the following voice class tenants:

  1. Voice class tenant 100 is applied on all outbound dial-peers facing Unified CM and IP PSTN:

    voice class tenant 100 
  session transport udp
  url sip
  error-passthru
  bind control source-interface GigabitEthernet0/0/0
  bind media source-interface GigabitEthernet0/0/0
  no pass-thru content custom-sdp

  2. Voice class tenant 300 will be applied on all inbound dial-peers from Unified CM and IP PSTN:

    voice class tenant 300 
  bind control source-interface GigabitEthernet0/0/0
  bind media source-interface GigabitEthernet0/0/0
  no pass-thru content custom-sdp
2

Configure the following voice class URIs:

  1. Defines ITSP’s host IP address:

    voice class uri 100 sip
  host ipv4:192.168.80.13

  2. Define pattern to uniquely identify a local gateway site within an Enterprise based on Control Hub's TrunkGroup OTG/DTG parameter:

    voice class uri 200 sip
 pattern dtg=hussain2572.lgu

     

    The local gateway doesn't currently support underscore "_" in the match pattern. As a workaround, we use dot "." (match any) to match the "_". 

    Received
INVITE sip:+16785550123@198.18.1.226:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
   Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1
 pattern :8934

  3. Defines Unified CM signaling VIA port for the Webex Calling trunk:

    voice class uri 300 sip
 pattern :5065

  4. Defines CUCM source signaling IP and VIA port for PSTN trunk:

    voice class uri 302 sip
 pattern 192.168.80.60:5060
3

Configure the following voice class server-groups:

  1. Defines Unified CM trunk’s target host IP address and port number for Unified CM Group 1 (5 nodes). Unified CM uses port 5065 for inbound traffic on the Webex Calling trunk (Webex Calling <-> LGW --> Unified CM). 

    voice class server-group 301
 ipv4 192.168.80.60 port 5065

  2. Defines Unified CM trunk’s target host IP address and port number for Unified CM Group 2 if applicable:

    voice class server-group 303
 ipv4 192.168.80.60 port 5065

  3. Defines Unified CM trunk’s target host IP address for Unified CM Group 1 (5 nodes). Unified CM uses default port 5060 for inbound traffic on the PSTN trunk. With no port number specified, default 5060 is used. (PSTN <-> LGW --> Unified CM) 

    voice class server-group 305
 ipv4 192.168.80.60

  4. Defines Unified CM trunk’s target host IP address for Unified CM Group 2, if applicable.

    voice class server-group 307 
 ipv4 192.168.80.60
4

Configure the following outbound dial-peers:

  1. Outbound dial-peer towards IP PSTN:

    dial-peer voice 101 voip 
 description Outgoing dial-peer to IP PSTN
 destination-pattern BAD.BAD
 session protocol sipv2
 session target ipv4:192.168.80.13
 voice-class codec 99
 dtmf-relay rtp-nte
 voice-class sip tenant 100
 no vad

    Explanation of commands

    dial-peer voice 101 voip
description Outgoing dial-peer to PSTN

    Defines a VOIP dial-peer with a tag of 101 and a meaningful description is given for ease of management and troubleshooting.

    destination-pattern BAD.BAD

    Digit pattern that will allow selection of this dial-peer. However, we will invoke this outgoing dial-peer directly from the inbound dial-peer using DPG statements and that bypasses the digit pattern match criteria. As a result, we're using an arbitrary pattern based on alphanumeric digits allowed by the destination-pattern CLI.

    session protocol sipv2

    Specifies that this dial-peer will be handling SIP call legs.

    session target ipv4:192.168.80.13

    Indicates the destination’s target IPv4 address where this call leg will be send. (In this case, ITSP’s IP address.)

    voice-class codec 99

    Indicates codec preference list 99 to be used for this dial-peer.

    voice-class sip tenant 100

    The dial-peer will inherit all the parameters from Tenant 100 unless that same parameter is defined under the dial-peer itself.

  2. Outbound dial-peer towards Webex Calling (This dial-peer will be updated to serve as Inbound dial-peer from Webex Calling as well later in the configuration guide.): 

    dial-peer voice 200201 voip
 description Inbound/Outbound Webex Calling
 destination-pattern BAD.BAD
 session protocol sipv2
 session target sip-server
 voice-class codec 99
 dtmf-relay rtp-nte
 voice-class stun-usage 200
 no voice-class sip localhost
 voice-class sip tenant 200
 srtp
 no vad

    Explanation of commands

    dial-peer voice 200201 voip
 description Inbound/Outbound Webex Calling

    Defines a VOIP dial-peer with a tag of 200201 and a meaningful description is given for ease of management and troubleshooting.

    session target sip-server

    Indicates that the global SIP server is the destination for calls from this dial peer. Webex Calling server defined in tenant 200 will be inherited for this dial-peer.

    voice-class stun-usage 200

    The STUN bindings feature on the LGW allows locally generated STUN requests to be sent over the negotiated media path. This helps in opening up the pinhole in the firewall.

    no voice-class sip localhost

    Disables subsititution of the DNS localhost name in place of the physical IP address in the From, Call-ID, and Remote-Party-ID headers of outgoing messages.

    voice-class sip tenant 200

    The dial-peer inherits all the parameters from Tenant 200 (LGW <--> Webex Calling Trunk) unless that same parameter is defined under the dial-peer itself.

    srtp

    SRTP is enabled for this call leg.

  3. Outbound dial-peer toward Unified CM's Webex Calling Trunk:

    dial-peer voice 301 voip
 description Outgoing dial-peer to CUCM-Group-1 for 
inbound from Webex Calling - Nodes 1 to 5
 destination-pattern BAD.BAD
 session protocol sipv2
 session server-group 301
 voice-class codec 99
 dtmf-relay rtp-nte
 voice-class sip tenant 100
 no vad

    Explanation of Commands

    dial-peer voice 301 voip
description Outgoing dial-peer to CUCM-Group-1 for 
inbound from Webex Calling – Nodes 1 to 5

    Defines a VOIP dial-peer with a tag of 301 and a meaningful description is given for ease of management and troubleshooting.

    session server-group 301

    Instead of session target IP in the dial-peer, we are pointing to a Destination Server Group (server-group 301 for dial-peer 301) to define multiple target UCM nodes though the example only shows a single node.

    Server Group in Outbound Dial Peer

    With multiple dial-peers in the DPG and multiple servers in the dial-peer server group, we can achieve random distribution of calls over all Unified CM call processing subscribers or hunt based on a defined preference. Each server group can have up to five servers (IPv4/v6 with or without port). A second dial-peer and second server group is only required if more than five call processing subscribers are used.

    See https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/multiple-server-groups.html for more information.

  4. Second outbound dial-peer toward Unified CM's Webex Calling Trunk if you have more than 5 Unified CM nodes:

    dial-peer voice 303 voip
 description Outgoing dial-peer to CUCM-Group-2 
for inbound from Webex Calling - Nodes 6 to 10
 destination-pattern BAD.BAD
 session protocol sipv2
 session server-group 303
 voice-class codec 99
 dtmf-relay rtp-nte
 voice-class sip tenant 100
 no vad

  5. Outbound dial-peer toward Unified CM's PSTN trunk:

    dial-peer voice 305 voip
 description Outgoing dial-peer to CUCM-Group-1 
for inbound from PSTN - Nodes 1 to 5
 destination-pattern BAD.BAD
 session protocol sipv2
 session server-group 305
 voice-class codec 99 
 dtmf-relay rtp-nte
 voice-class sip tenant 100
 no vad

  6. Second outbound dial-peer toward Unified CM’s PSTN Trunk if you have more than 5 Unified CM nodes:

    dial-peer voice 307 voip
 description Outgoing dial-peer to CUCM-Group-2 
for inbound from PSTN - Nodes 6 to 10
 destination-pattern BAD.BAD
 session protocol sipv2
 session server-group 307
 voice-class codec 99  
 dtmf-relay rtp-nte
 voice-class sip tenant 100
 no vad
5

Configure the following DPG:

  1. Defines DPG 100. Outbound dial-peer 101 is the target for any incoming dial-peer invoking dial-peer group 100. We will apply DPG 100 to incoming dial-peer 302 defined later for the Unified CM --> LGW --> PSTN path: 

    voice class dpg 100
 dial-peer 101 preference 1

  2. Define DPG 200 with outbound dial-peer 200201 as the target for Unified CM --> LGW --> Webex Calling path: 

    voice class dpg 200
 dial-peer 200201 preference 1

  3. Define DPG 300 for outbound dial-peers 301 or 303 for the Webex Calling --> LGW --> Unified CM path: 

    voice class dpg 300
 dial-peer 301 preference 1
 dial-peer 303 preference 1

  4. Define DPG 302 for outbound dial-peers 305 or 307 for the PSTN --> LGW --> Unified CM path: 

    voice class dpg 302
 dial-peer 305 preference 1
 dial-peer 307 preference 1
6

Configure the following inbound dial-peers:

  1. Inbound dial-peer for incoming IP PSTN call legs:

    dial-peer voice 100 voip
 description Incoming dial-peer from PSTN
 session protocol sipv2
 destination dpg 302
 incoming uri via 100
 voice-class codec 99
 dtmf-relay rtp-nte
 voice-class sip tenant 300
 no vad

    Explanation of Commands

    dial-peer voice 100 voip
description Incoming dial-peer from PSTN

    Defines a VOIP dial-peer with a tag of 100 and a meaningful description is given for ease of management and troubleshooting.

    session protocol sipv2

    Specifies that this dial-peer will be handling SIP call legs.

    incoming uri via 100

    All incoming traffic from IP PSTN to LGW is matched on the incoming VIA header’s host IP address defined in voice class URI 100 SIP to match based on source IP (ITSP’s) address.

    destination dpg 302

    With the destination DPG 302, IOS-XE by passes the classic outbound dial-peer matching criteria and straight away proceeds to setup the outgoing call leg using dial-peers defined within destination DPG 302, which can be either dial-peer 305 or dial-peer 307.

    voice-class sip tenant 300

    The dial-peer will inherit all the parameters from Tenant 300 unless that same parameter is defined under the dial-peer itself.

  2. Inbound dial-peer for incoming Webex Calling call legs: 

    dial-peer voice 200201 voip
 description Inbound/Outbound Webex Calling
 max-conn 150
 destination dpg 300
 incoming uri request 200

    Explanation of Commands

    dial-peer voice 200201 voip
description Inbound/Outbound Webex Calling

    Updates a VOIP dial-peer with a tag of 200201 and a meaningful description is given for ease of management and troubleshooting.

    incoming uri request 200

    All incoming traffic from Webex Calling to LGW can be matched on the unique dtg pattern in the request URI, uniquely identifying a local gateway site within an Enterprise and in the Webex Calling ecosystem.

    destination dpg 300

    With the destination DPG 300, IOS-XE by passes the classic outbound dial-peer matching criteria and straight away proceeds to setup the outgoing call leg using dial-peers defined within destination DPG 300, which can be either dial-peer 301 or dial-peer 303.

    max-conn 150

    Restricts the number of concurrent calls to 150 between the LGW and Webex Calling assuming a single dial-peer facing Webex Calling for both inbound and outbound calls as defined in this guide. For more details about concurrent call limits involving local gateway, visit https://www.cisco.com/c/dam/en/us/td/docs/solutions/PA/mcp/DEPLOYMENT_CALLING_Unified_CM_to_Webex_Calling.pdf.

  3. Inbound dial-peer for incoming Unified CM call legs with Webex Calling as the destination: 

    dial-peer voice 300 voip
 description Incoming dial-peer from CUCM for Webex Calling
 session protocol sipv2
 destination dpg 200
 incoming uri via 300
 voice-class codec 99
 dtmf-relay rtp-nte
 voice-class sip tenant 300
 no vad

    Explanation of Commands

    dial-peer voice 300 voip
description Incoming dial-peer from CUCM for Webex Calling

    Defines a VOIP dial-peer with a tag of 300 and a meaningful description is given for ease of management and troubleshooting.

    incoming uri via 300

    All incoming traffic from Unified CM to LGW is matched on the via source port (5065), defined in voice class URI 300 SIP.

    destination dpg 200

    With the destination DPG 200, IOS-XE by passes the classic outbound dial-peer matching criteria and straight away proceeds to setup the outgoing call leg using dial-peers defined within destination DPG 200, which will be dial-peer 200201.

    voice-class sip tenant 300

    The dial-peer will inherit all the parameters from Tenant 300 unless that same parameter is defined under the dial-peer itself.

  4. Inbound dial-peer for incoming Unified CM call legs with PSTN as the destination:

    dial-peer voice 302 voip
 description Incoming dial-peer from CUCM for PSTN
 session protocol sipv2
 destination dpg 100
 incoming uri via 302
 voice-class codec 99
 dtmf-relay rtp-nte
 voice-class sip tenant 300
 no vad

    Explanation of Commands

    dial-peer voice 302 voip
description Incoming dial-peer from CUCM for PSTN

    Defines a VOIP dial-peer with a tag of 302 and a meaningful description is given for ease of management and troubleshooting.

    incoming uri via 302

    All incoming traffic from Unified CM to LGW for a PSTN destination is matched on the Unified CM source signaling IP address and VIA port defined in voice class URI 302 SIP. Standard SIP port 5060 is used.

    destination dpg 100

    With the destination DPG 100, IOS-XE by passes the classic outbound dial-peer matching criteria and straight away proceeds to setup the outgoing call leg using dial-peers defined within destination DPG 100, which will be dial-peer 101.

    voice-class sip tenant 300

    The dial-peer will inherit all the parameters from Tenant 300 unless that same parameter is defined under the dial-peer itself.

IP PSTN to Unified CM PSTN Trunk

Webex Calling Platform to Unified CM Webex Calling Trunk

Unified CM PSTN Trunk to IP PSTN

Unified CM Webex Calling Trunk to Webex Calling Platform

Monitor and Troubleshoot Local Gateway with Diagnostic Signatures

Diagnostic Signatures (DS) proactively detects commonly observed issues in the IOS XE based local gateway and generates email, syslog or terminal message notification of the event. You can also install the DS to automate diagnostics data collection and transfer collected data to the Cisco TAC case to accelerate resolution time.

Diagnostic Signatures (DS) are XML files that contain information about problem trigger events and actions to be taken to inform, troubleshoot and remediate the issue. The problem detection logic is defined using syslog messages, SNMP events and through periodic monitoring of specific show command outputs. The action types include collecting show command outputs, generating a consolidated log file and uploading the file to a user provided network location such as HTTPS, SCP, FTP server. DS files are authored by TAC engineers and are digitally signed for integrity protection. Each DS file has a unique numerical ID assigned by the system. Diagnostic Signatures Lookup Tool (DSLT) is a single source to find applicable signatures for monitoring and troubleshooting a variety of problems.

Before you begin:

  • Do not edit the DS file downloaded from DSLT. Modified files will fail installation due to integrity check error.

  • A Simple Mail Transfer Protocol (SMTP) server is required for the local gateway to send out email notifications.

  • Ensure that the local gateway is running IOS XE 17.3.2 or higher if you wish to use secure SMTP server for email notifications.

Prerequisites

Local Gateway running IOS XE 17.3.2 or higher

  1. Diagnostic Signatures is enabled by default.

  2. Configure the secure email server to be used to send proactive notification if the device is running IOS XE 17.3.2 or higher.

    
LocalGateway#configure terminal 
LocalGateway(config)#call-home  
LocalGateway(cfg-call-home)#mail-server <username>:<pwd>@<email server> priority 1 secure tls 
LocalGateway(config)#end

  3. Configure the environment variable ds_email with the email address of the administrator to be notified. 

    
LocalGateway#configure terminal 
LoclGateway(config)#call-home  
LocalGateway(cfg-call-home)#diagnostic-signature 
LocalGateway(cfg-call-home-diag-sign)environment ds_email <email address> 
LocalGateway(config)#end

Local Gateway running IOS XE 16.11.1 or higher

  1. Diagnostic Signatures is enabled by default.

  2. Configure the email server to be used to send proactive notifications if the device is running a version earlier than 17.3.2.

    
LocalGateway#configure terminal 
LocalGateway(config)#call-home  
LocalGateway(cfg-call-home)#mail-server  <email server> priority 1 
LocalGateway(config)#end

  3. Configure the environment variable ds_email with the email address of the administrator to be notified. 

    
LocalGateway#configure terminal 
LoclGateway(config)#call-home  
LocalGateway(cfg-call-home)#diagnostic-signature 
LocalGateway(cfg-call-home-diag-sign)environment ds_email <email address> 
LocalGateway(config)#end

Local Gateway running 16.9.x version

  1. Enter the following commands to enable Diagnostic Signatures. 

    
LocalGateway#configure terminal 
LocalGateway(config)#call-home reporting contact-email-addr sch-smart-licensing@cisco.com  
LocalGateway(config)#end

  2. Configure the email server to be used to send proactive notifications if the device is running a version earlier than 17.3.2. 

    
LocalGateway#configure terminal 
LocalGateway(config)#call-home  
LocalGateway(cfg-call-home)#mail-server  <email server> priority 1 
LocalGateway(config)#end

  3. Configure the environment variable ds_email with the email address of the administrator to be notified. 

    
LocalGateway#configure terminal 
LoclGateway(config)#call-home  
LocalGateway(cfg-call-home)#diagnostic-signature 
LocalGateway(cfg-call-home-diag-sign)environment ds_email <email address> 
LocalGateway(config)#end

The following shows an example configuration of a local gateway running IOS XE 17.3.2 to send the proactive notifications to tacfaststart@gmail.com using Gmail as the secure SMTP server: 


call-home
mail-server tacfaststart:password@smtp.gmail.com priority 1 secure tls
diagnostic-signature
environment ds_email "tacfaststart@gmail.com"

Local gateway running IOS XE software is not a typical web-based Gmail client that supports OAuth, so we need to configure a specific Gmail account setting and provide specific permission to have the email from the device processed correctly:

  1. Go to Manage Google Account > Security and turn on Less secure app access setting.

  2. Answer “Yes, it was me” when you receive an email from Gmail stating “Google prevented someone from signing in to your account using a non-Google app.”

Install Diagnostic Signatures for Proactive Monitoring

Monitoring High CPU Utilization

This DS tracks 5 seconds CPU utilization using the SNMP OID 1.3.6.1.4.1.9.2.1.56. When the utilization reaches 75% or more, it will disable all debugs and uninstall all diagnostic signatures installed in the local gateway. Use these steps below to install the signature.

  1. Ensure SNMP is enabled using the command show snmp. If it is not enabled, configure the “snmp-server manager” command. 

    
LocalGateway# show snmp 
%SNMP agent not enabled 
LocalGateway# 

LocalGateway# 
LocalGateway# config t 
LocalGateway(config)# snmp-server manager 
LocalGateway(config)#end 
LocalGateway# 

LocalGateway# show snmp 
Chassis: ABCDEFGHIGK 
149655 SNMP packets input 
    0 Bad SNMP version errors 
    1 Unknown community name 
    0 Illegal operation for community name supplied 
    0 Encoding errors 
    37763 Number of requested variables 
    2 Number of altered variables 
    34560 Get-request PDUs 
    138 Get-next PDUs 
    2 Set-request PDUs 
    0 Input queue packet drops (Maximum queue size 1000) 
158277 SNMP packets output 
    0 Too big errors (Maximum packet size 1500) 
    20 No such name errors 
    0 Bad values errors 
    0 General errors 
    7998 Response PDUs 
    10280 Trap PDUs 
Packets currently in SNMP process input queue: 0 
SNMP global trap: enabled 
.... 
.... 
LocalGateway#

  2. Download DS 64224 using the following drop-down options in Diagnostic Signatures Lookup Tool: 

    
LocalGateway# copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:

    Field Name

    Field Value

    Platform

    Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

    Product

    CUBE Enterprise in Webex Calling Solution

    Problem Scope

    Performance

    Problem Type

    High CPU Utilization with Email Notification

  3. Copy the DS XML file to the Local Gateway flash.

    
LocalGateway# copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:

    The following shows an example of copying the file from a FTP server to the Local Gateway.

    
LocalGateway# copy ftp://user:pwd@192.0.2.12/DS_64224.xml bootflash: 
Accessing ftp://*:*@ 192.0.2.12/DS_64224.xml...! 
[OK - 3571/4096 bytes] 
3571 bytes copied in 0.064 secs (55797 bytes/sec) 
LocalGateway #

  4. Install the DS XML file in the Local Gateway.

    
LocalGateway# call-home diagnostic-signature load DS_64224.xml 
Load file DS_64224.xml success 
LocalGateway#

  5. Verify that the signature is successfully installed using show call-home diagnostic-signature. The status column should have a “registered” value. 

    
LocalGateway# show call-home diagnostic-signature  
Current diagnostic-signature settings: 
 Diagnostic-signature: enabled 
 Profile: CiscoTAC-1 (status: ACTIVE) 
 Downloading  URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService 
 Environment variable: 
           ds_email: username@gmail.com

    Download DSes:

    DS ID

    DS Name

    Revision

    Status

    Last Update (GMT+00:00)

    64224

    DS_LGW_CPU_MON75

    0.0.10

    Registered

    2020-11-07 22:05:33

    LocalGateway#


    When triggered, this signature uninstalls all running DSs including itself. If required, please reinstall DS 64224 to continue monitoring high CPU utilization on the local gateway.

Monitoring SIP Trunk Registration

This DS checks for un-registration of a local gateway SIP Trunk with Cisco Webex Calling cloud every 60 seconds. Once the un-registration event is detected, it generates an email and syslog notification and uninstalls itself after two un-registration occurrences. Please use the steps below to install the signature.

  1. Download DS 64117 using the following drop-down options in Diagnostic Signatures Lookup Tool:

    Field Name

    Field Value

    Platform

    Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

    Product

    CUBE Enterprise in Webex Calling Solution

    Problem Scope

    SIP-SIP

    Problem Type

    SIP Trunk Un-registration with Email Notification

  2. Copy the DS XML file to the Local Gateway.

    
LocalGateway# copy ftp://username:password@<server name or ip>/DS_64117.xml bootflash:

  3. Install the DS XML file in the Local Gateway. 

    
LocalGateway# call-home diagnostic-signature load DS_64117.xml 
Load file DS_64117.xml success 
LocalGateway#

  4. Verify that the signature is successfully installed using show call-home diagnostic-signature. The status column should have a “registered” value.

Monitoring Abnormal Call Disconnects

This DS uses SNMP polling every 10 minutes to detect abnormal call disconnect with SIP errors 403, 488 and 503.  If the error count increment is greater than or equal to 5 from the last poll, it will generate a syslog and email notification. Please use the steps below to install the signature.

  1. Check whether SNMP is enabled using the command show snmp. If it is not enabled, configure the “snmp-server manager” command. 

    
LocalGateway# show snmp 
%SNMP agent not enabled 
LocalGateway# 

LocalGateway# 
LocalGateway# config t 
LocalGateway(config)# snmp-server manager 
LocalGateway(config)#end 
LocalGateway# 

LocalGateway# show snmp 
Chassis: ABCDEFGHIGK 
149655 SNMP packets input 
    0 Bad SNMP version errors 
    1 Unknown community name 
    0 Illegal operation for community name supplied 
    0 Encoding errors 
    37763 Number of requested variables 
    2 Number of altered variables 
    34560 Get-request PDUs 
    138 Get-next PDUs 
    2 Set-request PDUs 
    0 Input queue packet drops (Maximum queue size 1000) 
158277 SNMP packets output 
    0 Too big errors (Maximum packet size 1500) 
    20 No such name errors 
    0 Bad values errors 
    0 General errors 
    7998 Response PDUs 
    10280 Trap PDUs 
Packets currently in SNMP process input queue: 0 
SNMP global trap: enabled 
.... 
.... 
LocalGateway#

  2. Download DS 65221 using the following options in Diagnostic Signatures Lookup Tool:

    Field Name

    Field Value

    Platform

    Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

    Product

    CUBE Enterprise in Webex Calling Solution

    Problem Scope

    Performance

    Problem Type

    SIP abnormal call disconnect detection with Email and Syslog Notification

  3. Copy the DS XML file to the Local Gateway.

    
LocalGateway# copy ftp://username:password@<server name or ip>/DS_65221.xml bootflash:

  4. Install the DS XML file in the Local Gateway. 

    
LocalGateway# call-home diagnostic-signature load DS_65221.xml 
Load file DS_65221.xml success 
LocalGateway#

  5. Verify that the signature is successfully installed using show call-home diagnostic-signature. The status column should have a “registered” value.

Install Diagnostic Signatures to Troubleshoot a Problem

Diagnostic Signatures (DS) can also be used to resolve issues quickly. Cisco TAC engineers have authored several signatures that enable the necessary debugs required to troubleshoot a given problem, detect the problem occurrence, collect the right set of diagnostic data and transfer the data automatically to the Cisco TAC case. This eliminates the need to manually check for the problem occurrence and makes troubleshooting of intermittent and transient issues a lot easier.

You can use the Diagnostic Signatures Lookup Tool to find the applicable signatures and install them to self-solve a given issue or you can install the signature recommended by the TAC engineer as part of the support engagement.

Here is an example of how to find and install a DS to detect the occurrence “%VOICE_IEC-3-GW: CCAPI: Internal Error (call spike threshold): IEC=1.1.181.1.29.0" syslog and automate diagnostic data collection using the steps shown below.

  1. Configure an additional DS environment variable ds_fsurl_prefix which is the CiscoTAC file server path (cxd.cisco.com) to which the collected diagnostics data are uploaded. The username in the file path is the case number and the password is the file upload token which can be retrieved from Support Case Manager as shown below. The file upload token can be generated in the Attachments section of the Support Case Manager, as needed. 

    
LocalGateway#configure terminal 
LocalGateway(config)#call-home  
LocalGateway(cfg-call-home)#diagnostic-signature 
LocalGateway(cfg-call-home-diag-sign)environment ds_fsurl_prefix "scp://<case number>:<file upload token>@cxd.cisco.com"  
LocalGateway(config)#end

    Example: 

    
call-home  
diagnostic-signature 
environment ds_fsurl_prefix " environment ds_fsurl_prefix "scp://612345678:abcdefghijklmnop@cxd.cisco.com"

  2. Ensure SNMP is enabled using the command show snmp. If it is not enabled, configure the “snmp-server manager” command. 

    
LocalGateway# show snmp 
%SNMP agent not enabled 
LocalGateway# 
 
LocalGateway# 
LocalGateway# config t 
LocalGateway(config)# snmp-server manager 
LocalGateway(config)#end 
LocalGateway#

  3. It is recommended to install the High CPU monitoring DS 64224 as a proactive measure to disable all debugs and diagnostics signatures during the time of high cpu utilization. Download DS 64224 using the following options in Diagnostic Signatures Lookup Tool:

    Field Name

    Field Value

    Platform

    Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

    Product

    CUBE Enterprise in Webex Calling Solution

    Problem Scope

    Performance

    Problem Type

    High CPU Utilization with Email Notification

  4. Download DS 65095 using the following options in Diagnostic Signatures Lookup Tool:

    Field Name

    Field Value

    Platform

    Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

    Product

    CUBE Enterprise in Webex Calling Solution

    Problem Scope

    Syslogs

    Problem Type

    Syslog - %VOICE_IEC-3-GW: CCAPI: Internal Error (Call spike threshold): IEC=1.1.181.1.29.0

  5. Copy the DS XML files to the Local Gateway.

    
LocalGateway# copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash: 
LocalGateway# copy ftp://username:password@<server name or ip>/DS_65095.xml bootflash:

  6. Install the High CPU monitoring DS 64224 and then DS 65095 XML file in the Local Gateway. 

    
LocalGateway# call-home diagnostic-signature load DS_64224.xml 
Load file DS_64224.xml success 
LocalGateway# 
LocalGateway# call-home diagnostic-signature load DS_65095.xml 
Load file DS_65095.xml success 
LocalGateway#

  7. Verify that the signature is successfully installed using show call-home diagnostic-signature. The status column should have a “registered” value. 

    
LocalGateway# show call-home diagnostic-signature  
Current diagnostic-signature settings: 
 Diagnostic-signature: enabled 
 Profile: CiscoTAC-1 (status: ACTIVE) 
 Downloading  URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService 
 Environment variable: 
           ds_email: username@gmail.com 
           ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com

    Downloaded DSes:

    DS ID

    DS Name

    Revision

    Status

    Last Update (GMT+00:00)

    64224

    00:07:45

    DS_LGW_CPU_MON75

    0.0.10

    Registered

    2020-11-08:00:07:45

    65095

    00:12:53

    DS_LGW_IEC_Call_spike_threshold

    0.0.12

    Registered

    2020-11-08:00:12:53

    LocalGateway#

Verify Diagnostic Signatures Execution

As shown below, the “Status” column of the command show call-home diagnostic-signature will change to “running” while the local gateway is executing the action defined within the signature. The output of show call-home diagnostic-signature statistics is the best way to verify whether a diagnostic signature has detected an event of interest and executed the action. The “Triggered/Max/Deinstall” column indicates the number of times the given signature has triggered an event, the maximum number of times it is defined to detect an event and whether the signature will automatically deinstall itself after detecting the maximum number of triggered events. 


LocalGateway# show call-home diagnostic-signature  
Current diagnostic-signature settings: 
 Diagnostic-signature: enabled 
 Profile: CiscoTAC-1 (status: ACTIVE) 
 Downloading  URL(s):  https://tools.cisco.com/its/service/oddce/services/DDCEService 
 Environment variable: 
           ds_email: carunach@cisco.com 
           ds_fsurl_prefix: scp://612345678:abcdefghijklmnop@cxd.cisco.com

Downloaded DSes:

DS ID

DS Name

Revision

Status

Last Update (GMT+00:00)
64224

DS_LGW_CPU_MON75

0.0.10

Registered

2020-11-08 00:07:45

65095

DS_LGW_IEC_Call_spike_threshold

0.0.12

Running

2020-11-08 00:12:53

LocalGateway#

LocalGateway# show call-home diagnostic-signature statistics

DS ID

DS Name

Triggered/Max/Deinstall

Average Run Time (seconds)

Max Run Time (seconds)
64224

DS_LGW_CPU_MON75

0/0/N

0.000

0.000

65095

DS_LGW_IEC_Call_spike_threshold

1/20/Y

23.053

23.053

LocalGateway#

The notification email sent during Diagnostic Signature execution contains key information such as issue type, device details, software version, running configuration and show command outputs that are relevant to troubleshoot the given problem.

Uninstall Diagnostic Signatures

Diagnostic signatures that are used for troubleshooting purposes are typically defined to uninstall after detection of a certain number of problem occurrences. If you would like to uninstall a signature manually, retrieve the DS ID from the output of show call-home diagnostic-signature and run the command shown below. 


LocalGateway# call-home diagnostic-signature deinstall <DS ID> 
LocalGateway#

Example:


LocalGateway# call-home diagnostic-signature deinstall 64224 
LocalGateway#

New signatures are added to Diagnostics Signatures Lookup Tool periodically, based on issues commonly observed in deployments. TAC currently doesn’t support requests to create new custom signatures.