<div dir="ltr">I just thought I would update with how I got this working. It was a multi staged "fix." I rewrote the entire dial plan to use e164 pattern maps and SRV records. This reduced my dial peer count from 150+ to less than 20. Then I took the INSIDE dial peers and bound them at the DP level to the inside interface. OUTSIDE PSTN facing DPs got bound to the outside interface. <div><br></div><div>At this point, register requests were sourcing from the external interface IP address and not the external VIP (I'm using CUBE HA).</div><div><br></div><div>To fix that, I placed a global bind in voice service voip to the outside interface. This made the REGISTER requests source from the external VIP... but it broke other stuff.<div><div><br></div><div>With the internal DPs bound inside and the external DPs bound outside... the SIP REGISTER events were now using the global bind... but my SIP OPTIONS pings from CUCM were also answering from that public IP on the outside interface... so my SIP trunks to the cube from CUCM went out of service.</div><div><br></div><div>I added voice class SIP URIs to my internal CUCM dial peers so that the inside interface would answer SIP OPTIONS pings.</div><div><br></div><div>I put my credentials lines in sip-ua and auth lines in the external DPs.</div><div><br></div><div>Everything is up and running.</div><div><br></div><div>Thanks for everyone's help and suggestions.<br><br><div class="gmail_quote"><div dir="ltr">On Wed, May 4, 2016, 4:54 PM Dave Goodwin <<a href="mailto:dave.goodwin@december.net" target="_blank">dave.goodwin@december.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Is there anything wrong with adding voice-class sip bind commands to ALL the voip dial-peers, and then set the global binding to the interface that faces the ITSP requiring authentication (since it seems sip-ua REGISTER messages use the global bind)?</div></div><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">-Dave</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 4, 2016 at 4:22 PM, Nick Barnett <span dir="ltr"><<a href="mailto:nicksbarnett@gmail.com" target="_blank">nicksbarnett@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for everybody's ideas.<div><br></div><div>Unfortunately, 15.6 is OUT because it is not on the CVP 10.0 compatibility matrix :(<div><br></div><div>I'm going to look at using multiple registrars and see if I can trick it into behaving... if that doesn't work, I guess I'll have to remove my global binding...</div></div><div><br></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 4, 2016 at 11:35 AM, Sreekanth <span dir="ltr"><<a href="mailto:sreenara@cisco.com" target="_blank">sreenara@cisco.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<font size="-1"><font face="Helvetica, Arial, sans-serif">Yes,
sip-ua tells CUBE to send REGISTER messages towards a Registrar
server globally with the authentication and credential
parameters. These REGISTER messages will be bound to the
interface that is bound under voice service voip -> sip.
However, in the 15.6(2)T version, the tenant configurations
under the dial-peers will instruct the CUBE to send out REGISTER
messages.<br>
<br>
I just checked with the router in my lab and actually, option 2
won't be possible. It won't instruct the CUBE to send out
REGISTER messages. It will only instruct the CUBE to add
authentication credentials and realm settings when sending out
the INVITE messages towards the session target configured under
the dial-peer.<br>
<br>
You will have to go with option 1.<br>
<b>1. Create the voice class tenant for the SIP trunk to ITSP
and bind it with the right interface.</b><br>
voice class tenant 1<br>
registrar dns:<a href="http://cisco.com" target="_blank">cisco.com</a> expires 3600<br>
credentials username cisco password cisco realm <a href="http://cisco.com" target="_blank">cisco.com</a><br>
authentication username cisco123 password 7 cisco123<br>
sip-server dns:<a href="http://cisco.com" target="_blank">cisco.com</a><br>
bind control source-interface GigabitEthernet0/2<br>
bind media source-interface GigabitEthernet0/2<br>
early-offer forced<br>
<br>
<b>2. Apply the voice class tenant to the dial-peer. Create
specific dial-peers towards ITSP.</b><br>
dial-peer voice X voip<br>
voice-class sip tenant 1<br>
<br>
When this is done, CUBE will send REGISTER messages as well
towards this ITSP with the traffic bound to gig0/2.<br>
This way you can have multiple ITSP trunks on 1 CUBE.<span><font color="#888888"><br>
<br>
Sreekanth<br>
<br>
<br>
<br>
</font></span></font></font><div><div><br>
<div>On Wednesday 04 May 2016 09:29 PM, Nick
Barnett wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I'm currently on
c3900e-universalk9-mz.SPA.153-3.M6, but can totally upgrade. Was
actually planning on going to 15.4 this weekend. Jumping 3
versions kind of scares me, so maybe staging is in order.
<div><br>
</div>
<div><b>I do have some limited auth commands on the dial peer,
if this is what you were talking about... but I don't think
it applies in this scenario. I don't have any options for
credentials:</b></div>
<div>CUBE(config-dial-peer)#voice-class sip authenticate ?<br>
</div>
<div>
<div> redirecting-number Use redirecting number credentials
while authenticating</div>
<div><br>
</div>
<div>CUBE(config-dial-peer)#voice-class sip cred </div>
<div>CUBE(config-dial-peer)#voice-class sip c? </div>
<div> call-route calltype-video conn-reuse copy-list</div>
<div><b><br>
</b></div>
<div><b>There is also the registration commands:</b></div>
<div>
<div>CUBE(config-dial-peer)#voice-class sip registration ?<br>
</div>
<div> passthrough SIP Registration Passthrough Options</div>
<div><br>
</div>
<div>CUBE(config-dial-peer)#voice-class sip registration
passthrough ?<br>
</div>
<div> dynamic SIP Registration Use dynamic
Registrar Details (default)</div>
<div> local-fallback Local Fallback - (e2e)</div>
<div> rate-limit SIP Registration pass-through
rate-limit Options</div>
<div> reg-sync Registration Sync - send REGISTER
when registrar up (p2p)</div>
<div> registrar-index Registrar Index(s) used for
registration passthrough</div>
<div> static SIP Registration Use static
Registrar Details</div>
<div> system Use global registration passthrough
CLI setting</div>
<div> <cr></div>
</div>
<div><br>
</div>
<div><b>I tried using the system passthrough setting, but it
did not work.</b></div>
</div>
<div><b><br>
</b></div>
<div><b>I need to make sure I understand what is actually
happening.</b></div>
<div><b><br>
</b></div>
<div><b>I don't think the CUBE is even looking at dial-peers for
REGISTER messages. Am I correct? If so, no amount of dial
peer settings is going to make any difference here... unless
there is a way to create a dial-peer that will intercept
REGISTER messages. I believe it is using the REALM settings
in the credentials and authentication strings (that I
entered into sip-ua). And sip-ua is using the global bind
settings I set within voice service voip -> SIP (which
are set to the inside interface).</b></div>
<div><b><br>
</b></div>
<div><b>Please set me straight!</b></div>
<div><br>
</div>
<div>Thanks,</div>
<div>Nick</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, May 4, 2016 at 10:37 AM,
Sreekanth Narayanan (sreenara) <span dir="ltr"><<a href="mailto:sreenara@cisco.com" target="_blank"></a><a href="mailto:sreenara@cisco.com" target="_blank">sreenara@cisco.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>What IOS version are you running on the CUBE? I can
think of a couple of things.</div>
<div>1. In 15.6(2)T, a new feature has been introduced
called multi-tenant where you can configure separate
voice class tenants. Each tenant can have separate
authentication mutually exclusive to one another and can
be bound to different interfaces.</div>
<div><br>
</div>
<div>2. In your current IOS, check if you are able to
configure the authentication and credential commands at
the dial peer level. I am not sure which IOS had this
introduced but it is worth a try.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div style="font-size:85%;color:#575757">Sreekanth</div>
<div style="font-size:85%;color:#575757"><br>
</div>
<div style="font-size:85%;color:#575757">Sent from a
phone.</div>
</div>
<span>
<div><br>
</div>
<div><br>
</div>
<div>-------- Original message --------</div>
<div>From: Nick Barnett <<a href="mailto:nicksbarnett@gmail.com" target="_blank">nicksbarnett@gmail.com</a>>
</div>
<div>Date: 5/4/16 8:03 PM (GMT+05:30) </div>
<div>To: Brian Meade <<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>>
</div>
<div>Cc: Cisco VoIP Group <<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>> </div>
<div>Subject: Re: [cisco-voip] Authenticating sip trunk
to ITSP from CUBE? </div>
<div><br>
</div>
</span>
<div>
<div>
<div>
<div dir="ltr">
<p>I'm binding control and media to my inside
interface:</p>
<p>sip </p>
<p> bind control source-interface
GigabitEthernet0/0<br>
bind media source-interface GigabitEthernet0/0<br>
</p>
<p>I suspect this is the issue... is there any way
to make the REGISTER messages come from the
outside gi0/1 interface?</p>
<p>The reason I'm binding to inside is that we
have a a very fluid internal network. I have to
make and modify internal dial peers almost
daily. When I need to create a dial peer and
put the bind statements on the dial peer, it
won't bind properly since there are active SIP
calls on the CUBE... so I bound it globally. My
external dial peers rarely change, so I bind
those directly to gi0/1 (on the DP).<br>
</p>
<p>I was under the impression that REGISTER events
can take place without a dial peer... but is
there a way to, i dunno, make a dial peer for
register messages? Can I use SIP profile magic
to get it working as is?<br>
</p>
<p>I found this article which is pretty much
exactly what I'm dealing with, but it doesn't
mention REGISTER at all...</p>
<p><span style="font-family:Symbol;color:rgb(31,73,125)"><span> </span></span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__supportforums.cisco.com_blog_154506&d=CwMFAg&c=M-KQspD_LQogCbR-BWCHOaeDEPOhF8vWqHZTaiwxT3c&r=T9uVLZucbHG2NKKKzOrp-o5cpdReHj02PkJJsCVkgfwcv7S0R5lDeFJg2VRbiNih&m=UIAzGDQs8RCZld9kCbExwqpJhTgzpDVwM0k8_I7JRqU&s=jZN-R2pRsZOWN3r5is-aSivDlf9hqddUzDIoOWRWc3E&e=" target="_blank"></a><a href="https://supportforums.cisco.com/blog/154506" target="_blank">https://supportforums.cisco.com/blog/154506</a></p>
<p><span style="color:rgb(31,73,125)"></span></p>
<p> <br>
</p>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, May 4, 2016 at
9:06 AM, Brian Meade <span dir="ltr">
<<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Do you already have the SIP
bind under voice service voip?
<div>voice service voice</div>
<div> sip</div>
<div> bind all source-interface
FastEthernet0</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div>
<div>On Wed, May 4, 2016 at 9:58 AM,
Nick Barnett <span dir="ltr"><<a href="mailto:nicksbarnett@gmail.com" target="_blank"></a><a href="mailto:nicksbarnett@gmail.com" target="_blank">nicksbarnett@gmail.com</a>></span>
wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div dir="ltr">I've never dealt with
an authenticated SIP trunk before
and I'm having some issues. I was
wondering if anyone has had a
similar experience. I already have
2 SIP trunks from ITSP-1 that do
NOT require authentication. These
are working fine and have been for
years.
<div><br>
</div>
<div>We are adding ITSP-2 and
their SIP service DOES require
auth. I've followed their
integration guide (which left a
lot to be desired) and their
acceptance team is telling me my
auth is coming from our private
class A address.
<div><br>
</div>
<div>Our CUBE is in HA with an
inside (10.x.x.x) and outside
(public) IP address. They are
seeing REGISTER messages
sourcing the inside VIP.</div>
<div><br>
</div>
<div>I was looking around for an
auth BIND statement or
something like that, but I
haven't had any luck. Any
pointers?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Nick</div>
</div>
</div>
<br>
</div>
</div>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br></div>
</blockquote></div></div></div></div></div>