[VoiceOps] Cisco 7941 SIP

Mark Lindsey lindsey at e-c-group.com
Tue Oct 6 22:52:17 EDT 2015

1. In Hosted PBX, accommodating new, non-productized devices that the
customer just has to keep is the price you pay to enjoy slow growth
(because the engineering effort for the customer is immense), poor
reliability (because you can test much less), and unsupportable customer
deployments (because the support team isn't equipped to support this

2. In Hosted PBX, the demarc is the audible voice on the speaker and the
input to the microphone. Supporting random devices the customer brings you
makes it impossible for you to fulfill your end of the bargain: make this
voice stuff work every time for every call.

3. The best thing to do with a customer's old device is trade in credit
then liquidate.

4. Cisco 79xx SIP has gone back and forth on symmetric SIP signaling over
the past few decades. But generally, when NAT is involved, the SIP phone
has to do symmetric SIP ports -- i.e., it must use the same port numbers
for both sending SIP and receiving SIP. (And when carrier SBCs are
involved, it needs to use the same port number for all SIP transactions,
not just those related to direct call control).

But I remember Cisco 79xx configs having a "nat_enable" or similar flag
that actually enables the symmetric SIP.

mailto:mark at ecg.co <mark at ecg.co>
tel:+1-229-316-0013 <+1-229-316-0013> http://ecg.co/lindsey

On Oct 6, 2015, at 17:10, Pete E <peeip989 at gmail.com> wrote:

Greetings Voice Operators,

We have an interesting (code word for annoying) challenge that we've never
dealt with before, probably because we don't do much with Cisco phones. We
have a new customer coming on who wants to keep their very old Cisco 7941
phones. They have a few offices and the phones work as expected behind an
Edgemarc. However, they also have 100+ home users, and that's where the
issue comes in.

Apparently Cisco introduced a security "feature" where they create the
session using a random high numbered port (e.g. 49123) but in the Via
header, they say to respond to *private IP, port 5060*. So when the SBC
sees the private address it assumes it is being NAT'd through a firewall
and replies back to *public IP, port 49123*. What we're seeing is that the
home router passes the response back to *private IP, port 49123*, which the
phone doesn't accept (because it wants it on 5060) and the REGISTER fails.

As you know most home routers are poor at handling ALG (and we've tested
and found they are equally bad at handling this scenario). We (and the
customer) don't want to troubleshoot 100+ individual home routers.

We haven't found a way to turn off this really awesome "feature" so we're
trying to find other solutions. Anyone been through this and have any
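
An added example, not part of either message: a Python check of the symmetric-signaling condition discussed in this thread, applied to a REGISTER captured on the phone's LAN side together with its UDP source port. The message text, the address 192.168.1.50, example.com and the function names are constructed for illustration; ports 49123 and 5060 are the ones from the question.

```python
import re

# Topmost Via value: "Via: SIP/2.0/UDP host[:port];params" (compact form "v:").
VIA_RE = re.compile(
    r"^(?:Via|v)[ \t]*:[ \t]*SIP/2\.0/\w+[ \t]+([^;,\s]+)([^,\r\n]*)",
    re.I | re.M,
)

# Constructed sample: the phone advertises port 5060 in its Via header.
REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK1a2b3c\r\n"
    "From: <sip:1001@example.com>;tag=77\r\n"
    "To: <sip:1001@example.com>\r\n"
    "Call-ID: constructed-1@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

def top_via(raw):
    """Return (host, port, has_rport) for the first Via header value."""
    m = VIA_RE.search(raw)
    if m is None:
        raise ValueError("no Via header found")
    host, _, port = m.group(1).partition(":")  # IPv4 or hostname only (assumption)
    params = [p.split("=")[0].strip().lower() for p in m.group(2).split(";")]
    return host, (int(port) if port else 5060), ("rport" in params)

def check_symmetric(raw, src_port):
    """Compare the UDP source port of the request with the port in its Via."""
    host, via_port, has_rport = top_via(raw)
    return {
        "via": (host, via_port),
        "source_port": src_port,
        "rport": has_rport,
        # An SBC doing NAT traversal answers to the source port; the phone
        # only receives that answer if it sends and listens on the same port.
        "symmetric": src_port == via_port,
    }

if __name__ == "__main__":
    for sport in (49123, 5060):
        print(sport, check_symmetric(REGISTER, sport))
```
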

