Quick notes regarding X-Lite or third party SIP phones and CUCM / CallManager testing:
Use a SIP profile that requires digest authentication.
The username is your DN.
The authorization user is your username.
Your password is the user's digest credentials.
Diary of technical happenstance, simple Internet accessible scratchpad, and brain dump to save myself later
Pages
▼
Friday, December 31, 2010
Tuesday, December 14, 2010
Cisco Unity message notification dialing rules dialing permissions
When modifying the Home Phone, Phone 2, etc. message notification devices for users, you may run into situations where the Phone Number: field will not accept entries that are not restricted. The error returned is “Phone number does not fit the dialing rules or dialing permissions”.
You DO need to first verify the number you are trying to enter is not restricted. In Call Management > Restriction Tables, verify you have a restriction table that allows the number you are trying to enter. Remember, the Dial String list is analyzed from top (0) down, so for example, not allowing 9* in string 0 but allowing 9011 in string 1 will block all numbers starting with 9, including those starting with 9011 (assuming your Minimum and Maximum digits allowed are met).
Then, verify your Subscriber’s Class of Service is using that Restriction Table for Outcalling. See Subscribers > Profile and Class of Service > Restriction Tables.
Then, when you try to add a number to a message notification device for that subscriber that is verified allowed, you may have the SAME PROBLEM!.
It appears that when modifying that field, the Class of Service of the user CURRENTLY LOGGED INTO THE GUI is checked, rather than the Subscriber’s, as defined in the GUI.
The answer is to have the end user modify the entry themselves via http://your unity server/ciscopca.
Dumb.
Wednesday, November 10, 2010
Cisco Phone Designer
When trying to preview wallpapers or ring tones on a 7941 phone your receive "An unknown error occurred on your Cisco IP Phone". Authentication with a user / password appears to work fine at loggin because the available phone list is updated appropriately.
It appears in my case the CUCM Authentication URL was incorrect. Typically it's http://YourCUCMserver:8080/ccmcip/authenticate.jsp by default (7.1.X). Whoever was testing the IP paging solution here never set it back to default and all push technologies likely failed.
Check your Enterprise Setting URLs, specifically the Authentication URL. Remember to to reboot phones after modifying this entry to have it apply.
It appears in my case the CUCM Authentication URL was incorrect. Typically it's http://YourCUCMserver:8080/ccmcip/authenticate.jsp by default (7.1.X). Whoever was testing the IP paging solution here never set it back to default and all push technologies likely failed.
Check your Enterprise Setting URLs, specifically the Authentication URL. Remember to to reboot phones after modifying this entry to have it apply.
Sunday, November 07, 2010
SRST sample - MGCP PRI with DIDs
Here is a sample of a MGCP controlled gateway with a working SRST configuration. The interesting element is the translation rule to perform DID manipulation in fall back mode:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
no service password-encryption
!
boot-start-marker
boot system flash c2801-spservicesk9-mz.124-24.T3.bin
boot-end-marker
!
card type t1 0 0
card type t1 0 2
logging message-counter syslog
logging buffered 32768
enable secret 5 -removed-
!
no aaa new-model
clock timezone EDT -4
network-clock-participate wic 0
network-clock-participate wic 2
network-clock-select 2 T1 0/2/0
network-clock-select 3 T1 0/0/0
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.33.1 10.10.33.10
!
ip dhcp pool Site1Voice
network 10.10.33.0 255.255.255.0
default-router 10.10.33.1
option 150 ip 10.10.11.10
!
ip cef
ip name-server 192.168.11.10
ip name-server 192.168.11.12
ip multicast-routing
no ipv6 cef
multilink bundle-name authenticated
!
isdn switch-type primary-ni
!
trunk group FXO
!
voice service voip
fax protocol cisco
h323
call preserve
!
voice class codec 1
codec preference 1 g711ulaw
!
voice class h323 1
h225 timeout tcp establish 1
!
voice translation-rule 1
rule 1 /^3910$/ /4101/
rule 2 /^3917$/ /4103/
rule 3 /^3918$/ /4104/
rule 4 /^3926$/ /4102/
rule 5 /^2800$/ /4100/
rule 6 /^39\(..\)$/ /41\1/
!
voice translation-profile ToSite1ForSRST
translate called 1
!
voice-card 0
dsp services dspfarm
!
application
global
service alternate default
!
username -removed- privilege 15 password 0 -removed-
archive
log config
hidekeys
!
controller T1 0/0/0
cablelength long 0db
ds0-group 2 timeslots 13-24 type e&m-delay-dial
description -- LD T1 --
!
controller T1 0/2/0
cablelength long 0db
pri-group timeslots 1-24 service mgcp
description -- LOCAL PRI --
!
ip tftp source-interface FastEthernet0/0
!
class-map match-any VoIP-RTP-Trust
match ip dscp ef
class-map match-any VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
!
policy-map VOIP-Policy-Trust
class VoIP-RTP-Trust
priority percent 50
class VoIP-Control-Trust
bandwidth percent 10
class class-default
fair-queue
!
interface Loopback1
ip address 10.254.11.3 255.255.255.255
ip pim sparse-dense-mode
!
interface FastEthernet0/0
description -- to port 1 switch 2960 --
ip address 10.10.33.1 255.255.255.0
ip pim sparse-dense-mode
duplex auto
speed auto
no mop enabled
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.10.33.1
!
interface FastEthernet0/1
description -- to port 24 switch 2960 --
ip address 192.168.33.6 255.255.255.0
duplex auto
speed auto
no mop enabled
!
interface Serial0/2/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
isdn bind-l3 ccm-manager
no cdp enable
!
interface Serial0/3/0
description MPLS Qwest
bandwidth 1536
ip address X.X.X.X 255.255.255.252
ip pim sparse-dense-mode
encapsulation ppp
service-policy output VOIP-Policy-Trust
!
router bgp 65XXX
no synchronization
bgp log-neighbor-changes
network 10.10.33.0 mask 255.255.255.0
network X.X.X.X mask 255.255.255.252
neighbor X.X.X.X remote-as XXX
neighbor X.X.X.X soft-reconfiguration inbound
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.33.1
ip http server
no ip http secure-server
!
control-plane
!
disable-eadi
!
voice-port 0/0/0:2
echo-cancel coverage 64
!
voice-port 0/2/0:23
echo-cancel coverage 64
!
voice-port 0/1/0
description -Paging-
!
voice-port 0/1/1
!
ccm-manager fallback-mgcp
ccm-manager redundant-host 10.10.11.10
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold
ccm-manager config server 10.10.11.10
ccm-manager config
!
mgcp
mgcp call-agent 10.10.22.10 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp bind control source-interface FastEthernet0/0
mgcp bind media source-interface FastEthernet0/0
!
mgcp profile default
!
sccp local FastEthernet0/0
sccp ccm 10.10.11.10 identifier 1 version 7.0
sccp
!
sccp ccm group 999
bind interface FastEthernet0/0
associate ccm 1 priority 1
associate profile 1 register CONF_Site1
!
dspfarm profile 1 conference
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
maximum sessions 1
associate application SCCP
!
dial-peer voice 20 pots
destination-pattern 9[2-9]......
port 0/2/0:23
forward-digits 7
!
dial-peer voice 30 pots
destination-pattern 4125
port 0/1/0
forward-digits 0
!
dial-peer voice 999010 pots
service mgcpapp
port 0/1/0
!
dial-peer voice 999000991 pots
service mgcpapp
!
dial-peer voice 999000992 pots
service mgcpapp
port 0/0/0:2
!
dial-peer voice 1 pots
translation-profile incoming ToSite1ForSRST
incoming called-number .
direct-inward-dial
port 0/2/0:23
!
dial-peer voice 21 pots
destination-pattern 91[2-9]..[2-9]......
port 0/2/0:23
forward-digits 11
!
dial-peer voice 911 pots
destination-pattern 911
port 0/2/0:23
forward-digits 3
!
dial-peer voice 9911 pots
destination-pattern 9911
port 0/2/0:23
forward-digits 3
!
call-manager-fallback
secondary-dialtone 8
max-conferences 8 gain -6
transfer-system full-consult
timeouts interdigit 5
timeouts busy 30
timeouts ringing 60
ip source-address 10.10.33.1 port 2000
max-ephones 25
max-dn 30 dual-line
system message primary Currently Running in Fall Back
system message secondary FallBack
default-destination 4100
moh Site1.AU
multicast moh 239.1.1.1 port 16384 route 10.254.11.3 10.10.33.1
!
line con 0
line aux 0
line vty 0 4
password -removed-
login
line vty 5 15
password -removed-
login
!
scheduler allocate 20000 1000
end
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
no service password-encryption
!
boot-start-marker
boot system flash c2801-spservicesk9-mz.124-24.T3.bin
boot-end-marker
!
card type t1 0 0
card type t1 0 2
logging message-counter syslog
logging buffered 32768
enable secret 5 -removed-
!
no aaa new-model
clock timezone EDT -4
network-clock-participate wic 0
network-clock-participate wic 2
network-clock-select 2 T1 0/2/0
network-clock-select 3 T1 0/0/0
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.33.1 10.10.33.10
!
ip dhcp pool Site1Voice
network 10.10.33.0 255.255.255.0
default-router 10.10.33.1
option 150 ip 10.10.11.10
!
ip cef
ip name-server 192.168.11.10
ip name-server 192.168.11.12
ip multicast-routing
no ipv6 cef
multilink bundle-name authenticated
!
isdn switch-type primary-ni
!
trunk group FXO
!
voice service voip
fax protocol cisco
h323
call preserve
!
voice class codec 1
codec preference 1 g711ulaw
!
voice class h323 1
h225 timeout tcp establish 1
!
voice translation-rule 1
rule 1 /^3910$/ /4101/
rule 2 /^3917$/ /4103/
rule 3 /^3918$/ /4104/
rule 4 /^3926$/ /4102/
rule 5 /^2800$/ /4100/
rule 6 /^39\(..\)$/ /41\1/
!
voice translation-profile ToSite1ForSRST
translate called 1
!
voice-card 0
dsp services dspfarm
!
application
global
service alternate default
!
username -removed- privilege 15 password 0 -removed-
archive
log config
hidekeys
!
controller T1 0/0/0
cablelength long 0db
ds0-group 2 timeslots 13-24 type e&m-delay-dial
description -- LD T1 --
!
controller T1 0/2/0
cablelength long 0db
pri-group timeslots 1-24 service mgcp
description -- LOCAL PRI --
!
ip tftp source-interface FastEthernet0/0
!
class-map match-any VoIP-RTP-Trust
match ip dscp ef
class-map match-any VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
!
policy-map VOIP-Policy-Trust
class VoIP-RTP-Trust
priority percent 50
class VoIP-Control-Trust
bandwidth percent 10
class class-default
fair-queue
!
interface Loopback1
ip address 10.254.11.3 255.255.255.255
ip pim sparse-dense-mode
!
interface FastEthernet0/0
description -- to port 1 switch 2960 --
ip address 10.10.33.1 255.255.255.0
ip pim sparse-dense-mode
duplex auto
speed auto
no mop enabled
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.10.33.1
!
interface FastEthernet0/1
description -- to port 24 switch 2960 --
ip address 192.168.33.6 255.255.255.0
duplex auto
speed auto
no mop enabled
!
interface Serial0/2/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
isdn bind-l3 ccm-manager
no cdp enable
!
interface Serial0/3/0
description MPLS Qwest
bandwidth 1536
ip address X.X.X.X 255.255.255.252
ip pim sparse-dense-mode
encapsulation ppp
service-policy output VOIP-Policy-Trust
!
router bgp 65XXX
no synchronization
bgp log-neighbor-changes
network 10.10.33.0 mask 255.255.255.0
network X.X.X.X mask 255.255.255.252
neighbor X.X.X.X remote-as XXX
neighbor X.X.X.X soft-reconfiguration inbound
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.33.1
ip http server
no ip http secure-server
!
control-plane
!
disable-eadi
!
voice-port 0/0/0:2
echo-cancel coverage 64
!
voice-port 0/2/0:23
echo-cancel coverage 64
!
voice-port 0/1/0
description -Paging-
!
voice-port 0/1/1
!
ccm-manager fallback-mgcp
ccm-manager redundant-host 10.10.11.10
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold
ccm-manager config server 10.10.11.10
ccm-manager config
!
mgcp
mgcp call-agent 10.10.22.10 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp bind control source-interface FastEthernet0/0
mgcp bind media source-interface FastEthernet0/0
!
mgcp profile default
!
sccp local FastEthernet0/0
sccp ccm 10.10.11.10 identifier 1 version 7.0
sccp
!
sccp ccm group 999
bind interface FastEthernet0/0
associate ccm 1 priority 1
associate profile 1 register CONF_Site1
!
dspfarm profile 1 conference
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
maximum sessions 1
associate application SCCP
!
dial-peer voice 20 pots
destination-pattern 9[2-9]......
port 0/2/0:23
forward-digits 7
!
dial-peer voice 30 pots
destination-pattern 4125
port 0/1/0
forward-digits 0
!
dial-peer voice 999010 pots
service mgcpapp
port 0/1/0
!
dial-peer voice 999000991 pots
service mgcpapp
!
dial-peer voice 999000992 pots
service mgcpapp
port 0/0/0:2
!
dial-peer voice 1 pots
translation-profile incoming ToSite1ForSRST
incoming called-number .
direct-inward-dial
port 0/2/0:23
!
dial-peer voice 21 pots
destination-pattern 91[2-9]..[2-9]......
port 0/2/0:23
forward-digits 11
!
dial-peer voice 911 pots
destination-pattern 911
port 0/2/0:23
forward-digits 3
!
dial-peer voice 9911 pots
destination-pattern 9911
port 0/2/0:23
forward-digits 3
!
call-manager-fallback
secondary-dialtone 8
max-conferences 8 gain -6
transfer-system full-consult
timeouts interdigit 5
timeouts busy 30
timeouts ringing 60
ip source-address 10.10.33.1 port 2000
max-ephones 25
max-dn 30 dual-line
system message primary Currently Running in Fall Back
system message secondary FallBack
default-destination 4100
moh Site1.AU
multicast moh 239.1.1.1 port 16384 route 10.254.11.3 10.10.33.1
!
line con 0
line aux 0
line vty 0 4
password -removed-
login
line vty 5 15
password -removed-
login
!
scheduler allocate 20000 1000
end
Thursday, November 04, 2010
MGCP FXS port cannot break dial tone
Found user with butt set on an MGCP controlled VIC3-FXS/DID port can break DT and dial a number without issue. When a Sonitrol alarm panel is connected to the same port and dials the same number, either DT cannot be broken or number cannot be completed as dialed.
Fix was to reduce the input gain on the FXS port via CLI. This cannot be adjusted via CUCM like an FXO port, but is still an available option. Show voice port X/X/X indicates the default gain is 0db.
Working configuration is:
voice-port 0/2/1
input gain -6
description << Sonitrol Alarm >>
caller-id enable
Fix was to reduce the input gain on the FXS port via CLI. This cannot be adjusted via CUCM like an FXO port, but is still an available option. Show voice port X/X/X indicates the default gain is 0db.
Working configuration is:
voice-port 0/2/1
input gain -6
description << Sonitrol Alarm >>
caller-id enable
Monday, October 25, 2010
CUCM conferencing remote sites without transcoders
Scenario: Two main sites with CUCMs clustered over WAN, remote sites are 28XX gateways. All calls are G.711 intra-site and G.729 inter-site to conserve bandwidth. Remote sites use IOS / DSP conferencing, main sites use CUCMs as software conference resources.
Q. How to conference users in main site using G.711 with remote G.729 users without transcoders, or just converting all inter-site calls to G.711? There are no transcoder resources available and bandwidth issues prevent conversion to G.711.
A. Create a new CUCM region using G.711 to all other regions. Create a new device pool with that region. Change CUCM conference resource to use new device pool (no resets necessary except for conference resource). Repeat for other CUCM server to allow registration on conferencing server to local CUCM server.
Now, calls between main and remote sites negotiate G.729 normally, but when main site conferences other local or remote sites, the calls renegotiate to G.711.
Q. How to conference users in main site using G.711 with remote G.729 users without transcoders, or just converting all inter-site calls to G.711? There are no transcoder resources available and bandwidth issues prevent conversion to G.711.
A. Create a new CUCM region using G.711 to all other regions. Create a new device pool with that region. Change CUCM conference resource to use new device pool (no resets necessary except for conference resource). Repeat for other CUCM server to allow registration on conferencing server to local CUCM server.
Now, calls between main and remote sites negotiate G.729 normally, but when main site conferences other local or remote sites, the calls renegotiate to G.711.
Tuesday, September 21, 2010
Cisco NAC guest server AD sponsor group mapping
Monday, September 13, 2010
MS VPN Connection options grayed out
When attempting to create a new Microsoft VPN connection on MS XP Pro, I found the radio button options to select between Dial-up connection and Virtual Private Network connection are grayed out and the Next > button not available.
I found I needed to start the Remote Access Connection Manager service (previously disabled) to allow for configuration.
I found I needed to start the Remote Access Connection Manager service (previously disabled) to allow for configuration.
Friday, September 03, 2010
Translation Rules in IOS gateways
Some quick notes stolen from http://cciev.wordpress.com/2006/06/10/translation-rules-and-profiles/:
voice translation-rule 1
rule 1 /123/ /456/
rule 2 /^123/ /456/
rule 3 /^123$/ /456/
rule 4 /.*/ /456/
rule 5 /^123*/ /456/
rule 6 /^123+/ /456/
rule 7 /^123?/ /456/
rule 8 /^$/ /456/
a. rule 1 is a one to one replacement of any occurence of 123 in the source number with 456.
b. rule 2 replaces any number starting with 123 with a 456.
c. rule 3 replaces only the number 123 as the source number with 456.
d. rule 4 replaces any number with the number 456, including null.
e. rule 5 says any number that starts with 12 and has 0 or more occurence of 3 with 456.
f. rule 6 says any number that starts with 12 and has 1 or more occurence of 3 with 456
g. rule 7 says any number that starts with 12 and has 0 or 1 occurence of 3 with 456.
h. rule 8 says any number with no input digits (empty ani for example) with 456.
Misc items:
A. dot means a single digit.
B. [0-9] specifies a range
C. .* means any digit followed by zero or more occurence, virtually any digit including null
D. .+ means any digit followed by one or more occurence, virtually any digit excluding null
E. ^$ means no digits.
F. () groups digits into sets
voice translation-rule 1
rule 1 /123/ /456/
rule 2 /^123/ /456/
rule 3 /^123$/ /456/
rule 4 /.*/ /456/
rule 5 /^123*/ /456/
rule 6 /^123+/ /456/
rule 7 /^123?/ /456/
rule 8 /^$/ /456/
a. rule 1 is a one to one replacement of any occurence of 123 in the source number with 456.
b. rule 2 replaces any number starting with 123 with a 456.
c. rule 3 replaces only the number 123 as the source number with 456.
d. rule 4 replaces any number with the number 456, including null.
e. rule 5 says any number that starts with 12 and has 0 or more occurence of 3 with 456.
f. rule 6 says any number that starts with 12 and has 1 or more occurence of 3 with 456
g. rule 7 says any number that starts with 12 and has 0 or 1 occurence of 3 with 456.
h. rule 8 says any number with no input digits (empty ani for example) with 456.
Misc items:
A. dot means a single digit.
B. [0-9] specifies a range
C. .* means any digit followed by zero or more occurence, virtually any digit including null
D. .+ means any digit followed by one or more occurence, virtually any digit excluding null
E. ^$ means no digits.
F. () groups digits into sets
Sunday, August 22, 2010
CSIM START call simulator
CSIM START is a badly, if not undocumented Cisco IOS command that allows you to generate a voice call from a voice enabled router. It seems even if buggy, it could be really useful in situations where you are configuring or supporting configurations remotely and / or don't have live users to test configurations for you.
I have used it successfully with version 124-24.T3 with loop start analog POTS lines, but have seen demonstrations with older versions over PRI as well.
It seems that csim always returns a failed=1 code despite calls being made correctly.
I have found debug voip ccapi inout reflects the call generated by csim accurately.
A successful call looks like:
router#csim start 917167994818
csim: called number = 917167994818, loop count = 1 ping count = 0
csim err csimDisconnected recvd DISC cid(21)
csim: loop = 1, failed = 1
csim: call attempted = 1, setup failed = 1, tone failed = 0
A call to a number without a dial-peer match looks like:
router#csim start 917167994818
csim: called number = 089151, loop count = 1 ping count = 0
csim err:csim_do_test Error peer not found
I have used it successfully with version 124-24.T3 with loop start analog POTS lines, but have seen demonstrations with older versions over PRI as well.
It seems that csim always returns a failed=1 code despite calls being made correctly.
I have found debug voip ccapi inout reflects the call generated by csim accurately.
A successful call looks like:
router#csim start 917167994818
csim: called number = 917167994818, loop count = 1 ping count = 0
csim err csimDisconnected recvd DISC cid(21)
csim: loop = 1, failed = 1
csim: call attempted = 1, setup failed = 1, tone failed = 0
A call to a number without a dial-peer match looks like:
router#csim start 917167994818
csim: called number = 089151, loop count = 1 ping count = 0
csim err:csim_do_test Error peer not found
Thursday, August 19, 2010
qos pre-classify
Absolutely elegant discussion of qos pre-classify at href="http://packetlife.net/blog/2009/jun/17/qos-pre-classification.
I'm reposting it below (with crappy formatting) simply as a backup. Please give credit where credit is due.
I'm reposting it below (with crappy formatting) simply as a backup. Please give credit where credit is due.
QoS pre-classification
By stretch | Wednesday, June 17, 2009 at 10:37 a.m. UTC
Implementing quality of service provisions on virtual tunnel interfaces (VTIs) poses a challenge: QoS policy enforcement is normally applied only after tunnel encapsulation has taken place. Consider the following service policy applied to a GRE tunnel:
class-map match-all ICMP
match access-group name MATCH_ICMP
class-map match-all GRE
match access-group name MATCH_GRE
!
!
policy-map MyPolicy
class ICMP
class GRE
!
interface Tunnel0
ip address 192.168.0.1 255.255.255.252
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252
service-policy output MyPolicy
!
ip access-list extended MATCH_GRE
permit gre any any
ip access-list extended MATCH_ICMP
permit icmp any any
(Note that the policy map used as an example here does not actually enforce any policy; its class maps are included simply to illustrate the manner in which packets are being matched.)
In default operation, our QoS policy will be applied to packets exiting the physical interface only after they have undergone tunnel encapsulation.
When we generate ICMP traffic to the far end of the tunnel, we can verify that our policy only matches the packets as GRE traffic:
R1# ping 192.168.0.2 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 8/10/24 ms
R1# show policy-map interface f0/0
FastEthernet0/0
Service-policy output: MyPolicy
Class-map: ICMP (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps
Match: protocol icmp
Class-map: GRE (match-all)
10 packets, 1240 bytes
30 second offered rate 0 bps
Match: protocol gre
Class-map: class-default (match-any)
5 packets, 620 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
This hinders our ability to differentiate between packets which have undergone tunnel encapsulation. However, enabling QoS pre-classification configures the tunnel interface to maintain a copy of the original packet in memory long enough for the physical interface policy to inspect it.
After enabling pre-classification, our policy is applied to the original "inner" header instead of the encapsulation header:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface tunnel0
R1(config-if)# qos pre-classify
R1(config-if)# ^Z
R1# clear counters f0/0
Clear "show interface" counters on this interface [confirm]
R1# ping 192.168.0.2 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 4/8/12 ms
R1# show policy-map interface f0/0
FastEthernet0/0
Service-policy output: MyPolicy
Class-map: ICMP (match-all)
10 packets, 1240 bytes
30 second offered rate 0 bps
Match: access-group name MATCH_ICMP
Class-map: GRE (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps
Match: access-group name MATCH_GRE
Class-map: class-default (match-any)
2 packets, 120 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
A couple side notes from my experiments on IOS 12.4(22)T:
I initially wrote the class maps to utilize NBAR (match protocol), but for some reason the ICMP class map didn't appear to take effect, so I switched to extended ACLs. Your mileage may vary.
Pre-classification seems to have no effect when applied to a VTI performing native IPsec encapsulation (versus a crypto map). Again, this may be IOS version-specific.
Tuesday, August 17, 2010
QoS conversions for extended pings sample
To emulate DSCP tagged traffic:
ef = dscp 46 = 101110 = tos 0xb8 (184) = ip prec 5
af31 = dscp 26 = 011010 = tos 0x68 (104) = ip prec 3
af32 = dscp 28 = 011100 = tos 0x70 (112) = ip prec 3
cs3 = dscp 24 = 011000 = tos 0x60 (96) = ip prec 3
voice_gw#ping ip
Target IP address: 10.10.10.1
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.20.10.1
Type of service [0]: 184 --->dscp is ef
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
A simple way to calculate is to put your binary representation of the value into your calculator and add two zeros to the end (i.e. 101110 becomes 10111000).
If you are looking to emulate IP Precedence values, use 224,192,160,128,96,64,32,0 for IPP 7 to 0.
ef = dscp 46 = 101110 = tos 0xb8 (184) = ip prec 5
af31 = dscp 26 = 011010 = tos 0x68 (104) = ip prec 3
af32 = dscp 28 = 011100 = tos 0x70 (112) = ip prec 3
cs3 = dscp 24 = 011000 = tos 0x60 (96) = ip prec 3
voice_gw#ping ip
Target IP address: 10.10.10.1
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.20.10.1
Type of service [0]: 184 --->dscp is ef
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
A simple way to calculate is to put your binary representation of the value into your calculator and add two zeros to the end (i.e. 101110 becomes 10111000).
If you are looking to emulate IP Precedence values, use 224,192,160,128,96,64,32,0 for IPP 7 to 0.
Thursday, June 17, 2010
Send caller directly to Unity voicemail greeting from CUCM
A well documented tip, rehashed here:
Using CUCM / Unity, how to send a caller directly to a voicemail box?
Assuming you have 4 digit extensions:
1. Create a voicemail profile in CUCM with a mask XXXX, and the pilot of the appropriate voicemail system.
2. Create a CTI Route Point.
3. Make the CTI Route Point DN extension #XXXX (or *XXXX, 37XXXX, etc.).
4. On the CTI Route Point DN, use the voicemail profile you just created.
5. Forward the CTI Route Point DN CFA to voicemail.
Dial #1234 and you will hear 1234's greeting.
Using CUCM / Unity, how to send a caller directly to a voicemail box?
Assuming you have 4 digit extensions:
1. Create a voicemail profile in CUCM with a mask XXXX, and the pilot of the appropriate voicemail system.
2. Create a CTI Route Point.
3. Make the CTI Route Point DN extension #XXXX (or *XXXX, 37XXXX, etc.).
4. On the CTI Route Point DN, use the voicemail profile you just created.
5. Forward the CTI Route Point DN CFA to voicemail.
Dial #1234 and you will hear 1234's greeting.
Tuesday, June 08, 2010
Remove a UCCX agent after removal from CUCM
Here's a nice new feature in version 7 that avoids some previous confusion about deleting agents...
Remove a UCCX agent after removal from CUCM
From the version 7 admin guide:
When Unified CCX detects that the agent no longer exists in Unified CM, it does not automatically delete that agent from the Unified CCX database. Instead, the Unified CCX Resources page displays a new link called Inactive Agents. When you click this link, Unified CCX displays a list of agents deleted from Unified CM but still existing in the Unified CCX database. In this case, select the agents to delete from Unified CCX by checking the check box next to the required agent (or select all agents for deletion by clicking Check All). Then click Delete to remove the selected agents from the Unified CCX database. Unless you follow this procedure, agents deleted in Unified CM will continue to appear in the agents list in the Unified CCX Resources page, but they will not be able to log in as the Unified CM authentication will not be successful
Remove a UCCX agent after removal from CUCM
From the version 7 admin guide:
When Unified CCX detects that the agent no longer exists in Unified CM, it does not automatically delete that agent from the Unified CCX database. Instead, the Unified CCX Resources page displays a new link called Inactive Agents. When you click this link, Unified CCX displays a list of agents deleted from Unified CM but still existing in the Unified CCX database. In this case, select the agents to delete from Unified CCX by checking the check box next to the required agent (or select all agents for deletion by clicking Check All). Then click Delete to remove the selected agents from the Unified CCX database. Unless you follow this procedure, agents deleted in Unified CM will continue to appear in the agents list in the Unified CCX Resources page, but they will not be able to log in as the Unified CM authentication will not be successful
UCCX agent doesn't appear in CSD
Ran into a situation after an upgrade to UCCX 7 sr 4, where an agent on a particular team was not visible to the supervisor in CSD. Call flow was not affected.
Manual synchronization techniques https://supportforums.cisco.com/docs/DOC-9162
If you are running UCCX 7.0(1) SR4 and after performed a change under the team configuration its not been reflect in the supervisor application, the root cause of this could be the following DDTs CSCtd46752 and a manual synchronization comes handy, this process does not affect your call procesing or any other services of your UCCX. Here are the steps to go through the process.
1. If necessary open a RDP or VNC connection towards the UCCX server. (UCCX IP address)
2. In the CDA go to "Desktop Administrator" menu and select the option for "Site A"
3. The new window will request for a username and password. Default values are username "admin" and live the password as blank.
4. Go over the personnel menu and confirm if your agents appear under the correct team
5. If a mis-synchronization occurs between your AppAdmin configuration and what your output displays; we need to perform a manual synchronization to update the team information. In order to accomplish this please go over "Services Configuration" - "Synchronize Directory Services" and click over "Manual Synchronization of Directory Services".
6. After the process has ended please go over the personnel menu and confirm if the synchronization succeed.
Restart service
If that doesn't work, you can restart the 'Cisco Desktop Sync Service' - if you do this from Control Centre in appadmin then it shouldn't cause a failover or outage. Often the sync stops, so what you configure in Cisco-land (appadmin) doesn't make it's way over to Calabrio-land (CAD etc).
See CSCtd46752 Bug Details for details:
Issue is seen after the UCCX 7.0(1) is upgraded to SR 4
Changing agent TEAM successfully maps the agent to the new team in APPADMIN page but in Cisco desktop ADMIN the TEAM of that agent shows as "DEFAULT" instead of the new Team.
At this time, the bug is unresolved.
Manual synchronization techniques https://supportforums.cisco.com/docs/DOC-9162
If you are running UCCX 7.0(1) SR4 and after performed a change under the team configuration its not been reflect in the supervisor application, the root cause of this could be the following DDTs CSCtd46752 and a manual synchronization comes handy, this process does not affect your call procesing or any other services of your UCCX. Here are the steps to go through the process.
1. If necessary open a RDP or VNC connection towards the UCCX server. (UCCX IP address)
2. In the CDA go to "Desktop Administrator" menu and select the option for "Site A"
3. The new window will request for a username and password. Default values are username "admin" and live the password as blank.
4. Go over the personnel menu and confirm if your agents appear under the correct team
5. If a mis-synchronization occurs between your AppAdmin configuration and what your output displays; we need to perform a manual synchronization to update the team information. In order to accomplish this please go over "Services Configuration" - "Synchronize Directory Services" and click over "Manual Synchronization of Directory Services".
6. After the process has ended please go over the personnel menu and confirm if the synchronization succeed.
Restart service
If that doesn't work, you can restart the 'Cisco Desktop Sync Service' - if you do this from Control Centre in appadmin then it shouldn't cause a failover or outage. Often the sync stops, so what you configure in Cisco-land (appadmin) doesn't make it's way over to Calabrio-land (CAD etc).
See CSCtd46752 Bug Details for details:
Issue is seen after the UCCX 7.0(1) is upgraded to SR 4
Changing agent TEAM successfully maps the agent to the new team in APPADMIN page but in Cisco desktop ADMIN the TEAM of that agent shows as "DEFAULT" instead of the new Team.
At this time, the bug is unresolved.
Thursday, June 03, 2010
CPTONE reference site
A nice reference site for world wide CPTONE information http://www.3amsystems.com/wireline/tone-search.htm.
Tuesday, April 27, 2010
CUCM reboot sequence
Cisco Support Forum suggestion
Having been asked again today, I would say the sort of official recommendation is to restart your publisher server first and wait for it to fully recover. Then repeat the process with each of your subscribers. My thought was obviously to always retain as much phone service as possible by rebooting and recovering each individually, but frankly I don't know why the publisher should go first. If you have one freshly rebooted server to rehome to, what does it matter which one?
At least Cisco confirms that I'm not missing anything (see link above).
Of course something in version 8 will likely explode if you do so in the undocumented correct order ;)
Having been asked again today, I would say the sort of official recommendation is to restart your publisher server first and wait for it to fully recover. Then repeat the process with each of your subscribers. My thought was obviously to always retain as much phone service as possible by rebooting and recovering each individually, but frankly I don't know why the publisher should go first. If you have one freshly rebooted server to rehome to, what does it matter which one?
At least Cisco confirms that I'm not missing anything (see link above).
Of course something in version 8 will likely explode if you do so in the undocumented correct order ;)
Sunday, April 18, 2010
CUPC 7 Calendar Integration
Despite the documentation, CUPS / CUPC Outlook calendar integration WILL work while Outlook Web Access is using forms based authentication (if you see a pretty web form when logging into OWA vs. a Windows form requesting a username and password).
One problem is while setting it up and troubleshooting CUPC, the errors returned from Exchange during the CUPC / CUPS calendar communication can be based on results from OWA / IIS, and not Exchange. You may get errors that are either too general to be helpful or misleading (i.e. 440 Timeout).
By disabling FBA in Exchange (and / or IIS), you can restart the Presense engine and collect real errors rather quickly.
I found Exchange was looking for a DOMAIN\USER Presence Outlook Gateway User loggin name format (vs. simply USER, or cn=USER, ou=DOMAIN...). TAC may suggest any variation of them without really investigating the root requirements from Exchange. One mystery problem is that an incorrect authentication method CAN work for a long enough time to make you think your exhaustive list of calendar testing is complete, and then simply stop working an hour later.
Drop FBA, verify what Exchange is looking for re: loggin methods, and cross your fingers.
When you decipher the root cause of your calendar integration failure, you can re-enable FBA on OWA.
One problem is while setting it up and troubleshooting CUPC, the errors returned from Exchange during the CUPC / CUPS calendar communication can be based on results from OWA / IIS, and not Exchange. You may get errors that are either too general to be helpful or misleading (i.e. 440 Timeout).
By disabling FBA in Exchange (and / or IIS), you can restart the Presense engine and collect real errors rather quickly.
I found Exchange was looking for a DOMAIN\USER Presence Outlook Gateway User loggin name format (vs. simply USER, or cn=USER, ou=DOMAIN...). TAC may suggest any variation of them without really investigating the root requirements from Exchange. One mystery problem is that an incorrect authentication method CAN work for a long enough time to make you think your exhaustive list of calendar testing is complete, and then simply stop working an hour later.
Drop FBA, verify what Exchange is looking for re: loggin methods, and cross your fingers.
When you decipher the root cause of your calendar integration failure, you can re-enable FBA on OWA.
Thursday, March 18, 2010
CUPS version 7 and intermittent desk phone control
Assuming all other configuration in CUPS and CUCM is correct (licensing, devices, lines, user association, etc.) you will have intermittent desk phone control, if any, when using port 389 to authenticate CUCM against AD.
By changing LDAP authentication in CUCM to use the AD global catalog on port 3268 your problem is solved.
It got me.
By changing LDAP authentication in CUCM to use the AD global catalog on port 3268 your problem is solved.
It got me.
Sunday, January 31, 2010
Get Active Directory names via command line
Working on domain member server without any AD tools available, I needed to confirm the display name of an AD user. I was only supplied the logon user name. A common example might be Joe Smith being the display name and the logon / SAM user name being jsmith.
The commands involved are dsquery and dsget, both quite powerful.
Given the AD logon username is webmaxtor in the MAXTOR.LOCAL domain, the associated request and result returning the display name might be:
H:\>dsquery user dc=MAXTOR,dc=LOCAL -name web* | dsget user -display
display
Web Administrator
Web Maxtor
dsget succeeded
Since two names appear on the list, we know two users are returned and can see the logon / SAM names via:
H:\>dsquery user dc=MAXTOR,dc=LOCAL -name web* | dsget user -samid
samid
IISadmin
webmaxtor
dsget succeeded
Running the dsquery command without the piped dsget can also return all sorts of useful information all by itself.
The commands involved are dsquery and dsget, both quite powerful.
Given the AD logon username is webmaxtor in the MAXTOR.LOCAL domain, the associated request and result returning the display name might be:
H:\>dsquery user dc=MAXTOR,dc=LOCAL -name web* | dsget user -display
display
Web Administrator
Web Maxtor
dsget succeeded
Since two names appear on the list, we know two users are returned and can see the logon / SAM names via:
H:\>dsquery user dc=MAXTOR,dc=LOCAL -name web* | dsget user -samid
samid
IISadmin
webmaxtor
dsget succeeded
Running the dsquery command without the piped dsget can also return all sorts of useful information all by itself.
Monday, January 11, 2010
Cisco TSAPI client configuration hangs
Using Windows XP sp3 and Cisco Unified Communications Manager 7.0.1, I find that clicking Configure on the Phone and Modem Options in Control Panel hangs on some machines.
Attempting to restart the Telephony service indicates the Remote Access Connection Manager service is a dependency.
Unfortunately, I have not researched the implications of disabling this service as of yet but doing so and setting Telephony to start automatically seems to allow configuration appropriately.
Attempting to restart the Telephony service indicates the Remote Access Connection Manager service is a dependency.
Unfortunately, I have not researched the implications of disabling this service as of yet but doing so and setting Telephony to start automatically seems to allow configuration appropriately.
Tuesday, January 05, 2010
WII remote and Lenovo T61 Bluetooth connection
My Lenovo T61 uses what looks like a Widcomm / Broadcom Bluetooth stack.
Although other sites indicate there are problems connecting the WII remote to your Lenovo T61, this Smoothboard wiki provides a very concise tutorial on doing so.
The missing link for even starting the procedure is hitting Fn+F5 first, assuming you haven't trashed all of pre-installed ThinkVantage software.
There you will at least be able to verify your Bluetooth radio is on.
Whoops :)
Although other sites indicate there are problems connecting the WII remote to your Lenovo T61, this Smoothboard wiki provides a very concise tutorial on doing so.
The missing link for even starting the procedure is hitting Fn+F5 first, assuming you haven't trashed all of pre-installed ThinkVantage software.
There you will at least be able to verify your Bluetooth radio is on.
Whoops :)