
New Gateway Feature - Toll-Fraud Prevention in IOS 15.1(2)T

This post is a big warning for anyone upgrading a voice gateway to 15.1(2)T or later.  Without additional configuration, all inbound VoIP call setups will be blocked after the upgrade.  Yup.  Blocked.  Additionally, two-stage dialing is no longer enabled by default.

Per Cisco's explanation of the new Toll-Fraud Prevention Feature, a "trusted list" must be configured on the voice gateway so that the sources generating the VoIP call setups will be accepted.

Note:  If you have "session target" defined within dial-peers that you currently use, those calls will be accepted even if no "trusted list" is defined.

Debug Example - Blocked Call 

debug voice ccapi inout
%VOICE_IEC-3-GW: Application Framework Core: Internal Error (Toll fraud call rejected): 
IEC=1.1.228.3.31.0 on callID 3 GUID=F146D6B0539C11DF800CA596C4C2D7EF 
000183: *Apr 30 14:38:57.251: //3/F146D6B0800C/CCAPI/ccCallSetContext: 
   Context=0x49EC9978 
000184: *Apr 30 14:38:57.251: //3/F146D6B0800C/CCAPI/cc_process_call_setup_ind: 
   >>>>CCAPI handed cid 3 with tag 1002 to app "_ManagedAppProcess_TOLLFRAUD_APP" 
000185: *Apr 30 14:38:57.251: //3/F146D6B0800C/CCAPI/ccCallDisconnect: 
   Cause Value=21, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=0)

Disable Toll-Fraud Prevention Feature

If you need to quickly return your router to its previous functionality after an upgrade, take one of these two paths:
  1. Configure the router to accept incoming call setups from all source IP addresses.
    voice service voip
     ip address trusted list
      ipv4 0.0.0.0 0.0.0.0
  2. Disable the toll-fraud prevention application completely.
    voice service voip
     no ip address trusted authenticate
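
Either quick fix leaves the gateway accepting call setups from any source address, so it is worth checking saved configurations for both. The following is an added example, not part of the original post: a Python audit that reads the "voice service voip" block of a running-config and reports the trusted entries and the two settings above. It assumes the one-space-per-level indentation that IOS uses in its configuration output; the sample configuration is constructed, and the function name is hypothetical.

```python
import ipaddress
import re

# Constructed sample running-config fragment (not taken from a real device).
SAMPLE_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 192.0.2.10
  ipv4 198.51.100.0 255.255.255.0
  ipv4 0.0.0.0 0.0.0.0
 allow-connections sip to sip
!
voice service pots
 no direct-inward-dial isdn
"""


def audit_toll_fraud(config: str) -> dict:
    """Return the trusted networks and any findings for 'voice service voip'."""
    in_voip = in_list = False
    trusted, findings = [], []
    for raw in config.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            # A top-level line starts a new block (or is a '!' separator).
            in_voip = line == "voice service voip"
            in_list = False
            continue
        if not in_voip:
            continue
        if indent == 1:
            in_list = line == "ip address trusted list"
            if line == "no ip address trusted authenticate":
                findings.append("toll-fraud prevention disabled")
            continue
        m = re.fullmatch(r"ipv4 (\S+)(?: (\S+))?", line)
        if in_list and m:
            # An entry without a mask is a single host.
            mask = m.group(2) or "255.255.255.255"
            net = ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False)
            trusted.append(net)
            if net.prefixlen == 0:
                findings.append("trusted list accepts every source address")
    return {"trusted": trusted, "findings": findings}
```
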

Restore Two-Stage Dialing After Upgrade

If two-stage dialing is required, the following can be configured to return behavior to match previous releases.

For inbound ISDN calls:
    voice service pots
     no direct-inward-dial isdn

For inbound FXO calls:
    voice-port <fxo-port>
     secondary dialtone
