Configure Local Gateway On Cisco IOS XE For Webex Calling


Product: Webex Calling | Platform: Web Browser | For: Administrator, Partner

January 23, 2023


After you configure Webex Calling for your organization, you can configure a trunk to
connect your Local Gateway to Webex Calling. SIP TLS transport secures the trunk
between the Local Gateway and the Webex cloud. The media between the Local
Gateway and Webex Calling uses SRTP.

Local Gateway Configuration Task Flow

There are two options to configure the Local Gateway for your Webex Calling trunk:

Registration-based trunk

Certificate-based trunk

Use the task flow either under the Registration-based Local Gateway or Certificate-based Local Gateway to
configure Local Gateway for your Webex Calling trunk. See Configure trunks, route groups, and dial plans for
Webex Calling for more information on different trunk types. Perform the following steps on the Local Gateway
itself, using the Command Line Interface (CLI). We use Session Initiation Protocol (SIP) with Transport Layer
Security (TLS) transport to secure the trunk and Secure Real-time Transport Protocol (SRTP) to secure the media
between the Local Gateway and Webex Calling.

Before you begin

Understand the premises-based Public Switched Telephone Network (PSTN) and Local Gateway (LGW)
requirements for Webex Calling. See Cisco Preferred Architecture for Webex Calling for more
information.

This article assumes that a dedicated Local Gateway platform is in place with no existing voice
configuration. If you modify an existing PSTN gateway or Local Gateway enterprise deployment to use
as the Local Gateway function for Webex Calling, then pay careful attention to the configuration. Ensure
that you do not interrupt the existing call flows and functionality because of the changes that you make.

Create a trunk in Control Hub and assign it to the location. See Configure trunks, route groups, and dial
plans for Webex Calling for more information.

The procedures contain links to command reference documentation where you can learn more about the
individual command options. All command reference links go to the Webex Managed Gateways
Command Reference unless stated otherwise (in which case, the command links go to Cisco IOS Voice
Command Reference). You can access all of these guides at Cisco Unified Border Element Command
References.

Registration-Based Local Gateway

Perform Reference Platform Configuration

Before you begin

Ensure that the following baseline platform configuration items are set up
according to your organization's policies and procedures:

NTPs

ACLs

enable passwords

primary password

IP routing

IP Addresses, and so on

You require a minimum supported release of Cisco IOS XE 16.12 or IOS-XE 17.3 for all Local
Gateway deployments.
1 Ensure that all Layer 3 interfaces have valid and routable IP addresses:

interface GigabitEthernet0/0/0
description Interface facing PSTN and/or CUCM
ip address 192.168.80.14 255.255.255.0
!
interface GigabitEthernet0/0/1
description Interface facing Webex Calling
ip address 192.168.43.197 255.255.255.0

2 Preconfigure a primary key for the password using the following commands before you use it in the
credentials and shared secrets. Type 6 passwords are encrypted using the AES cipher and the
user-defined primary key.

conf t
key config-key password-encrypt Password123
password encryption aes

3 Configure an IP name server to enable DNS lookup, and ping it to ensure that the server is reachable.
The Local Gateway uses DNS to resolve Webex Calling proxy addresses:

conf t
Enter configuration commands, one per line. End with CNTL/Z.
ip name-server 8.8.8.8
end
4 Enable TLS 1.2 Exclusivity and a default placeholder trustpoint:

1 Create a placeholder PKI trustpoint and call it sampleTP.

2 Assign the trustpoint as the default signaling trustpoint under sip-ua.

The cn-san-validate server option ensures that the Local Gateway establishes the
connection only if the outbound proxy that you configure on tenant 200
(described later) matches the CN-SAN list that you receive from the server.

You require the crypto trustpoint for TLS to work, although you do not require a
local client certificate (for example, mTLS) set up for the connection.

3 Enable v1.2 exclusivity to disable TLS v1.0 and v1.1.

4 Set tcp-retry count to 1000 (5-msec multiples = 5 seconds).

5 Set timers connection to establish TLS <wait-timer in sec>. The range is 5–20 seconds and
the default is 20 seconds. (The LGW takes 20 seconds to detect the TLS connection failure
before it attempts to establish a connection to the next available Webex Calling access SBC.
The CLI allows the admin to change the value to accommodate network conditions and
detect connection failures with the access SBC much faster.)

Applicable to Cisco IOS XE 17.3.2 and later versions.

configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
crypto pki trustpoint sampleTP
revocation-check crl
exit

sip-ua
crypto signaling default trustpoint sampleTP cn-san-validate server
transport tcp tls v1.2
tcp-retry 1000
end
5 Update the Local Gateway trustpool:

The default trustpool bundle does not include the "DigiCert Root CA" or "IdenTrust Commercial"
certificates that you need for validating the server-side certificate during TLS connection
establishment to Webex Calling.

Download the latest “Cisco Trusted Core Root Bundle” from http://www.cisco.com/security/pki/ to
update the trustpool bundle.

1 Check if the DigiCert Root CA and IdenTrust Commercial certificates exist:

show crypto pki trustpool | include DigiCert

2 If the DigiCert Root CA and IdenTrust Commercial certificates don't exist, update as
follows:

configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
crypto pki trustpool import clean url http://www.cisco.com/security/pki/trs/ios_core.p7b
Reading file from http://www.cisco.com/security/pki/trs/ios_core.p7b
Loading http://www.cisco.com/security/pki/trs/ios_core.p7b
% PEM files import succeeded.
end

Alternatively, you can download the certificate bundle and install from a local server
or Local Gateway flash memory.

For example:

crypto pki trustpool import clean url flash:ios_core.p7b

3 Verify:

show crypto pki trustpool | include DigiCert


cn=DigiCert Global Root CA
o=DigiCert Inc
cn=DigiCert Global Root CA
o=DigiCert Inc

show crypto pki trustpool | include IdenTrust Commercial


cn=IdenTrust Commercial Root CA 1
cn=IdenTrust Commercial Root CA 1
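
An added example (not part of the original article): a small offline audit, in Python, of a saved running-config against the settings from steps 2 and 4 above (AES password encryption, TLS v1.2 exclusivity, cn-san-validate, CRL checking) and against secrets left as type 0 or type 7. The sample configuration and its secret value are constructed, and the function names are this example's own.

```python
import re

# Constructed sample modelled on "show running-config" output after the steps
# above. The STUN shared secret (a command configured later in this article) is
# deliberately left as type 0 so that the audit has something to report.
SAMPLE_CONFIG = """\
password encryption aes
ip name-server 8.8.8.8
!
crypto pki trustpoint sampleTP
 revocation-check crl
!
voice service voip
 stun
  stun flowdata agent-id 1 boot-count 4
  stun flowdata shared-secret 0 ExampleSecret
!
sip-ua
 crypto signaling default trustpoint sampleTP cn-san-validate server
 transport tcp tls v1.2
 tcp-retry 1000
"""

# A secret keyword followed by encryption type 0 (cleartext) or 7 (reversible).
WEAK_SECRET = re.compile(r"\b(password|shared-secret) ([07]) \S+")
TRUSTPOINT = re.compile(r"crypto signaling default trustpoint (\S+)(.*)")


def parse_sections(config):
    """Map each top-level command to the (stripped) lines nested under it."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sections = parse_sections(config)
    sip_ua = sections.get("sip-ua", [])

    if "password encryption aes" not in sections:
        findings.append("password encryption aes is not enabled")
    if "transport tcp tls v1.2" not in sip_ua:
        findings.append("sip-ua does not restrict TLS to v1.2")

    trustpoint = None
    for line in sip_ua:
        m = TRUSTPOINT.fullmatch(line)
        if m:
            trustpoint = m.group(1)
            if "cn-san-validate server" not in m.group(2):
                findings.append("signaling trustpoint lacks cn-san-validate server")
    if trustpoint is None:
        findings.append("no default signaling trustpoint under sip-ua")
    else:
        body = sections.get(f"crypto pki trustpoint {trustpoint}")
        if body is None:
            findings.append(f"trustpoint {trustpoint} is not defined")
        elif "revocation-check crl" not in body:
            findings.append(f"trustpoint {trustpoint} does not check the CRL")

    # Report the keyword and type only, never the secret value itself.
    for number, raw in enumerate(config.splitlines(), 1):
        m = WEAK_SECRET.search(raw)
        if m:
            findings.append(
                f"line {number}: {m.group(1)} stored as type {m.group(2)}, not type 6")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
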
Configure Registration-Based Trunk

Before you begin

Ensure that you complete the steps in Control Hub to create a location and add a trunk for that
location. In the following example, you obtain the information from Control Hub.
1 Enter the following commands to turn on the Local Gateway application. See Port Reference
Information for Cisco Webex Calling for the latest IP subnets that you must add to the trust list:

configure terminal
voice service voip
ip address trusted list
ipv4 x.x.x.x y.y.y.y
exit
allow-connections sip to sip
media statistics
media bulk-stats
no supplementary-service sip refer
no supplementary-service sip handle-replaces
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
stun
stun flowdata agent-id 1 boot-count 4
stun flowdata shared-secret 0 Password123$
sip
g729 annexb-all
early-offer forced
asymmetric payload full
end

Here's an explanation of the fields for the configuration:

Toll-fraud prevention

voice service voip


ip address trusted list
ipv4 x.x.x.x y.y.y.y

Enables the source IP addresses of entities from which the Local Gateway expects legitimate
VoIP calls, such as Webex Calling peers, Unified CM nodes, and IP PSTN.

By default, LGW blocks all incoming VoIP call setups from IP addresses not in its trusted list.
IP Addresses from dial-peers with “session target IP” or server group are trusted by default,
and you need not populate here.

IP addresses in the list must match the IP subnets according to the regional Webex Calling
data center that you connect. For more information, see Port Reference Information for Webex
Calling.

If your LGW is behind a firewall with restricted cone NAT, you may prefer to disable the
IP address trusted list on the Webex Calling-facing interface. The firewall already
protects you from unsolicited inbound VoIP. Disabling the list reduces your longer-term
configuration overhead, because we cannot guarantee that the addresses of the Webex
Calling peers remain fixed, and you must configure your firewall for the peers in any
case.

Configure other IP addresses on other interfaces. For example, ensure that you add the Unified
CM addresses to the inward-facing interfaces.

The IP addresses must match the host IP addresses that the outbound-proxy in tenant 200 resolves to.

For more information on how to use an IP address trusted list to prevent toll fraud, see IP
address trusted.
Media

voice service voip


media statistics
media bulk-stats

Media statistics

Enables media monitoring on the Local Gateway.

Media bulk-stats

Enables the control plane to poll the data plane for bulk call statistics.

For more information on these commands see Media in the Cisco IOS Voice Command
Reference - K through R.

SIP-to-SIP basic functionality

allow-connections sip to sip

Allow SIP-to-SIP connections.

By default, Cisco IOS or IOS XE voice devices do not allow an incoming VoIP leg to go out as
VoIP.

For more information on this command, see Allow connections.

Supplementary services

no supplementary-service sip refer


no supplementary-service sip handle-replaces

Disables REFER and replaces the dialog ID in the replaces header with the peer dialog ID.
For more information, see Supplementary service sip.
Fax protocol

fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none

Enables T.38 for fax transport, though the fax traffic will not be encrypted. For more information on
this command, see fax protocol t38 (voice-service).
Enable global stun

stun
stun flowdata agent-id 1 boot-count 4
stun flowdata shared-secret 0 Password123$

When you forward a call to a Webex Calling user (for example, both the called and calling
parties are Webex Calling subscribers and if you anchor media at the Webex Calling SBC),
then the media cannot flow to the Local Gateway as the pinhole isn't open.

The stun bindings feature on the Local Gateway allows locally generated stun requests to
be sent over the negotiated media path. Stun helps to open the pinhole in the firewall.

Stun password is a prerequisite for the Local Gateway to send stun messages out. You can
configure Cisco IOS/IOS XE-based firewalls to check for the password and open pinholes
dynamically (for example, without explicit in-out rules). But for the Local Gateway deployment,
you configure the firewall statically to open pinholes in and out based on the Webex Calling
SBC subnets. As such, the firewall must treat SBC subnets as any inbound UDP packet,
which triggers the pinhole opening without explicitly looking at the packet contents.

For more information, see stun flowdata agent-id and stun flowdata shared-secret.
G729

sip
g729 annexb-all

Allows all variants of G729.

For more information, see g729 annexb-all.


SIP

early-offer forced

Forces the Local Gateway to send the SDP information in the initial INVITE message instead of
waiting for acknowledgment from the neighboring peer.

For more information on this command, see early-offer.


2 Configure “SIP Profile 200.”

voice class sip-profiles 200


rule 9 request ANY sip-header SIP-Req-URI modify "sips:(.*)" "sip:\1"
rule 10 request ANY sip-header To modify "<sips:(.*)" "<sip:\1"
rule 11 request ANY sip-header From modify "<sips:(.*)" "<sip:\1"
rule 12 request ANY sip-header Contact modify "<sips:(.*)>" "<sip:\1;transport=tls>"
rule 13 response ANY sip-header To modify "<sips:(.*)" "<sip:\1"
rule 14 response ANY sip-header From modify "<sips:(.*)" "<sip:\1"
rule 15 response ANY sip-header Contact modify "<sips:(.*)" "<sip:\1"
rule 20 request ANY sip-header From modify ">" ";otg=hussain2572_lgu>"
rule 30 request ANY sip-header P-Asserted-Identity modify "sips:(.*)" "sip:\1"

Here's an explanation of the fields for the configuration:

rule 9

Ensures that you list the header as “SIP-Req-URI” and not “SIP-Req-URL”.

The rule converts SIPS URIs to SIP URIs, because Webex Calling doesn't support
SIPS URIs in the request/response messages, but needs them for SRV queries, for example:
_sips._tcp.<outbound-proxy>.

rule 20

Modifies the From header to include the trunk group OTG/DTG parameter from Control Hub to
uniquely identify a Local Gateway site within an enterprise.

The SIP profile is applied to voice class tenant 200 (discussed later) for all traffic facing Webex
Calling. For more information, see voice class sip-profiles.

For more information on rule commands, see rule (voice translation-rule) in Cisco IOS Voice
Command Reference - K through R.
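
An added example (not part of the original article): the rules of SIP profile 200 applied in Python to constructed headers, to show what each rewrite leaves on the wire. Replacing only the first regex match per rule is this example's assumption about the modify action, and the phone numbers, example.com host and tag values are constructed.

```python
import re

# (rule, message kind, header, match regex, replacement), copied from
# "voice class sip-profiles 200" on this page.
RULES = [
    (9, "request", "SIP-Req-URI", r"sips:(.*)", r"sip:\1"),
    (10, "request", "To", r"<sips:(.*)", r"<sip:\1"),
    (11, "request", "From", r"<sips:(.*)", r"<sip:\1"),
    (12, "request", "Contact", r"<sips:(.*)>", r"<sip:\1;transport=tls>"),
    (13, "response", "To", r"<sips:(.*)", r"<sip:\1"),
    (14, "response", "From", r"<sips:(.*)", r"<sip:\1"),
    (15, "response", "Contact", r"<sips:(.*)", r"<sip:\1"),
    (20, "request", "From", r">", r";otg=hussain2572_lgu>"),
    (30, "request", "P-Asserted-Identity", r"sips:(.*)", r"sip:\1"),
]

# Constructed outbound INVITE as it looks before the profile runs
# ("url sips" in tenant 200 makes the gateway build sips: URIs).
SAMPLE_INVITE = {
    "SIP-Req-URI": "INVITE sips:+14085550100@example.com:5061 SIP/2.0",
    "To": "<sips:+14085550100@example.com>",
    "From": "<sips:+14085550199@192.168.43.197>;tag=1a2b",
    "Contact": "<sips:+14085550199@192.168.43.197:5061>",
    "P-Asserted-Identity": "<sips:+14085550199@192.168.43.197>",
    "Via": "SIP/2.0/TLS 192.168.43.197:5061;branch=z9hG4bKconstructed",
}

# Constructed 200 OK headers for the response-side rules 13 to 15.
SAMPLE_RESPONSE = {
    "To": "<sips:+14085550100@example.com>;tag=9f8e",
    "From": "<sips:+14085550199@192.168.43.197>;tag=1a2b",
    "Contact": "<sips:+14085550100@192.168.43.197:5061>",
}


def apply_profile(kind, headers):
    """Apply the rules for one message kind in rule-number order.

    Returns the rewritten headers and the numbers of the rules that matched.
    """
    out = dict(headers)
    applied = []
    for number, rule_kind, header, pattern, replacement in RULES:
        if rule_kind != kind or header not in out:
            continue
        new_value, count = re.subn(pattern, replacement, out[header], count=1)
        if count:
            out[header] = new_value
            applied.append(number)
    return out, applied


def remaining_sips(headers):
    """Headers that still carry a sips: URI after the profile has run."""
    return [name for name, value in headers.items() if "sips:" in value]


if __name__ == "__main__":
    rewritten, applied = apply_profile("request", SAMPLE_INVITE)
    print("rules applied:", applied)
    for name, value in rewritten.items():
        print(f"{name}: {value}")
    print("still sips:", remaining_sips(rewritten))
```

Rule 20 runs after rule 11, so the otg parameter lands inside the angle brackets as a URI parameter, ahead of the header's own tag parameter. Only the request-side Contact rule (rule 12) appends transport=tls.
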
3 Configure codec profile, stun definition, and SRTP Crypto suite.

voice class codec 99


codec preference 1 g711ulaw
codec preference 2 g711alaw
exit
voice class srtp-crypto 200
crypto 1 AES_CM_128_HMAC_SHA1_80
exit
voice class stun-usage 200
stun usage firewall-traversal flowdata
stun usage ice lite
exit

Here's an explanation of the fields for the configuration:

Voice class codec 99

Allows both g711 (mu and a-law) codecs for sessions. Apply stun to all the dial-peers.

For more information, see voice class codec.

Voice class srtp-crypto 200

voice class srtp-crypto 200


crypto 1 AES_CM_128_HMAC_SHA1_80

Specifies SHA1_80 as the only SRTP cipher-suite that the Local Gateway offers in the SDP in
offer and answer. Webex Calling only supports SHA1_80. For more information on the voice
class command, see voice class srtp-crypto.

Applied to voice class tenant 200 (discussed later), which faces Webex Calling.

Voice class stun-usage 200

voice class stun-usage 200


stun usage firewall-traversal flowdata
stun usage ice lite

Defines stun usage. Applies stun to all Webex Calling-facing (2XX tag) dial-peers to avoid no-
way audio when a Unified CM phone forwards the call to another Webex Calling phone. See
stun usage firewall-traversal flowdata and stun usage ice lite.

If you anchor media at the ITSP SBC and the Local Gateway is behind a NAT, then wait for
the inbound media stream from ITSP. You can apply the stun command on ITSP-facing
dial-peers.

You require stun usage ice-lite for call flows utilizing media path optimization.

4 Map Control Hub parameters to Local Gateway configuration.

Add Webex Calling as a tenant within the Local Gateway. You require configuration to register the
Local Gateway under voice class tenant 200. You must obtain the elements of that configuration
from the Trunk Info page from Control Hub as shown in the following image. The following example
displays the fields that map to the respective Local Gateway CLI.

Apply tenant 200 to all the Webex Calling facing dial-peers (2xx tag) within the Local Gateway
configuration. The voice class tenant feature allows you to group and configure SIP trunk parameters
that are otherwise done under voice service VoIP and sip-ua. When you configure a tenant and
apply it under a dial-peer, then the following order of preference applies to Local Gateway
configurations:

Dial-peer configuration

Tenant configuration

Global configuration (voice service VoIP / sip-ua)


5 Configure voice class tenant 200 to enable trunk registration from Local Gateway to Webex Calling
based on the parameters you've obtained from Control Hub:

The following command line and parameters are examples only. Use the parameters for your
own deployment.

voice class tenant 200


registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls
credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
authentication username Hussain2572_LGU password 0 meX7]~)VmF realm BroadWorks
authentication username Hussain2572_LGU password 0 meX7]~)VmF realm 40462196.cisco-bcld.com
no remote-party-id
sip-server dns:40462196.cisco-bcld.com
connection-reuse
srtp-crypto 200
session transport tcp tls
url sips
error-passthru
asserted-id pai
bind control source-interface GigabitEthernet0/0/1
bind media source-interface GigabitEthernet0/0/1
no pass-thru content custom-sdp
sip-profiles 200
outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com
privacy-policy passthru

Here's an explanation of the fields for the configuration:

voice class tenant 200


Enables specific global configurations for multiple tenants on SIP trunks that allow differentiated
services for tenants.
For more information, see voice class tenant.
registrar dns:40462196.cisco-bcld.com scheme sips expires 240 refresh-ratio 50 tcp tls
Registrar server for the Local Gateway with the registration set to refresh every two minutes (50% of
240 seconds). For more information, see registrar in the Cisco IOS Voice Command Reference - K
through R.
credentials number Hussain6346_LGU username Hussain2572_LGU password 0 meX71]~)Vmf realm BroadWorks
Credentials for trunk registration challenge. For more information, see credentials (SIP UA) in Cisco
IOS Voice Command Reference - A through C.
authentication username Hussain2572_LGU password 0 meX71]~)Vmf realm BroadWorks
authentication username Hussain2572_LGU password 0 meX71]~)Vmf realm 40462196.cisco-bcld.com
Authentication challenge for calls. For more information, see authentication (dial-peer) in Cisco IOS
Voice Command Reference - A through C.
no remote-party-id
Disables the SIP Remote-Party-ID (RPID) header, as Webex Calling supports PAI, which is enabled using
the CLI asserted-id pai. For more information, see remote-party-id in Cisco IOS Voice Command
Reference - K through R.
sip-server dns:40462196.cisco-bcld.com
Defines the Webex Calling servers. For more information, see sip-server in Cisco IOS Voice
Command Reference - S commands.
connection-reuse
Uses the same persistent connection for registration and call processing. For more information, see
connection-reuse.
srtp-crypto 200
Defines voice class srtp-crypto 200 to specify SHA1_80 (specified in step 3). For more
information, see voice class srtp-crypto.
session transport tcp tls
Sets transport to TLS. For more information, see session-transport.
url sips
SRV query must be SIPs as supported by the access SBC; all other messages are changed to SIP
by sip-profile 200.
error-passthru
Specifies SIP error response pass-thru functionality.
For more information, see error-passthru.
asserted-id pai
Turns on PAI processing in Local Gateway. For more information, see asserted-id.
bind control source-interface GigabitEthernet0/0/1
Configures a source IP address for signaling source interface facing Webex Calling.
bind media source-interface GigabitEthernet0/0/1
Configures a source IP address for media source interface facing Webex Calling.

For more information on the bind commands, see bind in Cisco IOS Voice Command Reference - A
through C.
no pass-thru content custom-sdp
Default command under tenant. For more information on this command, see pass-thru content.
sip-profiles 200
Changes SIPS to SIP and modifies Line/Port for INVITE and REGISTER messages as defined in
voice class sip-profiles 200. For more information, see voice class sip-profiles.
outbound-proxy dns:la01.sipconnect-us10.cisco-bcld.com
Webex Calling access SBC. For more information, see outbound-proxy.
privacy-policy passthru
Transparently pass across privacy header values from the incoming to the outgoing leg. For more
information, see privacy-policy in Cisco IOS Voice Command Reference - K through R.

After you define tenant 200 within the Local Gateway and configure a SIP VoIP dial-peer, the gateway
initiates a TLS connection toward Webex Calling, at which point the access SBC presents its certificate to the
Local Gateway. The Local Gateway validates the Webex Calling access SBC certificate using the CA root
bundle that you updated earlier, and a persistent TLS session is established between the Local Gateway and the
Webex Calling access SBC. The Local Gateway then sends a REGISTER to the access SBC, which challenges it.
The registration AOR is number@domain. The number is taken from the credentials “number” parameter and the
domain from “registrar dns:<fqdn>.” When the registration is challenged:

The username, password, and realm parameters from the credentials are used to build the header.

sip-profile 200 converts the SIPS URL back to SIP.

Registration is successful when you receive 200 OK from the access SBC.

Configure Local Gateway Without IP PBX

This deployment requires the following configuration on the Local Gateway:

1 Voice class tenants—You create other tenants for dial-peers facing ITSP similar to tenant
200 that you create for Webex Calling facing dial-peers.

2 Voice class URIs—You define patterns for host IP addresses/ports for various trunks
terminating on Local Gateway:
Webex Calling to LGW

PSTN SIP trunk termination on LGW

3 Outbound dial-peers—You can route outbound call legs from LGW to ITSP SIP trunk and
Webex Calling.

4 Voice class DPG—You can invoke a DPG to target the outbound dial-peers from an inbound dial-peer.

5 Inbound dial-peers—You can accept inbound call legs from ITSP and Webex Calling.

Use the configurations either for partner-hosted Local Gateway setup, or customer site gateway, as
shown in the following image.
1 Configure the following voice class tenants:

1 Apply voice class tenant 100 to all outbound dial-peers facing IP PSTN.

voice class tenant 100


session transport udp
url sip
error-passthru
bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
no pass-thru content custom-sdp

2 Apply voice class tenant 300 to all inbound dial-peers from IP PSTN.

voice class tenant 300


bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
no pass-thru content custom-sdp

2 Configure the following voice class uri:

1 Define ITSP’s host IP address:

voice class uri 100 sip


host ipv4:192.168.80.13

2 Define a pattern to uniquely identify a Local Gateway site within an enterprise based on
Control Hub's trunk group OTG or DTG parameter:

voice class uri 200 sip


pattern dtg=hussain2572.lgu

Local Gateway doesn't currently support an underscore "_" in the match pattern. As
a workaround, you can use a dot "." (match any) to match the "_".

Received
INVITE sip:[email protected]:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1
pattern :8934

3 Configure the following outbound dial peers:

1 Outbound dial-peer toward IP PSTN:

dial-peer voice 101 voip


description Outgoing dial-peer to IP PSTN
destination-pattern BAD.BAD
session protocol sipv2
session target ipv4:192.168.80.13
voice-class codec 99
dtmf-relay rtp-nte
voice-class sip tenant 100
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 101 voip


description Outgoing dial-peer to PSTN

Defines a VoIP dial-peer with a tag of 101 and gives a meaningful description for ease of
management and troubleshooting.

destination-pattern BAD.BAD

Allows selection of dial-peer 101. However, you invoke this outgoing dial-peer directly from
the inbound dial-peer using dpg statements and that bypasses the digit pattern match
criteria. You are using an arbitrary pattern based on alphanumeric digits that are allowed by
the destination-pattern CLI.

session protocol sipv2

Specifies that dial-peer 101 handles SIP call legs.

session target ipv4:192.168.80.13

Indicates the destination’s target IPv4 address to send the call leg. In this case, ITSP’s IP
address.

voice-class codec 99

Indicates codec preference list 99 to be used for this dial-peer.

dtmf-relay rtp-nte

Defines RTP-NTE (RFC2833) as the DTMF capability expected on this call leg.

voice-class sip tenant 100


The dial-peer inherits all the parameters from tenant 100 unless that same parameter is
defined under the dial-peer itself.

no vad

Disables voice activity detection.

2 Outbound dial-peer toward Webex Calling (You update outbound dial-peer to serve as
inbound dial-peer from Webex Calling as well later in the configuration guide).

dial-peer voice 200201 voip


description Inbound/Outbound Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target sip-server
voice-class codec 99
dtmf-relay rtp-nte
voice-class stun-usage 200
no voice-class sip localhost
voice-class sip tenant 200
srtp
no vad

Explanation of commands:

dial-peer voice 200201 voip


description Inbound/Outbound Webex Calling

Defines a VoIP dial-peer with a tag of 200201 and gives a meaningful description for ease
of management and troubleshooting.

session target sip-server

Indicates that the global SIP server is the destination for calls from this dial peer. Webex
Calling server that you define in tenant 200 is inherited for dial-peer 200201.

voice-class stun-usage 200

Allows locally generated stun requests on the Local Gateway to be sent over the negotiated
media path. Stun helps in opening up the pinhole in the firewall.

no voice-class sip localhost

Disables substitution of the DNS local host name in place of the physical IP address in the
From, Call-ID, and Remote-Party-ID headers of outgoing messages.

voice-class sip tenant 200


The dial-peer inherits all the parameters from tenant 200 (LGW <--> Webex Calling Trunk)
unless you define the same parameter under the dial-peer itself.

srtp

Enables SRTP for the call leg.

no vad

Disables voice activity detection.

4 Configure the following dial-peer groups (dpg):

1 Defines dial-peer group 100. Outbound dial-peer 101 is the target for any incoming dial-peer
invoking dial-peer group 100. We apply DPG 100 to the incoming dial-peer 200201 for
Webex Calling --> LGW --> PSTN path.

voice class dpg 100


description Incoming WxC(DP200201) to IP PSTN(DP101)
dial-peer 101 preference 1

2 Define dial-peer group 200 with outbound dial-peer 200201 as the target for PSTN --> LGW
--> Webex Calling path. Apply DPG 200 to the incoming dial-peer 100 that you define later.

voice class dpg 200


description Incoming IP PSTN(DP100) to Webex Calling(DP200201)
dial-peer 200201 preference 1
5 Configure the following inbound dial-peers:

1 Inbound dial-peer for incoming IP PSTN call legs:

dial-peer voice 100 voip


description Incoming dial-peer from PSTN
session protocol sipv2
destination dpg 200
incoming uri via 100
voice-class codec 99
dtmf-relay rtp-nte
voice-class sip tenant 300
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 100 voip


description Incoming dial-peer from PSTN

Defines a VoIP dial-peer with a tag of 100 and gives a meaningful description for ease of
management and troubleshooting.

session protocol sipv2

Specifies that dial-peer 100 handles SIP call legs.

incoming uri via 100

Specifies the voice class uri 100 to match all incoming traffic from IP PSTN to Local
Gateway on a VIA header’s host IP address. For more information, see incoming uri in
Cisco IOS Voice Commands Reference - D through I.

destination dpg 200

Specifies dial peer group 200 to select an outbound dial peer. For more information on
setting a dial-peer group, see voice class dpg in Cisco IOS Voice Commands Reference - T
through Z.

voice-class sip tenant 300

The dial-peer inherits all the parameters from tenant 300 unless that same parameter is
defined under the dial-peer itself.

no vad

Disables voice activity detection.

2 Inbound dial-peer for incoming Webex Calling call legs:


dial-peer voice 200201 voip
description Inbound/Outbound Webex Calling
max-conn 250
destination dpg 100
incoming uri request 200

Here's an explanation of the fields for the configuration:

dial-peer voice 200201 voip


description Inbound/Outbound Webex Calling

Updates a VoIP dial-peer with a tag of 200201 and gives a meaningful description for ease
of management and troubleshooting.

incoming uri request 200

Specifies the voice class uri 200 to match all incoming traffic from Webex Calling to LGW
on the unique dtg pattern in the request URI, uniquely identifying the Local Gateway site
within an enterprise and in the Webex Calling ecosystem. For more information, see
incoming uri in Cisco IOS Voice Commands Reference - D through I.

destination dpg 100

Specifies dial peer group 100 to select an outbound dial peer. For more information on
setting a dial-peer group, see voice class dpg in Cisco IOS Voice Commands Reference - T
through Z.

max-conn 250

Restricts the number of concurrent calls to 250 between the LGW and Webex Calling,
assuming a single dial-peer facing Webex Calling for both inbound and outbound calls as
defined in this article. For more information on concurrent call limits involving Local
Gateway, refer to the document Transitioning from Unified CM to Webex Calling.

PSTN to Webex Calling

Match all incoming IP PSTN call legs on the Local Gateway with dial-peer 100 to define a match criterion for
the VIA header with the IP PSTN’s IP address. DPG 200 invokes outgoing dial-peer 200201, that has the
Webex Calling server as a target destination.

Webex Calling to PSTN


Match all incoming Webex Calling call legs on the Local Gateway with dial-peer 200201 to define the match
criterion for the REQUEST URI header pattern with the trunk group OTG/DTG parameter, unique to this Local
Gateway deployment. DPG 100 invokes the outgoing dial-peer 101, that has the IP PSTN IP address as a
target destination.
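
The two call paths above, as an added example (not part of the original article): a Python model of how the inbound match statements and dial-peer groups select the outbound dial-peer. Checking incoming uri via before incoming uri request is this example's assumption, the request-URI user and host values are constructed, and IOS XE has further match criteria that are not modelled. The last sample shows that the dot workaround in pattern dtg=hussain2572.lgu accepts any character in that position, not only the underscore.

```python
import re

# Values copied from the "Configure Local Gateway Without IP PBX" configuration.
URI_CLASSES = {
    100: {"host": "192.168.80.13"},           # voice class uri 100 sip: host ipv4:...
    200: {"pattern": "dtg=hussain2572.lgu"},  # voice class uri 200 sip: pattern ...
}
# (inbound dial-peer, SIP field inspected, voice class uri, destination dpg)
INBOUND = [(100, "via", 100, 200), (200201, "request", 200, 100)]
DPG = {100: [101], 200: [200201]}  # voice class dpg -> outbound dial-peers by preference
TARGET = {101: "ipv4:192.168.80.13", 200201: "sip-server"}

# Sample messages as (Request-URI, Via value). The first Via is the one shown
# on this page; everything else is constructed.
WEBEX_INVITE = (
    "sip:+14085550100@192.168.43.197:5061;transport=tls;dtg=hussain2572_lgu",
    "SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1",
)
PSTN_INVITE = (
    "sip:+14085550100@192.168.80.14:5060",
    "SIP/2.0/UDP 192.168.80.13:5060;branch=z9hG4bKconstructed",
)
UNKNOWN_INVITE = (
    "sip:+14085550100@192.168.80.14:5060",
    "SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bKconstructed",
)
LOOKALIKE_INVITE = (
    "sip:+14085550100@192.168.43.197:5061;transport=tls;dtg=hussain2572xlgu",
    "SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bKconstructed",
)


def via_host(via):
    """Return the sent-by host of a Via header value, or '' if it cannot be parsed."""
    m = re.match(r"SIP/2\.0/\w+\s+([^:;\s]+)", via)
    return m.group(1) if m else ""


def uri_class_matches(uri_class, field, text):
    """Evaluate one voice class uri against the inspected field."""
    if "host" in uri_class:
        # Only Via host matching is modelled, which is all this configuration uses.
        return field == "via" and via_host(text) == uri_class["host"]
    return re.search(uri_class["pattern"], text) is not None


def route(request_uri, via):
    """Pick the inbound dial-peer, then follow its dpg to the outbound dial-peer.

    Returns None when no configured inbound dial-peer matches.
    """
    fields = {"via": via, "request": request_uri}
    for field in ("via", "request"):
        for tag, inspected, class_id, dpg in INBOUND:
            if inspected != field:
                continue
            if uri_class_matches(URI_CLASSES[class_id], field, fields[field]):
                outbound = DPG[dpg][0]
                return {"inbound": tag, "dpg": dpg,
                        "outbound": outbound, "target": TARGET[outbound]}
    return None


if __name__ == "__main__":
    samples = [("Webex Calling to PSTN", WEBEX_INVITE), ("PSTN to Webex Calling", PSTN_INVITE),
               ("unknown source", UNKNOWN_INVITE), ("dot wildcard", LOOKALIKE_INVITE)]
    for label, (uri, via) in samples:
        print(label, "->", route(uri, via))
```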

Configure Local Gateway with an Existing Unified CM Environment

This deployment requires the following configuration on the Local Gateway:

1 Voice class tenants—You create more tenants for dial-peers facing Unified CM and ITSP,
similar to tenant 200 that you create for Webex Calling facing dial-peers.

2 Voice class URIs—You define a pattern for host IP addresses/ports for various trunks
terminating on the LGW from:

Unified CM to LGW for PSTN destinations

Unified CM to LGW for Webex Calling destinations

Webex Calling to LGW destinations

PSTN SIP trunk termination on LGW

3 Voice class server-group—You can target IP addresses/ports for outbound trunks from:

LGW to Unified CM

LGW to Webex Calling

LGW to PSTN SIP trunk

4 Outbound dial-peers—You can route outbound call legs from:

LGW to Unified CM

ITSP SIP trunk

Webex Calling

5 Voice class DPG—You can invoke a DPG to target outbound dial-peers from an inbound dial-peer.

6 Inbound dial-peers—You can accept inbound call legs from Unified CM, ITSP, and Webex
Calling.
1 Configure the following voice class tenants:

1 Apply voice class tenant 100 on all outbound dial-peers facing Unified CM and IP PSTN:

voice class tenant 100


session transport udp
url sip
error-passthru
bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
no pass-thru content custom-sdp

2 Apply voice class tenant 300 on all inbound dial-peers from Unified CM and IP PSTN:

voice class tenant 300


bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0
no pass-thru content custom-sdp
2 Configure the following voice class uri:

1 Defines ITSP’s host IP address:

voice class uri 100 sip


host ipv4:192.168.80.13

2 Define a pattern to uniquely identify a Local Gateway site within an enterprise based on
Control Hub's trunk group OTG/DTG parameter:

voice class uri 200 sip


pattern dtg=hussain2572.lgu

The Local Gateway doesn't currently support underscore "_" in the match pattern. As
a workaround, you use dot "." (match any) to match the "_".

Received
INVITE sip:[email protected]:5061;transport=tls;dtg=hussain2572_lgu SIP/2.0
Via: SIP/2.0/TLS 199.59.70.30:8934;branch=z9hG4bK2hokad30fg14d0358060.1
pattern :8934

3 Defines Unified CM signaling VIA port for the Webex Calling trunk:

voice class uri 300 sip


pattern :5065

4 Defines Unified CM source signaling IP and VIA port for PSTN trunk:

voice class uri 302 sip


pattern 192.168.80.60:5060
3 Configure the following voice class server-groups:

1 Defines Unified CM trunk’s target host IP address and port number for Unified CM group 1 (5
nodes). Unified CM uses port 5065 for inbound traffic on the Webex Calling trunk (Webex
Calling <-> LGW --> Unified CM).

voice class server-group 301


ipv4 192.168.80.60 port 5065

2 Defines Unified CM trunk’s target host IP address and port number for Unified CM group 2 if
applicable:

voice class server-group 303


ipv4 192.168.80.60 port 5065

3 Defines Unified CM trunk’s target host IP address for Unified CM group 1 (5 nodes). Unified
CM uses default port 5060 for inbound traffic on the PSTN trunk. With no port number
specified, you can use the default 5060 port. (PSTN <-> LGW --> Unified CM)

voice class server-group 305


ipv4 192.168.80.60

4 Defines Unified CM trunk’s target host IP address for Unified CM group 2, if applicable.

voice class server-group 307


ipv4 192.168.80.60
4 Configure the following outbound dial-peers:

1 Outbound dial-peer toward IP PSTN:

dial-peer voice 101 voip


description Outgoing dial-peer to IP PSTN
destination-pattern BAD.BAD
session protocol sipv2
session target ipv4:192.168.80.13
voice-class codec 99
dtmf-relay rtp-nte
voice-class sip tenant 100
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 101 voip


description Outgoing dial-peer to PSTN

Defines a VoIP dial-peer with a tag of 101 and a meaningful description is given for ease of
management and troubleshooting.

destination-pattern BAD.BAD

Allows selection of dial-peer 101. However, you invoke the outgoing dial-peer directly from
the inbound dial-peer using dpg statements and that bypasses the digit pattern match
criteria. You are using an arbitrary pattern that is based on alphanumeric digits that are
allowed by the destination-pattern CLI.

session protocol sipv2

Specifies that dial-peer 101 handles SIP call legs.

session target ipv4:192.168.80.13

Indicates the destination’s target IPv4 address to send the call leg. (In this case, ITSP’s IP
address.)

voice-class codec 99

Indicates codec preference list 99 to be in use for this dial-peer.

voice-class sip tenant 100

The dial-peer inherits all the parameters from tenant 100 unless you define the same
parameter under the dial-peer itself.
2 Outbound dial-peer toward Webex Calling (Update the outbound dial-peer to serve as the
inbound dial-peer from Webex Calling):

dial-peer voice 200201 voip


description Inbound/Outbound Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target sip-server
voice-class codec 99
dtmf-relay rtp-nte
voice-class stun-usage 200
no voice-class sip localhost
voice-class sip tenant 200
srtp
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 200201 voip


description Inbound/Outbound Webex Calling

Defines a VoIP dial-peer with a tag of 200201 and gives a meaningful description for ease
of management and troubleshooting.

session target sip-server

Indicates that the global SIP server is the destination for calls from dial-peer 200201.
The Webex Calling server that is defined in tenant 200 is inherited by dial-peer 200201.

voice-class stun-usage 200

Allows locally generated STUN requests to be sent over the negotiated media path. STUN helps
open the pinhole in the firewall.

no voice-class sip localhost

Disables substitution of the DNS local host name in place of the physical IP address in the
From, Call-ID, and Remote-Party-ID headers of outgoing messages.

voice-class sip tenant 200

The dial-peer inherits all the parameters from tenant 200 (LGW <--> Webex Calling trunk)
unless you define the same parameter under the dial-peer itself.

srtp

Enables SRTP for the call leg.


3 Outbound dial-peer toward Unified CM's Webex Calling trunk:

dial-peer voice 301 voip
description Outgoing dial-peer to CUCM-Group-1 for inbound from Webex Calling - Nodes 1 to 5
destination-pattern BAD.BAD
session protocol sipv2
session server-group 301
voice-class codec 99
dtmf-relay rtp-nte
voice-class sip tenant 100
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 301 voip
description Outgoing dial-peer to CUCM-Group-1 for inbound from Webex Calling - Nodes 1 to 5

Defines a VoIP dial-peer with a tag of 301 and gives a meaningful description for ease of
management and troubleshooting.

session server-group 301

Instead of session target IP in the dial-peer, you are pointing to a destination server group
(server-group 301 for dial-peer 301) to define multiple target UCM nodes though the
example only shows a single node.

Server group in outbound dial-peer

With multiple dial-peers in the DPG and multiple servers in the dial-peer server group, you
can achieve random distribution of calls over all Unified CM call processing subscribers or
hunt based on a defined preference. Each server group can have up to five servers
(IPv4/v6 with or without port). You only require a second dial-peer and second server group
if more than five call processing subscribers are in use.

For more information, see Server Groups in Outbound Dial Peers in Cisco Unified Border
Element Configuration Guide - Cisco IOS XE 17.6 Onwards.

4 Second outbound dial-peer toward Unified CM's Webex Calling trunk if you have more than
5 Unified CM nodes:
dial-peer voice 303 voip
description Outgoing dial-peer to CUCM-Group-2 for inbound from Webex Calling - Nodes 6 to 10
destination-pattern BAD.BAD
session protocol sipv2
session server-group 303
voice-class codec 99
dtmf-relay rtp-nte
voice-class sip tenant 100
no vad

5 Outbound dial-peer toward Unified CM's PSTN trunk:

dial-peer voice 305 voip
description Outgoing dial-peer to CUCM-Group-1 for inbound from PSTN - Nodes 1 to 5
destination-pattern BAD.BAD
session protocol sipv2
session server-group 305
voice-class codec 99
dtmf-relay rtp-nte
voice-class sip tenant 100
no vad

6 Second outbound dial-peer toward Unified CM’s PSTN trunk if you have more than 5 Unified
CM nodes:

dial-peer voice 307 voip
description Outgoing dial-peer to CUCM-Group-2 for inbound from PSTN - Nodes 6 to 10
destination-pattern BAD.BAD
session protocol sipv2
session server-group 307
voice-class codec 99
dtmf-relay rtp-nte
voice-class sip tenant 100
no vad
5 Configure the following DPG:

1 Defines DPG 100. Outbound dial-peer 101 is the target for any incoming dial-peer invoking
dial-peer group 100. We apply DPG 100 to incoming dial-peer 302 defined later for the
Unified CM --> LGW --> PSTN path:

voice class dpg 100


dial-peer 101 preference 1

2 Define DPG 200 with outbound dial-peer 200201 as the target for Unified CM --> LGW -->
Webex Calling path:

voice class dpg 200


dial-peer 200201 preference 1

3 Define DPG 300 for outbound dial-peers 301 or 303 for the Webex Calling --> LGW -->
Unified CM path:

voice class dpg 300


dial-peer 301 preference 1
dial-peer 303 preference 1

4 Define DPG 302 for outbound dial-peers 305 or 307 for the PSTN --> LGW --> Unified CM
path:

voice class dpg 302


dial-peer 305 preference 1
dial-peer 307 preference 1
6 Configure the following inbound dial-peers:

1 Inbound dial-peer for incoming IP PSTN call legs:

dial-peer voice 100 voip


description Incoming dial-peer from PSTN
session protocol sipv2
destination dpg 302
incoming uri via 100
voice-class codec 99
dtmf-relay rtp-nte
voice-class sip tenant 300
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 100 voip


description Incoming dial-peer from PSTN

Defines a VoIP dial-peer with a tag of 100 and gives a meaningful description for ease of
management and troubleshooting.

session protocol sipv2

Specifies that dial-peer 100 handles SIP call legs.

incoming uri via 100

Specifies the voice class uri 100 to all incoming traffic from Unified CM to LGW on the VIA
header’s host IP address. For more information, see incoming uri in Cisco IOS Voice
Commands Reference - D through I.

destination dpg 302

Specifies dial-peer group 302 to select an outbound dial-peer. For more information on
setting a dial-peer group, see voice class dpg in Cisco IOS Voice Commands Reference -
T through Z.

voice-class sip tenant 300

The dial-peer inherits all the parameters from tenant 300 unless you define the same
parameter under the dial-peer itself.

2 Inbound dial-peer for incoming Webex Calling call legs:


dial-peer voice 200201 voip
description Inbound/Outbound Webex Calling
max-conn 250
destination dpg 300
incoming uri request 200

Here's an explanation of the fields for the configuration:

dial-peer voice 200201 voip


description Inbound/Outbound Webex Calling

Updates a VoIP dial-peer with a tag of 200201 and gives a meaningful description for ease
of management and troubleshooting.

incoming uri request 200

Specifies the voice class uri 200 to all incoming traffic from Unified CM to LGW on the
unique dtg pattern in the request URI, uniquely identifying a Local Gateway site within an
enterprise and in the Webex Calling ecosystem. For more information, see incoming uri in
Cisco IOS Voice Commands Reference - D through I.

destination dpg 300

Specifies dial-peer group 300 to select an outbound dial-peer. For more information on
setting a dial-peer group, see voice class dpg in Cisco IOS Voice Commands Reference -
T through Z.

max-conn 250

Restricts the number of concurrent calls to 250 between the LGW and Webex Calling
assuming a single dial-peer facing Webex Calling for both inbound and outbound calls as
defined in this guide. For more details about concurrent call limits involving Local Gateway,
see the document Transitioning from Unified CM to Webex Calling.

3 Inbound dial-peer for incoming Unified CM call legs with Webex Calling as the destination:
dial-peer voice 300 voip
description Incoming dial-peer from CUCM for Webex Calling
session protocol sipv2
destination dpg 200
incoming uri via 300
voice-class codec 99
dtmf-relay rtp-nte
voice-class sip tenant 300
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 300 voip


description Incoming dial-peer from CUCM for Webex Calling

Defines a VoIP dial-peer with a tag of 300 and gives a meaningful description for ease of
management and troubleshooting.

incoming uri via 300

Specifies the voice class URI 300 to all incoming traffic from Unified CM to LGW on the via
source port (5065). For more information, see incoming uri in Cisco IOS Voice Commands
Reference - D through I.

destination dpg 200

Specifies dial-peer group 200 to select an outbound dial-peer. For more information on
setting a dial-peer group, see voice class dpg in Cisco IOS Voice Commands Reference -
T through Z.

voice-class sip tenant 300

The dial-peer inherits all the parameters from tenant 300 unless you define the same
parameter under the dial-peer itself.

4 Inbound dial-peer for incoming Unified CM call legs with PSTN as the destination:
dial-peer voice 302 voip
description Incoming dial-peer from CUCM for PSTN
session protocol sipv2
destination dpg 100
incoming uri via 302
voice-class codec 99
dtmf-relay rtp-nte
voice-class sip tenant 300
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 302 voip


description Incoming dial-peer from CUCM for PSTN

Defines a VoIP dial-peer with a tag of 302 and gives a meaningful description for ease of
management and troubleshooting.

incoming uri via 302

Specifies the voice class uri 302 to all incoming traffic from Unified CM to LGW on the via
source port (5065). For more information, see incoming uri in Cisco IOS Voice Commands
Reference - D through I.

destination dpg 100

Specifies dial-peer group 100 to select an outbound dial-peer. For more information on
setting a dial-peer group, see voice class dpg in Cisco IOS Voice Commands Reference -
T through Z.

voice-class sip tenant 300

The dial-peer inherits all the parameters from tenant 300 unless you define the same
parameter under the dial-peer itself.

IP PSTN to Unified CM PSTN trunk


Webex Calling Platform to Unified CM Webex Calling trunk

Unified CM PSTN trunk to IP PSTN


Unified CM Webex Calling trunk to Webex Calling Platform
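
The chain built in steps 1 to 6 (inbound dial-peer, DPG, outbound dial-peer, server group) can be checked offline before it is applied to the gateway. The following Python script is an added example, not Cisco code: parse, lint and trace are hypothetical helper names, the sample is a constructed excerpt of the configuration above, and the SRTP rule assumes that tenant 200 is the Webex Calling facing tenant, as this article describes.

```python
import re

# Constructed excerpt of the dial-peer chain on this page. Dial-peer 307 is left
# out on purpose (five or fewer Unified CM nodes) while DPG 302 still lists it.
SAMPLE_CONFIG = """\
voice class tenant 200
voice class tenant 300
voice class uri 100 sip
 host ipv4:192.168.80.13
voice class uri 200 sip
 pattern dtg=hussain2572.lgu
voice class server-group 301
 ipv4 192.168.80.60 port 5065
voice class server-group 305
 ipv4 192.168.80.60
voice class dpg 300
 dial-peer 301 preference 1
voice class dpg 302
 dial-peer 305 preference 1
 dial-peer 307 preference 1
dial-peer voice 100 voip
 destination dpg 302
 incoming uri via 100
 voice-class sip tenant 300
dial-peer voice 200201 voip
 session target sip-server
 voice-class sip tenant 200
 srtp
dial-peer voice 200201 voip
 destination dpg 300
 incoming uri request 200
dial-peer voice 301 voip
 session server-group 301
dial-peer voice 305 voip
 session server-group 305
"""

HEADER = re.compile(r"^(?:voice class (tenant|uri|server-group|dpg)|(dial-peer) voice) (\d+)\b")
# (section kind, sub-command regex, kind of section it must point at)
REFS = [
    ("dial-peer", r"destination dpg (\d+)$", "dpg"),
    ("dial-peer", r"incoming uri \S+ (\d+)$", "uri"),
    ("dial-peer", r"session server-group (\d+)$", "server-group"),
    ("dial-peer", r"voice-class sip tenant (\d+)$", "tenant"),
    ("dpg", r"dial-peer (\d+)(?: preference \d+)?$", "dial-peer"),
]

def parse(config):
    """Map (kind, tag) -> sub-commands. Stanzas are found by keyword, so
    unindented listings work too; a stanza entered twice is merged."""
    sections, body = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        m = HEADER.match(line)
        if m:
            body = sections.setdefault((m.group(1) or m.group(2), m.group(3)), [])
        elif body is not None:
            body.append(line)
    return sections

def lint(config, srtp_tenant="200"):
    """Report dangling references and dial-peers on srtp_tenant without srtp."""
    sections, findings = parse(config), []
    for (kind, tag), body in sections.items():
        for owner, pattern, target in REFS:
            for line in (body if kind == owner else []):
                m = re.match(pattern, line)
                if m and (target, m.group(1)) not in sections:
                    findings.append(f"{kind} {tag}: {target} {m.group(1)} is not defined")
        tenant = f"voice-class sip tenant {srtp_tenant}"
        if kind == "dial-peer" and tenant in body and "srtp" not in body:
            findings.append(f"dial-peer {tag}: tenant {srtp_tenant} without srtp")
    return findings

def targets(sections, tag):
    """Signalling targets of one outbound dial-peer (server groups expanded)."""
    out = []
    for line in sections.get(("dial-peer", tag), []):
        group = re.match(r"session server-group (\d+)$", line)
        if group:
            out.extend(sections.get(("server-group", group.group(1)), []))
        elif line.startswith("session target "):
            out.append(line[len("session target "):])
    return out

def trace(config, inbound_tag):
    """Inbound dial-peer -> destination dpg -> outbound dial-peers -> targets."""
    sections, members = parse(config), []
    for line in sections.get(("dial-peer", inbound_tag), []):
        dpg = re.match(r"destination dpg (\d+)$", line)
        for entry in (sections.get(("dpg", dpg.group(1)), []) if dpg else []):
            m = re.match(r"dial-peer (\d+)(?: preference (\d+))?$", entry)
            if m:
                members.append((int(m.group(2) or 0), m.group(1)))
    # Assumption: a lower preference value is tried first; ties are listed by tag.
    return [(tag, targets(sections, tag)) for _, tag in sorted(members)]
```

Calling lint(SAMPLE_CONFIG) reports the dangling dial-peer 307 reference in DPG 302, and trace(SAMPLE_CONFIG, "100") lists the outbound dial-peers and targets that a PSTN call leg can reach.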

Monitor and Troubleshoot Local Gateway with Diagnostic Signatures

Diagnostic Signatures (DS) proactively detect commonly observed issues in the IOS XE-based Local
Gateway and generate email, syslog, or terminal message notification of the event. You can also install the
DS to automate diagnostics data collection and transfer collected data to the Cisco TAC case to accelerate
resolution time.

Diagnostic Signatures (DS) are XML files that contain information about problem trigger events and actions to
be taken to inform, troubleshoot, and remediate the issue. You can define the problem detection logic using
syslog messages, SNMP events and through periodic monitoring of specific show command outputs.

The action types include:

collecting show command outputs

generating a consolidated log file

uploading the file to a user-provided network location such as an HTTPS, SCP, or FTP server

TAC engineers author the DS files and digitally sign them for integrity protection. Each DS file has a unique
numerical ID assigned by the system. Diagnostic Signatures Lookup Tool (DSLT) is a single source to find
applicable signatures for monitoring and troubleshooting various problems.

Before you begin:

Do not edit the DS file that you download from DSLT. The files that you modify fail installation due to
the integrity check error.

You require a Simple Mail Transfer Protocol (SMTP) server for the Local Gateway to send out email
notifications.

Ensure that the Local Gateway is running IOS XE 17.6.1 or higher if you wish to use the secure SMTP
server for email notifications.

Prerequisites

Local Gateway running IOS XE 17.3.2 or higher

1 Diagnostic Signatures is enabled by default.

2 Configure the secure email server to be used to send proactive notification if the device is running
Cisco IOS XE 17.3.2 or higher.

configure terminal
call-home
mail-server <username>:<pwd>@<email server> priority 1 secure tls
end

3 Configure the environment variable ds_email with the email address of the administrator to be
notified.

configure terminal
call-home
diagnostic-signature
environment ds_email <email address>
end
Local Gateway running 16.11.1 or higher

1 Diagnostic signatures are enabled by default

2 Configure the email server to be used to send proactive notifications if the device is running a version
earlier than 17.3.2.

configure terminal
call-home
mail-server <email server> priority 1
end

3 Configure the environment variable ds_email with the email address of the administrator to be
notified.

configure terminal
call-home
diagnostic-signature
environment ds_email <email address>
end

Local Gateway running 16.9.x version

1 Enter the following commands to enable diagnostic signatures.

configure terminal
call-home reporting contact-email-addr [email protected]
end

2 Configure the email server to be used to send proactive notifications if the device is running a version
earlier than 17.3.2.

configure terminal
call-home
mail-server <email server> priority 1
end

3 Configure the environment variable ds_email with the email address of the administrator to be
notified.

configure terminal
call-home
diagnostic-signature
environment ds_email <email address>
end
The following shows an example configuration of a Local Gateway running on Cisco IOS XE 17.3.2 to send
the proactive notifications to [email protected] using Gmail as the secure SMTP server:

call-home
mail-server tacfaststart:[email protected] priority 1 secure tls
diagnostic-signature
environment ds_email "[email protected]"

A Local Gateway running on Cisco IOS XE Software is not a typical web-based Gmail client that
supports OAuth, so we must configure a specific Gmail account setting and provide specific permission
to have the email from the device processed correctly:

1 Go to Manage Google Account > Security and turn on Less secure app access setting.

2 Answer “Yes, it was me” when you receive an email from Gmail stating “Google prevented someone
from signing into your account using a non-Google app.”

Install diagnostic signatures for proactive monitoring

Monitoring high CPU utilization

This DS tracks 5-second CPU utilization using the SNMP OID 1.3.6.1.4.1.9.2.1.56. When the
utilization reaches 75% or more, it disables all debugs and uninstalls all diagnostic signatures that are installed
in the Local Gateway. Use these steps below to install the signature.

1 Ensure that SNMP is enabled using the command show snmp. If it is not enabled, configure the
“snmp-server manager” command.
show snmp
%SNMP agent not enabled

config t
snmp-server manager
end

show snmp
Chassis: ABCDEFGHIGK
149655 SNMP packets input
0 Bad SNMP version errors
1 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
37763 Number of requested variables
2 Number of altered variables
34560 Get-request PDUs
138 Get-next PDUs
2 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
158277 SNMP packets output
0 Too big errors (Maximum packet size 1500)
20 No such name errors
0 Bad values errors
0 General errors
7998 Response PDUs
10280 Trap PDUs
Packets currently in SNMP process input queue: 0
SNMP global trap: enabled

2 Download DS 64224 using the following drop-down options in Diagnostic Signatures Lookup Tool:

Field Name Field Value

Platform Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

Product CUBE Enterprise in Webex Calling Solution

Problem Scope Performance

Problem Type High CPU Utilization with Email Notification.

3 Copy the DS XML file to the Local Gateway flash.


LocalGateway# copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:

The following example shows copying the file from an FTP server to the Local Gateway.

copy ftp://user:[email protected]/DS_64224.xml bootflash:


Accessing ftp://*:*@ 192.0.2.12/DS_64224.xml...!
[OK - 3571/4096 bytes]
3571 bytes copied in 0.064 secs (55797 bytes/sec)

4 Install the DS XML file in the Local Gateway.

call-home diagnostic-signature load DS_64224.xml


Load file DS_64224.xml success

5 Verify that the signature is successfully installed using show call-home diagnostic-signature. The
status column should have a “registered” value.

show call-home diagnostic-signature


Current diagnostic-signature settings:
Diagnostic-signature: enabled
Profile: CiscoTAC-1 (status: ACTIVE)
Downloading URL(s):
https://tools.cisco.com/its/service/oddce/services/DDCEService
Environment variable:
ds_email: [email protected]

Download DSes:

DS ID DS Name Revision Status Last Update (GMT+00:00)

64224 DS_LGW_CPU_MON75 0.0.10 Registered 2020-11-07 22:05:33

When triggered, this signature uninstalls all running DSs including itself. If necessary, please
reinstall DS 64224 to continue monitoring high CPU utilization on the Local Gateway.

Monitoring SIP trunk registration

This DS checks for unregistration of a Local Gateway SIP Trunk with Webex Calling cloud every 60 seconds.
Once the unregistration event is detected, it generates an email and syslog notification and uninstalls itself
after two unregistration occurrences. Please use the steps below to install the signature.

1 Download DS 64117 using the following drop-down options in Diagnostic Signatures Lookup Tool:

Field Name Field Value



Platform Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

Product CUBE Enterprise in Webex Calling Solution

Problem Scope SIP-SIP

Problem Type SIP Trunk Unregistration with Email Notification.

2 Copy the DS XML file to the Local Gateway.

copy ftp://username:password@<server name or ip>/DS_64117.xml bootflash:

3 Install the DS XML file in the Local Gateway.

call-home diagnostic-signature load DS_64117.xml


Load file DS_64117.xml success
LocalGateway#

4 Use show call-home diagnostic-signature to verify that the signature is successfully installed. The
status column must have a “registered” value.

Monitoring abnormal call disconnects

This DS uses SNMP polling every 10 minutes to detect abnormal call disconnect with SIP errors 403, 488 and
503. If the error count increment is greater than or equal to 5 from the last poll, it generates a syslog and
email notification. Please use the steps below to install the signature.

1 Check whether SNMP is enabled using the command show snmp. If it is not enabled, configure the
“snmp-server manager” command.
show snmp
%SNMP agent not enabled

config t
snmp-server manager
end

show snmp
Chassis: ABCDEFGHIGK
149655 SNMP packets input
0 Bad SNMP version errors
1 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
37763 Number of requested variables
2 Number of altered variables
34560 Get-request PDUs
138 Get-next PDUs
2 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
158277 SNMP packets output
0 Too big errors (Maximum packet size 1500)
20 No such name errors
0 Bad values errors
0 General errors
7998 Response PDUs
10280 Trap PDUs
Packets currently in SNMP process input queue: 0
SNMP global trap: enabled

2 Download DS 65221 using the following options in Diagnostic Signatures Lookup Tool:

Field Name Field Value

Platform Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

Product CUBE Enterprise in Webex Calling Solution

Problem Scope Performance

Problem Type SIP abnormal call disconnect detection with Email and Syslog Notification.

3 Copy the DS XML file to the Local Gateway.


copy ftp://username:password@<server name or ip>/DS_65221.xml bootflash:

4 Install the DS XML file in the Local Gateway.

call-home diagnostic-signature load DS_65221.xml


Load file DS_65221.xml success

5 Use show call-home diagnostic-signature to verify that the signature is successfully installed.
The status column must have a “registered” value.

Install diagnostic signatures to troubleshoot a problem

Use Diagnostic Signatures (DS) to resolve issues quickly. Cisco TAC engineers have authored several
signatures that enable the necessary debugs that are required to troubleshoot a given problem, detect the
problem occurrence, collect the right set of diagnostic data and transfer the data automatically to the Cisco
TAC case. Diagnostic Signatures (DS) eliminates the need to manually check for the problem occurrence and
makes troubleshooting of intermittent and transient issues a lot easier.

You can use the Diagnostic Signatures Lookup Tool to find the applicable signatures and install them to
self-solve a given issue or you can install the signature that is recommended by the TAC engineer as part of
the support engagement.

Here is an example of how to find and install a DS to detect the occurrence “%VOICE_IEC-3-GW: CCAPI:
Internal Error (call spike threshold): IEC=1.1.181.1.29.0" syslog and automate diagnostic data collection using
the following steps:

1 Configure an additional DS environment variable ds_fsurl_prefix, which is the Cisco TAC file server
path (cxd.cisco.com) to which the collected diagnostics data are uploaded. In the following command,
the username in the file path is the case number and the password is the file upload token, which can
be retrieved from Support Case Manager. The file upload token can be generated in the
Attachments section of the Support Case Manager, as needed.

configure terminal
call-home
diagnostic-signature
environment ds_fsurl_prefix "scp://<case number>:<file upload token>@cxd.cisco.com"
end

Example:

call-home
diagnostic-signature
environment ds_fsurl_prefix "scp://612345678:[email protected]"
2 Ensure that SNMP is enabled using the command show snmp. If it is not enabled, configure the
“snmp-server manager” command.

show snmp
%SNMP agent not enabled

config t
snmp-server manager
end

3 Ensure that you install the High CPU monitoring DS 64224 as a proactive measure to disable all debugs
and diagnostic signatures during the time of high CPU utilization. Download DS 64224 using the
following options in Diagnostic Signatures Lookup Tool:

Field Name Field Value

Platform Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

Product CUBE Enterprise in Webex Calling Solution

Problem Scope Performance

Problem Type High CPU Utilization with Email Notification.

4 Download DS 65095 using the following options in Diagnostic Signatures Lookup Tool:

Field Name Field Value

Platform Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series

Product CUBE Enterprise in Webex Calling Solution

Problem Scope Syslogs

Problem Type Syslog - %VOICE_IEC-3-GW: CCAPI: Internal Error (Call spike threshold): IEC=1.1.181.1.29.0

5 Copy the DS XML files to the Local Gateway.

copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:


copy ftp://username:password@<server name or ip>/DS_65095.xml bootflash:

6 Install the High CPU monitoring DS 64224 and then DS 65095 XML file in the Local Gateway.
call-home diagnostic-signature load DS_64224.xml
Load file DS_64224.xml success

call-home diagnostic-signature load DS_65095.xml


Load file DS_65095.xml success

7 Verify that the signature is successfully installed using show call-home diagnostic-signature. The
status column must have a “registered” value.

show call-home diagnostic-signature


Current diagnostic-signature settings:
Diagnostic-signature: enabled
Profile: CiscoTAC-1 (status: ACTIVE)
Downloading URL(s):
https://tools.cisco.com/its/service/oddce/services/DDCEService
Environment variable:
ds_email: [email protected]
ds_fsurl_prefix: scp://612345678:[email protected]

Downloaded DSes:

DS ID DS Name Revision Status Last Update (GMT+00:00)

64224 DS_LGW_CPU_MON75 0.0.10 Registered 2020-11-08 00:07:45

65095 DS_LGW_IEC_Call_spike_threshold 0.0.12 Registered 2020-11-08 00:12:53

Verify diagnostic signatures execution

In the following command, the “Status” column of the command show call-home diagnostic-signature
changes to “running” while the Local Gateway executes the action defined within the signature. The output of
show call-home diagnostic-signature statistics is the best way to verify whether a diagnostic signature
detects an event of interest and executes the action. The “Triggered/Max/Deinstall” column indicates the
number of times the given signature has triggered an event, the maximum number of times it is defined to
detect an event and whether the signature deinstalls itself after detecting the maximum number of triggered
events.
show call-home diagnostic-signature
Current diagnostic-signature settings:
Diagnostic-signature: enabled
Profile: CiscoTAC-1 (status: ACTIVE)
Downloading URL(s):
https://tools.cisco.com/its/service/oddce/services/DDCEService
Environment variable:
ds_email: [email protected]
ds_fsurl_prefix: scp://612345678:[email protected]

Downloaded DSes:

DS ID DS Name Revision Status Last Update (GMT+00:00)

64224 DS_LGW_CPU_MON75 0.0.10 Registered 2020-11-08 00:07:45

65095 DS_LGW_IEC_Call_spike_threshold 0.0.12 Running 2020-11-08 00:12:53

show call-home diagnostic-signature statistics

DS ID DS Name Triggered/Max/Deinstall Average Run Time (seconds) Max Run Time (seconds)

64224 DS_LGW_CPU_MON75 0/0/N 0.000 0.000

65095 DS_LGW_IEC_Call_spike_threshold 1/20/Y 23.053 23.053

The notification email that is sent during diagnostic signature execution contains key information such as issue
type, device details, software version, running configuration, and show command outputs that are relevant to
troubleshoot the given problem.
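
Because signatures can deinstall themselves after they trigger, the registered/running check above is worth repeating automatically. The following Python script is an added example, not Cisco tooling: it parses the two show outputs from this section and lists expected signatures that are missing, in an unexpected state, or already counting toward a self-deinstall. The function names are hypothetical, the rows are the ones shown above with constructed column spacing, and DS 64117 is included in the expected set only to show a missing signature.

```python
import re

# Output rows as shown on this page; the column spacing is constructed.
SHOW_DS = """\
Downloaded DSes:
DS ID  DS Name                          Revision  Status      Last Update (GMT+00:00)
64224  DS_LGW_CPU_MON75                 0.0.10    Registered  2020-11-08 00:07:45
65095  DS_LGW_IEC_Call_spike_threshold  0.0.12    Running     2020-11-08 00:12:53
"""
SHOW_DS_STATS = """\
DS ID  DS Name                          Triggered/Max/Deinstall  Average Run Time (seconds)  Max Run Time (seconds)
64224  DS_LGW_CPU_MON75                 0/0/N                    0.000                       0.000
65095  DS_LGW_IEC_Call_spike_threshold  1/20/Y                   23.053                      23.053
"""

# ID, name, revision, status, date, time
STATUS_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s*$")
# ID, name, Triggered/Max/Deinstall, average run time, max run time
STATS_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)/(\d+)/([YN])\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_status(text):
    """Return {ds_id: status} from 'show call-home diagnostic-signature'."""
    rows = (STATUS_ROW.match(line) for line in text.splitlines())
    return {m.group(1): m.group(4).lower() for m in rows if m}


def parse_stats(text):
    """Return {ds_id: (triggered, maximum, deinstalls)} from the statistics output."""
    rows = (STATS_ROW.match(line) for line in text.splitlines())
    return {m.group(1): (int(m.group(3)), int(m.group(4)), m.group(5) == "Y")
            for m in rows if m}


def ds_findings(expected_ids, status_text, stats_text=""):
    """List expected signatures that are absent, not registered/running, or
    that have triggered and are defined to deinstall at their maximum."""
    status, stats, findings = parse_status(status_text), parse_stats(stats_text), []
    for ds_id in sorted(expected_ids):
        if ds_id not in status:
            findings.append(f"DS {ds_id}: not installed")
        elif status[ds_id] not in ("registered", "running"):
            findings.append(f"DS {ds_id}: status is {status[ds_id]}")
        triggered, maximum, deinstalls = stats.get(ds_id, (0, 0, False))
        if deinstalls and triggered:
            findings.append(f"DS {ds_id}: triggered {triggered}/{maximum}, deinstalls at maximum")
    return findings


if __name__ == "__main__":
    for finding in ds_findings({"64224", "65095", "64117"}, SHOW_DS, SHOW_DS_STATS):
        print(finding)
```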

Uninstall diagnostic signatures

Diagnostic signatures that are used for troubleshooting purposes are typically defined to uninstall after detection of
some problem occurrences. If you want to uninstall a signature manually, retrieve the DS ID from the output of
show call-home diagnostic-signature and run the following command:

call-home diagnostic-signature deinstall <DS ID>

Example:

call-home diagnostic-signature deinstall 64224

New signatures are added to Diagnostics Signatures Lookup Tool periodically, based on issues that are
commonly observed in deployments. TAC currently doesn’t support requests to create new custom
signatures.
Manage and Validate Cisco IOS XE Gateways through Control Hub

For better management of Cisco IOS XE Gateways, we recommend that you enroll and manage the gateways
through the Control Hub. It is an optional configuration. When enrolled, you can use the configuration
validation option in the Control Hub to validate your Local Gateway configuration and identify any configuration
issues. Currently, only registration-based trunks support this functionality.

For more information, refer to the following:

Enroll Cisco IOS Managed Gateways to Webex Cloud

Assign Services to Managed Gateways

Validate Cisco Local Gateway Configuration

Certificate-Based Local Gateway

Perform Reference Platform Configuration

Before you begin

Ensure that the following baseline platform configuration is set up
according to your organization's policies and procedures:

NTPs

ACLs

enable passwords

primary password

IP routing

IP Addresses, and so on

You require a minimum supported release of IOS XE 17.6 for all Local Gateway deployments.
1 Ensure that you assign valid and routable IP addresses to any Layer 3 interfaces:

interface GigabitEthernet0/0/0
description Interface facing PSTN and/or CUCM
ip address 192.168.80.14 255.255.255.0
!
interface GigabitEthernet0/0/1
description Interface facing Webex Calling
ip address 198.51.100.1 255.0.0.0

Interface toward Webex Calling must be reachable from outside.

You can only configure the Control Hub with FQDN/SRV of the Local Gateway. Ensure that
the FQDN resolves to the interface IP.

2 Preconfigure a primary key for the password with the following commands before it is used as a
credential and shared secrets. Type 6 passwords are encrypted using AES cipher and user-defined
primary key.

conf t
key config-key password-encrypt Password123
password encryption aes

3 Configure IP Name Server to enable DNS lookup. Ping the IP Name Server and ensure that the
server is reachable. Local Gateway must resolve Webex Calling proxy addresses using this DNS:

conf t
Enter configuration commands, one per line. End with CNTL/Z.
ip name-server 8.8.8.8
end
4 Enable TLS 1.2 Exclusivity and a default placeholder Trustpoint:

A signed and trusted CA certificate must be recognized.

Domain in the Contact Header URI of the SIP Request messages (for example: Invite,
Options) must be present in the SAN certificate to establish the TLS connection.

1 Create an RSA key matching the certificate length of the root certificate with the following
command:

crypto key generate rsa general-keys exportable label my-cube modulus 4096

2 Create a trustpoint to hold a CA-signed certificate with the following commands:

crypto pki trustpoint CUBE_CA_CERT
enrollment terminal pem
serial-number none
! The CN has to match the DNS hostname through which this router is reachable
subject-name CN=my-cube.domain.com
revocation-check none
! The key pair label has to match the RSA key you just created
rsakeypair my-cube

3 Generate Certificate Signing Request (CSR) with the following command:

crypto pki enroll CUBE_CA_CERT

Use this CSR to request a certificate from one of the supported certificate
authorities.

Ensure that the trunk destination (FQDN or SRV) that you configure on Control
Hub is present in the SAN of the certificate.
5 If the root certificate has an intermediate CA, then execute the following commands:

If there are no intermediate certificate authorities, skip to the subsequent step.

crypto pki trustpoint Root_CA_CERT
enrollment terminal
revocation-check none
!
crypto pki authenticate Root_CA_CERT
<paste root CA Base64-encoded certificate here>

crypto pki trustpoint Intermediate_CA
enrollment terminal
chain-validation continue Root_CA_CERT
revocation-check none
!
crypto pki authenticate Intermediate_CA
<paste Intermediate CA Base64-encoded certificate here>

crypto pki authenticate CUBE_CA_CERT
<paste Intermediate CA Base64-encoded certificate here>

crypto pki import CUBE_CA_CERT certificate
<paste CUBE CA Base64-encoded certificate here>
6 Create a trustpoint to hold the root certificate. Execute the following commands, if there is no
intermediate CA:

crypto pki trustpoint Root_CA_CERT
enrollment terminal
revocation-check none
!
crypto pki authenticate Root_CA_CERT
<paste root CA Base64-encoded certificate here>

crypto pki authenticate CUBE_CA_CERT
<paste root CA Base64-encoded certificate here>

crypto pki import CUBE_CA_CERT certificate
<paste CUBE CA Base64-encoded certificate here>

7 Configure SIP-UA to use the trustpoint you created.

configure terminal
sip-ua
crypto signaling default trustpoint CUBE_CA_CERT
transport tcp tls v1.2

Configure Certificate-Based Trunk


Before you begin

The network toward Webex Calling must use a public IPv4 address. Fully Qualified Domain
Names (FQDN) or Service Record (SRV) addresses must resolve to a public IPv4 address on
the internet.

All SIP and media ports on the external interface must be accessible from the internet. The
ports must not be behind a Network Address Translation (NAT). Ensure that you update the
firewall on your enterprise network components.

Install a signed certificate on the Local Gateway.

Certificate Authority (CA) must sign the certificate as mentioned in What Root
Certificate Authorities are Supported for Calls to Cisco Webex Audio and Video
Platforms?.

The FQDN selected from the Control Hub must be the Common Name (CN) or Subject
Alternate Name (SAN) of the certificate. For example:

If a trunk configured from your organization’s Control Hub has london.lgw.cisco.com:5061 as
FQDN of the Local Gateway, then CN or SAN must contain london.lgw.cisco.com in the certificate.

If a trunk configured from your organization’s Control Hub has london.lgw.cisco.com as the SRV
address of the Local Gateway, then CN or SAN must contain london.lgw.cisco.com in the
certificate. The records that the SRV address resolves to (CNAME, A Record, or IP Address) are
optional in SAN.

In the FQDN or SRV example that you use for trunk, the contact address for all new SIP dialogs
from your Local Gateway must have london.lgw.cisco.com in the host portion of the SIP address.
See Step 5 for configuration.

Ensure that certificates are signed for client and server usage.

Upload the trust bundle to the Local Gateway as mentioned in What Root Certificate
Authorities are Supported for Calls to Cisco Webex Audio and Video Platforms?.
1 Enter the following commands to turn on the Local Gateway application (Refer to Port Reference
Information for Cisco Webex Calling for the latest IP subnets to add as a trust list):

configure terminal
voice service voip
ip address trusted list
ipv4 x.x.x.x y.y.y.y
allow-connections sip to sip
no supplementary-service sip refer
no supplementary-service sip handle-replaces
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
early-offer forced
asymmetric payload full

Here's an explanation of the fields for the configuration:

Toll-fraud prevention

voice service voip
ip address trusted list
ipv4 x.x.x.x y.y.y.y

Specifies the source IP addresses of entities, such as Webex Calling peers, from which the Local
Gateway expects legitimate VoIP calls.

By default, Local Gateway blocks all incoming VoIP call setups from IP addresses not in its
trusted list. IP addresses from dial-peers with “session target IP” or server group are trusted
by default and do not need to be populated here.

IP addresses in this list must match the IP subnets according to the regional Webex Calling
data center that the customer connects to. See Port Reference Information for Webex Calling for
more information.

For more information on how to use an IP address trusted list to prevent toll fraud, see IP
address trusted.

SIP-to-SIP basic functionality

allow-connections sip to sip

Allow SIP-to-SIP connections.

By default, Cisco IOS or IOS XE voice devices do not allow an incoming VoIP leg to go out as
VoIP.
For more information on this command, see Allow connections.
Fax protocol

fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none

Enables T.38 for fax transport, though the fax traffic is not encrypted. For more information on this
command, see fax protocol t38 (voice-service).
SIP

early-offer forced

Forces the Local Gateway to send the SDP information in the initial INVITE message instead of
waiting for acknowledgment from the neighboring peer. For more information on this command, see
early-offer.

2 Configure "voice class codec 100."

voice class codec 100
codec preference 1 opus
codec preference 2 g711ulaw
codec preference 3 g711alaw

Here's an explanation of the fields for the configuration:

Voice class codec 100

Allows opus and both g711 (mu and a-law) codecs for sessions. Applies the preferred codec to all
the dial-peers. For more information, see voice class codec.

3 Configure "voice class stun-usage 100" to enable ICE.

voice class stun-usage 100
stun usage ice lite

Here's an explanation of the fields for the configuration:

Voice class stun-usage 100

Defines STUN usage. Applies STUN to all Webex Calling-facing dial-peers to avoid no-way audio when
a Unified CM phone forwards the call to another Webex Calling phone. See voice class stun usage
in Cisco IOS Voice Commands - T through Z and stun usage ice lite.
4 Configure "voice class srtp-crypto 100" to limit the crypto supported.

voice class srtp-crypto 100
crypto 1 AES_CM_128_HMAC_SHA1_80

Here's an explanation of the fields for the configuration:

Voice class srtp-crypto 100

Specifies SHA1_80 as the only SRTP cipher-suite a Local Gateway offers in the SDP in offer and
answer. Webex Calling only supports SHA1_80.
For more information, see voice class srtp-crypto.

5 Configure “SIP Profiles 100”. In the example, cube1.abc.lgwtrunking.com is the FQDN selected for
the Local Gateway and "172.x.x.x" is the IP address of the Local Gateway interface that is toward
Webex Calling:

voice class sip-profiles 100
rule 10 request ANY sip-header Contact modify "172.x.x.x" "cube1.abc.lgwtrunking.com"
rule 20 response ANY sip-header Contact modify "172.x.x.x" "cube1.abc.lgwtrunking.com"

Here's an explanation of the fields for the configuration:

rule 10 to rule 20

Replace the Local Gateway IP address with the FQDN in the ‘Contact’ header of request and
response messages.
This is a requirement for authentication of your Local Gateway to use as a trunk in a given Webex
Calling location for your organization.

For more information, see voice class sip-profiles.

For more information, see rule (voice translation-rule) in Cisco IOS Voice Command Reference - K
through R.
6 Configure the following four outbound dial-peers:

1 Configure first outbound dial-peer toward Webex Calling.

dial-peer voice 101 voip
description OutBound Dial peer towards Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target dns:peering1.sip.address:5062
session transport tcp tls
voice-class sip rel1xx disable
voice-class codec 100
voice-class stun-usage 100
voice-class sip profiles 100
voice-class sip srtp-crypto 100
voice-class sip options-keepalive
voice-class sip bind control source-interface GigabitEthernet 1
voice-class sip bind media source-interface GigabitEthernet 1
dtmf-relay rtp-nte
srtp
!

Here's an explanation of the fields for the configuration:

dial-peer voice 101 voip
description OutBound Dial peer towards Webex Calling

Defines a VoIP dial-peer with a tag of 101 and gives a meaningful description for ease of
management and troubleshooting. See dial-peer voice for more information.

destination-pattern BAD.BAD

Allows selection of dial-peer 101. However, we invoke outgoing dial-peer 101 directly from
the inbound dial-peer using DPG statements and that bypasses the digit pattern match
criteria. You are using an arbitrary pattern that is based on alphanumeric digits that are
allowed by the destination-pattern CLI. See destination-pattern (interface) in Cisco IOS
Voice Command Reference - D through I for more information.

session protocol sipv2

Specifies that dial-peer 101 handles SIP call legs. See session protocol (dial-peer) in Cisco
IOS Voice Command Reference - S Commands for more information.

session target dns:peering1.sip.address:5062

Indicates the destination’s target FQDN address from Control Hub to send the call leg. See
session target (VoIP dial-peer) in Cisco IOS Voice Command Reference - S Commands for
more information.

voice-class codec 100

Indicates codec preference list 100 to use for dial-peer 101. See voice class codec for more
information.

2 Configure the remaining outbound dial-peers toward Webex Calling. The steps remain the
same as in the previous substep under Step 6, but each dial-peer has a different ‘session target’.

dial-peer voice 102 voip
description OutBound Dial peer towards Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target dns:peering2.sip.address:5062
session transport tcp tls
voice-class sip rel1xx disable
voice-class codec 100
voice-class stun-usage 100
voice-class sip profiles 100
voice-class sip srtp-crypto 100
voice-class sip options-keepalive
voice-class sip bind control source-interface GigabitEthernet 1
voice-class sip bind media source-interface GigabitEthernet 1
dtmf-relay rtp-nte
srtp
!
dial-peer voice 103 voip
description OutBound Dial peer towards Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target dns:peering3.sip.address:5062
session transport tcp tls
voice-class sip rel1xx disable
voice-class codec 100
voice-class stun-usage 100
voice-class sip profiles 100
voice-class sip srtp-crypto 100
voice-class sip options-keepalive
voice-class sip bind control source-interface GigabitEthernet 1
voice-class sip bind media source-interface GigabitEthernet 1
dtmf-relay rtp-nte
srtp
!

dial-peer voice 104 voip
description OutBound Dial peer towards Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target dns:peering4.sip.address:5062
session transport tcp tls
voice-class sip rel1xx disable
voice-class codec 100
voice-class stun-usage 100
voice-class sip profiles 100
voice-class sip srtp-crypto 100
voice-class sip options-keepalive
voice-class sip bind control source-interface GigabitEthernet 1
voice-class sip bind media source-interface GigabitEthernet 1
dtmf-relay rtp-nte
srtp
!
7 Create dial-peer group based on the dial-peer toward Webex Calling in the active/active model.

This configuration is applicable for all regions except trunks that you configure in a Singapore
based location. See Step 8 for more information.

1 Define DPG 100 with outbound dial-peers 101, 102, 103, and 104 toward Webex Calling. Apply DPG
100 to the incoming dial-peer 100 to define PSTN or Unified CM.

voice class dpg 100
dial-peer 101 preference 1
dial-peer 102 preference 1
dial-peer 103 preference 1
dial-peer 104 preference 1

Here's an explanation of the fields for the configuration:

dial-peer 101 preference 1

Associates an outbound dial-peer with dial-peer group 100 and configures dial-peers 101, 102, 103,
and 104 with the same preference. See dial-peer voice for more information.
8 Create dial-peer group based on the dial-peer toward Webex Calling in the primary/backup model.

This configuration is applicable only for trunks that you configure in the Singapore locations.

1 Define dial-peer group 100 with outbound dial-peers 101, 102, 103, and 104 toward Webex Calling.
Apply DPG 100 to the incoming dial-peer 100 to define PSTN or Unified CM.

voice class dpg 100
dial-peer 101 preference 1
dial-peer 102 preference 1
dial-peer 103 preference 2
dial-peer 104 preference 2

Here's an explanation of the fields for the configuration:

dial-peer 101 and 102 preference 1

Associates an outbound dial-peer with dial-peer group 100 and configures dial-peers 101 and 102 as
first preference. See voice-class dpg in Cisco IOS Voice Command Reference - T through Z for
more information.

dial-peer 103 and 104 preference 2

Associates an outbound dial-peer with the dial-peer group 100 and configures dial-peers 103 and 104
as second preference.
9 Configure inbound dial-peer from Webex Calling. Incoming match is based on the URI request.

voice class uri 120 sip
pattern cube.domain.com

dial-peer voice 110 voip
session protocol sipv2
session transport tcp tls
destination dpg 300
incoming uri request 120
voice-class codec 100
voice-class stun-usage 100
voice-class sip profiles 100
voice-class sip srtp-crypto 100
voice-class sip bind control source-interface GigabitEthernet1
voice-class sip bind media source-interface GigabitEthernet1
srtp
!

Here's an explanation of the fields for the configuration:


voice class uri 120 sip

Defines the match pattern for an incoming call from Webex Calling. See voice class uri sip
preference in Cisco IOS Voice Command Reference - T through Z for more information.

session transport tcp tls

Sets transport to TLS. See session-transport for more information.

destination dpg 300

Specifies dial-peer group 120 to select an outbound dial-peer. See voice-class dpg in Cisco IOS
Voice Command Reference - T through Z for more information on dial-peer groups.

incoming uri request 120

Matches all incoming traffic from Webex Calling to Local Gateway on the unique DTG pattern in the
request URI, uniquely identifying a Local Gateway site within an enterprise and in the Webex Calling
ecosystem. See incoming uri in Cisco IOS Voice Command Reference - D through I for more
information.

Voice class srtp-crypto 100

Configures the preferred cipher-suites for the SRTP call leg (connection). See voice class srtp-crypto
for more information.

bind control source-interface GigabitEthernet0/0/1

Configures a source IP address for signaling source interface facing Webex Calling. See bind in
Cisco IOS Voice Command Reference - A through C for more information on how to use bind.

bind media source-interface GigabitEthernet0/0/1

Configures a source IP address for media source interface facing Webex Calling.

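
The Contact rewrite in Step 5 (rules 10 and 20 of sip-profiles 100) and the requirement that the Contact host appear in the certificate's CN or SAN can be checked together before the trunk goes live. The following is an added example, not Cisco's code: it approximates the two `modify` rules as a regular-expression substitution on the Contact header of constructed SIP messages, then tests the resulting host against a name list. The interface IP 172.16.0.10, the phone numbers, the certificate name list, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample values: the interface IP and certificate names are
# assumptions; the FQDN is the one used in this article's Step 5 example.
LGW_IP = "172.16.0.10"
LGW_FQDN = "cube1.abc.lgwtrunking.com"
CERT_NAMES = ["cube1.abc.lgwtrunking.com"]   # CN plus SAN dNSName entries

# Rules 10 and 20 of "voice class sip-profiles 100" modelled as
# (message direction, header, match pattern, replacement). The match string
# is handled as a regular expression, with the literal IP escaped.
SIP_PROFILE_100 = [
    ("request", "contact", re.escape(LGW_IP), LGW_FQDN),
    ("response", "contact", re.escape(LGW_IP), LGW_FQDN),
]

def build_message(start_line):
    """Build a constructed SIP message whose headers carry the interface IP."""
    return "\r\n".join([
        start_line,
        "Via: SIP/2.0/TLS 172.16.0.10:5061;branch=z9hG4bKconstructed",
        "From: <sip:+14085550199@172.16.0.10>;tag=constructed1",
        "To: <sip:+14085550100@peering1.sip.address>",
        "Call-ID: constructed-call-id@172.16.0.10",
        "CSeq: 101 INVITE",
        "Contact: <sip:+14085550199@172.16.0.10:5061;transport=tls>",
        "Content-Length: 0",
        "", "",
    ])

SAMPLE_INVITE = build_message(
    "INVITE sip:+14085550100@peering1.sip.address:5062;transport=tls SIP/2.0")
SAMPLE_200_OK = build_message("SIP/2.0 200 OK")

def header_name(line):
    """Return the lower-cased header name; 'm' is the compact form of Contact."""
    name = line.partition(":")[0].strip().lower()
    return "contact" if name == "m" else name

def apply_profile(message, rules):
    """Apply sip-profile style 'modify' rules to the headers of one message."""
    head, sep, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    direction = "response" if lines[0].startswith("SIP/2.0") else "request"
    for i, line in enumerate(lines[1:], start=1):
        name, colon, value = line.partition(":")
        for rule_dir, header, pattern, replacement in rules:
            if rule_dir == direction and header_name(line) == header:
                value = re.sub(pattern, lambda m: replacement, value)
        lines[i] = name + colon + value
    return "\r\n".join(lines) + sep + body

URI_HOST = re.compile(r"sips?:(?:[^@<>\s]*@)?([^:;>\s]+)", re.IGNORECASE)

def contact_host(message):
    """Return the host portion of the Contact URI, lower-cased, or None."""
    for line in message.split("\r\n")[1:]:
        if not line:
            break                                  # end of the header section
        if header_name(line) == "contact":
            match = URI_HOST.search(line.partition(":")[2])
            return match.group(1).lower() if match else None
    return None

def contact_in_certificate(message, cert_names=CERT_NAMES):
    """True when the Contact host is one of the certificate's CN/SAN names."""
    host = contact_host(message)
    return host is not None and host in {name.lower() for name in cert_names}
```

Only the Contact header is rewritten; Via, From and Call-ID keep the interface IP, which is what the two rules on this page specify.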
Configure Local Gateway Without IP PBX

This deployment requires the following configuration on the Local Gateway:

1 Voice class URIs—You can define host IP addresses/ports patterns for various trunks
terminating on Local Gateway:

Webex Calling to LGW

PSTN SIP trunk termination on LGW

2 Outbound dial-peers—You can route outbound call legs from an LGW to Internet telephony
service provider (ITSP) SIP trunk and Webex Calling.

3 Voice class DPG—You can invoke to target outbound dial-peers from an inbound dial-peer.

4 Inbound dial-peers—You can accept inbound call legs from ITSP and Webex Calling.

Use the configuration either for a partner-hosted Local Gateway setup, or local customer site gateway.
See the following:
1 Configure the following voice class uri:

1 Define ITSP’s host IP address:

voice class uri 100 sip
host ipv4:192.168.80.13

2 Define a pattern to uniquely identify a Local Gateway site within an enterprise. Use the Local
Gateway hostname as the Uniform Resource Identifier (URI) match pattern.

voice class uri 200 sip
pattern cube.domain.com

Local Gateway doesn't currently support an underscore "_" in the match pattern. As a
workaround, you can use a dot "." (match any) to match the "_".

Received
INVITE sip:[email protected]
sg.lgwtrunking.com:5061;transport=tls;dtg=awscube1a.var1-
sg.lgwtrunking.com SIP/2.0
2 Configure the following outbound dial-peers:

1 Outbound dial-peer toward IP PSTN:

dial-peer voice 121 voip
description Outgoing dial-peer to IP PSTN
destination-pattern BAD.BAD
session protocol sipv2
session target ipv4:192.168.80.13
voice-class codec 100
dtmf-relay rtp-nte
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 121 voip
description Outgoing dial-peer to PSTN

Defines a VoIP dial-peer with a tag of 121 and gives a meaningful description for ease of
management and troubleshooting. For more information, see dial-peer voice.

destination-pattern BAD.BAD

Allows selection of dial-peer 121. However, you invoke this outgoing dial-peer directly from
the inbound dial-peer using DPG statements and that bypasses the digit pattern match
criteria. You are using an arbitrary pattern that is based on alphanumeric digits that are
allowed by the destination-pattern CLI. For more information, see destination-pattern
(interface) in Cisco IOS Voice Command Reference - D through I.

session protocol sipv2

Specifies that dial-peer 121 handles SIP call legs. For more information, see session
protocol (dial peer) in Cisco IOS Voice Command Reference - S Commands.

session target ipv4:192.168.80.13

Indicates the destination’s target IPv4 address to send the call leg. The session target here
is ITSP’s IP address. For more information, see session target (VoIP dial peer) in Cisco
IOS Voice Command Reference - S Commands.

voice-class codec 100

Indicates codec preference list 100 to use for dial-peer 121. For more information, see
voice-class codec.

dtmf-relay rtp-nte
Defines RTP-NTE (RFC2833) as the DTMF capability expected on the call leg. For more
information, see DTMF Relay (Voice over IP).

no vad

Disables voice activity detection. For more information, see vad (dial peer) in Cisco IOS
Voice Command Reference - T through Z.

2 Outbound dial-peer toward Webex Calling. See the other procedure Configure Certificate-
Based Trunk within this article.

3 Configure the following Dial-peer Group (DPG):

1 Define dial-peer group 120. Outbound dial-peer 121 is the target for the Webex Calling -->
LGW --> PSTN path. You apply DPG 120 to the incoming dial-peer 110 for the Webex Calling -->
LGW --> PSTN path.

voice class dpg 120
description Incoming IP PSTN to Webex Calling
dial-peer 121

You must configure the DPG 120 to the inbound dial-peer from Webex Calling. For
more information, see Step 9 in the procedure Configure Certificate-Based Trunk
within this article.
4 Configure the following inbound dial-peers:

1 Inbound dial-peer for incoming IP PSTN call legs:

dial-peer voice 122 voip
description Incoming dial-peer from PSTN
session protocol sipv2
destination dpg 100
incoming uri via 100
voice-class codec 100
dtmf-relay rtp-nte
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 122 voip
description Incoming dial-peer from PSTN

Defines a VoIP dial-peer with a tag of 122 and gives a meaningful description for ease of
management and troubleshooting. For more information, see dial-peer voice.

session protocol sipv2

Specifies that dial-peer 122 handles SIP call legs. See session protocol (dial peer) in Cisco
IOS Voice Command Reference - S Commands for more information.

incoming uri via 100

Defines a match criterion for the VIA header with the IP PSTN’s IP address. Matches all
incoming IP PSTN call legs on the Local Gateway with dial-peer 122. For more information,
see incoming uri in Cisco IOS Voice Command Reference - D through I.

destination dpg 100

Bypasses the classic outbound dial-peer matching criteria in Local Gateway with the
destination DPG 100. Set up the outgoing call leg using dial-peers defined within destination
DPG 100, that is dial-peer 101,102,103,104. For more information on configuring dial peer
groups, see voice-class dpg in Cisco IOS Voice Command Reference - D through I.

no vad

Disables voice activity detection. For more information, see vad (dial peer) in Cisco IOS
Voice Command Reference - T through Z.

2 Inbound dial-peer for incoming Webex Calling call legs:

PSTN to Webex Calling:

Dial-peer 122 matches all incoming IP PSTN call legs on the Local Gateway, using the VIA header with
the IP PSTN’s IP address as the match criterion. DPG 100 invokes outgoing dial-peers 101, 102, 103,
and 104, which have the Webex Calling server as the target destination.

Webex Calling to PSTN:

Dial-peer 110 matches all incoming Webex Calling call legs on the Local Gateway, using the REQUEST
URI header pattern with the Local Gateway hostname, unique to the Local Gateway deployment, as the
match criterion. DPG 120 invokes outgoing dial-peer 121, which has the IP PSTN IP address as the
target destination.
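
The two call paths above work only if every `destination dpg` points at a defined group, every group member is an outbound dial-peer with a session target, and the TLS-signaled Webex Calling legs also carry SRTP. The following added example (not Cisco's code or tooling) audits a running-config excerpt for those properties; the excerpt is constructed from this article's dial-peer numbering with two deliberate mistakes, and the function names are hypothetical.

```python
import re

# Constructed running-config excerpt that follows this article's numbering.
# Two mistakes are planted on purpose: dial-peer 102 has TLS signaling but no
# "srtp", and DPG 120 lists inbound dial-peer 110 instead of outbound 121.
SAMPLE_CONFIG = """\
sip-ua
 transport tcp tls v1.2
 crypto signaling default trustpoint CUBE_CA_CERT
voice class dpg 100
 dial-peer 101 preference 1
 dial-peer 102 preference 1
voice class dpg 120
 dial-peer 110
dial-peer voice 101 voip
 session protocol sipv2
 session target dns:peering1.sip.address:5062
 session transport tcp tls
 voice-class sip srtp-crypto 100
 srtp
dial-peer voice 102 voip
 session protocol sipv2
 session target dns:peering2.sip.address:5062
 session transport tcp tls
 voice-class sip srtp-crypto 100
dial-peer voice 110 voip
 session protocol sipv2
 session transport tcp tls
 destination dpg 120
 incoming uri request 120
 voice-class sip srtp-crypto 100
 srtp
dial-peer voice 121 voip
 session protocol sipv2
 session target ipv4:192.168.80.13
dial-peer voice 122 voip
 session protocol sipv2
 destination dpg 100
 incoming uri via 100
"""

def parse_blocks(config):
    """Map each top-level command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if not raw[0].isspace():
            current = blocks.setdefault(text, [])
        elif current is not None:
            current.append(text)
    return blocks

def numbered_blocks(blocks, pattern):
    """Return {tag: sub-commands} for top-level commands matching pattern."""
    found = {}
    for header, cmds in blocks.items():
        match = re.fullmatch(pattern, header)
        if match:
            found[match.group(1)] = cmds
    return found

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    peers = numbered_blocks(blocks, r"dial-peer voice (\d+) voip")
    dpgs = numbered_blocks(blocks, r"voice class dpg (\d+)")
    findings = []
    if "transport tcp tls v1.2" not in blocks.get("sip-ua", []):
        findings.append("sip-ua: 'transport tcp tls v1.2' is missing")
    for tag, cmds in peers.items():
        for cmd in cmds:
            if cmd.startswith("destination dpg ") and cmd.split()[2] not in dpgs:
                findings.append(f"dial-peer {tag}: DPG {cmd.split()[2]} is not defined")
        if "session transport tcp tls" in cmds:        # Webex Calling-facing leg
            if "srtp" not in cmds:
                findings.append(f"dial-peer {tag}: TLS signaling without 'srtp'")
            if not any(c.startswith("voice-class sip srtp-crypto ") for c in cmds):
                findings.append(f"dial-peer {tag}: no srtp-crypto class applied")
    for group, members in dpgs.items():
        for member in (c.split()[1] for c in members if c.startswith("dial-peer ")):
            target = peers.get(member)
            if target is None:
                findings.append(f"dpg {group}: dial-peer {member} is not defined")
            elif not any(c.startswith(("session target ", "session server-group "))
                         for c in target):
                findings.append(f"dpg {group}: dial-peer {member} has no session target")
    return findings
```

The parser expects the one-space indentation that `show running-config` prints, so run it against saved device output rather than against the flattened listings in this article.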

Configure Local Gateway with an Existing Unified CM Environment

This deployment requires the following configuration on the Local Gateway:

1 Voice class URIs—You can define patterns of host IP addresses/ports for various trunks
terminating on the LGW from:

Unified CM to LGW for PSTN destinations

Unified CM to LGW for Webex Calling destinations

Webex Calling to LGW destinations

PSTN SIP trunk termination on LGW destinations

2 Voice class server-group—You can target IP addresses or ports for outbound trunks from:

LGW to Unified CM

LGW to Webex Calling

LGW to PSTN SIP trunk

3 Outbound dial-peers—You can route outbound call legs from:

LGW to Unified CM

Internet Telephony Service Provider (ITSP) SIP trunk

Webex Calling

4 Voice class dpg—You can target to invoke outbound dial-peers from an inbound dial-peer.

5 Inbound dial-peers—You can accept inbound call legs from Unified CM, ITSP, and Webex
Calling.
1 Configure the following voice class URIs:

1 Define ITSP’s host IP address:

voice class uri 100 sip
host ipv4:192.168.80.13

2 Define a pattern to uniquely identify a Local Gateway site within an enterprise. Use Local
Gateway hostname as the required Uniform Resource Identifier (URI) match pattern.

voice class uri 200 sip
pattern cube.domain.com

The Local Gateway doesn't currently support an underscore "_" in the match pattern.
As a workaround, we use a dot "." (match any) to match the "_".

Received
INVITE sip:[email protected]
sg.lgwtrunking.com:5061;transport=tls;dtg=awscube1a.var1-
sg.lgwtrunking.com SIP/2.0

3 Defines Unified CM signaling VIA port for the Webex Calling trunk:

voice class uri 300 sip
pattern :5065

4 Defines Unified CM source signaling IP and VIA port for PSTN trunk:

voice class uri 302 sip
pattern 192.168.80.60:5060
2 Configure the following voice class server-groups:

1 Defines Unified CM trunk’s target host IP address and port number for Unified CM group 1 (5
nodes). Unified CM uses port 5065 for inbound traffic on the Webex Calling trunk (Webex
Calling <-> LGW --> Unified CM).

voice class server-group 301
ipv4 192.168.80.60 port 5065

2 Defines Unified CM trunk’s target host IP address and port number for Unified CM Group 2 if
applicable:

voice class server-group 303
ipv4 192.168.80.60 port 5065

3 Defines Unified CM trunk’s target host IP address for Unified CM Group 1 (5 nodes). Unified
CM uses default port 5060 for inbound traffic on the PSTN trunk. Use the default 5060 port, if
you do not specify the port number. (PSTN <-> LGW --> Unified CM)

voice class server-group 305
ipv4 192.168.80.60

4 Defines Unified CM trunk’s target host IP address for Unified CM Group 2, if applicable.

voice class server-group 307
ipv4 192.168.80.60
3 Configure the following outbound dial-peers:

1 Outbound dial-peer toward IP PSTN:

dial-peer voice 121 voip
description Outgoing dial-peer to IP PSTN
destination-pattern BAD.BAD
session protocol sipv2
session target ipv4:192.168.80.13
voice-class codec 100
dtmf-relay rtp-nte
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 121 voip
description Outgoing dial-peer to PSTN

Defines a VoIP dial-peer with a tag of 121 and gives a meaningful description for ease of
management and troubleshooting. For more information, see dial-peer voice.

destination-pattern BAD.BAD

Allows selection of dial peer 121. However, we invoke this outgoing dial-peer directly from
the inbound dial-peer using DPG statements and that bypasses the digit pattern match
criteria. We're using an arbitrary pattern based on alphanumeric digits that are allowed by
the destination-pattern CLI. For more information, see destination-pattern (interface) in
Cisco IOS Voice Command Reference - D through I.

The session protocol sipv2 section specifies that dial-peer 121 handles SIP call legs.
For more information, see session protocol (dial peer) in Cisco IOS Voice Command
Reference - S Commands.

session target ipv4:192.168.80.13

Provides the destination’s target IPv4 address to send the call leg (in this case, ITSP’s IP
address). For more information, see session target (VoIP dial peer) in Cisco IOS Voice
Command Reference - S Commands.

voice-class codec 100

Indicates codec preference list 100 you use for dial-peer 121.

For more information, see voice class codec.

2 Outbound dial-peer toward Webex Calling:

dial-peer voice 200201 voip
description Outgoing dial-peer to Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target dns:<insert peering1 address from Control Hub>:5062
session transport tcp tls
voice-class sip rel1xx disable
voice-class codec 100
voice-class stun-usage 100
voice-class sip profiles 100
voice-class sip srtp-crypto 100
voice-class sip options-keepalive
voice-class sip bind control source-interface GigabitEthernet 1
voice-class sip bind media source-interface GigabitEthernet 1
dtmf-relay rtp-nte
srtp
!

dial-peer voice 200202 voip
description Outgoing dial-peer to Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target dns:<insert peering2 address from Control Hub>:5062
session transport tcp tls
voice-class sip rel1xx disable
voice-class codec 100
voice-class stun-usage 100
voice-class sip profiles 100
voice-class sip srtp-crypto 100
voice-class sip options-keepalive
voice-class sip bind control source-interface GigabitEthernet 1
voice-class sip bind media source-interface GigabitEthernet 1
dtmf-relay rtp-nte
srtp
!
dial-peer voice 200203 voip
description Outgoing dial-peer to Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target dns:<insert peering3 address from Control Hub>:5062
session transport tcp tls
voice-class sip rel1xx disable
voice-class codec 100
voice-class stun-usage 100
voice-class sip profiles 100
voice-class sip srtp-crypto 100
voice-class sip options-keepalive
voice-class sip bind control source-interface GigabitEthernet 1
voice-class sip bind media source-interface GigabitEthernet 1
dtmf-relay rtp-nte
srtp
!

dial-peer voice 200204 voip
description Outgoing dial-peer to Webex Calling
destination-pattern BAD.BAD
session protocol sipv2
session target dns:<insert peering4 address from Control Hub>:5062
session transport tcp tls
voice-class sip rel1xx disable
voice-class codec 100
voice-class stun-usage 100
voice-class sip profiles 100
voice-class sip srtp-crypto 100
voice-class sip options-keepalive
voice-class sip bind control source-interface GigabitEthernet 1
voice-class sip bind media source-interface GigabitEthernet 1
dtmf-relay rtp-nte
srtp
!

Here's an explanation of the fields for the configuration:

dial-peer voice 200201 voip
description Outgoing dial-peer to Webex Calling

Defines a VoIP dial-peer with a tag of 200201, 200202, 200203, 200204 and gives a
meaningful description for ease of management and troubleshooting.

voice-class stun-usage 100

Sends a locally generated STUN request over the negotiated media path. STUN opens the
pinhole in the firewall.

srtp

Enables SRTP for the call leg.

3 Outbound dial-peer toward Unified CM's Webex Calling trunk:

dial-peer voice 301 voip
description Outgoing dial-peer to CUCM-Group-1 for inbound from Webex Calling - Nodes 1 to 5
destination-pattern BAD.BAD
session protocol sipv2
session server-group 301
voice-class codec 100
dtmf-relay rtp-nte
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 301 voip
description Outgoing dial-peer to CUCM-Group-1 for inbound from Webex Calling - Nodes 1 to 5

Defines a VoIP dial-peer with a tag of 301 and gives a meaningful description for ease of
management and troubleshooting.

session server-group 301

Defines the session target of the multiple Unified CM nodes (server-group 301 for dial-
peer 301) though the example only shows a single node.

Server group in outbound dial peer

Achieves random distribution of calls over all Unified CM call processing subscribers or
hunt based on a defined preference with multiple dial-peers in the DPG and multiple
servers in the dial-peer server group. Each server group can have up to five servers
(IPv4/v6 with or without port). You can only use a second dial-peer and second server
group for more than five call processing subscribers.

For more information, see Server Groups in Outbound Dial Peers in Cisco Unified Border
Element Configuration Guide Through Cisco IOS XE 17.5.
4 Second outbound dial-peer toward Unified CM's Webex Calling trunk if you have more than
5 Unified CM nodes:

dial-peer voice 303 voip
description Outgoing dial-peer to CUCM-Group-2 for inbound from Webex Calling - Nodes 6 to 10
destination-pattern BAD.BAD
session protocol sipv2
session server-group 303
voice-class codec 100
dtmf-relay rtp-nte
no vad

5 Outbound dial-peer toward Unified CM's PSTN trunk:

dial-peer voice 305 voip
description Outgoing dial-peer to CUCM-Group-1 for inbound from PSTN - Nodes 1 to 5
destination-pattern BAD.BAD
session protocol sipv2
session server-group 305
voice-class codec 100
dtmf-relay rtp-nte
no vad

6 Second outbound dial-peer toward Unified CM’s PSTN trunk if you have more than 5 Unified
CM nodes:

dial-peer voice 307 voip
description Outgoing dial-peer to CUCM-Group-2 for inbound from PSTN - Nodes 6 to 10
destination-pattern BAD.BAD
session protocol sipv2
session server-group 307
voice-class codec 100
dtmf-relay rtp-nte
no vad
4 Configure the following dial-peer group (DPG):

1 Defines DPG 121. Outbound dial-peer 121 is the target for any incoming dial-peer that
invokes DPG 121. Apply DPG 121 to incoming dial-peer 302 defined later for the Unified
CM --> LGW --> PSTN path:

voice class dpg 121
dial-peer 121 preference 1

2 Define DPG 100 with outbound dial-peer 200201, 200202, 200203, 200204 as the target for
Unified CM --> LGW --> Webex Calling path:

Ensure that preference changes are based on the location of the configured Local
Gateway. See Step 7, and Step 8 in the procedure Configure Certificate-Based
Trunk for more information.

voice class dpg 100
dial-peer 200201 preference 1
dial-peer 200202 preference 1
dial-peer 200203 preference 1
dial-peer 200204 preference 1

3 Define DPG 300 for outbound dial-peers 301 or 303 for the Webex Calling --> LGW -->
Unified CM path:

voice class dpg 300
dial-peer 301 preference 1
dial-peer 303 preference 1

4 Define DPG 302 for outbound dial-peers 305 or 307 for the PSTN --> LGW --> Unified CM
path:

voice class dpg 302
dial-peer 305 preference 1
dial-peer 307 preference 1
5 Configure the following inbound dial-peers:

1 Inbound dial-peer for incoming IP PSTN call legs:

dial-peer voice 100 voip
description Incoming dial-peer from PSTN
session protocol sipv2
destination dpg 302
incoming uri via 100
voice-class codec 100
dtmf-relay rtp-nte
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 100 voip
description Incoming dial-peer from PSTN

Defines a VoIP dial-peer with a tag of 100 and gives a meaningful description for ease of
management and troubleshooting.

session protocol sipv2

Specifies that dial-peer 100 handles SIP call legs.

incoming uri via 100

Specifies the voice class uri 100 to match all incoming traffic from IP PSTN to Local
Gateway on an incoming VIA header’s host IP address. For more information, see
incoming uri in Cisco IOS Voice Command Reference - D through I.

destination dpg 302

Specifies dial peer group 302 to select an outbound dial peer. For more information on
configuring dial peer groups, see voice class dpg in Cisco IOS Voice Command Reference -
T through Z.

2 Inbound dial-peer for incoming Webex Calling call legs:


dial-peer voice 110 voip
description Incoming dial-peer from Webex Calling
session protocol sipv2
session transport tcp tls
destination dpg 300
incoming uri request 120
voice-class codec 100
voice-class stun-usage 100
voice-class sip profiles 100
voice-class sip srtp-crypto 100
voice-class sip bind control source-interface GigabitEthernet1
voice-class sip bind media source-interface GigabitEthernet1
srtp

Here's an explanation of the fields for the configuration:

dial-peer voice 110 voip


description Incoming dial-peer from Webex Calling

Updates a VoIP dial-peer with a tag of 110 and gives a meaningful description for ease of
management and troubleshooting.

destination dpg 300

Specifies dial peer group 120 to select an outbound dial peer. For more information on
configuring dial peer groups, see voice class dpg in Cisco IOS Voice Command Reference
- T through Z.

voice-class sip srtp-crypto 100

Configures the preferred cipher-suites for the SRTP call leg (connection). For more
information, see voice class srtp-crypto.

bind control source-interface GigabitEthernet0/0/1

Configures a source IP address for signaling source interface facing Webex Calling.

For more information on the bind command, see bind.

bind media source-interface GigabitEthernet0/0/1

Configures a source IP address for media source interface facing Webex Calling.

3 Inbound dial-peer for incoming Unified CM call legs with Webex Calling as the destination:

dial-peer voice 300 voip
description Incoming dial-peer from CUCM for Webex Calling
session protocol sipv2
destination dpg 100
incoming uri via 300
voice-class codec 100
dtmf-relay rtp-nte
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 300 voip


description Incoming dial-peer from CUCM for Webex Calling

Defines a VoIP dial-peer with a tag of 300 and gives a meaningful description for ease of
management and troubleshooting. For more information, see dial-peer voice.

incoming uri via 300

Specifies the voice class URI 300 to match all incoming traffic from Unified CM to LGW on the via
source port (5065). For more information, see incoming uri in Cisco IOS Voice Command
Reference - D through I.

destination dpg 100

Specifies dial peer group 200 to select an outbound dial peer. For more information on
configuring dial peer groups, see voice class dpg in Cisco IOS Voice Command Reference
- T through Z.

4 Inbound dial-peer for incoming Unified CM call legs with PSTN as the destination:

dial-peer voice 302 voip


description Incoming dial-peer from CUCM for PSTN
session protocol sipv2
destination dpg 100
incoming uri via 302
voice-class codec 100
dtmf-relay rtp-nte
no vad

Here's an explanation of the fields for the configuration:

dial-peer voice 302 voip


description Incoming dial-peer from CUCM for PSTN

Defines a VoIP dial-peer with a tag of 302 and gives a meaningful description for ease of
management and troubleshooting. For more information, see dial-peer voice.

incoming uri via 302

Specifies the voice class URI 300 to match all incoming traffic from Unified CM to a Local
Gateway for a PSTN destination on VIA port. You can use the 5060 port as a standard SIP
port. For more information, see incoming uri in Cisco IOS Voice Command Reference - D
through I.

destination dpg 100

Specifies dial peer group 100 to select an outbound dial peer. For more information on
configuring dial peer groups, see voice class dpg in Cisco IOS Voice Command Reference
- T through Z.
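The routing above depends on every inbound dial-peer pointing at a DPG that exists, and on the Webex Calling leg keeping SIP TLS and SRTP. The following offline audit of a saved configuration is an added example, not Cisco's code; the function names and the secure_tags parameter are hypothetical, and the sample is the page's stanzas abridged.

```python
import re

# Constructed sample: the DPG and inbound dial-peer stanzas from this page, abridged
# to the lines the audit reads and indented as `show running-config` prints them.
SAMPLE = """\
voice class dpg 121
 dial-peer 121 preference 1
voice class dpg 100
 dial-peer 200201 preference 1
voice class dpg 300
 dial-peer 301 preference 1
voice class dpg 302
 dial-peer 305 preference 1
dial-peer voice 100 voip
 destination dpg 302
dial-peer voice 110 voip
 session transport tcp tls
 destination dpg 300
 srtp
dial-peer voice 300 voip
 destination dpg 100
dial-peer voice 302 voip
 destination dpg 100
"""

def parse_dial_peers(config):
    """Return {tag: [subcommand, ...]} for every 'dial-peer voice <tag> voip' stanza."""
    peers, body = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):          # a top-level line opens a new stanza
            m = re.fullmatch(r"dial-peer voice (\d+) voip", line.strip())
            body = peers.setdefault(m.group(1), []) if m else None
        elif body is not None:
            body.append(line.strip())
    return peers

def audit(config, secure_tags):
    """secure_tags (hypothetical parameter): dial-peers that must carry SIP TLS and SRTP."""
    defined = set(re.findall(r"^voice class dpg (\d+)\s*$", config, re.M))
    findings, used = [], set()
    for tag, body in parse_dial_peers(config).items():
        for cmd in body:
            m = re.fullmatch(r"destination dpg (\d+)", cmd)
            if m:
                used.add(m.group(1))
                if m.group(1) not in defined:
                    findings.append(f"dial-peer {tag}: dpg {m.group(1)} is not defined")
        if tag in secure_tags:
            for required in ("session transport tcp tls", "srtp"):
                if required not in body:
                    findings.append(f"dial-peer {tag}: missing '{required}'")
    for dpg in sorted(defined - used, key=int):
        findings.append(f"dpg {dpg}: defined but no dial-peer selects it")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"110"}):
        print(finding)
```

Run over the stanzas as written above, the audit returns one finding: DPG 121 is defined but no inbound dial-peer selects it.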

Monitor and Troubleshoot Local Gateway with Diagnostic Signatures

Diagnostic Signatures (DS) proactively detect commonly observed issues in the Cisco IOS XE-based Local
Gateway and generate email, syslog, or terminal message notification of the event. You can also install the
DS to automate diagnostics data collection and transfer collected data to the Cisco TAC case to accelerate
resolution time.

Diagnostic Signatures (DS) are XML files that contain information about problem trigger events and actions to
inform, troubleshoot, and remediate the issue. The problem detection logic is defined using syslog messages,
SNMP events, and periodic monitoring of specific show command outputs. The action types include:

Collecting show command outputs

Generating a consolidated log file

Uploading the file to a user provided network location such as HTTPS, SCP, FTP server

TAC engineers author DS files and digitally sign them for integrity protection. Each DS file has a unique
numerical ID assigned by the system. Diagnostic Signatures Lookup Tool (DSLT) is a single source to find
applicable signatures for monitoring and troubleshooting various problems.

Before you begin:

Do not edit the DS file that you download from DSLT. The files that you modify fail installation due to
the integrity check error.

You require a Simple Mail Transfer Protocol (SMTP) server for the Local Gateway to send out email
notifications.

Ensure that the Local Gateway is running IOS XE 17.6.1 or higher if you wish to use the secure SMTP
server for email notifications.

Prerequisites

Local Gateway running IOS XE 17.6.1 or higher

1 Diagnostic Signatures is enabled by default.

2 Configure the secure email server that you use to send proactive notification if the device is running
IOS XE 17.6.1 or higher.

configure terminal
call-home
mail-server <username>:<pwd>@<email server> priority 1 secure tls
end

3 Configure the environment variable ds_email with the email address of the administrator that you
notify.

configure terminal
call-home
diagnostic-signature
environment ds_email <email address>
end

Local Gateway running 17.6.1 version

1 Enter the following commands to enable Diagnostic Signatures.

configure terminal
call-home reporting contact-email-addr [email protected]
end

2 Configure the email server to send proactive notifications if the device is running a version earlier
than 17.6.1.

configure terminal
call-home
mail-server <email server> priority 1
end

3 Configure the environment variable ds_email with the email address of the administrator that you
notify.

configure terminal
call-home
diagnostic-signature
environment ds_email <email address>
end

The following shows an example configuration of a Local Gateway running on Cisco IOS XE 17.6.1 to send
the proactive notifications to [email protected] using Gmail as the secure SMTP server:

call-home
mail-server tacfaststart:[email protected] priority 1 secure tls
diagnostic-signature
environment ds_email "[email protected]"

Local Gateway running on Cisco IOS XE Software is not a typical web-based Gmail client that supports
OAuth, so we must configure a specific Gmail account setting and provide specific permission to have
the email from the device processed correctly:

1 Go to Manage Google Account > Security and turn on Less secure app access setting.

2 Answer “Yes, it was me” when you receive an email from Gmail stating “Google prevented someone
from signing into your account using a non-Google app.”

Install Diagnostic Signatures for Proactive Monitoring

Monitoring high CPU utilization

This DS tracks 5-second CPU utilization using the SNMP OID 1.3.6.1.4.1.9.2.1.56. When the
utilization reaches 75% or more, it disables all debugs and uninstalls all diagnostic signatures that you install in
the Local Gateway. Use the steps below to install the signature.

1 Ensure that you enabled SNMP using the command show snmp. If SNMP is not enabled, then
configure the “snmp-server manager” command.

show snmp
%SNMP agent not enabled

config t
snmp-server manager
end

show snmp
Chassis: ABCDEFGHIGK
149655 SNMP packets input
0 Bad SNMP version errors
1 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
37763 Number of requested variables
2 Number of altered variables
34560 Get-request PDUs
138 Get-next PDUs
2 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
158277 SNMP packets output
0 Too big errors (Maximum packet size 1500)
20 No such name errors
0 Bad values errors
0 General errors
7998 Response PDUs
10280 Trap PDUs
Packets currently in SNMP process input queue: 0
SNMP global trap: enabled

2 Download DS 64224 using the following drop-down options in Diagnostic Signatures Lookup Tool:

Field Name      Field Value
Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
Product         CUBE Enterprise in Webex Calling Solution
Problem Scope   Performance
Problem Type    High CPU Utilization with Email Notification.


3 Copy the DS XML file to the Local Gateway flash.

copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:

The following example shows copying the file from an FTP server to the Local Gateway.

copy ftp://user:[email protected]/DS_64224.xml bootflash:


Accessing ftp://*:*@ 192.0.2.12/DS_64224.xml...!
[OK - 3571/4096 bytes]
3571 bytes copied in 0.064 secs (55797 bytes/sec)

4 Install the DS XML file in the Local Gateway.

call-home diagnostic-signature load DS_64224.xml


Load file DS_64224.xml success

5 Use the show call-home diagnostic-signature command to verify that the signature is successfully
installed. The status column must have a “registered” value.

show call-home diagnostic-signature


Current diagnostic-signature settings:
Diagnostic-signature: enabled
Profile: CiscoTAC-1 (status: ACTIVE)
Downloading URL(s):
https://tools.cisco.com/its/service/oddce/services/DDCEService
Environment variable:
ds_email: [email protected]

Download DSes:
DS ID DS Name Revision Status Last Update (GMT+00:00)

64224 DS_LGW_CPU_MON75 0.0.10 Registered 2020-11-07 22:05:33

When triggered, this signature uninstalls all running DSs including itself. If necessary, please
reinstall DS 64224 to continue monitoring high CPU utilization on the Local Gateway.

Monitoring Abnormal Call Disconnects

This DS uses SNMP polling every 10 minutes to detect abnormal call disconnect with SIP errors 403, 488 and
503. If the error count increment is greater than or equal to 5 from the last poll, it generates a syslog and
email notification. Please use the steps below to install the signature.

1 Ensure that SNMP is enabled using the command show snmp. If SNMP is not enabled, configure
the “snmp-server manager” command.

show snmp
%SNMP agent not enabled

config t
snmp-server manager
end

show snmp
Chassis: ABCDEFGHIGK
149655 SNMP packets input
0 Bad SNMP version errors
1 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
37763 Number of requested variables
2 Number of altered variables
34560 Get-request PDUs
138 Get-next PDUs
2 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
158277 SNMP packets output
0 Too big errors (Maximum packet size 1500)
20 No such name errors
0 Bad values errors
0 General errors
7998 Response PDUs
10280 Trap PDUs
Packets currently in SNMP process input queue: 0
SNMP global trap: enabled

2 Download DS 65221 using the following options in Diagnostic Signatures Lookup Tool:

Field Name      Field Value
Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
Product         CUBE Enterprise in Webex Calling Solution
Problem Scope   Performance
Problem Type    SIP abnormal call disconnect detection with Email and Syslog Notification.

3 Copy the DS XML file to the Local Gateway.


copy ftp://username:password@<server name or ip>/DS_65221.xml bootflash:

4 Install the DS XML file in the Local Gateway.

call-home diagnostic-signature load DS_65221.xml


Load file DS_65221.xml success

5 Use the command show call-home diagnostic-signature to verify that the signature is successfully
installed. The status column should have a “registered” value.

Install Diagnostic Signatures to Troubleshoot a Problem

You can also use Diagnostic Signatures (DS) to resolve issues quickly. Cisco TAC engineers have authored
several signatures that enable the necessary debugs that are required to troubleshoot a given problem, detect
the problem occurrence, collect the right set of diagnostic data and transfer the data automatically to the Cisco
TAC case. This eliminates the need to manually check for the problem occurrence and makes troubleshooting
of intermittent and transient issues a lot easier.

You can use the Diagnostic Signatures Lookup Tool to find the applicable signatures and install them to
self-solve a given issue or you can install the signature that is recommended by the TAC engineer as part of
the support engagement.

Here is an example of how to find and install a DS to detect the occurrence of the “%VOICE_IEC-3-GW: CCAPI:
Internal Error (call spike threshold): IEC=1.1.181.1.29.0” syslog and automate diagnostic data collection using
the following steps:

1 Configure another DS environment variable ds_fsurl_prefix as the Cisco TAC file server path
(cxd.cisco.com) to upload the diagnostics data. The username in the file path is the case number and
the password is the file upload token, which can be retrieved from Support Case Manager as shown in
the following. The file upload token can be generated in the Attachments section of the Support
Case Manager, as required.

configure terminal
call-home
diagnostic-signature
environment ds_fsurl_prefix "scp://<case number>:<file upload token>@cxd.cisco.com"
end

Example:

call-home
diagnostic-signature
environment ds_fsurl_prefix "scp://612345678:[email protected]"

2 Ensure that SNMP is enabled using the command show snmp. If SNMP is not enabled, configure the
“snmp-server manager” command.

show snmp
%SNMP agent not enabled

config t
snmp-server manager
end

3 We recommend installing the High CPU monitoring DS 64224 as a proactive measure to disable all
debugs and diagnostics signatures during the time of high CPU utilization. Download DS 64224
using the following options in Diagnostic Signatures Lookup Tool:

Field Name      Field Value
Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
Product         CUBE Enterprise in Webex Calling Solution
Problem Scope   Performance
Problem Type    High CPU Utilization with Email Notification.

4 Download DS 65095 using the following options in Diagnostic Signatures Lookup Tool:

Field Name      Field Value
Platform        Cisco 4300, 4400 ISR Series or Cisco CSR 1000V Series
Product         CUBE Enterprise in Webex Calling Solution
Problem Scope   Syslogs
Problem Type    Syslog - %VOICE_IEC-3-GW: CCAPI: Internal Error (Call spike threshold): IEC=1.1.181.1.29.0

5 Copy the DS XML files to the Local Gateway.

copy ftp://username:password@<server name or ip>/DS_64224.xml bootflash:


copy ftp://username:password@<server name or ip>/DS_65095.xml bootflash:

6 Install the High CPU monitoring DS 64224 and then DS 65095 XML file in the Local Gateway.

call-home diagnostic-signature load DS_64224.xml


Load file DS_64224.xml success
call-home diagnostic-signature load DS_65095.xml
Load file DS_65095.xml success

7 Verify that the signature is successfully installed using show call-home diagnostic-signature. The
status column should have a “registered” value.

show call-home diagnostic-signature


Current diagnostic-signature settings:
Diagnostic-signature: enabled
Profile: CiscoTAC-1 (status: ACTIVE)
Downloading URL(s):
https://tools.cisco.com/its/service/oddce/services/DDCEService
Environment variable:
ds_email: [email protected]
ds_fsurl_prefix: scp://612345678:[email protected]

Downloaded DSes:

DS ID DS Name Revision Status Last Update (GMT+00:00)

64224 DS_LGW_CPU_MON75 0.0.10 Registered 2020-11-08 00:07:45

65095 DS_LGW_IEC_Call_spike_threshold 0.0.12 Registered 2020-11-08 00:12:53

Verify Diagnostic Signatures Execution

In the following output, the “Status” column of the command show call-home diagnostic-signature
changes to “running” while the Local Gateway executes the action defined within the signature. The output of
show call-home diagnostic-signature statistics is the best way to verify whether a diagnostic signature
detects an event of interest and executes the action. The “Triggered/Max/Deinstall” column indicates the
number of times the given signature has triggered an event, the maximum number of times it is defined to
detect an event and whether the signature deinstalls itself after detecting the maximum number of triggered
events.

show call-home diagnostic-signature


Current diagnostic-signature settings:
Diagnostic-signature: enabled
Profile: CiscoTAC-1 (status: ACTIVE)
Downloading URL(s):
https://tools.cisco.com/its/service/oddce/services/DDCEService
Environment variable:
ds_email: [email protected]
ds_fsurl_prefix: scp://612345678:[email protected]

Downloaded DSes:

DS ID DS Name Revision Status Last Update (GMT+00:00)

64224 DS_LGW_CPU_MON75 0.0.10 Registered 2020-11-08 00:07:45

65095 DS_LGW_IEC_Call_spike_threshold 0.0.12 Running 2020-11-08 00:12:53

show call-home diagnostic-signature statistics

DS ID DS Name Triggered/Max/Deinstall Average Run Time (seconds) Max Run Time (seconds)

64224 DS_LGW_CPU_MON75 0/0/N 0.000 0.000

65095 DS_LGW_IEC_Call_spike_threshold 1/20/Y 23.053 23.053

The notification email that is sent during Diagnostic Signature execution contains key information such as
issue type, device details, software version, running configuration and show command outputs that are
relevant to troubleshoot the given problem.
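The verification steps above can be run against saved command output. The following parser is an added example, not Cisco tooling: it reads the two tables shown in this section and reports, per expected DS ID, its status and how many triggers remain before a self-deinstalling signature removes itself. The function names are hypothetical, and only the “registered” and “running” status values named on this page are treated as expected.

```python
import re

# Constructed sample: rows copied from the two command outputs shown in this section.
STATUS_OUTPUT = """\
DS ID DS Name Revision Status Last Update (GMT+00:00)
64224 DS_LGW_CPU_MON75 0.0.10 Registered 2020-11-08 00:07:45
65095 DS_LGW_IEC_Call_spike_threshold 0.0.12 Running 2020-11-08 00:12:53
"""
STATS_OUTPUT = """\
DS ID DS Name Triggered/Max/Deinstall Average Run Time (seconds) Max Run Time (seconds)
64224 DS_LGW_CPU_MON75 0/0/N 0.000 0.000
65095 DS_LGW_IEC_Call_spike_threshold 1/20/Y 23.053 23.053
"""

STATUS_ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(\d+(?:\.\d+)+)\s+(\w+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$")
STATS_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)/(\d+)/([YN])\s+([\d.]+)\s+([\d.]+)$")

def parse_ds(status_text, stats_text):
    """Merge both tables into {ds_id: {...}}; header and non-table lines are skipped."""
    ds = {}
    for line in status_text.splitlines():
        m = STATUS_ROW.match(line.strip())
        if m:
            ds[m.group(1)] = {"name": m.group(2), "revision": m.group(3),
                              "status": m.group(4).lower()}
    for line in stats_text.splitlines():
        m = STATS_ROW.match(line.strip())
        if m and m.group(1) in ds:
            ds[m.group(1)].update(triggered=int(m.group(3)), max=int(m.group(4)),
                                  deinstall=m.group(5) == "Y")
    return ds

def check(expected_ids, status_text, stats_text):
    """Map each expected DS ID to a one-line state for an operator report."""
    installed, report = parse_ds(status_text, stats_text), {}
    for ds_id in expected_ids:
        entry = installed.get(ds_id)
        if entry is None:
            # e.g. after DS 64224 fired and uninstalled every signature
            report[ds_id] = "not installed"
        elif entry["status"] not in ("registered", "running"):
            report[ds_id] = "unexpected status: " + entry["status"]
        elif entry.get("deinstall"):
            left = entry["max"] - entry["triggered"]
            report[ds_id] = f"{entry['status']}, {left} triggers before deinstall"
        else:
            report[ds_id] = entry["status"]
    return report

if __name__ == "__main__":
    for ds_id, state in check(["64224", "65095", "65221"], STATUS_OUTPUT, STATS_OUTPUT).items():
        print(ds_id, state)
```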

Uninstall Diagnostic Signatures

Diagnostic signatures used for troubleshooting purposes are typically defined to uninstall after detection of
some problem occurrences. If you wish to uninstall a signature manually, retrieve the DS ID from the output of
show call-home diagnostic-signature and run the following command:

call-home diagnostic-signature deinstall <DS ID>

Example:

call-home diagnostic-signature deinstall 64224

New signatures are added to the Diagnostics Signatures Lookup Tool periodically, based on issues that
are observed in deployments. TAC currently doesn’t support requests to create new custom signatures.
