Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for Cisco Unified Communications Trusted Firewall Control - Version III

  • Ensure that you have the correct platform to support this feature. Cisco Unified Communications Trusted Firewall Control is supported on the Cisco 1861, 2801, 2811, 2821, 2851, 3825, and 3845 platforms.

  • Cisco IOS Release 15.1(2)T

  • All k9 images with voice support. Session Timer feature can run on any voice image and does not support the firewall traversal.

  • uc-base and securityk9 licenses on Cisco 29xx and 39xx platforms. Session Timer feature does not require securityk9 licenses.

Configuration Prerequisites

The trusted firewall traversal for Cisco Unified CME SIP line side endpoints can be configured using TRP. The TRP must be configured under voice service voip> stun with the following information:

  • Authorization agent-id

  • Shared secret

  • CAT ife

  • Keepalive interval

The authorization agent-id and shared secret are mandatory commands and the CATlife and Keepalive interval are optional commands and can have default values

In addition, the stun-usage command must to be configured as firewall traversal by using CISCO-STUN-FLOWDATA under voice class stun-usage

For detail configuration steps, see: http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/feature/guide/EnhancedTrustedFirewallControll.html

Restrictions for Enhanced Firewall Traversal for Cisco Unified Communications

Cisco IOS Release 15.1(2)T implements firewall traversal for media using STUN on TRP and is not supported for:

  • RSVP flow support through the Firewall

  • Traditional SRST mode

  • H.323 trunk support for Unified Communication Trusted Firewall

  • Media flow around on Cisco Unified Border Element

  • IPv6

  • IP Multicast

  • Video calls on SCCP and SIP line side

Information About Cisco Unified Communications Trusted Firewall Control - Version III

Before you configure Enhanced Firewall Traversal using STUN, you should understand the following concepts:

Overview of Firewall Traversal for Cisco Unified Communications

In previous releases, firewall traversal implemented a new framework for IOS firewall traversal on Cisco Unified CME and Cisco Unified Border Element for SIP trunks.

For more information on Cisco trusted firewall traversal, see: www.cisco.com/en/US/docs/voice_ip_comm/cucme/feature/guide/EnhancedTrustedFirewallControll.html

SIP Session Timer

The SIP Session Timer (RFC 4028) is the standard SIP keepalive mechanism that keeps the SIP session active. The SIP user agents send periodic re-INVITE or UPDATE requests (referred to as session refresh requests) to keep the session alive. The interval for the session refresh request is determined through a negotiation mechanism. Session Timer is used to allow SIP signaling through the IOS firewall. You must configure Access Control List (ACL) or partial SIP-Application Layer Gateway (ALG) on the Cisco IOS firewall to allow SIP signaling.

After signaling, a pinhole is created. The firewall starts an inactivity timer, so that in case the user agents crashes or reboots during the call or the BYE message is lost, it can remove its states when the timer starts.

For the Cisco Unified CME SIP line side, by default, the endpoint sends periodic REGISTER messages on port 5060.

  • A partial SIP-ALG keeps track of the endpoint registration and keeps the signaling pinhole open as far as the registration is active.

  • An ACL tracks the User Datagram Protocol (UDP) / Transmission Control Protocol (TCP) messages that travel across the signaling port and keeps the signaling pinhole open.

However, the Cisco Unified CME SIP trunks do not exchange periodic SIP messages.The Cisco IOS firewall control sessions times out if no SIP messages are exchanged. The timed out SIP over UDP sessions are re-established with the next SIP message (for example, BYE). Timed out SIP over TCP sessions are not re-established and the subsequent SIP messages (for example, BYE) will be dropped.

Restrictions and Limitations for SIP Session Timer

SIP session timer does not support the following:

  • Media modifications in responses to locally sent ReINVITE for session refresh

  • Session timer in early dialog UPDATE

SIP Session Timer on CUBE for SIP-SIP Call Flows

The following table shows who will be sending the session refresh requests for all combinations of User Agent Clients (UAC) / User Agent Server (UAS) support for session timer

Table 1 Session Timer on CUBE for SIP-SIP Call Flows

S.No

UAC Support

UAS Support

Command Line Interface Enabled on lN leg

Command Line Interface Enabled on OUT leg

Action

1

Yes

Yes

Yes

Yes

UAC/UAS will send the session refresh requests and the Call Control Agent will pass it across.

2

Yes

Yes

No

Yes

3

Yes

Yes

Yes

No

4

Yes

Yes

No

No

UAC/UAS may send session refresh requests and the Call Control Agent will pass it across.

5

Yes

No

Yes

Yes

If the incoming INVITE has no "refresher" or "refresher=uac", UAC will send the session refresh requests and the Call Control Agent will pass it across. The Call Control Agent will also start the session expiration timer on the IN LEG.

If the incoming INVITE has "refresher=uas", the Call Control Agent will send the session refresh requests on the appropriate leg(s).

6

Yes

No

No

Yes

7

Yes

No

Yes

No

8

Yes

No

No

No

UAC may send the session refresh requests and the Call Control Agent will pass it across.

9

No

Yes

Yes

Yes

If the 2xx response from UAS has "refresher=uas", UAS will send the session refresh requests and the Call Control Agent will pass it across. The Call Control Agent will also start the session expiration timer on the OUT LEG.

If the 2xx response from UAS has no "refresher" or has "refresher=uac", the Call Control Agent will the send session refresh requests on the appropriate call leg(s).

10

No

Yes

No

Yes

11

No

Yes

Yes

No

12

No

Yes

No

No

UAS may send the session refresh requests and the Call Control Agent will pass it across.

13

No

No

Yes

Yes

Call Control Agent will send the session refresh requests on the appropriate call leg(s).

14

No

No

No

Yes

15

No

No

Yes

No

16

No

No

No

No

No session timer.

Firewall Traversal Deployment Scenarios

This section provides the firewall traversal scenarios for the Cisco Unified CME line side endpoints.

Firewall Traversal for Soft Phone

For Cisco Unified CME line side, you can deploy an IOS firewall that can be collocated or non-collocated with the Cisco Unified CME.

This is a typical TRP-based trusted IOS firewall traversal deployment between a soft phone and the desk phones. In this scenario, a soft phone like CIPC in the data segment is registered to a Cisco Unified CME. When this soft phone communicates to a desktop IP phone in the voice segment that is registered to the same or different Cisco Unified CME, you can deploy an IOS firewall for the traffic sent between the desktop phone and the soft phone on the Cisco Unified CME line side.

Firewall Traversal for Wireless Phone

In this scenario, the TRP-based trusted IOS firewall traversal is deployed between a wireless phone and desktop phones. A wireless (WiFi) phone like Cisco 792xG is registered to a Cisco Unified CME. When the wireless phone communicates to a wired phone that is registered to the same or different Cisco Unified CME, you can deploy an IOS firewall for the traffic sent between the wired and the wireless phone on the Cisco Unified CME line side.

Firewall Traversal for Teleworker

In this scenario, the teleworker phone is registered to a central or branch office and the Cisco Unified CME communicates to a phone which resides inside the central or branch office. You can deploy an IOS firewall for the traffic sent between the central/branch office and the teleworker phone on the Cisco Unified CME line side.

The teleworker can use the Transport Layer Security (TLS) and Secure Real-Time Protocol (SRTP) for making VoIP calls or establish a Virtual Private Network (VPN) tunnel to the central or branch office for making VoIP calls. In TLS/ SRTP case, the VPN engine/concentrator decrypts the signaling packets and passes the packets to the firewall for inspection. Hence, either a partial SIP ALG or ACL, along with TRP, can be deployed. In VPN case, the firewall will not have the key to decrypt the signaling packets. Hence, only ACL along with TRP can be deployed

How to Configure Cisco Unified Communications Trusted Firewall Control - Version III

To configure Firewall traversal for Cisco Unified CME SIP line side endpoints, enable the stun-usage under:

  • Voice-register pool or voice-register template and apply under the voice register pool for SIP line side

Configuring Firewall Traversal for Cisco Unified CME SIP Line Side Endpoints

Perform these tasks to configure firewall traversal.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    voice register poolphone-tag

    4.    voice-class stun-usagetag

    5.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted

     
    Step 2configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 voice register poolphone-tag


    Example:
    Device(config)# voice register pool 3
     

    Enters voice register pool configuration mode to set the phone-specific parameters for an SIP phone.

    • phone-tag-Unique sequence number that identifies the phone. Range is version and platform-dependent; type ? to display range.

     
    Step 4 voice-class stun-usagetag


    Example:
    Device(config-voice-register-pool)# voice-class stun-usage 1
     

    Enables voice-class stun-usage on the voice-register pool.

    • This command can also be configured in voice-register-template configuration mode and applied to one or more SIP phones. The voice-register pool configuration has priority over the voice-register-template configuration.

     
    Step 5 end


    Example:
    Device(config-voice-register-pool)# end
     

    Exits configuration mode and returns to privileged EXEC mode.

     

    Example: Cisco Unified CME SIP Line Side EndPoints

    This section provides the following sample configuration: 

    Device# show run
Building configuration...
!
! Last configuration change at 14:20:02 IST Thu Mar 25 2010 by cisco
! NVRAM config last updated at 15:10:47 IST Wed Mar 24 2010 by cisco
!
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname fidessrst
!
boot-start-marker
boot system tftp://9.13.40.15/kartk/c3845-adventerprisek9_ivs-mz.0_2_0_20091205
boot-end-marker
!
logging buffered 1000000
no logging console
enable secret 5 $1$GbsI$Ah0BLBHzFx4w/Hu7kyhrs1
enable password cisco
!
no aaa new-model
!
no process cpu autoprofile hog
clock timezone IST 5
!
dot11 syslog
ip source-route
!
no ip cef
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
template 10
!
voice-card 0
 dspfarm
 dsp services dspfarm
!
voice service voip
 notify redirect ip2pots
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
 stun
  stun flowdata agent-id 1 boot-count 45
  stun flowdata shared-secret 7 14141B180F0B7B79772B3A26211C564450
  stun flowdata catlife 70 keepalive 30
 sip
  session transport tcp
  registrar server expires max 600 min 60
!
voice class stun-usage 1
 stun usage firewall-traversal flowdata
!
voice register global
 mode cme
 source-address 192.168.0.1 port 5060
 max-dn 100
 max-pool 100
 load 7971 SIP70.8-5-2SR1S
 load 7970 SIP70.8-5-2SR1S
 load 7961 SIP41.8-5-2SR1S
 load 7960-7940 P0S3-8-12-00
 authenticate realm cisco.com
 tftp-path flash:
 create profile sync 0221764396482329
!
voice register dn  2
 number 999999
 pickup-group 333
 name 7970-2
 mwi
!
voice register dn  3
 number 777777
 pickup-group 333
 name 7970-3
 mwi
!
voice register dn  5
 number 2222
 name 7960-Camelot1
 mwi
!
voice register dn  6
 number 4444
 name 7960-Camelot2
 mwi
!
voice register dn  7
 number 6666
 name 7960-Camelot3
 mwi
!
voice register dn  8
 number 8888
 call-forward b2bua all 6666  
 name 7960-Camelot4
 mwi
!
voice register dn  9
 number 101010
 call-forward b2bua all 1111  
 name 7960-Camelot5
 mwi
!
voice register dn  10
 number 121212
 call-forward b2bua noan 6666 timeout 3
 name 7960-Camelot6
 mwi
!
voice register dn  11
 number 141414
 call-forward b2bua busy 1111  
 name 7960-Camelot7
 huntstop channel 1
 mwi
!
voice register dn  50
number 15253545
name callgen-sip1
mwi
!
voice register dn  51
number 16263646
name callgen-sip2
mwi
voice register template  10
 voice-class stun-usage 1
 softkeys connected  Park Confrn Endcall Hold Trnsfer
!
voice register pool  2
 park reservation-group 1111
 id mac 0022.9059.81D9
 type 7970
 number 1 dn 2
 template 10
 codec g711ulaw
!
voice register pool  50
 id mac 0011.209F.5D60
 type 7960
 number 1 dn 50
 voice-class stun-usage 1
 codec g711ulaw
!
voice register pool  51
 id mac 0011.209F.5D60
 type 7960
 number 1 dn 51
  voice-class stun-usage 1
 codec g711ulaw
license udi pid CISCO3845-MB sn FOC12373868
archive
 log config
  hidekeys
username cisco password 0 cisco
!
redundancy
!
ip ftp username test
ip ftp password test123
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 7.9.9.120 255.255.0.0
 duplex auto
 speed auto
 media-type rj45
 no keepalive
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 7.9.0.1
ip route 9.13.7.0 255.255.255.0 9.13.7.1
ip route 9.13.7.0 255.255.255.0 9.13.38.1
ip route 9.13.40.0 255.255.255.0 9.13.38.1
ip route 10.104.56.0 255.255.255.0 192.168.0.35
!
arp 10.104.56.54 0024.81b5.3302 ARPA
!
!
control-plane
!
call treatment on
!
voice-port 0/0/0
!
voice-port 0/0/1
!
!
mgcp fax t38 ecm
!
gateway 
 timer receive-rtp 1200
!
sip-ua 
!
!
alias exec showrtp show policy-map type inspect zone-pair sessions
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000
end

    Configuring Firewall Traversal for Cisco Unified CME SCCP Line Side Endpoints

    To configure Firewall traversal for Cisco Unified CME SCCP line side endpoints, enable the stun-usage under:

    • Ephone or ephone-template and apply under the ephone for SCCP line side

    Before You Begin

    Note

    MTP should be enabled under ephones for SCCP CME line side endpoints

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    ephonephone-tag

      4.    mtp

      5.    voice-class stun-usagetag

      6.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted

       
      Step 2configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3ephonephone-tag


      Example:
      Device(config)# ephone 2
       

      Enters ephone configuration mode to set phone-specific parameters for an SCCP phone.

      • phone-tag —Unique sequence number that identifies the phone. Range is version and platform-dependent; type ?to display range.

       
      Step 4 mtp


      Example:
      Device(config-ephone)# mtp
       

      Enables Media Termination Points (MTP) on this ephone.

       
      Step 5 voice-class stun-usagetag


      Example:
      Device(config-ephone)# voice-class stun-usage 10000
       

      This command can also be configured in ephone-template configuration mode and applied to one or more SCCP phones. The ephone configuration has priority over the ephone-template configuration.

       
      Step 6 end


      Example:
      Device(config-ephone)# end
       

      Exits ephone configuration mode and returns to privileged EXEC mode.

       

      Example: Cisco Unified CME SCCP Line Side EndPoints

      This section provides the following sample configuration: 

      Device#show run
Building configuration...
!
! Last configuration change at 14:20:02 IST Thu Mar 25 2010 by cisco
! NVRAM config last updated at 15:10:47 IST Wed Mar 24 2010 by cisco
!
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname fidessrst
!
boot-start-marker
boot system tftp://9.13.40.15/kartk/c3845-adventerprisek9_ivs-mz.0_2_0_20091205
boot-end-marker
!
logging buffered 1000000
no logging console
enable secret 5 $1$GbsI$Ah0BLBHzFx4w/Hu7kyhrs1
enable password cisco
!
no aaa new-model
!
no process cpu autoprofile hog
clock timezone IST 5
!
dot11 syslog
ip source-route
!
no ip cef
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
template 10
!
voice-card 0
 dspfarm
 dsp services dspfarm
!
voice service voip
 notify redirect ip2pots
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
 stun
  stun flowdata agent-id 1 boot-count 45
  stun flowdata shared-secret 7 14141B180F0B7B79772B3A26211C564450
  stun flowdata catlife 70 keepalive 30
 sip
  session transport tcp
  registrar server expires max 600 min 60
!
voice class stun-usage 1
 stun usage firewall-traversal flowdata
!
!
license udi pid CISCO3845-MB sn FOC12373868
archive
 log config
  hidekeys
username cisco password 0 cisco
!
redundancy
!
ip ftp username test
ip ftp password test123
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 7.9.9.120 255.255.0.0
 duplex auto
 speed auto
 media-type rj45
 no keepalive
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 7.9.0.1
ip route 9.13.7.0 255.255.255.0 9.13.7.1
ip route 9.13.7.0 255.255.255.0 9.13.38.1
ip route 9.13.40.0 255.255.255.0 9.13.38.1
ip route 10.104.56.0 255.255.255.0 192.168.0.35
!
arp 10.104.56.54 0024.81b5.3302 ARPA
!
control-plane
!
call treatment on
!
voice-port 0/0/0
!
voice-port 0/0/1
!
!
mgcp fax t38 ecm
!
sccp local GigabitEthernet0/1
sccp ccm 192.168.0.1 identifier 1 version 7.0 
sccp
!
gateway 
 timer receive-rtp 1200
!
sip-ua 
!
telephony-service
 sdspfarm units 3
 sdspfarm transcode sessions 12
 sdspfarm tag 2 HwConference
 sdspfarm tag 3 mtp00230471e381
 video
 srst mode auto-provision all
 srst ephone template 1
 srst dn line-mode dual
 max-ephones 262
 max-dn 500
 ip source-address 192.168.0.1 port 2000
 service directed-pickup gpickup
 max-conferences 8 gain -6
 call-park system application
 moh music-on-hold.au
 transfer-system full-consult
 create cnf-files version-stamp 7960 Mar 24 2010 15:09:20
!
ephone-template  1
voice-class stun-usage 1
 mtp
!
ephone-template  3
 voice-class stun-usage 1
!
ephone-dn  1  dual-line
 number 1000
 name vg1port1
!
ephone-dn  2  dual-line
 number 2000
 name vg1port2
!
ephone-dn  3  dual-line
 number 3000
 name vg2port1
!
ephone-dn  4  dual-line
 number 4000
 name vg2port2
 call-forward all 3000
!
ephone-dn  5  dual-line
 number 1111
 name sccpcamelot1
!
ephone-dn  6  dual-line
 number 3333
 name sccpcamelot2
!
ephone-dn  7  dual-line
 number 717818919
 description 717818919
 name 717818919
!
ephone-dn  8  dual-line
 number 6000
 label 6000
 description 6000
 name 6000
!
ephone-dn  9  dual-line
 number 5000
 label 5000
 description 5000
 name 5000
!
ephone-dn  10  dual-line
!
ephone-dn  11  dual-line
!
ephone-dn  13  dual-line
 number 919886087486
 name blacforestvg0
!
ephone-dn  14  dual-line
 number 919886087487
 name blacforestvg1
!
ephone-dn  15  dual-line
 number 919886087488
 name blacforestvg2
!
ephone-dn  16  dual-line
 number 919886087489
 name blacforestvg3
!
ephone-dn  41  dual-line
 number 9876
 conference meetme
 preference 1
 no huntstop
!
ephone-dn  42  dual-line
 number 9876
 conference meetme
 preference 2
 no huntstop
!
ephone-dn  43  dual-line
 number 9876
 conference meetme
 preference 3
 no huntstop
!
ephone  1
 voice-class stun-usage 1
 device-security-mode none
 mac-address FCAC.3BAE.0000
 max-calls-per-button 2
 mtp
 type anl
 button  1:1
!
ephone  2
 voice-class stun-usage 1
 device-security-mode none
 mac-address FCAC.3BAE.0001
 max-calls-per-button 2
 mtp
 type anl
 button  1:2
!
ephone  3
 voice-class stun-usage 1
 device-security-mode none
 mac-address FCAC.3BAC.0000
 max-calls-per-button 2
 type anl
 button  1:3
!
ephone  4
 voice-class stun-usage 1
 device-security-mode none
 mac-address FCAC.3BAC.0001
 max-calls-per-button 2
 mtp
 type anl
 button  1:4
!
ephone  5
 voice-class stun-usage 1
 device-security-mode none
 mac-address 1234.1234.1111
 max-calls-per-button 2
 mtp
 type 7960
 button  1:5
!
ephone  6
 voice-class stun-usage 1
 device-security-mode none
 mac-address 1234.1234.3333
 ephone-template 3
 max-calls-per-button 2
 codec g729r8 dspfarm-assist
 mtp
 type 7960
 button  1:6
!
ephone  7
 device-security-mode none
 mac-address FCAC.3B79.0001
 ephone-template 1
 max-calls-per-button 2
 type anl
 button  1:14
!
ephone  8
 device-security-mode none
 mac-address 001B.D584.E274
 ephone-template 1
 button  1:7
!
ephone  9
 device-security-mode none
 mac-address FCAC.3B7F.0001
 ephone-template 1
 button  1:8
!
ephone  10
 device-security-mode none
 mac-address FCAC.3B7F.0000
 ephone-template 1
 button  1:9
!
ephone  11
 device-security-mode none
 mac-address FCAC.3B79.0002
 ephone-template 1
 max-calls-per-button 2
 type anl
 button  1:15
!
ephone  13
 device-security-mode none
 mac-address FCAC.3B79.0000
 ephone-template 1
 max-calls-per-button 2
 type anl
 button  1:13
!
ephone  14
 device-security-mode none
 mac-address FCAC.3B79.0003
 ephone-template 1
 max-calls-per-button 2
 type anl
 button  1:16
!
alias exec showrtp show policy-map type inspect zone-pair sessions
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000
end

      Configuring SIP Session Timers

      Configuring SIP Sesion Timer Globally

      Perform these tasks to configure SIP session timer globally.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    voice service voip

        4.    sip

        5.    min-sestringsession-expiresstring

        6.    session refresh

        7.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted

         
        Step 2configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3voice service voip


        Example:
        Device(config)# voice service voip
         

        Enters voice-service configuration mode and specifies a voice-encapsulation type.

         
        Step 4sip


        Example:
        Device(config-voi-serv)# sip
         

        Enters SIP configuration mode.

         
        Step 5 min-sestringsession-expiresstring


        Example:
        Device(conf-serv-sip)# min-se 90 session-expires 100
         

        Configures the minimum session expires (min-se) and session-expires

        • min-se —90 to 86400

         
        Step 6session refresh


        Example:
        Device(conf-serv-sip)# session refresh
         

        Enables SIP session timer globally.

         
        Step 7 end


        Example:
        Device (conf-serv-sip)# end
         

        Exits SIP configuration mode and returns to privileged EXEC mode.

         
        Example: SIP Session Timer

        This section provides the following sample configuration: 

        Device# show run
show running-config
Building configuration...
Current configuration : 2284 bytes
! 
! Last configuration change at 13:50:48 IST Sun Mar 14 2010
! NVRAM config last updated at 16:21:46 IST Fri Mar 12 2010
! 
version 15.1 
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
no service password-encryption 
! 
hostname CUBE1-Fides3 
! 
boot-start-marker 
boot-end-marker 
! 
! 
logging buffered 1000000
no logging console 
! 
no aaa new-model 
no process cpu autoprofile hog
clock timezone IST 5 
! 
ip source-route 
! 
ip cef
! 
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
!
voice service voip
allow-connections sip to sip
sip
min-se 90 session-expires 100
session refresh
!
voice-card 0
!
license udi pid CISCO2821 sn FHK1143F0UK
archive
log config
hidekeys
no memory lite
username cisco privilege 15 secret 5 $1$p0H/$eUuiG4gFjfFQFVvUzoDd3/
!
redundancy
!
ip ftp username test
ip ftp password test123
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 7.9.9.106 255.255.0.0
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 7.9.0.1
!
control-plane
!
mgcp fax t38 ecm
!
!
dial-peer voice 100 voip
huntstop
destination-pattern 1000000000
b2bua
session protocol sipv2
session target ipv4:7.9.9.9
incoming called-number 2000000000
voice-class sip session refresh
codec g711ulaw
!
sip-ua 
retry invite 2
!
!
gatekeeper
shutdown
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000
end

        Configuring SIP Session Timer on a Dial-Peer

        Perform these tasks to configure SIP session timer at the dial peer level.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    dial-peer voicetagvoip

          4.    voice-class sip session refresh

          5.    end


        DETAILED STEPS
           Command or ActionPurpose
          Step 1enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted

           
          Step 2configure terminal


          Example:
          Device# configure terminal
           

          Enters global configuration mode.

           
          Step 3dial-peer voicetagvoip


          Example:
          Device(config)# dial-peer voice 1 voip
           

          Enters dial peer configuration mode to define a VoIP dial peer.

           
          Step 4voice-class sip session refresh


          Example:
          Device(config-dial-peer)# voice-class sip session refresh
           

          Enables SIP session refresh at dial-peer level.

           
          Step 5end


          Example:
          Device(config-ephone)# end
           

          Exits dial-peer configuration mode and returns to privileged EXEC mode.

           

          Feature Information for Cisco Unified Communications Trusted Firewall Control - Version III

          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

          Table 2 Feature Information for Cisco Unified Communications Trusted Firewall Control - Version III

          Feature Name

          Releases

          Feature Information

          Cisco Unified Communications Trusted Firewall Control - Version III

          15.1(2)T

          Cisco Unified Communications Trusted Firewall Control using STUN pushes intelligent services into the network through Trust Relay Point (TRP).

          The following commands were introduced or modified: session refresh, and voice-class sip session refresh.

          Cisco Unified Communications Trusted Firewall Control - Version III

          Cisco IOS XE Release 3.6S

          Cisco Unified Communications Trusted Firewall Control using STUN pushes intelligent services into the network through Trust Relay Point (TRP).

          In Cisco IOS XE Release 3.6S, this feature was implemented on the Cisco Unified Border Element (Enterprise)

          The following commands were introduced or modified: session refresh, and voice-class sip session refresh.