I did an upgrade for the IOS of my voice gateway / CME from 12.4T(24) to 15.1(2). I have noticed couple of features introduced related to Toll Fraud Prevention which changed the way how VGW handles incoming calls.
IP Address Trust List
IP address trusted authentication process blocks unauthorized calls to be made through VGW. VoIP (SIP/H.323) calls will succeed only if the remote IP address of an incoming VoIP call is successfully validated from the system IP address trusted list. System IP address trusted list is built automatically based on session target addresses of VoIP dial-peers (assuming that dial-peer status is UP). Addresses can be added manually as well to trusted list to be used for validation of incoming calls.
If the IP address trusted authentication fails, an incoming VoIP call is then disconnected by the application with a user- defined cause code and a new application Internal Error Code 31 message (TOLL_FRAUD_CALL_BLOCK) is logged.
Note: The voice IEC error messages are logged to syslog if “voice iec syslog” option is enabled.
%VOICE_IEC-3-GW: Application Framework Core: Internal Error (Toll fraud call rejected): IEC=126.96.36.199.31.0 on callID 3 GUID=AE5066C5883E11DE8026A96657501A09
- This feature is enabled by default.
- Duplicate addresses aren't allowed
- IP address trusted list authentication will be suspended if VGW is registered with GK.
- IP address trusted authentication is skipped if an incoming SIP call is originated from a SIP phone.
- IP address trusted authentication is skipped if an incoming call is an IPv6 call.
- For an incoming VoIP call, IP trusted authentication must be invoked when the IP address trusted authentication is in “UP” operational state.
Configuration & Verification Commands
voice service voip
ip address trusted authenticate
ip-address trusted call-block cause
ip address trusted list
ipv4 ipv4 address network maskRouter #show ip address trusted listIP Address Trusted AuthenticationAdministration State: UPOperation State: UPIP Address Trusted Call Block Cause: call-reject (21)VoIP Dial-peer IPv4 Session Targets:Peer Tag Oper State Session Target-------- ---------- --------------11 DOWN ipv4:188.8.131.52 UP ipv4:184.108.40.206IP Address Trusted List:ipv4 172.19.245.1ipv4 172.19.247.1ipv4 172.19.243.1ipv4 220.127.116.11ipv4 172.19.245.0 255.255.255.0''Disconnecting ISDN Calls With no Matching Dial-peerIn case no inbound dial-peer is matched for incoming POTS calls on ISDN, the call will be disconnected instead of matching default dial-peer. The cause code of this disconnected can be modified using the command dial-peer no-match disconnect-cause.Disconnecting ISDN Calls With no Matching Dial-peerThe direct-inward-dial isdn feature in enabled to prevent the toll fraud for incoming ISDN calls even if direct-inward-dial option is disabled from a selectedInbound POTS dial-peer. The called number of an incoming ISDN enbloc dialing call is used to match the outbound dial-peers and incase no outbound dial-peer matched the call will disconnect with cause code “unassigned-number (1)”.Blocking Two-stage Dialing Service on Analog and Digital FXO PortsThis is enabled by default on FXO ports using the command no secondary dialtone. In this case, no digits are collected from the port and no outbound dial-peer lookup is performed when the call is answered without PLAR configured on voice-port. The call will be disconnected with cause code “unassigned-number (1)”.Hope this was useful. I will let you know if something interesting pops in between ...