Table Of Contents
Settlements for Packet Voice, Phase 2
Related Features and Technologies
Supported Standards, MIBs, and RFCs
Configuring the Public Key Infrastructure
Configuring the Originating Gateway
Configuring the Settlement Provider
Configuring the Inbound POTS Dial Peer
Configuring the Outbound VoIP Dial Peer
Configuring the Terminating Gateway
Configuring the Settlement Provider
Configuring the Inbound VoIP Dial Peer
Configuring the Outbound POTS Dial Peer
Verifying Settlement Configuration
Configuring Settlement with Roaming
Configuring Settlement with Multiple Roots
Configuring Settlement with Suggested Route
Example Configuration of Settlement on the Originating Gateway
Example Configuration of Settlement on the Terminating Gateway
Example Configuration of Settlement with Roaming
Example Configuration of Settlement with Multiple Roots
Comprehensive Configuration Guidelines
Settle-call and Session Target
Actions When Session Target is "Settlement"
Actions When Session Target is IP/DNS
Actions When Session Target is RAS with No Token
Actions When Session Target is RAS with Token
Actions When Receiving Inbound Calls
Common Problems when Setting up Settlement
debug voip settlement security
debug voip settlement transaction
Settlements for Packet Voice, Phase 2
Feature History
This feature is also known as "Settlement Plus Roaming and PKI Multiple Roots on Cisco Access Platforms."
The Cisco Settlement Plus Roaming and PKI Multiple Roots feature is introduced in Cisco IOS Release 12.1(1)T. These features are new additions to the Open Settlement Protocol (OSP) which was previously released in Cisco IOS Release 12.0(4)XH and 12.0(7)T. The feature overview describes both new features in the following sections:
• Roaming
This document includes the following sections:
• Benefits
• Related Features and Technologies
• Supported Standards, MIBs, and RFCs
• Comprehensive Configuration Guidelines
• Common Problems when Setting up Settlement
• Glossary
Feature Overview
This is the second release of Cisco's Open Settlement Protocol (OSP) features. Some settlement vendors require roaming users to be authenticated and accounted for by the settlement clearinghouse. Therefore, IOS Release 12.1(1) introduces two new features, roaming and multiple roots.
What is settlement? When you make a telephone call, the cost charged can be divided between different carriers involved in the completion of the call. Settlement is the method used to divide the cost between carriers. Traditionally, settlement agreements have been arranged between the carriers in a pairwise fashion. With the advance of voice and video conferencing over IP, pairwise settlement agreements have become cumbersome. A number of companies have entered the market offering settlement on a subscription basis. As a result, the settlement process becomes a more manageable, many-to-one system, with a set of public interfaces that service providers must implement.
The Cisco gateway-based settlement protocol (OSP) interacts between carriers to create a single authentication at initialization. The authentication is the basis for the establishment of a secure communication channel between the settlement system and the infrastructure component. This channel then allows the following three types of transactions to be handled.
•Call routing—The settlement system can either accept a gateway endpoint from the requestor or assign one for the requester.
•Call authorization—Based on the terminating endpoint address, the settlement system determines whether the requesting gateway is permitted to originate calls for the terminating gateway. If the call is authorized, the settlement system generates a token that allows the terminating gateway to accept the call.
•Call detail reporting—Each endpoint in a call leg reports when the call stops, along with the usual call details. The settlement system reconciles the different reports of the calling and called parties and generates billing information. Call details are reported on a call-by-call basis.
Figure 1 shows a typical gateway based settlement network topology. A voice or fax call is originated and routed through the gateway (Cisco AS5300 access server, or Cisco 2600 or 3600 series routers) to a database server (RADIUS, TACACS+) for user authentication and intra-ISP call accounting. Using TCL IVR interactive voice response scripts to gather and manipulate the caller's data, the gateway forwards the call to the settlement server, which authorizes the call and adds settlement details in a token. The call, now carrying its unique settlement token, passes through the originating gateway to the terminating gateway. The terminating gateway uses TCL IVR to validate the settlement token and forwards the call to the receiving telephone or fax machine.
Note For a complete description of the Cisco Interactive Voice Response (IVR) software feature, refer to the online documentation located in Cisco Connection Online (CCO).
When the call is completed, both the terminating and originating gateways communicate the call details to the settlement server. The settlement server then reconciles the information it receives about the call from both gateways.
Figure 1
Gateway-Based Settlement
Roaming
A caller is roaming when dialing into a gateway that is not the home gateway. A home gateway belongs to the user's service provider. Usually, the subscriber is billed with additional charges when making roaming calls. The settlement server and the service provider need to know whether a caller is roaming in order to create accurate billing statements.
A roaming caller has to be authenticated before the call can go through the gateway. Both AAA and the settlement server can authenticate a roaming user. If AAA fails to authenticate a roaming caller, the roaming call has to be routed to a settlement server. If the settlement server cannot authenticate the caller, the call is terminated.
The roaming feature is configured by the following:
•Setting the roaming patterns to determine if a caller is roaming
•Setting the roaming capability in the settlement provider
•Setting the roaming capability in the dial peer
•Forcing a call to be routed via a settlement server in a dial peer
Roaming User Identification
The gateway can specify a list of patterns to be matched with a user's account number to see if that user is roaming or not. The user enters the account number and PIN as part of the interaction with the TCL IVR prompts.
The roaming patterns are configured using the Global configuration mode command settlement roam-pattern. See settlement roam-pattern.
For additional information about the IVR or AAA and the E.164 addressing scheme, refer to the following Cisco IOS documents:
•Cisco Interactive Voice Response
•Service Provider Features for Voice over IP
Roaming Settlement Provider
Some settlement providers want to know if a user is roaming so the appropriate charge is applied to the user's account. Some settlement providers do not distinguish between local and roaming users.
A settlement provider that is interested in roaming users is configured with the roam command in the settlement submode. See "Command Reference."
If a user is roaming and the settlement provider is also enabled for roaming, the gateway sends the user's account number and PIN to the settlement server so that the user can be properly authenticated.
Roaming Dial Peer
A gateway can dictate if a particular outbound dial peer can terminate roaming calls or local calls only. This can be configured with the no roam command. See Command Reference.
•The default of the dial peer is not to support roaming. Therefore, this feature must be explicitly enabled in the dial peer.
•The gateway allows a roaming call to go through only if both the dial peer associated with that call and the settlement provider support roaming. In other words, a call fails if the dial peer has roaming enabled but the settlement provider doesn't. A call also fails if the settlement provider has roaming enabled but the dial peer does not.
Dial Peer Settlement Option
The command settle-call forces the call to go through a settlement server regardless of the session target type. If the session target type is ipv4, dns or RAS, the gateway resolves the terminating gateway address using one of these methods and asks the settlement server to authorize that terminating gateway (TGW).
Note In Cisco IOS Release 12.1(1)T the session target command configuration can not combine the target of RAS with the settle-call command option. When configuring the VoIP dial peers for a settlement server, if session target type is settlement, the provider-number parameter in session target and settle-call should be identical.
The restrictions and behaviors associated with use of the settle-call command with outbound dial peers are described in another section of this document. See "Common Problems when Setting up Settlement" section for examples of the gateway behavior using different session target types and the settle-call flag.
PKI Multiple Roots
Cisco devices can share public keys using digital certificates. Digital certificates are normally issued by trusted third parties, called Certificate Authorities (CAs). Every participating router should enroll its public key with the CA server. During enrollment, the certificate administrator (a person) manually verifies that the requesting router is authentic and grants the certificate (some CA servers can authenticate routers automatically).
A certificate has many fields, including a serial number, fingerprint, and expiry date. A certificate can be revoked before it expires because of key compromise or for other security reasons. The CA server maintains a list of revoked certificates, called the Certificate Revocation List (CRL). Routers can be configured not to accept a peer certificate that has been revoked; the router downloads the CRL from the CA server for this purpose.
Cisco routers use a proprietary protocol CEP (Certificate Enrollment Protocol) to communicate with the CA server. The CA server should understand CEP.
The Multiple Roots feature is based on the Cisco security and public key infrastructure (PKI) technology. For in-depth information about security, see the Cisco Security Configuration Guide.
The multiple roots feature allows a settlement server to use one certificate for a Secure Socket Layer (SSL) handshake and a different certificate for token signing.
•For SSL handshake with the settlement server, the gateway uses the certificate obtained through the CLI command crypto ca identity name.
•For token verification, the gateway can use one of the root certificates configured with the command crypto ca trusted-root name.
•To specify which root certificate is used for token validation, use the command token-root-name in the settlement submode.
Note For a description of these new commands, see the "Command Reference."
Benefits
•Enables Cisco Access platforms to provide Open Settlement Protocol (OSP) to Internet service providers
•Gives Internet service providers the ability to bid for the originating and terminating fee because the settlement software complies with OSP
•Offers a single authentication for the actual gateway or platform at initialization time
•Provides a secure interface between the settlement client and server
•Offers a choice of languages; therefore, the ISP can specify the currency with which to perform the transaction
Restrictions
•The Cisco Settlement for Packet Telephony feature requires Cisco IOS Release 12.1(1)T and the correct version of VCWare that is compatible with this version of the Cisco IOS software.
•The settlement feature cannot be enabled on dial peers that use RAS as the session target.
•The settlement software is offered only in crypto images and therefore is under export controls.
Related Features and Technologies
The Settlement for Packet Voice feature is dependent upon the interoperability of the following features:
•Interactive Voice Response (IVR)
The IVR feature uses audio files that manage the voice prompting and digit collection to gather caller information for authenticating the user and identifying the destination.
Refer to the Cisco Connection Online for Cisco IOS Release 12.0(7)T software features for the documentation.
•Certification Authority Interoperability
Ensure that this feature is functioning properly and configured as described in the task list. See "Configuration Tasks." Additional configuration information is available in the Certification Authority Interoperability feature documentation on Cisco Connection Online (CCO).
Related Documents
Cisco Customer Documentation:
•Voice Features for Cisco 3600 Series Routers
•Certification Authority Interoperability
•Cisco Security Configuration Guide
•Cisco IP Security and Encryption Overview
Other Documentation:
•Token Card and Cisco Secure Authentication Support
•The SSL Protocol Version 3.0 as amended SSL 3.0 Errata of August 26, 1996
Supported Platforms
•Cisco AS5300 universal access servers
•Cisco AS5800 universal access servers
•Cisco 2600 series routers
•Cisco 3600 series routers
Supported Standards, MIBs, and RFCs
Standards
European Telecommunication Standards Institute (ETSI) Technical Specification (TS) 101 321
MIBS
No new or modified MIBs are supported by this feature.
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
•Ensure that your access platform has the following memory requirement:
16 MB Flash and 64 MB DRAM memory minimum.
•In Cisco IOS Release 12.0(4)XH or later release, both the originating and terminating gateways must be using the Integrated Voice Response TCL IVR scripts to perform settlement successfully. If a terminating gateway that is not configured with a TCL script receives settlement calls, it will not recognize the tokens added to those calls by the settlement server; therefore, those calls will pass through without being audited or charged.
•Ensure that the correct version of VCWare is downloaded to the Cisco AS5300 and Cisco Access Path platforms.
•Before configuring the settlement feature, you must have configured the Public Key Infrastructure (PKI) for secured communication between the access platform (or router) and the settlement server. For detailed information about Certificates and secure devices see the Cisco IOS Release 12.0 documentation titled Certification Authority Interoperability.
•Requires Cisco IOS Release 12.1(5)T for Cisco AS5800 support.
Note The Cisco AS5800 universal access server uses portware, not VCWare, with its modems.
Configuration Tasks
Before starting the settlement server configuration tasks, ensure that the Cisco Enrollment Protocol (CEP) router has obtained a security certificate. For detailed information, see the Certification Authority Interoperability documentation in the Cisco IOS Release 12.0 documentation set, or go to the online version.
Configuring Settlement for Packet Voice on Cisco access servers requires the following tasks:
• Configuring the Public Key Infrastructure
• Configuring the Originating Gateway
– Configuring the Settlement Provider
– Configuring the Inbound POTS Dial Peer
– Configuring the Outbound VoIP Dial Peer
• Configuring the Terminating Gateway
– Configuring the Settlement Provider
– Configuring the Inbound VoIP Dial Peer
– Configuring the Outbound POTS Dial Peer
• Configuring Settlement with Roaming
• Configuring Settlement with Multiple Roots
• Configuring Settlement with Suggested Route
Note When configuring a voice port use the following configuration designations:
For the Cisco AS5300 access server, port designation is port.
For the Cisco AS5800 access server, port designation is shelf/slot/port.
Configuring the Public Key Infrastructure
Note Ensure that you have secure communication between the access platform or router and the settlement server.
To configure the Public Key Infrastructure (PKI) use the following commands:
Configuring the Originating Gateway
Three tasks are actually involved in configuring the originating gateway:
•Configure the settlement provider so that the gateway knows where to direct the call authorization and call detail record.
•Configure the inbound POTS dial peer so that a TCL application will process the call (only TCL applications can settle the call).
•Configure the outbound VoIP dial peer so that the gateway will settle the call if necessary.
Configuring the Settlement Provider
To configure the service provider to authorize calls, use the following commands:
Note If you are configuring a TransNexus server, first enter the url <url>; then enter the customer-id and the device-id command.
Configuring the Inbound POTS Dial Peer
To configure the inbound POTS dial peer, enter the following commands:
Note In Step 3, do not use the default session application. The default "Session" application does not support settlement. Calls handled by the default session application are not routed to a settlement server. Settlement tokens are not validated in the default session application.
Configuring the Outbound VoIP Dial Peer
To configure the outbound VoIP dial peer, use the following commands:
Step 1
Command: Router(config)# dial-peer voice number voip
Purpose: Enters the dial-peer configuration mode to configure the outbound VoIP dial peer.
Step 2
Command: Router(config-dial-peer)# destination-pattern [+]string[T]
Purpose: Configures the dial peer's destination pattern. Enter the number or pattern of the outbound called number.
The string is a series of digits that specify the E.164 or private dialing plan telephone number. Valid entries are the digits 0-9 and the letters A-D. The following special characters can be entered in the string:
•The plus symbol (+) can be used to indicate an E.164 standard number.
•The star character (*) and the pound sign (#) that appear on standard touch-tone dial pads can be used in any dial string. However, these characters cannot be used as leading characters in a string (for example, *650).
•The period (.) can be used as a trailing character, and is used as a wildcard character. Multiple periods as trailing characters indicate multiple wildcard digits, such as for the 789... wildcard.
•The comma (,) can be used only in prefixes, and is used to insert a one-second pause or delay.
The timer (T) character can be used to configure variable-length dial plans.
Step 3
Command: Router(config-dial-peer)# session target settlement [provider-number]
Purpose: Enters settlement as the session target to resolve the terminating gateway address.
Note The provider-number value should match one of the number values previously configured in the "Configuring the Settlement Provider" section.
Note The originating gateway's system clock must synchronize with the settlement server clock. Use the clock or ntp command to set the router clock.
Configuring the Terminating Gateway
Caution If the terminating gateway is not configured by using TCL IVR application scripts, the settlement tokens are bypassed, calls can get through, and settlement calls will not be audited; therefore, you will not be notified that the calls are not going through the billing service.
To configure the terminating gateway, complete the following tasks:
•Configure the Service Provider
•Configure the Inbound VoIP Dial Peer
•Configure the outbound POTS Dial Peer
Configuring the Settlement Provider
To configure the settlement provider, enter the following commands:
Note If you are configuring a TransNexus server, enter the url <url> command; then enter the customer-id and device-id command.
Configuring the Inbound VoIP Dial Peer
To configure the inbound VoIP dial peer, enter the following commands:
Note The default "Session" application does not support settlement. Calls handled by the default session application are not routed to a settlement server. Settlement tokens are not validated in the default session application.
Step 1
Command: Router# configure terminal
Purpose: Enters the global configuration mode.
Step 2
Command: Router(config)# dial-peer voice number voip
Purpose: Enters the dial-peer configuration mode to configure a VoIP dial peer.
Step 3
Command: Router(config-dial-peer)# application app-name
Purpose: Enters the application command; then enter the desired TCL application name.
Step 4
Command: Router(config-dial-peer)# incoming called-number string
Purpose: Specifies the telephone number of the voice port associated with this dial peer. Characters include wildcards to create the number or pattern.
Step 5
Command: Router(config-dial-peer)# session target settlement [provider-number]
Purpose: Enters settlement as the session target to resolve the terminating gateway address.
Note The <provider-number> value should match one of the <number> values previously configured in the "Configuring the Settlement Provider" section.
Configuring the Outbound POTS Dial Peer
To configure the outbound POTS dial peer, enter the following commands:
Note The terminating gateway system clock must synchronize with the settlement server clock. Use the clock or ntp command to set the router clock.
Verifying Settlement Configuration
Use the show running configuration command to verify your configuration. See Example of Settlement Configurations for Originating and Terminating Gateways.
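Several of the notes above can be checked mechanically against a saved running configuration: the default "Session" application does not validate settlement tokens, the provider-number in session target must match a configured settlement provider, and a roaming dial peer needs a roaming-enabled provider. The following Python audit is an added example, not Cisco code and not part of the original document. The sample configuration is constructed, the application name settle_ivr is hypothetical, and two behaviours are assumptions of this example: a bare "session target settlement" is resolved to provider 0, and a provider URL that is not https is flagged because the SSL handshake described earlier would not take place.

```python
import re

# Constructed running-config excerpt modelled on the page's examples (not device
# output). The application name "settle_ivr" is hypothetical.
SAMPLE_CONFIG = """\
settlement roam-pattern 875.... roam
!
settlement 0
 type osp
 url http://1.14.115.100
 device-id 2000
 customer-id 1000
!
dial-peer voice 5 voip
 application session
 incoming called-number +1404.......
 session target settlement:0
!
dial-peer voice 6 voip
 roaming
 destination-pattern 1512.......
 session target settlement
!
dial-peer voice 8 voip
 application settle_ivr
 incoming called-number +1650.......
 session target settlement:0
!
dial-peer voice 9 voip
 destination-pattern 1650.......
 session target settlement:3
!
"""

SETTLEMENT_RE = re.compile(r"settlement (\d+)")
DIAL_PEER_RE = re.compile(r"dial-peer voice (\d+) (pots|voip)")
TARGET_RE = re.compile(r"session target settlement(?::(\d+))?")
ROAM_WORDS = {"roaming", "roam"}  # the page's configs show "roaming", its prose "roam"


def parse_blocks(config):
    """Split a running-config into settlement-provider and dial-peer blocks.

    A block ends at a '!' line, as in the page's example output, so parsing
    also works when the leading indentation of sub-commands has been lost.
    """
    providers, peers, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        provider = SETTLEMENT_RE.fullmatch(line)
        peer = DIAL_PEER_RE.fullmatch(line)
        if not line or line.startswith("!"):
            current = None
        elif provider:
            current = providers.setdefault(int(provider.group(1)), [])
        elif peer:
            current = peers.setdefault((int(peer.group(1)), peer.group(2)), [])
        elif current is not None:
            current.append(line)
    return providers, peers


def settlement_target(lines):
    """Provider number a dial peer points at, or None if it does not use settlement."""
    for line in lines:
        match = TARGET_RE.fullmatch(line)
        if match:
            return int(match.group(1) or 0)  # assumption: bare target means provider 0
    return None


def audit(config):
    """Return a sorted list of (object, finding-code) tuples."""
    providers, peers = parse_blocks(config)
    findings = []
    for number, lines in providers.items():
        url = next((l.split(None, 1)[1] for l in lines if l.startswith("url ")), "")
        if not url.lower().startswith("https://"):
            findings.append((f"settlement {number}", "no-ssl-url"))
    for (number, kind), lines in peers.items():
        target = settlement_target(lines)
        if kind != "voip" or target is None:
            continue
        name = f"dial-peer {number}"
        if target not in providers:
            findings.append((name, "unknown-provider"))
            continue
        # An inbound VoIP peer left on the default application does not validate tokens.
        inbound = any(l.startswith("incoming called-number") for l in lines)
        app = next((l.split()[1] for l in lines if l.startswith("application ")), "session")
        if inbound and app == "session":
            findings.append((name, "default-session-app"))
        # Roaming calls fail unless both the dial peer and its provider enable roaming.
        if ROAM_WORDS & set(lines) and not ROAM_WORDS & set(providers[target]):
            findings.append((name, "roaming-mismatch"))
    return sorted(findings)


if __name__ == "__main__":
    for obj, code in audit(SAMPLE_CONFIG):
        print(f"{obj}: {code}")
```
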
Configuring Settlement with Roaming
To configure settlement with the roaming capability, three configuration tasks must be completed:
•On the originating gateway (OGW), configure the roaming patterns. See Table 1.
•On the OGW, turn on the roaming feature for the settlement provider configuration. See Table 2.
•On the OGW, turn on the roaming feature in the outbound dial peer servicing the numbers matching the roaming patterns. See Table 3.
Table 1
Configure the Roaming Patterns on the OGW
Table 2
Turn on the Roaming Feature for the Settlement Provider
Table 3
Turn on the Roaming Feature in the Outbound Dial Peer
See "Example Configuration of Settlement with Roaming."
Configuring Settlement with Multiple Roots
To configure the Multiple Roots capability, three configuration tasks must be completed:
•On the OGW, configure a settlement provider that uses one certificate for SSL and one certificate for token signing. See Table 4.
•On the TGW, configure the root certificate used by the server to sign the settlement token. See Table 5.
•On the TGW, specify which root certificate to validate the settlement token. See Table 6.
Table 4
Configure a Settlement Server with Multiple Roots on the OGW
Table 5
Configure the Root Certificate for Token Validation on the TGW
Table 6
Define the Token Validation on the TGW
See "Example Configuration of Settlement with Multiple Roots" section.
Configuring Settlement with Suggested Route
The session target command in the dial peer dictates how the gateway resolves the terminating address to complete the call. Besides settlement, the gateway could use the ipv4 or dns options if it knows the exact address of the TGW, or it could use the ras option to consult a gatekeeper.
To force a call to be authorized by a settlement server, configure the following:
Configuration Examples
Figure 2 shows example settlement configurations for both the originating and terminating gateways.
Note All IP addresses and patterns are examples only.
Figure 2 Example of Settlement Configurations for Originating and Terminating Gateways
See samples of screen output displays for running configurations:
• Example Configuration of Settlement on the Originating Gateway
• Example Configuration of Settlement on the Terminating Gateway
• Example Configuration of Settlement with Roaming
• Example Configuration of Settlement with Multiple Roots
Example Configuration of Settlement on the Originating Gateway
See the following output by using the running configuration command. Figure 2 is a graphic representation of the configuration.
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service internal
service udp-small-servers
service tcp-small-servers
!
hostname c3620-px15
!
ip subnet-zero
!
settlement 0
type osp
url http://1.14.115.100
!
voice-port 1/0/0
alerting audible
!
voice-port 1/0/1
alerting audible
!
dial-peer voice 1 pots
application session
destination-pattern 5551111
port 1/0/0
!
dial-peer voice 2 voip
destination-pattern 5552222
session target settlement:0
!
interface Ethernet0/0
ip address 172.22.65.131 255.255.255.224
no ip directed-broadcast
ip route-cache same-interface
standby 1 priority 110
!
interface Serial0/0
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet0/1
no ip address
no ip directed-broadcast
shutdown
!
router eigrp 109
network 172.22.0.0
!
router rip
network 172.22.0.0
!
ip default-gateway 172.22.65.129
no ip classless
ip route 0.0.0.0 0.0.0.0 172.22.65.129
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password
login
!
end
Example Configuration of Settlement on the Terminating Gateway
See the following output by using the running configuration command. See Figure 2 for a graphic representation of the configuration.
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service internal
service udp-small-servers
service tcp-small-servers
!
hostname 3620-px16
!
ip subnet-zero
ip domain-name cisco.com
ip name-server 198.92.30.32
!
settlement 0
type osp
url http://1.14.115.100
!
voice-port 1/0/0
alerting audible
!
voice-port 1/0/1
alerting audible
!
dial-peer voice 1 pots
destination-pattern 5552222
port 1/0/0
!
dial-peer voice 2 voip
application session
incoming called-number 5552222
session target settlement:0
!
interface Ethernet0/0
ip address 172.22.65.143 255.255.255.224
no ip directed-broadcast
ip route-cache same-interface
!
interface Serial0/0
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet0/1
no ip address
no ip directed-broadcast
shutdown
!
router eigrp 109
network 172.22.0.0
!
router rip
network 172.22.0.0
!
ip default-gateway 172.22.65.129
no ip classless
ip route 0.0.0.0 0.0.0.0 172.22.65.129
!
snmp-server community public RO
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password
login
!
end
Example Configuration of Settlement with Roaming
The following output is displayed when you enter the show running config command with roaming configured in the settlement server.
!
version 12.0
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
service internal
!
hostname as5300-05
!
enable secret 5 $1$lFSH$khsm3jB1lldHfXNlxqmaN1
enable password lab1
!
!
!
resource-pool disable
!
!
!
ip subnet-zero
ip host pkiserver 1.14.115.100
ip domain-name fieldlabs.cisco.com
ip name-server 172.16.1.4
!
isdn switch-type primary-5ess
isdn voice-call-failure 0
cns event-service server
mta receive maximum-recipients 1024
!
!
crypto cisco algorithm des
crypto cisco algorithm 40-bit-des
!
crypto ca identity transnexus
enrollment retry count 100
enrollment retry period 2
enrollment url http://pkiserver:80
crypto ca certificate chain transnexus
certificate ca 0171
quit
certificate 8697B659C0E190E1A8D48961EBED0DB1
quit
!
!
xgcp snmp sgcp
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
clock source line secondary 1
!
controller T1 2
!
controller T1 3
!
!
voice-port 0:D
!
!
dial-peer voice 1 pots
application session
destination-pattern 5710877
port 0:D
!
dial-peer voice 5 voip
application session
incoming called-number +1404.......
session target settlement:0
!
dial-peer voice 2 pots
destination-pattern +255....
port 0:D
prefix 255
!
! Enable roaming for this dialpeer
!
dial-peer voice 6 voip
roaming
destination-pattern 1512.......
session target settlement
!
dial-peer voice 7 pots
destination-pattern +1650.......
port 0:D
prefix 1650
!
dial-peer voice 8 voip
application session
incoming called-number +1650.......
session target settlement:0
!
dial-peer voice 3 voip
application session
incoming called-number +1408.......
session target settlement:0
!
dial-peer voice 12 pots
destination-pattern 1404.......
port 0:D
prefix 1404
!
dial-peer voice 13 pots
destination-pattern 1512.......
port 0:D
prefix 1512
!
! User with account number matching 875.... is a roaming caller
!
settlement roam-pattern 875.... roam
!
! Enable roaming for this settlement provider using the "roaming" attribute
!
settlement 0
type osp
url https://1.14.115.100:8443/
device-id 2000
customer-id 1000
roaming
no shutdown
!
!
interface Ethernet0
ip address 1.14.115.85 255.255.0.0
no ip directed-broadcast
no ip mroute-cache
no cdp enable
!
interface Serial0:23
no ip address
no ip directed-broadcast
dialer-group 1
isdn switch-type primary-5ess
isdn protocol-emulate user
isdn incoming-voice modem
fair-queue 64 256 0
no cdp enable
!
interface FastEthernet0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
duplex auto
speed auto
no cdp enable
!
router igrp 200
network 1.0.0.0
!
ip default-gateway 1.14.0.1
ip classless
ip route 172.16.0.0 255.255.0.0 1.14.115.65
no ip http server
!
no cdp run
!
!
line con 0
logging synchronous
transport input none
line aux 0
line vty 0 4
password lab
login
!
scheduler interval 1000
end
Example Configuration of Settlement with Multiple Roots
The following is the configuration file from the alice.cisco.com settlement server. The console output is displayed after executing the CLI commands show crypto ca roots, show crypto ca certificate, and show crypto key pub rsa. The router alice.cisco.com has been enrolled under VeriSign TestDerive CA. It has configured Netscape CMS as a trusted root. The Netscape CMS is installed on the server Ciscoca-ultra.
version 12.0
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
service internal
!
hostname as5300-04
!
enable secret 5 $1$Ld7z$CapnZCfz2kMSh8sMHh2hy0
enable password lab1
!
!
!
resource-pool disable
!
!
!
!
!
ip subnet-zero
ip domain-name fieldlabs.cisco.com
ip name-server 171.69.2.132
!
isdn switch-type primary-5ess
isdn voice-call-failure 0
cns event-service server
mta receive maximum-recipients 1024
!
!
crypto cisco algorithm des
crypto cisco algorithm des cfb-8
crypto cisco algorithm 40-bit-des
!
! Configure the second root to be downloaded from tftp server
!
crypto ca trusted-root transnexus2
root tftp 1.14.115.100 onsite_ca.der
!
crypto ca identity transnexus
enrollment retry count 100
enrollment retry period 2
enrollment url http://hostname
crypto ca certificate chain transnexus
certificate ca 0171
quit
certificate B7DD210B9BFE007E41EEB177AF39F78C
quit
crypto ca certificate root transnexus2 DB3882D37891B597970BF0F18B008F13
quit
!
!
xgcp snmp sgcp
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
clock source line secondary 1
!
controller T1 2
!
controller T1 3
!
!
voice-port 0:D
!
!
dial-peer voice 1 pots
application session
destination-pattern 5710876
port 0:D
!
dial-peer voice 7 voip
destination-pattern +255....
session target settlement:0
!
dial-peer voice 13 pots
destination-pattern 1770.......
port 0:D
prefix 1770
!
dial-peer voice 1770 voip
incoming called-number 1770.......
ip precedence 7
session target settlement:0
!
dial-peer voice 1650 voip
destination-pattern +1650.......
session target settlement:0
!
dial-peer voice 10 voip
destination-pattern 1408.......
session target settlement
!
dial-peer voice 1404 voip
destination-pattern 1404.......
session target settlement
!
dial-peer voice 1512 voip
destination-pattern 1512.......
session target settlement
!
! Specify which root to use to validate the settlement token
! via token-root-name attribute
!
settlement 0
type osp
url https://1.14.115.100:8443/
retry-delay 2
device-id 1000
customer-id 1000
token-root-ca transnexus2
no shutdown
!
!
interface Ethernet0
ip address 1.14.115.84 255.255.0.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no cdp enable
!
interface Serial0:23
no ip address
no ip directed-broadcast
dialer-group 1
isdn switch-type primary-5ess
isdn protocol-emulate user
isdn incoming-voice modem
fair-queue 64 256 0
no cdp enable
!
interface FastEthernet0
no ip address
no ip directed-broadcast
shutdown
duplex auto
speed auto
no cdp enable
!
router igrp 200
network 1.0.0.0
!
ip default-gateway 1.14.0.1
ip classless
no ip http server
!
no cdp run
!
!
line con 0
logging synchronous
transport input none
line aux 0
line vty 0 4
password lab
login
!
ntp clock-period 17180879
ntp update-calendar
ntp server 1.14.42.23
scheduler interval 1000
end
Comprehensive Configuration Guidelines
This section contains a set of matrixes that describe exactly how settlement will proceed for various combinations of Cisco IOS command options, based on whether the caller is Roaming or not.
Settle-call and Session Target
There is a minor ambiguity between the session target settlement dial-peer command and the settle-call command. The following matrix describes whether settlement is enabled on a dial peer or not, based on various combinations of session targets and the settle-call command.
Note If the session target settlement tag and settle-call tag options are used, the tags must be the same or an error is generated. If one IOS command specifies a tag and the other does not, the specified tag becomes the only clearinghouse used. If neither specifies a tag, all clearinghouses can be searched.
Actions When Session Target is "Settlement"
Actions When Session Target is IP/DNS
Actions When Session Target is RAS with No Token
Note Settlement and RAS session targets are illegal in the first release, which was Cisco IOS Release 12.0(4)XH. This matrix applies to a future release where RAS ARQ/ACF can be performed prior to calling settlement.
The gateway needs a way to decide whether the GK has done settlement authorization or not. This is determined by checking to see whether the returned ACF contains a settlement token or not. This matrix applies to the case where no token is returned.
Actions When Session Target is RAS with Token
In these scenarios, the ACF returns a valid token, indicating that the call has already been authorized and routed by settlement.
Note The roaming scenarios require that the ARQ sourceAlternative field be formatted with the user credentials.
Actions When Receiving Inbound Calls
This matrix describes what happens when an incoming VoIP call is detected, based on whether the setup message contains a token or not.
Troubleshooting Tips
This section offers helpful hints and reminders users may need while resolving problems with their feature configuration.
Common Problems when Setting up Settlement
The following section is provided to assist in determining if your OSP network is set up correctly. The problems listed have been reported as the most common errors made when configuring settlement in a network.
Settlement Database Not Set Up Properly
Problem:
Calls are routed through a settlement server, but the OGW gets no response or a negative response.
Solution:
Check with the settlement provider to make sure the router is properly registered with that provider. Router registration with a settlement provider is normally done outside of OSP.
TCL/IVR Script Not Called
Problem:
TCL/IVR script is not used on the OGW or TGW.
Solution:
Configure a TCL/IVR script for the dial peer using application <session app name>.
Note TCL/IVR scripts are required for settlement, and classic IVR 1.0 does not support settlement.
–Use show call app voice summary to list all the available scripts on the router.
–Default is classic SESSION app, which can't do settlement.
–Fax_hop_on.tcl doesn't work with settlement.
as5300-04#sho call app voi sum
name description
session Basic app to do DID, or supply dialtone.
fax_hop_on Script to talk to a fax redialer
clid_authen Authenticate with (ani, dnis)
clid_authen_collect Authenticate with (ani, dnis), collect if that fails
clid_authen_npw Authenticate with (ani, NULL)
clid_authen_col_npw Authenticate with (ani, NULL), collect if that fails
clid_col_npw_3 Authenticate with (ani, NULL), and 3 tries collecting
clid_col_npw_npw Authenticate with (ani, NULL) and 3 tries without pw
SESSION Default system session application
No "destination-pattern" Set
Problem:
The OGW inbound POTS dial peer has no "destination-pattern" set.
Solution:
Because some PBXs do not pass along the calling number in the setup message, the router uses the "destination-pattern" number or "answer-address" as an alternative. Calling number is a required field for settlement.
No "session target settlement" Set On OGW
Problem:
The OGW outbound VoIP dial peer doesn't have "session target settlement".
The router could make successful calls, but not through a settlement server. Session target attribute dictates how the router resolves the TGW's address for a particular called number.
Solution:
Configure session target settlement [: provider-num].
No VoIP Inbound Dial Peer On TGW
Problem:
TGW has no VoIP inbound dial peer. The settlement token in the incoming setup message from the OGW cannot be validated, so the TGW rejects the call.
Solution:
Create an inbound dial peer with session target settlement [: provider-num].
No "application" Attribute on TGW
Problem:
TGW has an inbound dial peer configured, but with no "application" attribute, so the default session application, SESSION, processes the call, but it does not support settlement.
Solution:
The default application, SESSION, does not support the settlement feature. Therefore, you must configure the application application-name attribute in the inbound dial peer.
TGW Not In Sync With Settlement Server
Problem:
TGW clock is not in sync with the server. The TGW rejects the call because it's too soon or too late to use the settlement token in the incoming set-up message.
Solution:
Use the ntp or clock set command to sync the clocks between the TGW and the settlement server.
Settlement Provider Not Running
Problem:
The settlement provider on the OGW or TGW is not up. No settlement transaction processing is allowed unless the provider is up.
Solution:
Bring up settlement using the no shutdown command in Settlement submode. Use the show settlement command to verify the provider status.
Router and Server Not Using SSL to Communicate
Problem:
The router cannot use SSL to communicate with the server. Two possibilities:
•The server URL should be "https", not "http".
Solution: Configure a secured URL using "https".
•The certificates of the server or router were not properly obtained.
Solution: Check the certificate enrollment process for both the server and the router.
Multiple Dial Peers Have Random Order
Problem:
OGW has multiple dial peers for the same called number, and settlement is never used. The order for rotary dial peers is random, unless a preference is specified. The dial peer with lower preference is chosen first.
Solution:
Define dial peer preference using the preference num command.
H.323 Setup Connection Timeout Workaround
Problem:
The OGW cannot successfully set up a call with the first TGW that is returned from the OSP server. This occurs when a gateway attempts to set up the call with the terminating gateways in the order they are received. If for some reason the H.323 call setup is not successful, there is a 15-second timeout (by default) before the next terminating gateway on the list is contacted.
Solution:
The H.323 call setup timeout can be tuned using the Cisco IOS command "h225 timeout".
For example:
voice class h323 1
h225 timeout tcp establish <value 0 to 30 seconds>
dial-peer voice 919 voip
application session
destination-pattern 919555....
voice-class codec 1
voice-class h323 1
session target settlement
Problem Isolations
•Check OGW and TGW configuration for dial peers, settlement providers, certificates.
•Check the network between the OGW, TGW and the server. Ping each other to make sure that the machines are up.
•Verify if IP calls can be made successfully. If so, the problem is specific to settlement.
•Turn on debug voip ivr settlement on the OGW to see if the TCL/IVR script initiates a settlement request to the server.
•Turn on debug voip settlement network on the OGW to capture the HTTP requests sent to the server and the response from the server.
•If the OGW gets no response from the server, contact the settlement provider.
•Turn on debug voip settlement misc to see the list of TGWs returned from the server. If this list is incorrect, contact the settlement provider.
•If the TGW rejects the settlement token because it is too soon or too late to use it, sync the TGW clock with the server.
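Most of the problems listed under Common Problems when Setting up Settlement can be caught by checking a saved configuration before any call is placed. The following Python script is an added example, not Cisco code: the `audit` function, the finding names and the sample configuration are constructed for illustration, and it assumes a provider is down unless `no shutdown` appears in its block.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"^(?:dial-peer voice (\d+) (voip|pots)|settlement (\d+))$")

def parse(config):
    """Split IOS text into dial-peer and settlement blocks ('!' or next header closes one)."""
    peers, providers, current = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        m = HEADER.match(line)
        if m:
            current = []
            if m.group(1):
                peers[int(m.group(1))] = (m.group(2), current)
            else:
                providers[int(m.group(3))] = current
        elif not line or line.startswith("!"):
            current = None
        elif current is not None:
            current.append(line)
    return peers, providers

def arg(cmds, keyword):
    """Text following `keyword` in the first matching command, or None if absent."""
    for c in cmds:
        if c == keyword or c.startswith(keyword + " "):
            return c[len(keyword):].strip()
    return None

def audit(config):
    """Return (location, finding) pairs for the misconfigurations listed above."""
    peers, providers = parse(config)
    out, by_pattern = [], defaultdict(list)
    for n, (kind, cmds) in sorted(peers.items()):
        where = f"dial-peer {n}"
        if kind == "pots":  # calling number is required for settlement
            if arg(cmds, "destination-pattern") is None and arg(cmds, "answer-address") is None:
                out.append((where, "pots-no-calling-number"))
            continue
        target = arg(cmds, "session target") or ""
        settle = arg(cmds, "settle-call")
        m = re.match(r"settlement(?::\s*(\d+))?$", target)
        settled = bool(m) or settle is not None
        if m and m.group(1) and settle and m.group(1) != settle:
            out.append((where, "tag-mismatch"))
        if target == "ras" and settle is not None:
            out.append((where, "ras-with-settle-call"))
        if m and arg(cmds, "incoming called-number") is not None and arg(cmds, "application") is None:
            out.append((where, "inbound-no-application"))  # default SESSION app cannot settle
        # With no tag on either command, every configured clearinghouse may be searched.
        tag = (m.group(1) if m else None) or settle or None
        used = [int(tag)] if tag else list(providers)
        if settled and arg(cmds, "roaming") is not None:
            if not any(arg(providers.get(p, []), "roaming") is not None for p in used):
                out.append((where, "roaming-provider-mismatch"))
        pattern = arg(cmds, "destination-pattern")
        if pattern:
            by_pattern[pattern].append((settled, arg(cmds, "preference") is not None))
    for pattern, group in by_pattern.items():
        # Same called number on settlement and non-settlement peers, order left to chance.
        if {s for s, _ in group} == {True, False} and not all(p for _, p in group):
            out.append((f"pattern {pattern}", "rotary-no-preference"))
    for n, cmds in sorted(providers.items()):
        if not (arg(cmds, "url") or "").startswith("https://"):
            out.append((f"settlement {n}", "url-not-https"))
        # Assumption: a provider is down unless 'no shutdown' appears, as in the page's examples.
        if arg(cmds, "no shutdown") is None:
            out.append((f"settlement {n}", "provider-not-up"))
    return out

# Constructed sample configuration (not from the page) seeded with the faults above.
SAMPLE = """
dial-peer voice 1 pots
 port 0:D
!
dial-peer voice 6 voip
 roaming
 destination-pattern 1512.......
 session target settlement
!
dial-peer voice 8 voip
 incoming called-number +1650.......
 session target settlement:0
!
dial-peer voice 10 voip
 destination-pattern 1408.......
 session target settlement:0
 settle-call 1
!
dial-peer voice 11 voip
 destination-pattern 1408.......
 session target ipv4:172.22.95.14
!
settlement 0
 url http://1.14.115.100:8443/
"""

if __name__ == "__main__":
    print("\n".join(f"{w}: {c}" for w, c in audit(SAMPLE)))
```

Clock skew between the TGW and the settlement server and provider-side registration are not visible in the configuration, so those two checks still need the debug commands listed above.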
Command Reference
This section documents only the following new commands. The asterisk (*) indicates the commands developed for the second phase of the settlement feature introduced in Cisco IOS Release 12.1(1)T. All other commands for this feature are documented in the Cisco IOS Release 12.0(4)XH, 12.0(7)T and the Cisco IOS Release 12.1 command references.
• settle-call *
• token-root-name *
• type
• url
connection-timeout
To configure the time in seconds that a connection is maintained after completing a communication exchange, enter the connection-timeout command in the settlement configuration mode. The router maintains the connection for this period in anticipation of future communication exchanges to the same server. Use the no form of this command to reset to the default value of this command.
connection-timeout number
no connection-timeout number
Syntax Description
Defaults
The default connection timeout is 3600 seconds (1 hour).
Command Modes
Settlement configuration
Command History
Release       Modification
12.0(4)XH1    This command was introduced.
12.0(7)T      First released on the T train.
Examples
settlement 0
connection-timeout 3600
Related Commands
crypto ca authenticate
To authenticate the CA (by getting the CA's certificate), enter the crypto ca authenticate Global configuration command. Use the no form of this command to clear the CA authentication.
crypto ca authenticate identify-name | trust-point-name
no crypto ca authenticate identify-name
Syntax Description
identify-name
Specify the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.
trust-point-name
Specify the name of the
Defaults
There are no defaults for this command.
Command Modes
Global configuration
Command History
Release       Modification
11.3 T        This command was introduced.
12.1(1)T      The option to authenticate the CA Root is introduced in Cisco IOS Release 12.1(1)T.
Usage Guidelines
This command is required when you initially configure CA support at your router.
This command authenticates the CA to your router by obtaining the CA's self-signed certificate, which contains the CA's public key. Because the CA signs its own certificate, you should manually authenticate the CA's public key by contacting the CA administrator when you perform this command.
If you are using RA mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then RA signing and encryption certificates will be returned from the CA in addition to the CA certificate.
This command is not saved to the router configuration; however, the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the "RSA public key chain").
If the CA does not respond by a timeout period after this command is issued, the terminal control will be returned so it will not be tied up. If this happens, you must re-enter the command.
Examples
In this example, the router requests the CA's certificate. The CA sends its certificate and the router prompts the administrator to verify the CA's certificate by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.
Router# crypto ca authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] y
router#
This example displays the usage of the command with ca root identity.
!Root CA identity
crypto ca trusted-root my_root_identity
root CEP http://my_root
..
exit
Related Commands
crypto ca trusted-root
To configure a root with a selected name, use the crypto ca trusted-root Global configuration command. Use the no form of this command to reset to the default value of this command.
crypto ca trusted-root identity
no crypto ca trusted-root ident
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
The root which signs the OSP settlement tokens can be set as a private root. Performing this command allows you to enter additional conditions:
•root TFTP (Specifies the router to obtain a root certificate using TFTP at the specified server hostname. Enter root tftp servername hostname filename.)
•root CEP identity URL (Specifies to get the root certificate using CEP or another desired protocol. Enter root cep identity URL.)
•crl query URL (Points to the LDAP URL to query the CRL published by the configured root.)
Examples
!Root CA identity
crypto ca trusted-root my_root_identity
root CEP http://my_root
..
exit
Related Commands
Command                   Description
crypto ca authenticate    Authenticates the CA (by getting the CA's certificate).
crypto ca identity        Declares the CA your router should use.
show crypto ca roots      Shows the roots confided in the router.
customer-id
To identify a carrier or ISP with a settlement provider, enter the customer-id command in the settlement configuration mode. This is an optional attribute. Use the no form of this command to reset to the default value of this command.
customer-id number
no customer-id number
Syntax Description
Defaults
The default customer ID is 0.
Command Modes
Settlement configuration
Command History
Examples
settlement 0
customer-id 1000
Related Commands
device-id
To identify a gateway associated with a settlement provider, enter the device-id command in the settlement configuration mode. This is an optional attribute. Use the no form of this command to reset to the default value of this command.
device-id number
no device-id number
Syntax Description
Defaults
The default device ID is 0.
Command Modes
Settlement configuration
Command History
Examples
settlement 0
device-id 1000
Related Commands
encryption
To set the algorithm to be negotiated with the provider, enter the encryption command in the Settlement configuration mode. For Cisco IOS Release 12.0(4)XH, only one encryption method is allowed for each provider. Use the no form of this command to reset to the default value of this command.
encryption {des-cbc-sha | des40-cbc-sha | dh-des-cbc-sha | dh-des40-cbc-sha | null-md5 | null-sha}
no encryption {des-cbc-sha | des40-cbc-sha | dh-des-cbc-sha | dh-des40-cbc-sha | null-md5 | null-sha}
Syntax Description
Defaults
The default encryption method is all. If none of the encryption methods are configured, then the system configures to use all of the encryption methods in the SSL session negotiation.
Command Modes
Settlement configuration
Command History
Examples
settlement 0
encryption des-cbc-sha
Related Commands
max-connection
To set the maximum number of simultaneous connections to be used for communication with a settlement provider, enter the max-connection command in the Settlement configuration mode. Use the no form of this command to reset to the default value of this command.
max-connection number
no max-connection number
Syntax Description
Defaults
The default is 10 maximum connections.
Command Modes
Settlement configuration
Command History
Examples
settlement 0
max-connection 10
Related Commands
response-timeout
To configure the maximum time, in milliseconds, to wait for a response from a server, enter the response-timeout command in the Settlement configuration mode. If no response is received within this time limit, the current connection ends and the router attempts to contact the next service point. Use the no form of this command to reset to the default value of this command.
response-timeout number
no response-timeout number
Syntax Description
Defaults
The default response timeout is one (1) second.
Command Modes
Settlement configuration
Command History
Examples
settlement 0
response-timeout 1
Related Commands
retry-delay
To set the time in seconds between attempts to connect with the settlement provider, enter the retry-delay command in the Settlement configuration mode. After exhausting all service points for the provider, the router is delayed for this length of time before resuming connection attempts. Use the no form of this command to reset to the default value of this command.
retry-delay number
no retry-delay number
Syntax Description
number
Length of time (in seconds) between attempts to connect with the settlement provider. The valid range for retry-delay is 1-600 seconds.
Defaults
The default retry delay is 2 seconds.
Command Modes
Settlement configuration
Command History
Examples
settlement 0
retry-delay 15
Related Commands
retry-limit
To set the maximum number of connection attempts to the provider, enter the retry-limit command in the Settlement configuration mode. If no connection is established after the configured retries, the router ceases connection attempts. The retry limit number does not count the initial connection attempt. A retry limit of one (default) results in a total of two connection attempts to every service point. Use the no form of this command to reset to the default value of this command.
retry-limit number
no retry-limit number
Syntax Description
Defaults
The default retry limit is one (1) retry.
Command Modes
Settlement configuration
Command History
Examples
settlement 0
retry-limit 1
Related Commands
roaming (dial-peer mode)
To enable the roaming capability for the dial peer, enter the roaming command in the Dial-peer submode. Use the no form of this command to disable the roaming capability.
roaming
no roaming
Defaults
Roaming is off by default.
Command Modes
Dial-peer configuration
Command History
Usage Guidelines
•Enable the roaming capability of a dial peer if that dial peer can terminate roaming calls.
•If a dial peer is dedicated to local calls only, disable the roaming capability.
•The roaming dial peer needs to work with a roaming service provider.
•If the dial peer allows a roaming user to go through, and the service provider is not roaming enabled, the call fails.
Examples
dial-peer voice 10 voip
roaming
Related Commands
roaming (settlement mode)
To enable the roaming capability for a settlement provider, enter the roaming command in the Settlement submode. Use the no form of this command to disable the roaming capability.
roaming
no roaming
Defaults
No roaming
Command Modes
Settlement configuration
Command History
Usage Guidelines
Enable roaming capability of a settlement provider if that provider can authenticate a roaming user and route roaming calls.
A roaming call is successful only if the settlement provider and the outbound dial peer for that call are both roaming-enabled.
Examples
settlement 0
roaming
Related Commands
session target (VoIP)
To specify a network-specific address for a specified dial peer, use the session target command in dial-peer configuration mode. To restore default values for this parameter, use the no form of this command.
Note This command applies to all dial peers except for POTS dial peers.
session target {ipv4:destination-address | dns:[$s$. | $d$. | $e$. | $u$.] host-name | loopback:rtp | loopback:compressed | loopback:uncompressed | ras | settlement}
no session target {ipv4:destination-address | dns:[$s$. | $d$. | $e$. | $u$.] host-name | loopback:rtp | loopback:compressed | loopback:uncompressed | ras | settlement}
Syntax Description
Defaults
The default for this command is enabled with no IP address or domain name defined.
Command Modes
Dial-peer configuration
Command History
Usage Guidelines
•In Cisco IOS Release 12.1(1)T the session target command configuration cannot combine the target of RAS with the settle-call command option.
•When configuring the VoIP dial peers for a settlement server, if session target type is settlement, the provider-number parameter in session target and settle-call should be identical.
•Use the session target command to specify a network-specific address or domain name for a dial peer. Whether you select a network-specific address or a domain name depends on the session protocol you select.
•The session target loopback command is used for testing the voice transmission path of a call. The loopback point will depend on the call origination and the loopback type selected.
•The session target dns command can be used with or without the specified wildcards. Using the optional wildcards can reduce the number of VoIP dial peer session targets you need to configure if you have groups of numbers associated with a particular router.
•Use the session target ras command to specify that the RAS protocol is being used to determine the IP address of the session target.
Examples
The following example configures a session target using DNS for a host, "voice_router," in the domain "cisco.com":
dial-peer voice 10 voip
session target dns:voice_router.cisco.com
The following example configures a session target using DNS, with the optional $u$. wildcard. In this example, the destination pattern has been configured to allow for any four-digit extension, beginning with the numbers 1310222. The optional wildcard $u$. indicates that the router will use the unmatched portion of the dialed number—in this case, the four-digit extension, to identify the dial peer. As in the previous example, the domain is "cisco.com."
dial-peer voice 10 voip
destination-pattern 1310222....
session target dns:$u$.cisco.com
The following example configures a session target using dns, with the optional $d$. wildcard. In this example, the destination pattern has been configured for 13102221111. The optional wildcard $d$. indicates that the router will use the destination pattern to identify the dial peer in the "cisco.com" domain.
dial-peer voice 10 voip
destination-pattern 13102221111
session target dns:$d$.cisco.com
The following example configures a session target using DNS, with the optional $e$. wildcard. In this example, the destination pattern has been configured for 12345. The optional wildcard $e$. indicates that the router will reverse the digits in the destination pattern, add periods between the digits, and then use this reverse-exploded destination pattern to identify the dial peer in the "cisco.com" domain.
dial-peer voice 10 voip
destination-pattern 12345
session target dns:$e$.cisco.com
The following example configures a session target using RAS:
dial-peer voice 11 voip
destination-pattern 13102221111
session target ras
The following example configures a session target using settlement:
session target settlement:0
Related Commands
session-timeout
To configure the lifetime, in seconds, of a single SSL session key, enter the session-timeout command in the Settlement configuration mode. When this time limit is exceeded, the router negotiates a new session key. Communication exchanges in progress are not interrupted when this time limit expires. Use the no form of this command to reset to the default value of this command.
session-timeout number
no session-timeout number
Syntax Description
Defaults
The default session timeout is 86,400 seconds (one day).
Command Modes
Settlement configuration
Command History
Examples
settlement 0
session-timeout 86400
Related Commands
settle-call
To force a call to be authorized with a settlement server that uses the address resolution method specified in the session target type command, enter the settle-call attribute in the dial peer configuration command. Use the no form of this command to have the terminating gateway address resolved by the method specified in the session target type command; in that case, no authorization is performed by a settlement server.
settle-call [<provider-number>]
no settle-call [<provider-number>]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Dial-peer sub-mode
Command History
Usage Guidelines
•Using the session target command, a dial peer can determine the address of the terminating gateway through ipv4, dns, ras and settlement.
•If the session target is not "settlement", and the settle-call flag is set, the gateway resolves the terminating gateway's address using the specified method, and then requests the settlement server to authorize that address and create a settlement token for that particular address. If the server cannot authorize the terminating gateway address suggested by the gateway, the call fails.
•For Cisco IOS Release 12.1T, the combination of session target ras and settle-call is not supported.
Examples
dial-peer voice 10 voip
destination-pattern 1408.......
session target ipv4:172.22.95.14
settle-call 0
Related Commands
settlement
To enter the Settlement mode and specify the attributes specific to a settlement provider, enter the settlement global configuration command. For Cisco IOS Release 12.0(4)XH, only one clearinghouse per system is allowed, and the only valid value for provider-number is 0. Use the no form of this command to reset to the default value of this command.
settlement provider-number
no settlement provider-number
Syntax Description
Defaults
The default is 0.
Command Modes
Global configuration
Command History
Examples
settlement 0
Related Commands
settlement roam-pattern
To configure a pattern to match against when determining whether a user is roaming, enter the settlement roam-pattern global configuration command. Multiple roam patterns can be entered on one gateway. Use the no form of this command to delete a particular pattern.
settlement [<provider-number>] roam-pattern pattern {roaming|noroaming}
no settlement [<provider-number>] roam-pattern pattern {roaming|noroaming}
Syntax Description
provider-number
Digit defining the ID of particular settlement server. The only valid entry is 0.
pattern
Specify a user account pattern.
roaming|noroaming
Determines if user is roaming or not.
Defaults
No default pattern
Command Modes
Global configuration mode.
Command History
Examples
settlement 0 roam-pattern 1222 roam
settlement 0 roam-pattern 1333 noroam
settlement roam-pattern 1444 roam
settlement roam-pattern 1555 noroam
Related Commands
Command Description
Enables the roaming capability for a settlement provider.
Enters the Settlement configuration mode.
show crypto ca roots
To show the roots configured in the router, enter the show crypto ca roots command.
show crypto ca roots
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Examples
The example that follows is the configuration file from alice.cisco.com, and the console output after executing the CLI commands show crypto ca roots, show crypto ca cert, and show crypto key pub rsa. The router alice.cisco.com has been enrolled under VeriSign TestDerive CA. It has configured Netscape CMS as a trusted root. The Netscape CMS is installed on the server Ciscoca-ultra.
version 12.0
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname alice
!
hostname#
hostname#show crypto ca roots
Root netscape:
Subject Name:
CN = Certificate Manager
OU = On 07/01
O = cisco
C = US
Serial Number: 01
Certificate configured.
Root identity: netscape
CEP URL: http://cisco-ultra
CRL query url: ldap://cisco-ultra
hostname#
Related Commands
Command Description
Authenticates the CA (by getting the CA's certificate).
Configures the root certificate the server uses to sign the settlement tokens.
show settlement
To display the configuration for all settlement servers, and to see a specific provider and its transactions, enter the show settlement privileged EXEC command. Use the no form of this command to reset to the default value of this command.
show settlement [<provider-number> [transactions]]
no show settlement [<provider-number> [transactions]]
Syntax Description
provider-number
Displays the attributes of a specific provider.
transactions
Displays the transaction status of a specific provider.
Defaults
None
Command Modes
Privileged EXEC
Command History
Usage Guidelines
See Table 7 "Show Settlement Output" for a description of the fields that appear with the show settlement command.
The provider attributes not configured are not shown.
Examples
Router# show settlement
Settlement Provider 0
Type = osp
Address url = https://1.14.115.100:6556/
Encryption = all (default)
Max Concurrent Connections = 20 (default)
Connection Timeout = 3600 (s) (default)
Response Timeout = 1 (s) (default)
Retry Delay = 2 (s) (default)
Retry Limit = 1 (default)
Session Timeout = 86400 (s) (default)
Customer Id = 1000
Device Id = 1000
Roaming = Disabled (default)
Signed Token = on
Number of Connections = 0
Number of Transactions = 7
Example Output with Key Words
Router# show settlement 0 transactions
Transaction ID=8796304133625270342
state=OSPC_GET_DEST_SUCCESS, index=0
callingNumber=5710868, calledNumber=15125551212
Example Settlement Output with Token Root Name
Router# show settlement
Settlement Provider 0
Operation Status = UP
Type = osp
Address url = https://1.14.115.100:xxxx/
Encryption = all (default)
Token Root Name = transnexus2
Max Concurrent Connections = 20 (default)
Connection Timeout = 3600 (s) (default)
Response Timeout = 1 (s) (default)
Retry Delay = 2 (s)
Retry Limit = 1 (default)
Session Timeout = 86400 (s) (default)
Customer Id = 1000
Device Id = 1000
Roaming = Disabled (default)
Signed Token = On
Number of Connections = 0
Number of Transactions = 0
Related Commands
shutdown/no shutdown
To activate a settlement provider, enter the no shutdown command in the Settlement configuration mode. Unless the provider is activated, transactions will not go through the provider to be audited and charged. To deactivate the settlement provider, enter the shutdown command.
shutdown
no shutdown
Defaults
The default status of a settlement provider is deactivated.
Command Modes
Settlement configuration
Command History
Examples
settlement 0
shutdown
Related Commands
token-root-name
To specify which root or CA certificate the router should use to validate the settlement token in the incoming setup message, enter the token-root-name command. Use the no form of this command to reset to the default value of this command.
token-root-name name
no token-root-name name
Syntax Description
name
Specify the name that is the certificate identification as configured through the crypto ca identity <name> command or crypto ca trusted-root <name> command.
Defaults
None. The terminating gateway uses the CA certificate to validate the settlement token.
Command Modes
Settlement configuration
Command History
Examples
token-root-name foo
Example Output
There is new output for the show settlement command to display the value of the token-root-name attribute:
Settlement Provider 0
Operation Status = UP
Type = osp
Address url = https://1.14.115.100:8444/
Encryption = all (default)
Token Root Name = foo
Max Concurrent Connections = 20 (default)
Connection Timeout = 3600 (s) (default)
Response Timeout = 1 (s) (default)
Retry Delay = 2 (s) (default)
Retry Limit = 1 (default)
Session Timeout = 86400 (s) (default)
Customer Id = 1000
Device Id = 2000
Roaming = Disabled (default)
Signed Token = On
Number of Connections = 1
Number of Transactions = 0
Related Commands
type
To point to the provider type and the specific settlement server, enter the type command in the Settlement configuration mode. This command line defines the settlement server that is doing the accounting, and enables the server to do the accounting. In Cisco IOS Release 12.0(4)XH, osp is the only settlement server type supported. Use the no form of this command to disable this command.
type {osp}
no type
Syntax Description
Defaults
The default is osp.
Command Modes
Settlement configuration
Command History
Examples
settlement 0
type osp
Related Commands
url
To configure the Internet service provider (ISP) address, enter the url command in the Settlement configuration mode. You can configure the address type multiple times. If you configure multiple URLs for the settlement server, the gateway attempts to send the request to each URL in the order that you configured these addresses. Use the no form of this command to disable this command.
url url-address
no url url-address
Syntax Description
Defaults
None
Command Modes
Settlement configuration
Command History
Examples
settlement 0
url http://1.2.3.4/
url http://1.2.3.4:80/
url https://1.2.3.4:4444/
url https://yourcompany.com:443/
Related Commands
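The command descriptions above imply several cross-checks between the settlement provider, the PKI roots, and the dial peers. The following is an added example, not Cisco code, that audits a configuration for them. The two configurations are constructed; the rule names, the assumption that sub-mode lines are indented, and the assumption that an activated provider shows an explicit no shutdown are illustrative.

```python
import re

# Constructed running-config fragments. Assumed: sub-mode lines are indented
# and an activated provider shows an explicit "no shutdown".
WEAK_CONFIG = """\
crypto ca identity transnexus
crypto ca trusted-root netscape
!
settlement 0
 type osp
 url http://1.2.3.4/
 token-root-name foo
!
dial-peer voice 10 voip
 session target ipv4:172.22.95.14
 settle-call 0
!
dial-peer voice 11 voip
 session target ras
 settle-call 0
"""

FIXED_CONFIG = """\
crypto ca identity transnexus
crypto ca trusted-root netscape
!
settlement 0
 type osp
 url https://1.2.3.4:4444/
 token-root-name netscape
 no shutdown
!
dial-peer voice 10 voip
 session target ipv4:172.22.95.14
 settle-call 0
!
dial-peer voice 11 voip
 session target settlement
"""


def parse_blocks(config):
    """Return [(top-level command, [indented sub-commands])] for an IOS config."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of (rule, subject) findings for the settlement rules."""
    blocks = parse_blocks(config)
    roots, providers, findings = set(), {}, []
    for header, subs in blocks:
        m = re.fullmatch(r"crypto ca (?:identity|trusted-root) (\S+)", header)
        if m:
            roots.add(m.group(1))
        m = re.fullmatch(r"settlement (\d+)", header)
        if m:
            providers[m.group(1)] = subs

    for num, subs in providers.items():
        subject = f"settlement {num}"
        # A provider is deactivated by default and must be activated explicitly.
        if "no shutdown" not in subs:
            findings.append(("provider-inactive", subject))
        for sub in subs:
            # token-root-name must name a configured identity or trusted root.
            m = re.fullmatch(r"token-root-name (\S+)", sub)
            if m and m.group(1) not in roots:
                findings.append(("unknown-token-root", subject))
            # A plain http:// URL means the exchange is not carried over SSL.
            if sub.startswith("url http://"):
                findings.append(("cleartext-url", subject))

    for header, subs in blocks:
        if not re.fullmatch(r"dial-peer voice \d+ voip", header):
            continue
        settle = next((s for s in subs if s.startswith("settle-call")), None)
        if settle is None:
            continue
        # The provider number is optional; 0 is the only valid value here.
        num = (settle.split() + ["0"])[1]
        target = next((s for s in subs if s.startswith("session target ")), "")
        # session target ras with settle-call is not supported in 12.1T.
        if target == "session target ras":
            findings.append(("ras-with-settle-call", header))
        if num not in providers or "no shutdown" not in providers[num]:
            findings.append(("settle-call-provider-inactive", header))
    return findings
```

Running audit(WEAK_CONFIG) reports six findings; audit(FIXED_CONFIG) reports none.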
Debug Commands
This section documents new and modified debug commands associated with the settlement feature. All other commands used with this feature are documented in the Cisco Release 12.0 command references. All debug commands are EXEC commands.
• debug voip settlement security
• debug voip settlement network
• debug voip settlement transaction
debug voip ivr settlement
The debug voip ivr command is used to debug the IVR application. IVR debug messages appear when a call is being actively handled by the IVR scripts. Error output occurs only if something is not working or an error condition has been raised. When the keyword states is used, the output supplies information about the current status of the IVR script and the different events that occur in that state. This document, for Cisco IOS Release 12.0(4)XH, shows the debug voip ivr settlement command using the output for the keyword settlement only. Use the no form of this command to disable this command.
Note To see the complete description of the debug voip ivr command, refer to "Configuring Interactive Voice Response for Cisco Access Platforms" in the "Related Documents" section.
debug voip ivr [states | error | settlement | dynamic| all]
no debug voip ivr [states | error | settlement | dynamic| all]
Syntax Description
Defaults
Not enabled
Usage Guidelines
IVR debug messages appear when a call is handled by the IVR scripts. Error output should only occur if something is not working or an error condition is indicated. States output supplies information about the current status of the IVR script and the different events that occur in that state.
Settlement output logs activities related to settlement when a call is processed.
Command History
Examples
Example On the Originating Gateway
Router # debug voip ivr settlement
ivr settlement activities debugging is on
as5300-04#
00:00:52:settlement_validate_token:cid(1), target=, tokenp=0x0
00:00:54:pcSettlementAuthorize:cid(1) authorizing using calling=408, called=15125551212
00:00:54:pcSettlementAuthorize:cid(1) sending authorize request type=1
00:00:57:pcSettlementSetup:cid(1) settlement_curr_dest=0, num_dest=3
00:00:57:pcSettlementGetDestination:trans=0 gets error=0, credit_time=14400
00:00:57:pcSettlementSetup:cid(1) placing call through ip(1.14.115.85), calling(408),called(15125551212), digits(15125551212)
00:00:57:pcSettlementSetup:set settlement acct for cid(2) on ip=1.14.115.85
as5300-04#
Example On the Terminating Gateway
Router # debug voip ivr settlement
ivr settlement activities debugging is on
as5300-05#
00:10:02:settlement_validate_token:cid(1), target=settlement, tokenp=0x618386B4
00:10:02:settlement_validate_token:cid(1) return 1, credit_time=14400
00:10:02:Set settlement acct on cid(1) for trans=0, prov=0
as5300-05#
debug voip settlement all
To enable debugging in all settlement areas, enter the debug voip settlement all EXEC command. Use the no form of this command to disable debugging output.
[no] debug voip settlement all
Syntax Description
Defaults
Not enabled
Command History
Usage Guidelines
The debug voip settlement all EXEC command enables the following debug settlement commands:
• debug voip settlement security
• debug voip settlement network
• debug voip settlement transaction
debug voip settlement enter
To show all the settlement function entrances, enter the debug voip settlement enter command. Use the no form of this command to disable debugging output.
[no] debug voip settlement enter
Defaults
Not enabled.
Command History
Examples
00:43:40:OSP:ENTER:OSPPMimeMessageCreate()
00:43:40:OSP:ENTER:OSPPMimeMessageInit()
00:43:40:OSP:ENTER:OSPPMimeMessageSetContentAndLength()
00:43:40:OSP:ENTER:OSPPMimeMessageBuild()
00:43:40:OSP:ENTER:OSPPMimeDataFree()
00:43:40:OSP:ENTER:OSPPMimePartFree()
00:43:40:OSP:ENTER:OSPPMimePartFree()
00:43:40:OSP:ENTER:OSPPMsgInfoAssignRequestMsg()
00:43:40:OSP:ENTER:osppHttpSelectConnection
00:43:40:OSP:ENTER:OSPPSockCheckServicePoint() ospvConnected = <1>
00:43:40:OSP:ENTER:OSPPSockWaitTillReady()
00:43:40:OSP:ENTER:osppHttpBuildMsg()
00:43:40:OSP:ENTER:OSPPSSLSessionWrite()
00:43:40:OSP:ENTER:OSPPSockWrite()
00:43:40:OSP:ENTER:OSPPSockWaitTillReady()
debug voip settlement error
To show all the settlement errors, enter the debug voip settlement error command. Use the no form of this command to disable debugging output.
[no] debug voip settlement error
Defaults
Not enabled
Command History
Examples
00:45:50:OSP:OSPPSockProcessRequest:http recv init header failed
00:45:50:OSP:osppHttpSetupAndMonitor:attempt#0 on http=0x6141A514, limit=1 error=14310
Usage Guidelines
See the "Error Code Definitions" section.
Error Code Definitions
-1:OSP internal software error.
16:A bad service was chosen.
17:An invalid parameter was passed to OSP.
9010:Attempted to access an invalid pointer.
9020:A time related error occurred.
10010:OSP provider module failed initialization.
10020:OSP provider tried to access a NULL pointer.
10030:OSP provider could not find transaction collection.
10040:OSP provider failed to obtain provider space.
10050:OSP provider tried to access an invalid handle.
10060:OSP provider has reached the maximum number of providers.
11010:OSP transaction tried to delete a transaction which was not allowed.
11020:OSP transaction tried a transaction which does not exist.
11030:OSP transaction tried to start a transaction, but data had already been delivered.
11040:OSP transaction could not identify the response given.
11050:OSP transaction failed to obtain transaction space.
11060:OSP transaction failed (possibly ran out) to allocate memory.
11070:OSP transaction tried to perform a transaction which is not allowed.
11080:OSP transaction found no more responses.
11090:OSP transaction could not find a specified value.
11100:OSP transaction did not have enough space to copy.
11110:OSP transaction - call id did not match destination.
11120:OSP transaction encountered an invalid entry.
11130:OSP transaction tried to use a token too soon.
11140:OSP transaction tried to use a token too late.
11150:OSP transaction - source is invalid.
11160:OSP transaction - destination is invalid.
11170:OSP transaction - calling number is invalid.
11180:OSP transaction - called number is invalid.
11190:OSP transaction - call id is invalid.
11200:OSP transaction - authentication id is invalid.
11210:OSP transaction - call id was not found
11220:OSP transaction - The IDS of the called number was invalid.
11230:OSP transaction - function not implemented.
11240:OSP transaction tried to access an invalid handle.
11250:OSP transaction returned an invalid return code.
11260:OSP transaction reported an invalid status code.
11270:OSP transaction encountered an invalid token.
11280:OSP transaction reported a status which could not be identified.
11290:OSP transaction is now valid after it was not found.
11300:OSP transaction could not find the specified destination.
11310:OSP transaction is valid until not found.
11320:OSP transaction - invalid signaling address.
11330:OSP transaction could not find the ID of the transmitter.
11340:OSP transaction could not find the source number.
11350:OSP transaction could not find the destination number.
11360:OSP transaction could not find the token.
11370:OSP transaction could not find the list.
11380:OSP transaction was not allowed to accumulate.
11390:OSP transaction - transaction usage was already reported.
11400:OSP transaction could not find statistics.
11410:OSP transaction failed to create new statistics.
11420:OSP transaction made an invalid calculation.
11430:OSP transaction was not allowed to get the destination.
11440:OSP transaction could not find the authorization request.
11450:OSP transaction - invalid transmitter ID.
11460:OSP transaction could not find any data.
11470:OSP transaction found no new authorization requests.
12010:OSP security did not have enough space to copy.
12020:OSP security received an invalid argument.
12030:OSP security could not find the private key.
12040:OSP security encountered an un-implemented function.
12050:OSP security ran out of memory.
12060:OSP security received an invalid signal.
12065:OSP security could not initialize the SSL database.
12070:OSP security could not find space for the certificate.
12080:OSP security has no local certificate info defined.
12090:OSP security encountered a zero length certificate.
12100:OSP security encountered a certificate that is too big.
12110:OSP security encountered an invalid certificate.
12120:OSP security encountered a NULL certificate.
12130:OSP security has too many certificates.
12140:OSP security has no storage provided.
12150:OSP security has no private key.
12160:OSP security encountered an invalid context.
12170:OSP security was unable to allocate space.
12180:OSP security - CA certificates do not match.
12190:OSP security found no authority certificates
12200:OSP security - CA certificate index overflow.
13010:OSP error message - failed to allocate memory.
13110:OSP MIME error - buffer is too small.
13115:OSP MIME error - failed to allocate memory.
13120:OSP MIME error - could not find variable.
13125:OSP MIME error - no input was found.
13130:OSP MIME error - invalid argument.
13135:OSP MIME error - no more space.
13140:OSP MIME error - received an invalid type.
13145:OSP MIME error - received an invalid subtype.
13150:OSP MIME error - could not find the specified protocol.
13155:OSP MIME error - could not find MICALG.
13160:OSP MIME error - boundary was not found.
13165:OSP MIME error - content type was not found.
13170:OSP MIME error - message parts were not found.
13301:OSP XML error - received incomplete XML data.
13302:OSP XML error - bad encoding of XML data.
13303:OSP XML error - bad entity in XML data.
13304:OSP XML error - bad name in XML data.
13305:OSP XML error - bad tag in XML data.
13306:OSP XML error - bad attribute in XML data.
13307:OSP XML error - bad CID encoding in XML data.
13308:OSP XML error - bad element found in XML data.
13309:OSP XML error - no element found in XML data.
13310:OSP XML error - no attribute found in XML data.
13311:OSP XML error - OSP received invalid arguments.
13312:OSP XML error - failed to create a new buffer.
13313:OSP XML error - failed to get the size of a buffer.
13314:OSP XML error - failed to send the buffer.
13315:OSP XML error - failed to read a block from the buffer.
13316:OSP XML error - failed to allocate memory.
13317:OSP XML error - could not find the parent.
13318:OSP XML error - could not find the child.
13319:OSP XML error - data type not found in XML data.
13320:OSP XML error - failed to write a block to the buffer.
13410:OSP data error - no call id present.
13415:OSP data error - no token present.
13420:OSP data error - bad number presented.
13425:OSP data error - no destination found.
13430:OSP data error - no usage indicator present.
13435:OSP data error - no status present.
13440:OSP data error - no usage configured.
13445:OSP data error - no authentication indicator.
13450:OSP data error - no authentication request.
13455:OSP data error - no authentication response.
13460:OSP data error - no authentication configuration.
13465:OSP data error - no re-authentication request.
13470:OSP data error - no re-authentication response.
13475:OSP data error - invalid data type present.
13480:OSP data error - no usage information available.
13485:OSP data error - no token info present.
13490:OSP data error - invalid data present.
13500:OSP data error - no alternative info present.
13510:OSP data error - no statistics available.
13520:OSP data error - no delay present.
13610:OSP certificate error - memory allocation failed.
14010:OSP communications error - invalid communication size.
14020:OSP communications error - bad communication value.
14030:OSP communications error - parser error.
14040:OSP communications error - no more memory available.
14050:OSP communications error - communication channel currently in use.
14060:OSP communications error - invalid argument passed.
14070:OSP communications error - no service points present.
14080:OSP communications error - no service points available.
14085:OSP communications error - thread initialization failed.
14086:OSP communications error - communications is shutdown.
14110:OSP message queue error - no more memory available.
14120:OSP message queue error - failed to add a request.
14130:OSP message queue error - no event queue present.
14140:OSP message queue error - invalid arguments passed.
14210:OSP HTTP error - 100 - bad header.
14220:OSP HTTP error - 200 - bad header.
14221:OSP HTTP error - 400 - bad request.
14222:OSP HTTP error - bad service port present.
14223:OSP HTTP error - failed to add a request.
14230:OSP HTTP error - invalid queue present.
14240:OSP HTTP error - bad message received.
14250:OSP HTTP error - invalid argument passed.
14260:OSP HTTP error - memory allocation failed.
14270:OSP HTTP error - failed to create a new connection.
14280:OSP HTTP error - server error.
14290:OSP HTTP error - HTTP server is shutdown.
14292:OSP HTTP error - failed to create a new SSL connection.
14295:OSP HTTP error - failed to create a new SSL context.
14297:OSP HTTP error - service unavailable.
14300:OSP socket error - socket select failed.
14310:OSP socket error - socket receive failed.
14315:OSP socket error - socket send failed.
14320:OSP socket error - failed to allocate memory for the receive buffer.
14320:OSP socket error - socket reset.
14330:OSP socket error - failed to create the socket.
14340:OSP socket error - failed to close the socket.
14350:OSP socket error - failed to connect the socket.
14360:OSP socket error - failed to block I/O on the socket.
14370:OSP socket error - failed to disable nagle on the socket.
14400:OSP SSL error - failed to allocate memory.
14410:OSP SSL error - failed to initialize the context.
14420:OSP SSL error - failed to retrieve the version.
14430:OSP SSL error - failed to initialize the session.
14440:OSP SSL error - failed to attach the socket.
14450:OSP SSL error - handshake failed.
14460:OSP SSL error - failed to close SSL.
14470:OSP SSL error - failed to read from SSL.
14480:OSP SSL error - failed to write to SSL.
14490:OSP SSL error - could not get certificate.
14495:OSP SSL error - no root certificate found.
14496:OSP SSL error - failed to set the private key.
14497:OSP SSL error - failed to parse the private key.
14498:OSP SSL error - failed to add certificates.
14499:OSP SSL error - failed to add DN.
15410:OSP utility error - not enough space for copy.
15420:OSP utility error - no time stamp has been created.
15430:OSP utility error - value not found.
15440:OSP utility error - failed to allocate memory.
15450:OSP utility error - invalid argument passed.
15500:OSP buffer error - buffer is empty.
15510:OSP buffer error - buffer is incomplete.
15980:OSP POW error.
15990:OSP Operating system conditional variable timeout.
16010:OSP X509 error - serial number undefined.
16020:OSP X509 error - certificate undefined.
16030:OSP X509 error - invalid context.
16040:OSP X509 error - decoding error.
16050:OSP X509 error - unable to allocate space.
16060:OSP X509 error - invalid data present.
16070:OSP X509 error - certificate has expired.
16080:OSP X509 error - certificate not found.
17010:OSP PKCS1 error - tried to access invalid private key pointer
17020:OSP PKCS1 error - unable to allocate space.
17030:OSP PKCS1 error - invalid context found.
17040:OSP PKCS1 error - tried to access NULL pointer.
17050:OSP PKCS1 error - private key overflow.
18010:OSP PKCS7 error - signer missing.
18020:OSP PKCS7 error - invalid signature found.
18020:OSP PKCS7 error - unable to allocate space.
18030:OSP PKCS7 error - encoding error.
18040:OSP PKCS7 error - tried to access invalid pointer.
18050:OSP PKCS7 error - buffer overflow.
19010:OSP ASN1 error - tried to access NULL pointer.
19020:OSP ASN1 error - invalid element tag found.
19030:OSP ASN1 error - unexpected high tag found.
19040:OSP ASN1 error - invalid primitive tag found.
19050:OSP ASN1 error - unable to allocate space.
19060:OSP ASN1 error - invalid context found.
19070:OSP ASN1 error - invalid time found.
19080:OSP ASN1 error - parser error occurred.
19090:OSP ASN1 error - parsing complete.
19100:OSP ASN1 error - parsing defaulted.
19110:OSP ASN1 error - length overflow.
19120:OSP ASN1 error - unsupported tag found.
19130:OSP ASN1 error - object ID not found.
19140:OSP ASN1 error - object ID mismatch.
19150:OSP ASN1 error - unexpected int base.
19160:OSP ASN1 error - buffer overflow.
19170:OSP ASN1 error - invalid data reference ID found.
19180:OSP ASN1 error - no content value for element found.
19190:OSP ASN1 error - integer overflow.
20010:OSP Crypto error - invalid parameters found.
20020:OSP Crypto error - unable to allocate space.
20030:OSP Crypto error - could not verify signature.
20040:OSP Crypto error - implementation specific error.
20050:OSP Crypto error - tried to access invalid pointer.
20060:OSP Crypto error - not enough space to perform operation.
21010:OSP PKCS8 error - invalid private key pointer found.
21020:OSP PKCS8 error - unable to allocate space for operation.
21030:OSP PKCS8 error - invalid context found.
21040:OSP PKCS8 error - tried to access NULL pointer.
21050:OSP PKCS8 error - private key overflow.
22010:OSP Base 64 error - encode failed.
22020:OSP Base 64 error - decode failed.
22510:OSP audit error - failed to allocate memory.
156010:OSP RSN failure error - no data present.
156020:OSP RSN failure error - data is invalid.
debug voip settlement exit
To show all the settlement function exits, enter the debug voip settlement exit command. Use the no form of this command to disable debugging output.
[no] debug voip settlement exit
Defaults
Not enabled
Command History
Examples
01:21:10:OSP:EXIT :OSPPMimeMessageInit()
01:21:10:OSP:EXIT :OSPPMimeMessageSetContentAndLength()
01:21:10:OSP:EXIT :OSPPMimeMessageBuild()
01:21:10:OSP:EXIT :OSPPMimePartFree()
01:21:10:OSP:EXIT :OSPPMimePartFree()
01:21:10:OSP:EXIT :OSPPMimeDataFree()
01:21:10:OSP:EXIT :OSPPMimeMessageCreate()
01:21:10:OSP:EXIT :OSPPMsgInfoAssignRequestMsg()
01:21:10:OSP:EXIT :osppHttpSelectConnection
01:21:10:OSP:EXIT :OSPPSockCheckServicePoint() isconnected(1)
01:21:10:OSP:EXIT :osppHttpBuildMsg()
01:21:10:OSP:EXIT :OSPPSockWrite() (0)
01:21:10:OSP:EXIT :OSPPSSLSessionWrite() (0)
01:21:10:OSP:EXIT :OSPPSSLSessionRead() (0)
01:21:10:OSP:EXIT :OSPPSSLSessionRead() (0)
01:21:10:OSP:EXIT :OSPPHttpParseHeader
01:21:10:OSP:EXIT :OSPPHttpParseHeader
01:21:10:OSP:EXIT :OSPPSSLSessionRead() (0)
01:21:10:OSP:EXIT :OSPPUtilMemCaseCmp()
debug voip settlement misc
To show the details on the code flow of each settlement transaction, enter the debug voip settlement misc command. Use the no form of this command to disable debugging output.
[no] debug voip settlement misc
Defaults
Not enabled
Command History
Examples
00:52:03:OSP:osp_authorize:callp=0x6142770C
00:52:03:OSP:OSPPTransactionRequestNew:ospvTrans=0x614278A8
00:52:03:OSP:osppCommMonitor:major:minor=(0x2:0x1)
00:52:03:OSP:HTTP connection:reused
00:52:03:OSP:osppHttpSetupAndMonitor:HTTP=0x6141A514, QUEUE_EVENT from eventQ=0x6141A87C, comm=0x613F16C4, msginfo=0x6142792C
00:52:03:OSP:osppHttpSetupAndMonitor:connected = <TRUE>
00:52:03:OSP:osppHttpSetupAndMonitor:HTTP=0x6141A514, build msginfo=0x6142792C, trans=0x2
00:52:04:OSP:osppHttpSetupAndMonitor:HTTP=0x6141A514, msg built and sent:error=0, msginfo=0x6142792C
00:52:04:OSP:osppHttpSetupAndMonitor:monitor exit. errorcode=0
00:52:04:OSP:osppHttpSetupAndMonitor:msginfo=0x6142792C, error=0, shutdown=0
00:52:04:OSP:OSPPMsgInfoProcessResponse:msginfo=0x6142792C, err=0, trans=0x614278A8, handle=2
00:52:04:OSP:OSPPMsgInfoChangeState:transp=0x614278A8, msgtype=12 current state=2
00:52:04:OSP:OSPPMsgInfoChangeState:transp=0x614278A8, new state=4
00:52:04:OSP:OSPPMsgInfoProcessResponse:msginfo=0x6142792C, context=0x6142770C, error=0
00:52:04:OSP:osp_get_destination:trans_handle=2, get_first=1, callinfop=0x614275E0
00:52:04:OSP:osp_get_destination:callinfop=0x614275E0 get dest=1.14.115.51, validafter=1999-01-20T02:04:32Z, validuntil=1999-01-20T02:14:32Z
00:52:04:OSP:osp_parse_destination:dest=1.14.115.51
00:52:04:OSP:osp_get_destination:callinfop=0x614275E0, error=0, ip_addr=1.14.115.51, credit=60
00:52:06:OSP:stop_settlement_ccapi_accounting:send report for callid=0x11, transhandle=2
00:52:06:OSP:osp_report_usage:transaction=2, duration=0, lostpkts=0, lostfrs=0, lostpktr=0, lostfrr=0
debug voip settlement network
To show all the messages exchanged between a router and a settlement provider, enter the debug voip settlement network command. Use the no form of this command to disable debugging output.
[no] debug voip settlement network
Defaults
Not enabled
Command History
Usage Guidelines
Using the debug voip settlement network command shows the messages, in detail, in HTTP and XML formats.
Examples
00:47:25:OSP:HTTP connection:reused
00:47:25:OSP:OSPPSockWaitTillReady:HTTPCONN=0x6141A514, fd=0
00:47:25:OSP:OSPPSockWaitTillReady:read=0, timeout=0, select=1
00:47:25:OSP:osppHttpBuildAndSend():http=0x6141A514 sending:
POST /scripts/simulator.dll?handler HTTP/1.1
Host:1.14.115.12
content-type:text/plain
Content-Length:439
Connection:Keep-Alive
Content-Type:text/plain
Content-Length:370
<?xml version="1.0"?><Message messageId="1" random="8896">
<AuthorisationRequest componentId="1">
<Timestamp>
1993-03-01T00:47:25Z</Timestamp>
<CallId>
<![CDATA[12]]></CallId>
<SourceInfo type="e164">
5551111</SourceInfo>
<DestinationInfo type="e164">
5552222</DestinationInfo>
<Service/>
<MaximumDestinations>
3</MaximumDestinations>
</AuthorisationRequest>
</Message>
00:47:25:OSP:OSPPSockWaitTillReady:HTTPCONN=0x6141A514, fd=0
00:47:25:OSP:OSPPSockWaitTillReady:read=0, timeout=1, select=1
00:47:25:OSP:OSPM_SEND:bytes_sent = 577
00:47:25:OSP:OSPPSockProcessRequest:SOCKFD=0, Expecting 100, got
00:47:25:OSP:OSPPSockWaitTillReady:HTTPCONN=0x6141A514, fd=0
00:47:25:OSP:OSPPSockWaitTillReady:read=1, timeout=1, select=1
00:47:25:OSP:OSPPSSLSessionRead() recving 1 bytes:
HTTP/1.1 100 Continue
Server:Microsoft-IIS/4.0
Date:Wed, 20 Jan 1999 02:01:54 GMT
00:47:25:OSP:OSPPSockProcessRequest:SOCKFD=0, Expecting 200, got
00:47:25:OSP:OSPPSockWaitTillReady:HTTPCONN=0x6141A514, fd=0
00:47:25:OSP:OSPPSockWaitTillReady:read=1, timeout=1, select=1
00:47:25:OSP:OSPPSSLSessionRead() recving 1 bytes:
HTTP/1.1 200 OK
Server:Microsoft-IIS/4.0
Date:Wed, 20 Jan 1999 02:01:54 GMT
Connection:Keep-Alive
Content-Type:multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary=bar
Content-Length:1689
00:47:25:OSP:OSPPSockProcessRequest:SOCKFD=0, error=0, HTTP response
00:47:25:OSP:OSPPSockWaitTillReady:HTTPCONN=0x6141A514, fd=0
00:47:25:OSP:OSPPSockWaitTillReady:read=1, timeout=1, select=1
00:47:25:OSP:OSPPSSLSessionRead() recving 1689 bytes:
--bar
Content-Type:text/plain
Content-Length:1510
<?xml version="1.0"?><Message messageId="1" random="27285">
<AuthorisationResponse componentId="1">
<Timestamp>
1999-01-20T02:01:54Z</Timestamp>
<Status>
<Description>
success</Description>
<Code>
200</Code>
</Status>
<TransactionId>
101</TransactionId>
<Destination>
<AuthorityURL>
http://www.myauthority.com</AuthorityURL>
<CallId>
<![CDATA[12]]></CallId>
<DestinationInfo type="e164">
5552222</DestinationInfo>
<DestinationSignalAddress>
1.14.115.51</DestinationSignalAddress>
<Token encoding="base64">
PD94bWwgdmVyc2lvbj0xLjA/PjxNZXNzYWdlIG1lc3NhZ2VJZD0iMSIgcmFuZG9tPSIxODM0OSI+PFRva2VuSW5mb z48U291cmNlSW5mbyB0eXBlPSJlMTY0Ij41NTUxMTExPC9Tb3VyY2VJbmZvPjxEZXN0aW5hdGlvbkluZm8gdHlwZT 0iZTE2NCI+NTU1MjIyMjwvRGVzdGluYXRpb25JbmZvPjxDYWxsSWQ+PCFbQ0RBVEFbMV1dPjwvQ2FsbElkPjxWYWx pZEFmdGVyPjE5OTgtMTItMDhUMjA6MDQ6MFo8L1ZhbGlkQWZ0ZXI+PFZhbGlkVW50aWw+MTk5OS0xMi0zMVQyMzo1 OTo1OVo8L1ZhbGlkVW50aWw+PFRyYW5zYWN0aW9uSWQ+MTAxPC9UcmFuc2FjdGlvbklkPjxVc2FnZURldGFpbD48Q W1vdW50PjE0NDAwPC9BbW91bnQ+PEluY3JlbWVudD4xPC9JbmNyZW1lbnQ+PFNlcnZpY2UvPjxVbml0PnM8L1VuaX Q+PC9Vc2FnZURldGFpbD48L1Rva2VuSW5mbz48L01lc3NhZ2U+</Token>
<UsageDetail>
<Amount>
60</Amount>
<Increment>
1</Increment>
<Service/>
<Unit>
s</Unit>
</UsageDetail>
<ValidAfter>
1999-01-20T01:59:54Z</ValidAfter>
<ValidUntil>
1999-01-20T02:09:54Z</ValidUntil>
</Destination>
<transnexus.com:DelayLimit critical="False">
1000</transnexus.com:DelayLimit>
<transnexus.com:DelayPreference critical="False">
1</transnexus.com:DelayPreference>
</AuthorisationResponse>
</Message>
--bar
Content-Type:application/pkcs7-signature
Content-Length:31
This is your response signature
--bar--
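The Token element in an AuthorisationResponse like the one above is base64 text that can be decoded and checked offline. The following is an added example, not Cisco code: it decodes a token, reads its ValidAfter and ValidUntil fields, and classifies a gateway clock against that window, which is the condition that error codes 11130 and 11140 in the Error Code Definitions describe. The sample capture, token contents, and function names are constructed for illustration.

```python
import base64
import re
from datetime import datetime, timezone

# Constructed token body. Its XML declaration has an unquoted version
# attribute, like the sample token in the capture, so regexes are used
# instead of an XML parser.
TOKEN_XML = (
    '<?xml version=1.0?><Message messageId="1" random="1"><TokenInfo>'
    '<SourceInfo type="e164">5551111</SourceInfo>'
    '<DestinationInfo type="e164">5552222</DestinationInfo>'
    '<CallId><![CDATA[12]]></CallId>'
    '<ValidAfter>1999-01-20T01:59:54Z</ValidAfter>'
    '<ValidUntil>1999-01-20T02:09:54Z</ValidUntil>'
    '<TransactionId>101</TransactionId>'
    '</TokenInfo></Message>'
)
TOKEN_B64 = base64.b64encode(TOKEN_XML.encode()).decode()

# Constructed capture fragment; the token is broken across lines the way
# console output wraps it.
SAMPLE_CAPTURE = (
    '<DestinationSignalAddress>\n1.14.115.51</DestinationSignalAddress>\n'
    '<Token encoding="base64">\n'
    + TOKEN_B64[:64] + ' \n' + TOKEN_B64[64:] + '</Token>\n'
)

TS_RE = re.compile(r"(\d{4})-(\d{1,2})-(\d{1,2})T(\d{1,2}):(\d{1,2}):(\d{1,2})Z")
TOKEN_TAGS = ("SourceInfo", "DestinationInfo", "CallId",
              "ValidAfter", "ValidUntil", "TransactionId")


def parse_ts(text):
    """Parse an OSP timestamp, tolerating unpadded fields such as '20:04:0Z'."""
    m = TS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable timestamp: {text!r}")
    return datetime(*(int(g) for g in m.groups()), tzinfo=timezone.utc)


def extract_token(capture):
    """Return the decoded text of the first base64 <Token> in a capture."""
    m = re.search(r'<Token encoding="base64">(.*?)</Token>', capture, re.S)
    if not m:
        raise ValueError("no base64 Token element found")
    b64 = re.sub(r"\s+", "", m.group(1))  # undo console line wrapping
    return base64.b64decode(b64, validate=True).decode("ascii")


def token_fields(token_xml):
    """Pull the TokenInfo fields out of decoded token text."""
    fields = {}
    for tag in TOKEN_TAGS:
        m = re.search(rf"<{tag}[^>]*>(.*?)</{tag}>", token_xml, re.S)
        if m:
            value = m.group(1).strip()
            cdata = re.fullmatch(r"<!\[CDATA\[(.*)\]\]>", value, re.S)
            fields[tag] = cdata.group(1) if cdata else value
    return fields


def check_token(capture, gateway_clock):
    """Decode the token and classify gateway_clock against its validity window."""
    fields = token_fields(extract_token(capture))
    for tag in ("ValidAfter", "ValidUntil"):
        if tag not in fields:
            raise ValueError(f"token has no {tag}")
    after = parse_ts(fields["ValidAfter"])
    until = parse_ts(fields["ValidUntil"])
    if gateway_clock < after:
        status, code = "too soon", 11130
    elif gateway_clock > until:
        status, code = "too late", 11140
    else:
        status, code = "valid", None
    return {"fields": fields, "status": status, "error_code": code}
```

A gateway whose clock reads 1993, like the request Timestamp in the capture above, falls before a 1999 validity window and is classified as "too soon".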
debug voip settlement security
To show all the tracing related to security, such as SSL or S/MIME, enter the debug voip settlement security command. Use the no form of this command to disable debugging output.
[no] debug voip settlement security
Defaults
Not enabled
Command History
Examples
Not available due to security issues.
debug voip settlement transaction
To see all the attributes of the transactions on the settlement gateway, enter the debug voip settlement transaction command. Use the no form of this command to disable debugging output.
[no] debug voip settlement transaction
Defaults
Not enabled
Command History
Examples
Sample output from the originating gateway:
00:44:54:OSP:OSPPTransactionNew:trans=0, err=0
00:44:54:OSP:osp_authorize:authorizing trans=0, err=0
as5300-04>
00:45:05:OSP:stop_settlement_ccapi_accounting:send report for callid=7, trans=0, calling=5710868, called=15125551212, curr_Dest=1
00:45:05:OSP:OSPPTransactionDelete:deleting trans=0
Sample output from the terminating gateway:
00:44:40:OSP:OSPPTransactionNew:trans=0, err=0
00:44:40:OSP:osp_validate:validated trans=0, error=0, authorised=1
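The following Python sketch is an added example, not part of the Cisco documentation. It parses debug voip settlement transaction output in the format of the samples above, rejoins records that a console capture has wrapped, and flags records with a non-zero err/error value or authorised=0. It assumes, as the successful samples suggest, that 0 means no error; the function names, the last two sample lines, and the value 99999 are constructed for illustration.

```python
import re

# A record starts with "HH:MM:SS:OSP:<function>:"; any other line is either a
# wrapped continuation of the previous record or an interleaved router prompt.
RECORD = re.compile(r"^(\d{2}:\d{2}:\d{2}):OSP:(\w+):(.*)$")
PROMPT = re.compile(r"^\S+[>#]\s*$")
FIELD = re.compile(r"(\w+)\s*=\s*(-?\d+)")  # tolerates "trans =0" after a rejoin

# First seven lines follow the originating-gateway sample; the last two are constructed.
SAMPLE = """\
00:44:54:OSP:OSPPTransactionNew:trans=0, err=0
00:44:54:OSP:osp_authorize:authorizing trans=0, err=0
as5300-04>
00:45:05:OSP:stop_settlement_ccapi_accounting:send report for
callid=7, trans
=0, calling=5710868, called=15125551212, curr_Dest=1
00:45:05:OSP:OSPPTransactionDelete:deleting trans=0
00:46:10:OSP:OSPPTransactionNew:trans=1, err=0
00:46:10:OSP:osp_validate:validated trans=1, error=99999, authorised=0
"""


def parse_osp_debug(text):
    """Return one dict per OSP debug record, rejoining wrapped lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue  # blank line or router prompt such as "as5300-04>"
        m = RECORD.match(line)
        if m:
            records.append({"time": m.group(1), "func": m.group(2), "msg": m.group(3)})
        elif records:
            records[-1]["msg"] += " " + line  # continuation of a wrapped record
    for rec in records:
        # Values stay strings so dialled numbers keep any leading zeros.
        rec["fields"] = dict(FIELD.findall(rec["msg"]))
    return records


def find_failures(records):
    """Return (time, function, trans, code) for records that did not succeed."""
    failures = []
    for rec in records:
        f = rec["fields"]
        code = int(f.get("err", f.get("error", "0")))
        if code != 0 or f.get("authorised", "1") == "0":
            failures.append((rec["time"], rec["func"], f.get("trans"), code))
    return failures


if __name__ == "__main__":
    for failure in find_failures(parse_osp_debug(SAMPLE)):
        print(failure)
```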
Glossary
AAA—Authentication, authorization, and accounting. A Cisco IOS security feature.
ACF—Admission Confirmation.
ARQ—Admission Request.
CA—Certificate Authority.
CDR—Call detail record.
CEP—Cisco Enrollment Protocol.
ETSI—European Telecommunications Standards Institute.
ISP—Internet service provider.
IVR—Interactive Voice Response. A Cisco IOS software voice feature for internet telephony service providers.
MD5—Message Digest 5. The algorithm used for message authentication in SNMP v.2; MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
OGW—originating gateway.
OSP—Open Settlement Protocol.
PKCS7—Public Key Cryptography Standard No.7.
PKI—Public key infrastructure.
RADIUS—Database for authenticating modem and ISDN connections and for tracking connections.
RAS—Registration, admission, and status. RAS is the protocol that is used between endpoints and the gatekeeper to perform management functions.
ROOT—The ultimate CA which signs the certificates of the sub CA.
RSA—Rivest, Shamir, and Adleman. Inventors of the public-key cryptographic system used for encryption and authentication.
SSL—Secure Sockets Layer. Encryption technology for the Web used to provide secure transactions, such as the transmission of credit card numbers for e-commerce.
TACACS—Terminal access controller access control system.
TCL—Tool command language. TCL is an interpreted script language developed by Dr. John Ousterhout of the University of California, Berkeley, and is now developed and maintained by Sun Microsystems Laboratories.
TCP—Transmission Control Protocol.
TGW—terminating gateway.
VoIP—Voice over IP. The ability to carry normal telephone-style voice over an IP-based Internet with POTS-like functionality, reliability, and voice quality. VoIP is a blanket term, which generally refers to Cisco's standards-based (for example, H.323) approach to IP voice traffic.
Posted: Thu Dec 15 14:41:22 PST 2005
All contents are Copyright © 1992-2005 Cisco Systems, Inc. All rights reserved.