Platform Guide
Cisco CUCM SIP Trunk Configuration
9 min read · Updated April 2026
Cisco CUCM SIP trunk configuration is more complex than most PBX platforms — security profiles, codec regions, partitions, and calling search spaces all interact. When calls fail, the CUCM trace logs tell the story if you know where to look.
1. CUCM SIP trunk overview
In CUCM, a SIP trunk is a logical connection to an external SIP entity — a carrier, an SBC, another PBX, or a Microsoft Teams SBC. Unlike traditional ISDN PRI trunks, SIP trunks in CUCM carry signaling and media separately and can be configured with rich security profiles.
Key CUCM objects involved in a SIP trunk:
- SIP Trunk — defines the remote endpoint IP/FQDN, port, and security profile
- SIP Trunk Security Profile — controls TLS, digest auth, and accepted SIP methods
- SIP Profile — controls SIP timer values, supported methods, and header handling
- Device Pool — assigns the trunk to a region, location, and SRST reference
- Route Pattern — defines which dialed numbers route to this trunk
- Codec Region — controls which codecs are negotiated on this trunk
2. Configuring a CUCM SIP trunk
Basic SIP trunk configuration
- CUCM Admin → Device → Trunk → Add New
- Trunk Type: SIP Trunk
- Device Protocol: SIP
- Device Name: meaningful name (e.g., SIP-CARRIER-PRIMARY)
- Device Pool: select appropriate device pool
- SIP Trunk Security Profile: select or create (see below)
- SIP Profile: Standard SIP Profile (or custom)
- Destination Address: IP or FQDN of SIP peer
- Destination Port: 5060 (unencrypted) or 5061 (TLS)
Route pattern to send calls to the trunk
- Call Routing → Route/Hunt → Route Pattern → Add New
- Route Pattern: 9.1XXXXXXXXXX (or appropriate pattern)
- Gateway/Route List: select your SIP trunk
- Calling Search Space: select appropriate CSS
Inbound from trunk
For inbound calls from the SIP trunk, CUCM matches on the called number to route to the correct DN or translation pattern. Configure Inbound Calling Search Space on the trunk and Translation Patterns for DID mapping.
3. SIP Trunk Security Profiles and TLS
The SIP Trunk Security Profile controls transport security:
Non-Secure Profile
UDP or TCP, port 5060
Use for internal trunks on trusted networks or when the remote end doesn't support TLS. Device Security Mode = Non Secure. Outgoing Transport Type = UDP or TCP.
Secure Profile
TLS, port 5061
Use for external trunks to carriers or Microsoft Teams. Device Security Mode = Encrypted. Outgoing Transport Type = TLS. Requires importing the remote certificate into CUCM OS Administration → Security → Certificate Management.
Configuring TLS on CUCM SIP trunk
- System → Security → SIP Trunk Security Profile → Add New
- Name: TLS-CARRIER-PROFILE
- Device Security Mode: Encrypted
- Outgoing Transport Type: TLS
- Enable Digest Authentication: check if carrier requires it
- Import carrier TLS certificate: OS Admin → Security → Certificate Management → Upload Certificate
; Verify CUCM TLS certificate from carrier side
openssl s_client -connect cucm.example.com:5061 -tls1_2
; Check CUCM certificate expiry
; OS Administration → Security → Certificate Management
; Look for CallManager.pem and cup.pem expiry dates
4. Codec regions and SIP trunk codec configuration
CUCM controls codecs through Codec Regions. The region assigned to the trunk's Device Pool determines which codecs are offered in the SDP:
- System → Region Information → Region → Add New
- Name: CARRIER-REGION
- Max Audio Bit Rate: select codecs — G.711 for maximum compatibility
- Assign region to the Device Pool used by your trunk
The Region Matrix controls codec negotiation between two regions. If calls between your phones (in Internal-Region) and the trunk (in Carrier-Region) use G.729 when you want G.711, check the Region Matrix entry between those two regions:
System → Region Information → Region → select Internal-Region → scroll to regions list → set Carrier-Region codec to G.711.
Checking codec negotiation
In CUCM traces, look for the INVITE SDP — the m=audio line shows offered codecs (payload type numbers). 0 = PCMU (G.711u), 8 = PCMA (G.711a), 18 = G.729. If the wrong codec appears, the Region Matrix needs adjustment.
5. Common CUCM SIP trunk issues
Issue 01
Trunk shows "Unknown" or "None" status
CUCM can't reach the remote SIP peer. Check network connectivity from CUCM server to trunk destination IP. Verify firewall allows SIP from CUCM IP. Check that the correct IP is configured as Destination Address on the trunk. Use SIP OPTIONS test from CUCM to verify reachability.
Issue 02
Calls fail with "Cause Code 38 — Network Out of Order"
CUCM received no response from the SIP trunk. Route Pattern is hitting the trunk but the trunk isn't responding. Check trunk status, firewall rules, and whether the carrier is receiving the INVITE (check carrier portal or SBC logs).
Issue 03
One-way audio on trunk calls
CUCM is sending RTP to a wrong address. This often happens when the carrier is behind NAT and CUCM is sending RTP to the private IP in the SDP. Configure an SBC between CUCM and the carrier to handle NAT and SDP rewriting.
Issue 04
Wrong number format causing routing failures
Number normalization mismatch between CUCM and carrier. Carrier may send +12025551234 but CUCM route patterns expect 12025551234 or 2025551234. Configure Translation Patterns on the inbound route to normalize number formats before matching to DNs.
6. Capturing and reading CUCM SIP traces
Enable SIP trace in Cisco RTMT
- Open Cisco RTMT (Real-Time Monitoring Tool)
- Trace → Configuration → Service Groups → CallManager
- Enable Detailed Level logging for Cisco CallManager service
- Set SIP trace level to Detailed
Collect traces via RTMT
- RTMT → Trace → Collect Files
- Select CUCM nodes and time range
- Download and open in Cisco Trace Analysis or text editor
- Search for Call-ID of the failing call
Reading CUCM SIP trace format
; CUCM trace format (search for SIP messages)
; Look for lines starting with:
; SIP/2.0 (responses)
; INVITE sip: (requests)
; Correlate by Call-ID field
; Key error indicators:
; "Cause value = 38" = network out of order
; "Cause value = 21" = call rejected
; "SIP/2.0 503" = service unavailable from carrier
; "SIP/2.0 403" = forbidden (auth/routing issue)
For detailed SIP analysis, export the trace to PCAP format using Cisco's trace decoder, or capture network traffic on the CUCM server NIC with tcpdump and import to SIPSymposium.
Frequently asked questions
How do I configure a SIP trunk in Cisco CUCM?
In CUCM Admin go to Device → Trunk → Add New, select SIP Trunk as trunk type, enter the destination IP/FQDN and port (5060 for UDP/TCP, 5061 for TLS), assign a SIP Trunk Security Profile, Device Pool, and SIP Profile. Then create a Route Pattern pointing to the trunk and configure the Codec Region in the Device Pool to control which codecs are offered.
How do I troubleshoot CUCM SIP trunk call failures?
For CUCM SIP trunk failures: check trunk status in CUCM Admin (Device → Trunk), enable detailed SIP traces via RTMT, and search logs by Call-ID. Cause Code 38 means no response from carrier — check network connectivity and firewall. 403 means auth/routing issue. 488 means codec mismatch — check Region Matrix. For one-way audio, deploy an SBC between CUCM and the carrier.
How do I configure TLS on a CUCM SIP trunk?
Create a SIP Trunk Security Profile with Device Security Mode = Encrypted and Outgoing Transport Type = TLS. Import the carrier's TLS certificate into CUCM OS Administration → Security → Certificate Management. Set the trunk Destination Port to 5061. Ensure the CUCM CallManager certificate is valid and not expired — check in OS Administration → Security → Certificate Management.
Having CUCM SIP trunk issues?
Paste your CUCM SIP trace into SIPSymposium. The analyzer identifies codec mismatches, TLS failures, authentication issues, and routing problems in Cisco CUCM SIP trunk configurations.