[cisco-voip] Phone VPN

Tue Nov 12 10:55:33 EST 2013

Do you have ip phone VPN licenses on the ASA?

On Mon, Nov 11, 2013 at 10:55 AM, James Dust <
james.dust at charles-stanley.co.uk> wrote:

>  I have managed to get a little further and am now seeing inbound
> requests on my asa from the 9951 trying to form a connection,
>
>
>
> However the connection is immediately being torn down with the below error
> message:
>
>
>
> 6
>
> Nov 11 2013
>
> 16:30:18
>
> *(external 9951 address)*
>
> *49580*
>
> *(external asa address)*
>
> 443
>
> Teardown TCP connection 7982 for outside:*external 9951 address*/49580 to
> identity:*(external asa address)*/443 duration 0:00:30 bytes 0 SYN Timeout
>
>
>
> I have replaced IP addresses with descriptions and highlighted.
>
>
>
>
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
> *From:* James Dust
> *Sent:* 08 November 2013 16:19
> *To:* 'Chris Ward (chrward)'; Erick Wellnitz
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* RE: [cisco-voip] Phone VPN
>
>
>
> Thanks for clarifying Chris and yes I did get what you meant although I
> worded my response somewhat poorly,
>
>
>
> I am planning on completely redoing the whole config as I don’t seem to be
> getting anywhere trouble shooting this issue.
>
>
>
> Thanks again for yours and everyone’s help.
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
> *From:* Chris Ward (chrward) [mailto:chrward at cisco.com <chrward at cisco.com>]
>
> *Sent:* 08 November 2013 16:13
> *To:* James Dust; Erick Wellnitz
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* RE: [cisco-voip] Phone VPN
>
>
>
> James, just to make sure you understand, I am only referring to the
> “System-Server” configuration in the main CCMAdmin pages, nothing VPN or
> CAPF specific. Also, hostnames are fine, it just can’t be the FQDN.
>
>
>
> For example:
>
> cucm1 = GOOD
>
> 10.1.1.110 = GOOD
>
> cucm1.domain.com = BAD
>
>
>
> +Chris
>
> TME - Unity Connection and MediaSense
>
>
>
> *From:* James Dust [mailto:james.dust at charles-stanley.co.uk<james.dust at charles-stanley.co.uk>]
>
> *Sent:* Friday, November 08, 2013 10:50 AM
> *To:* Chris Ward (chrward); Erick Wellnitz
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* RE: [cisco-voip] Phone VPN
>
>
>
> Thanks Chris,
>
>
>
> I am going to strip everything out and start again, so I will ensure I
> don’t use hostnames only IP’s.
>
>
>
> Kind Regards
>
>
>
> James Dust
> Technical Infrastructure Engineer
> Charles Stanley & Co Ltd
> Tel: 020 7149 6314
> Mob: 07989 491136
> mailto: james.dust at charles-stanley.co.uk
>
>
>
> *From:* Chris Ward (chrward) [mailto:chrward at cisco.com <chrward at cisco.com>]
>
> *Sent:* 08 November 2013 15:47
> *To:* Erick Wellnitz; James Dust
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* RE: [cisco-voip] Phone VPN
>
>
>
> Another TME and I recently found an issue where if you define your servers
> (System – Servers in the menu)  as FQDN, the CAPF cert won’t populate. Are
> you perchance using FQDNs in the System – Server fields? If so, these would
> need to be changed to IPs or just hostnames.
>
>
>
> +Chris
>
> TME - Unity Connection and MediaSense
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net<cisco-voip-bounces at puck.nether.net>]
> *On Behalf Of *Erick Wellnitz
> *Sent:* Friday, November 08, 2013 10:34 AM
> *To:* James Dust
> *Cc:* cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] Phone VPN
>
>
>
> Check your VPN Feature Configuration and VPN Profile.  Client
> Authentication Mehtod should be Certificate if you aren't using manual
> login.  I also disabled Host ID Check.
>
>
>
> What I have noticed is that if settnigs between the profile and the
> Feature configuration are not consistent you will see inconsistent results.
>
>
>
> On Fri, Nov 8, 2013 at 4:15 AM, James Dust <
> james.dust at charles-stanley.co.uk> wrote:
>
> Morning Erick,
>
>
>
> Yes I have done what you suggested and it still hasn’t worked.
>
>
>
> Today I might strip all the config off and start again.
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
> *Sent:* 07 November 2013 20:38
> *To:* Brian Meade (brmeade)
> *Cc:* James Dust; Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] Phone VPN
>
>
>
> Have you gone to settings -> administrator settings -> Security Setup ->
> LSC and selected update?  Also, check the ITL file under trust list to make
> sure the CAPF Server is listed.  The CAPF certificate also needs to be
> installed on the ASA.
>
>
>
> If the CAPF Server is not listed. restart the CAPF service and it should
> appear.
>
>
>
> On Thu, Nov 7, 2013 at 12:08 PM, Brian Meade (brmeade) <brmeade at cisco.com>
> wrote:
>
> Check the Group URL you are using on the VPN Gateway configuration.  On
> the ASA, see which tunnel-group that URL is configured under and make sure
> it has “authentication certificate”.
>
>
>
> tunnel-group CertOnlyTunnelGroup webvpn-attributes
>
> authentication certificate
>
> group-url https://10.89.79.135/CertOnly enable
>
>
>
> *From:* James Dust [mailto:james.dust at charles-stanley.co.uk]
> *Sent:* Thursday, November 07, 2013 12:59 PM
> *To:* Brian Meade (brmeade); Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> Hi Brian,
>
>
>
> I have completely reset the phone and left it plugged into the lan to
> register for some time,
>
>
>
> Now when I plug the phone back into the external connection and connect
> the vpn setting I get a username and password box present itself.
>
>
>
> Where is this referencing?
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
> *From:* Brian Meade (brmeade) [mailto:brmeade at cisco.com<brmeade at cisco.com>]
>
> *Sent:* 07 November 2013 16:53
> *To:* James Dust; Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> James,
>
>
>
> Try downloading the phone’s config file:
> http://x.x.x.x:6970/SEP3CCE73AD2EE2.cnf.xml and look for the CAPF entry
> to make sure it is there.  Also download the ITL and make sure the CAPF
> entry is there and matches the CAPF.pem from the publisher.
>
>
>
> Brian
>
>
>
> *From:* James Dust [mailto:james.dust at charles-stanley.co.uk<james.dust at charles-stanley.co.uk>]
>
> *Sent:* Thursday, November 07, 2013 11:43 AM
> *To:* Brian Meade (brmeade); Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> Hi Brian,
>
>
>
> The phone is a 9951 and interestingly enough I am getting the following
> messages, so It appears we have a CAPF problem.
>
>
>
> The service is running, I have just checked.
>
>
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
> *From:* Brian Meade (brmeade) [mailto:brmeade at cisco.com<brmeade at cisco.com>]
>
> *Sent:* 07 November 2013 16:34
> *To:* James Dust; Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> James,
>
>
>
> Way model phone is it?  Do you see anything in the console logs/status
> messages when you reset the phone after setting the Operation to
> Install/Upgrade?  The Operation should switch back to No Pending Operation
> if the install was successful so it looks like it is not successful.
>
>
>
> Brian
>
>
>
> *From:* James Dust [mailto:james.dust at charles-stanley.co.uk<james.dust at charles-stanley.co.uk>]
>
> *Sent:* Thursday, November 07, 2013 11:06 AM
> *To:* Heim, Dennis; Brian Meade (brmeade); cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> This is the CAPF information from the test phone,
>
>
>
> When I go onto the test phone and add the authorisation string, it accepts
> the string when I submit it but does not install anything onto the phone.
>
>
>
>
>
>
>
>
>
> *From:* Heim, Dennis [mailto:Dennis.Heim at wwt.com <Dennis.Heim at wwt.com>]
> *Sent:* 07 November 2013 15:43
> *To:* James Dust; Brian Meade (brmeade); cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> You will need to go to each phone you want to have the lsc and have it
> install/generate if you are using LSC. If you hit security menu on the
> phone and look, it should say the lsc is installed.
>
>
>
> *Dennis Heim | Solution Architect (Collaboration)*
>
> World Wide Technology, Inc. | 314-212-1814
>
>
>
> *PS Engineering: ** Innovate & Ignite.*
>
>
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net<cisco-voip-bounces at puck.nether.net>]
> *On Behalf Of *James Dust
> *Sent:* Thursday, November 07, 2013 10:41 AM
> *To:* Brian Meade (brmeade); cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] Phone VPN
>
>
>
> Thank you Brian,
>
>
>
> We believe we have done all of that so I will work back through the config.
>
>
>
>
>
> Kind Regards
>
>
>
> James Dust
> Technical Infrastructure Engineer
> Charles Stanley & Co Ltd
> Tel: 020 7149 6314
> Mob: 07989 491136
> mailto: james.dust at charles-stanley.co.uk
>
>
>
> *From:* Brian Meade (brmeade) [mailto:brmeade at cisco.com<brmeade at cisco.com>]
>
> *Sent:* 07 November 2013 15:11
> *To:* James Dust; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> James,
>
>
>
> The ASA certificate needs to be added as a Phone-VPN-Trust under OS
> Administration->Security->Certificate Management.  You then select that
> certificate under the VPN Gateway configuration in CUCM.  You then
> associate the VPN Group and VPN Profile to the Common Phone Profile and
> associate the Common Phone Profile to the phone.
>
>
>
> If you’re doing username/password authentication, that’s all you have to
> do.  The certificate for the ASA will be in the phone’s config file.  Just
> need to reset the phone on-site so it can download it.
>
>
>
> If you want to do MIC-based authentication, you need to add the
> Manufacturing CA Trust certificate from OS Administration to the ASA as a
> trustpoint.
>
>
>
> If you want to do LSC-based authentication, you need to add the
> Publisher’s CAPF.pem certificate as a trustpoint on the ASA and Install the
> LSC on the phone.
>
>
>
> Good IP Phone Anyconnect documentation-
> https://supportforums.cisco.com/docs/DOC-9124
>
>
>
> Brian
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net<cisco-voip-bounces at puck.nether.net>]
> *On Behalf Of *James Dust
> *Sent:* Thursday, November 07, 2013 9:24 AM
> *To:* cisco-voip at puck.nether.net
> *Subject:* [cisco-voip] Phone VPN
>
>
>
> Afternoon all,
>
>
>
> We are trying a proof of concept here for Cisco IP phone VPN and are
> stuck, as we don’t seem to be able to update the 9951 SIP phone we are
> using with the certificate needed to build the VPN tunnel.
>
>
>
> The phone has been added with a ‘common phone profile’ but we cannot see
> where the certificate has been installed (if at all)
>
>
>
> Versions are as so:
>
>
>
> Cucm: 8.6.2
>
> Asa ver 9.1(2)
>
> 9951 phone load: sip9951.9-3-4-24
>
>
>
> Can anyone shed any light on what the correct process is to update the
> phone?
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20131112/558cf783/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 23438 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20131112/558cf783/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 14426 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20131112/558cf783/attachment.png>