[cisco-voip] Phone VPN

Chris Ward (chrward) chrward at cisco.com
Tue Nov 12 12:58:05 EST 2013


Maybe an ACL or firewall rule then... A SYN timeout simply means that there is no response to the SYN packet that is trying to start the session. And since the ASA is supposed to be responding here, it's blocking itself.

+Chris
TME - Unity Connection and MediaSense
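
An added example, mine rather than Chris's or anything from the list, that applies the reasoning above to ASA connection-teardown syslog lines. It parses the "Teardown TCP connection" message and separates a SYN Timeout where the destination is the ASA's own `identity` interface (the box never answered its own listener, so look at the ASA: an ACL or firewall rule, or no service enabled on that interface) from a SYN Timeout towards some other host (the far end never answered). The log lines are constructed for the example and use RFC 5737 documentation addresses in place of the redacted ones; the first line has the shape of the message James pasted.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log, standing in for the redacted line in the thread.
# Addresses are RFC 5737 documentation ranges, not real hosts. The first line
# mirrors James's message (connection 7982, identity:/443, bytes 0,
# SYN Timeout); the other lines are made up for contrast.
SAMPLE_LOG = """\
Nov 11 2013 16:30:18 %ASA-6-302014: Teardown TCP connection 7982 for outside:198.51.100.10/49580 to identity:203.0.113.5/443 duration 0:00:30 bytes 0 SYN Timeout
Nov 11 2013 16:31:02 %ASA-6-302014: Teardown TCP connection 7990 for inside:10.1.1.50/51234 to outside:198.51.100.20/443 duration 0:00:30 bytes 0 SYN Timeout
Nov 11 2013 16:32:40 %ASA-6-302014: Teardown TCP connection 7995 for outside:198.51.100.10/49590 to identity:203.0.113.5/443 duration 0:02:11 bytes 48312 TCP FINs
Nov 11 2013 16:33:00 %ASA-6-302013: Built inbound TCP connection 7999 for outside:198.51.100.10/49600 (198.51.100.10/49600) to identity:203.0.113.5/443 (203.0.113.5/443)
"""

# Field layout of the ASA TCP teardown message as it appears in the thread:
# "Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#  duration h:mm:ss bytes <n> <reason>"
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def parse_teardown(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an ASA TCP teardown message, or None for other lines."""
    m = TEARDOWN_RE.search(line)
    return m.groupdict() if m else None


def verdict(rec: Dict[str, str]) -> str:
    """Classify one teardown record.

    A SYN Timeout means the three-way handshake never completed: the SYN went
    out and nothing came back. When the destination interface is 'identity'
    the ASA itself is the server, so a SYN Timeout with zero bytes means the
    box never answered a connection to its own listener (443 here), which
    points at something on the ASA rather than the network in between.
    """
    if rec["reason"] != "SYN Timeout":
        return "other"
    if rec["dst_if"] == "identity" and rec["bytes"] == "0":
        return "asa-not-answering"
    return "peer-not-answering"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Parse every teardown line in a log and attach a verdict, in order."""
    out: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_teardown(line)
        if rec is None:
            continue
        rec["verdict"] = verdict(rec)
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"conn {r['conn']}: {r['src_if']}:{r['src']}/{r['sport']} -> "
              f"{r['dst_if']}:{r['dst']}/{r['dport']} bytes={r['bytes']} "
              f"{r['reason']!r} => {r['verdict']}")
```

Two caveats a practitioner would want: the `identity` interface only tells you the packet was destined to the ASA itself, not why it went unanswered, so the "asa-not-answering" verdict is a pointer to the ASA's own configuration (to-the-box ACLs, and whether `webvpn` is enabled on that interface, which is a check I add here and the thread does not mention), not a root cause; and the regex keys on the message text, so a syslog collector that rewrites or truncates the line will need the pattern adjusted.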

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of James Dust
Sent: Tuesday, November 12, 2013 12:56 PM
To: Erick Wellnitz
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Phone VPN

Hi Erick,

Yes I do have those installed.

Kind Regards

James

From: Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
Sent: 12 November 2013 15:56
To: James Dust
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Phone VPN

Do you have ip phone VPN licenses on the ASA?

On Mon, Nov 11, 2013 at 10:55 AM, James Dust <james.dust at charles-stanley.co.uk> wrote:
I have managed to get a little further and am now seeing inbound requests on my ASA from the 9951 trying to form a connection.

However the connection is immediately being torn down with the below error message:

6  Nov 11 2013  16:30:18  (external 9951 address)  49580  (external asa address)  443  Teardown TCP connection 7982 for outside:(external 9951 address)/49580 to identity:(external asa address)/443 duration 0:00:30 bytes 0 SYN Timeout


I have replaced IP addresses with descriptions and highlighted.



Kind Regards

James

From: James Dust
Sent: 08 November 2013 16:19
To: 'Chris Ward (chrward)'; Erick Wellnitz
Cc: cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] Phone VPN

Thanks for clarifying Chris, and yes I did get what you meant although I worded my response somewhat poorly.

I am planning on completely redoing the whole config as I don't seem to be getting anywhere troubleshooting this issue.

Thanks again for yours and everyone's help.

Kind Regards

James

From: Chris Ward (chrward) [mailto:chrward at cisco.com]
Sent: 08 November 2013 16:13
To: James Dust; Erick Wellnitz
Cc: cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] Phone VPN

James, just to make sure you understand, I am only referring to the "System-Server" configuration in the main CCMAdmin pages, nothing VPN or CAPF specific. Also, hostnames are fine, it just can't be the FQDN.

For example:
cucm1 = GOOD
10.1.1.110 = GOOD
cucm1.domain.com = BAD

+Chris
TME - Unity Connection and MediaSense

From: James Dust [mailto:james.dust at charles-stanley.co.uk]
Sent: Friday, November 08, 2013 10:50 AM
To: Chris Ward (chrward); Erick Wellnitz
Cc: cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] Phone VPN

Thanks Chris,

I am going to strip everything out and start again, so I will ensure I don't use hostnames, only IPs.

Kind Regards

James Dust
Technical Infrastructure Engineer
Charles Stanley & Co Ltd
Tel: 020 7149 6314
Mob: 07989 491136
mailto: james.dust at charles-stanley.co.uk

From: Chris Ward (chrward) [mailto:chrward at cisco.com]
Sent: 08 November 2013 15:47
To: Erick Wellnitz; James Dust
Cc: cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] Phone VPN

Another TME and I recently found an issue where if you define your servers (System - Servers in the menu) as FQDN, the CAPF cert won't populate. Are you perchance using FQDNs in the System - Server fields? If so, these would need to be changed to IPs or just hostnames.

+Chris
TME - Unity Connection and MediaSense

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Erick Wellnitz
Sent: Friday, November 08, 2013 10:34 AM
To: James Dust
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Phone VPN

Check your VPN Feature Configuration and VPN Profile.  Client Authentication Method should be Certificate if you aren't using manual login.  I also disabled Host ID Check.

What I have noticed is that if settings between the profile and the Feature configuration are not consistent you will see inconsistent results.

On Fri, Nov 8, 2013 at 4:15 AM, James Dust <james.dust at charles-stanley.co.uk> wrote:
Morning Erick,

Yes I have done what you suggested and it still hasn't worked.

Today I might strip all the config off and start again.

Kind Regards

James

From: Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
Sent: 07 November 2013 20:38
To: Brian Meade (brmeade)
Cc: James Dust; Heim, Dennis; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Phone VPN

Have you gone to settings -> administrator settings -> Security Setup -> LSC and selected update?  Also, check the ITL file under trust list to make sure the CAPF Server is listed.  The CAPF certificate also needs to be installed on the ASA.

If the CAPF Server is not listed, restart the CAPF service and it should appear.

On Thu, Nov 7, 2013 at 12:08 PM, Brian Meade (brmeade) <brmeade at cisco.com> wrote:
Check the Group URL you are using on the VPN Gateway configuration.  On the ASA, see which tunnel-group that URL is configured under and make sure it has "authentication certificate".

tunnel-group CertOnlyTunnelGroup webvpn-attributes
authentication certificate
group-url https://10.89.79.135/CertOnly enable
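
An added example (mine, not Brian's or anything from the list) that does the check Brian describes against a saved `show running-config`: it walks the `tunnel-group <name> webvpn-attributes` blocks, resolves the Group URL configured on the CUCM VPN Gateway to the tunnel-group that owns it, and reports whether that group uses `authentication certificate`. It also lists the interfaces on which the global `webvpn` block is enabled, since a gateway URL on an interface without `enable <if>` never answers. The config excerpt, group names and address are constructed placeholders; the CertOnlyTunnelGroup block copies the shape Brian quotes above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed ASA running-config excerpt (not James's ASA). Names and the
# address are placeholders; CertOnlyTunnelGroup copies the shape Brian quotes.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 anyconnect enable
!
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa
tunnel-group CertOnlyTunnelGroup type remote-access
tunnel-group CertOnlyTunnelGroup general-attributes
 default-group-policy PhoneVPN
tunnel-group CertOnlyTunnelGroup webvpn-attributes
 authentication certificate
 group-url https://203.0.113.5/CertOnly enable
tunnel-group UserPassGroup type remote-access
tunnel-group UserPassGroup webvpn-attributes
 authentication aaa
 group-url https://203.0.113.5/UserPass enable
"""

TG_WEBVPN_RE = re.compile(r"^tunnel-group (\S+) webvpn-attributes$")


def _blocks(config: str):
    """Yield (header, [sub-commands]) for each top-level command.

    ASA indents sub-commands of a mode with a single leading space, so a line
    with no leading whitespace starts a new block.
    """
    header: Optional[str] = None
    body: List[str] = []
    for raw in config.splitlines():
        if raw.startswith(" "):
            if header is not None:
                body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body


def parse_webvpn_tunnel_groups(config: str) -> Dict[str, Dict[str, object]]:
    """Map tunnel-group name -> {'authentication': str|None, 'group_urls': [...]}."""
    groups: Dict[str, Dict[str, object]] = {}
    for header, body in _blocks(config):
        m = TG_WEBVPN_RE.match(header)
        if not m:
            continue
        g = groups.setdefault(m.group(1), {"authentication": None, "group_urls": []})
        for cmd in body:
            parts = cmd.split()
            if parts[0] == "authentication":
                g["authentication"] = " ".join(parts[1:])
            elif parts[0] == "group-url" and parts[-1] == "enable":
                g["group_urls"].append(parts[1])  # type: ignore[union-attr]
    return groups


def webvpn_enabled_interfaces(config: str) -> List[str]:
    """Interfaces listed as 'enable <if>' under the global 'webvpn' block."""
    for header, body in _blocks(config):
        if header == "webvpn":
            return [c.split()[1] for c in body if c.startswith("enable ")]
    return []


def check_phone_vpn_url(config: str, gateway_url: str) -> Tuple[str, Optional[str]]:
    """Resolve the CUCM VPN Gateway URL to its tunnel-group and report whether
    that group authenticates by certificate, which is what a phone doing
    MIC- or LSC-based authentication needs.
    """
    groups = parse_webvpn_tunnel_groups(config)
    for name, g in groups.items():
        if gateway_url in g["group_urls"]:  # type: ignore[operator]
            if g["authentication"] == "certificate":
                return "ok-certificate", name
            # 'aaa' here means the phone is asked for a username and password
            return "needs-authentication-certificate", name
    return "no-tunnel-group", None


if __name__ == "__main__":
    print("webvpn enabled on:", webvpn_enabled_interfaces(SAMPLE_CONFIG))
    for url in ("https://203.0.113.5/CertOnly", "https://203.0.113.5/UserPass"):
        print(url, "->", check_phone_vpn_url(SAMPLE_CONFIG, url))
```

The URL match is exact, so compare against the Group URL string exactly as entered in the CUCM VPN Gateway page; a trailing slash or a different host form (IP vs. name) is a different `group-url` on the ASA.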

From: James Dust [mailto:james.dust at charles-stanley.co.uk]
Sent: Thursday, November 07, 2013 12:59 PM
To: Brian Meade (brmeade); Heim, Dennis; cisco-voip at puck.nether.net
Subject: RE: Phone VPN

Hi Brian,

I have completely reset the phone and left it plugged into the LAN to register for some time.

Now when I plug the phone back into the external connection and connect the VPN setting, a username and password box presents itself.

Where is this referencing?

Kind Regards

James

From: Brian Meade (brmeade) [mailto:brmeade at cisco.com]
Sent: 07 November 2013 16:53
To: James Dust; Heim, Dennis; cisco-voip at puck.nether.net
Subject: RE: Phone VPN

James,

Try downloading the phone's config file: http://x.x.x.x:6970/SEP3CCE73AD2EE2.cnf.xml and look for the CAPF entry to make sure it is there.  Also download the ITL and make sure the CAPF entry is there and matches the CAPF.pem from the publisher.

Brian

From: James Dust [mailto:james.dust at charles-stanley.co.uk]
Sent: Thursday, November 07, 2013 11:43 AM
To: Brian Meade (brmeade); Heim, Dennis; cisco-voip at puck.nether.net
Subject: RE: Phone VPN

Hi Brian,

The phone is a 9951 and interestingly enough I am getting the following messages, so it appears we have a CAPF problem.

The service is running, I have just checked.

[inline image: image001.jpg]

Kind Regards

James

From: Brian Meade (brmeade) [mailto:brmeade at cisco.com]
Sent: 07 November 2013 16:34
To: James Dust; Heim, Dennis; cisco-voip at puck.nether.net
Subject: RE: Phone VPN

James,

What model phone is it?  Do you see anything in the console logs/status messages when you reset the phone after setting the Operation to Install/Upgrade?  The Operation should switch back to No Pending Operation if the install was successful so it looks like it is not successful.

Brian

From: James Dust [mailto:james.dust at charles-stanley.co.uk]
Sent: Thursday, November 07, 2013 11:06 AM
To: Heim, Dennis; Brian Meade (brmeade); cisco-voip at puck.nether.net
Subject: RE: Phone VPN

This is the CAPF information from the test phone,

When I go onto the test phone and add the authorisation string, it accepts the string when I submit it but does not install anything onto the phone.


[inline image: image002.png]


From: Heim, Dennis [mailto:Dennis.Heim at wwt.com]
Sent: 07 November 2013 15:43
To: James Dust; Brian Meade (brmeade); cisco-voip at puck.nether.net
Subject: RE: Phone VPN

You will need to go to each phone you want to have the lsc and have it install/generate if you are using LSC. If you hit security menu on the phone and look, it should say the lsc is installed.

Dennis Heim | Solution Architect (Collaboration)
World Wide Technology, Inc. | 314-212-1814

PS Engineering:  Innovate & Ignite.


From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of James Dust
Sent: Thursday, November 07, 2013 10:41 AM
To: Brian Meade (brmeade); cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Phone VPN

Thank you Brian,

We believe we have done all of that so I will work back through the config.


Kind Regards

James Dust
Technical Infrastructure Engineer
Charles Stanley & Co Ltd
Tel: 020 7149 6314
Mob: 07989 491136
mailto: james.dust at charles-stanley.co.uk

From: Brian Meade (brmeade) [mailto:brmeade at cisco.com]
Sent: 07 November 2013 15:11
To: James Dust; cisco-voip at puck.nether.net
Subject: RE: Phone VPN

James,

The ASA certificate needs to be added as a Phone-VPN-Trust under OS Administration->Security->Certificate Management.  You then select that certificate under the VPN Gateway configuration in CUCM.  You then associate the VPN Group and VPN Profile to the Common Phone Profile and associate the Common Phone Profile to the phone.

If you're doing username/password authentication, that's all you have to do.  The certificate for the ASA will be in the phone's config file.  Just need to reset the phone on-site so it can download it.

If you want to do MIC-based authentication, you need to add the Manufacturing CA Trust certificate from OS Administration to the ASA as a trustpoint.

If you want to do LSC-based authentication, you need to add the Publisher's CAPF.pem certificate as a trustpoint on the ASA and Install the LSC on the phone.

Good IP Phone Anyconnect documentation- https://supportforums.cisco.com/docs/DOC-9124

Brian
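
An added example (mine, not Brian's or the list's) covering two of Brian's messages in this thread: the one above, which says the ASA certificate lands in the phone's config file once the VPN Gateway, VPN Group and Common Phone Profile are wired up, and his earlier advice to download `SEP<MAC>.cnf.xml` from the TFTP server and look for the CAPF entry. It also applies Chris's finding that a CAPF server defined as an FQDN does not work. The checker reads the config file as a string and reports what a practitioner would look for: whether a CAPF entry exists and how its server is named (IP, bare hostname or FQDN), whether a `vpnGroup` is present with at least one gateway URL and at least one certificate hash, and the Host ID Check setting. The element names (`capfList`/`capf`/`processNodeName`, `vpnGroup`/`addresses`/`urlN`, `credentials`/`certHashN`, `enableHostIDCheck`) are what I expect in a CUCM 8.x phone config file and are an assumption here, not something the thread shows; both sample files are constructed, with placeholder addresses and hash.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed phone config files. Element names are an assumption about the
# CUCM 8.x SEP<MAC>.cnf.xml layout; hash and addresses are placeholders.
BAD_CNF = """<?xml version="1.0" encoding="UTF-8"?>
<device>
  <capfList>
    <capf>
      <phonePort>3804</phonePort>
      <processNodeName>cucm1.domain.com</processNodeName>
    </capf>
  </capfList>
  <vpnGroup>
    <enableHostIDCheck>1</enableHostIDCheck>
    <addresses>
      <url1>https://203.0.113.5/CertOnly</url1>
    </addresses>
    <credentials>
      <hashAlg>0</hashAlg>
    </credentials>
  </vpnGroup>
</device>
"""

GOOD_CNF = """<?xml version="1.0" encoding="UTF-8"?>
<device>
  <capfList>
    <capf>
      <phonePort>3804</phonePort>
      <processNodeName>10.1.1.110</processNodeName>
    </capf>
  </capfList>
  <vpnGroup>
    <enableHostIDCheck>0</enableHostIDCheck>
    <addresses>
      <url1>https://203.0.113.5/CertOnly</url1>
    </addresses>
    <credentials>
      <hashAlg>0</hashAlg>
      <certHash1>QUFBQUFBQUFBQUFBQUFBQUFBQUE=</certHash1>
    </credentials>
  </vpnGroup>
</device>
"""


def name_form(name: str) -> str:
    """'ip' for a literal address, 'hostname' for a bare label, 'fqdn' if dotted."""
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        return "fqdn" if "." in name else "hostname"


def check_cnf(xml_text: str) -> Dict[str, object]:
    """Inspect a phone config file for the CAPF and VPN pieces the phone needs."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    report: Dict[str, object] = {
        "capf_nodes": [], "vpn_urls": [], "vpn_cert_hashes": 0,
        "host_id_check": None, "findings": findings,
    }

    # CAPF: the phone enrolls its LSC against processNodeName on phonePort.
    capf_nodes: List[str] = []
    for capf in root.iter("capf"):
        node = (capf.findtext("processNodeName") or "").strip()
        capf_nodes.append(node)
        if name_form(node) == "fqdn":
            findings.append(f"CAPF server '{node}' is an FQDN; use an IP or bare hostname")
    report["capf_nodes"] = capf_nodes
    if not capf_nodes:
        findings.append("no CAPF entry: the phone has nowhere to enroll an LSC")

    # VPN: gateway URL(s) plus the hash of the ASA certificate the phone will pin.
    vpn = root.find("vpnGroup")
    if vpn is None:
        findings.append("no vpnGroup: VPN Group/Profile are not applied to this phone")
        return report
    addresses = vpn.find("addresses")
    if addresses is not None:
        report["vpn_urls"] = [e.text.strip() for e in addresses
                              if e.tag.startswith("url") and e.text]
    if not report["vpn_urls"]:
        findings.append("vpnGroup has no gateway URL")
    creds = vpn.find("credentials")
    if creds is not None:
        report["vpn_cert_hashes"] = sum(
            1 for e in creds if e.tag.startswith("certHash") and (e.text or "").strip())
    if report["vpn_cert_hashes"] == 0:
        findings.append("no ASA certificate hash in vpnGroup: check the Phone-VPN-Trust "
                        "upload and the certificate selected on the VPN Gateway")
    report["host_id_check"] = (vpn.findtext("enableHostIDCheck") or "").strip() or None
    return report


if __name__ == "__main__":
    for label, text in (("bad", BAD_CNF), ("good", GOOD_CNF)):
        print(label, check_cnf(text))
```

To run it against a real phone, fetch the file from the address Brian gives (`http://<tftp-server>:6970/SEP<MAC>.cnf.xml`) and pass its contents to `check_cnf`. A config file that passes every check still only proves CUCM published the right pieces; the phone must be reset on site, as Brian says, to download it.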

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of James Dust
Sent: Thursday, November 07, 2013 9:24 AM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Phone VPN

Afternoon all,

We are trying a proof of concept here for Cisco IP phone VPN and are stuck, as we don't seem to be able to update the 9951 SIP phone we are using with the certificate needed to build the VPN tunnel.

The phone has been added with a 'common phone profile' but we cannot see where the certificate has been installed (if at all).

Versions are as so:

CUCM: 8.6.2
ASA: 9.1(2)
9951 phone load: sip9951.9-3-4-24

Can anyone shed any light on what the correct process is to update the phone?

Kind Regards

James


Consider the environment - Think before you print

The contents of this email are confidential to the intended recipient and may not be disclosed. Although it is believed that this email and any attachments are virus free, it is the responsibility of the recipient to confirm this.

You are advised that urgent, time-sensitive communications should not be sent by email. We hereby give you notice that a delivery receipt does not constitute acknowledgement or receipt by the intended recipient(s).

Details of Charles Stanley group companies and their regulators (where applicable), can be found at this URL http://www.charles-stanley.co.uk/contact-us/disclosure/


_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip


-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 23438 bytes
Desc: image001.jpg
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20131112/67d33ebb/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 14426 bytes
Desc: image002.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20131112/67d33ebb/attachment.png>

