[cisco-voip] Phone proxy with ASA

Fred Hunt FHunt at erdman.com
Fri Oct 25 13:17:02 EDT 2013


Brian,
That was it!  I made a new policy-map and moved the sec_sccp class to it, rather than the global policy.  Then I made a new service-policy to apply that policy-map to the outside interface.  I overlooked that when reviewing the old config left by my former colleague.
Thanks so much for your assistance!
Fred
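For readers who land on this thread with the same symptom, here is the before/after layout of the ASA Modular Policy Framework config that the fix above amounts to. This is an added example, not config from the thread or from Cisco; the policy-map name voice_policy is taken from Brian's earlier reply, while the class-map match clause (TCP 2000, the default SCCP port) and the assumption that the rest of global_policy stays unchanged are mine. The mechanism behind the fix is a documented MPF rule: within one policy-map a packet is matched to only the first class that carries a given feature, and an interface service-policy takes precedence over the global policy for that feature. The thread does not spell this out, but it is the likely reason the phone-proxy inspection never saw the phone: inspection_default already has "inspect skinny" and comes first in global_policy, so "class sec_sccp" later in the same policy never matched. The same applies to sec_sip if SIP phones are expected to use the proxy.

```text
! --- Before: phone-proxy class buried in the global policy ---
! "inspect skinny" in inspection_default claims SCCP traffic first,
! so the later class sec_sccp is never evaluated for it.
policy-map global_policy
 class inspection_default
  inspect skinny
  inspect sip
  inspect tftp
 class sec_sccp
  inspect skinny phone-proxy asdm_phone-proxy
service-policy global_policy global

! --- After: phone-proxy inspection in its own policy on the outside interface ---
! Assumed match clause; the thread does not show the class-map definition.
class-map sec_sccp
 match port tcp eq 2000
!
policy-map voice_policy
 class sec_sccp
  inspect skinny phone-proxy asdm_phone-proxy
!
! Remove the class from the global policy so it is applied only once.
policy-map global_policy
 no class sec_sccp
!
! Interface policy wins over the global policy for the skinny feature.
service-policy voice_policy interface outside
service-policy global_policy global

! --- Verification ---
! Confirm where each policy is attached and that the phone-proxy
! inspection counters increase when a phone registers.
show running-config service-policy
show service-policy interface outside inspect skinny
show service-policy global inspect skinny
show phone-proxy secure-phones
```

If the interface counters for the phone-proxy class stay at zero while the global inspection_default counters climb, the traffic is still being claimed by the global policy and the interface policy is not attached to the interface the phones arrive on.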

From: Brian Meade (brmeade) [mailto:brmeade at cisco.com]
Sent: Friday, October 25, 2013 10:39 AM
To: Fred Hunt; cisco-voip at puck.nether.net
Subject: RE: Phone proxy with ASA

Fred,

It should look something like this to see where it is applied:
service-policy voice_policy interface outside
service-policy global_policy global

Brian

From: Fred Hunt [mailto:FHunt at erdman.com]
Sent: Friday, October 25, 2013 11:34 AM
To: Brian Meade (brmeade); cisco-voip at puck.nether.net
Subject: RE: Phone proxy with ASA

Brian,
It should be applying to everything.  Here's how it is applied:
class-map inspection_default
match default-inspection-traffic

Thanks,
Fred

From: Brian Meade (brmeade) [mailto:brmeade at cisco.com]
Sent: Friday, October 25, 2013 9:44 AM
To: Fred Hunt; cisco-voip at puck.nether.net
Subject: RE: Phone proxy with ASA

Fred,

How do you have these policy-maps applied?

Brian

From: Fred Hunt [mailto:FHunt at erdman.com]
Sent: Friday, October 25, 2013 10:40 AM
To: Brian Meade (brmeade); cisco-voip at puck.nether.net
Subject: RE: Phone proxy with ASA

Brian,
This is what we have set under global policy:
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect pptp
  inspect icmp
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect ip-options
 class IPS-class
  ips promiscuous fail-open sensor vs0
 class sec_sip
  inspect sip phone-proxy asdm_phone-proxy
 class sec_sccp
  inspect skinny phone-proxy asdm_phone-proxy
policy-map netflow_policy
 class netflow-export-class
  flow-export event-type all destination 192.168.88.148
 class class-default
  user-statistics accounting

Thanks,
Fred

From: Brian Meade (brmeade) [mailto:brmeade at cisco.com]
Sent: Thursday, October 24, 2013 4:49 PM
To: Fred Hunt; cisco-voip at puck.nether.net
Subject: RE: Phone proxy with ASA

Fred,

That probably means the policy-map isn't applied correctly to intercept the TFTP traffic.

Do you have inspect tftp under your global policy?

Thanks,
Brian

From: Fred Hunt [mailto:FHunt at erdman.com]
Sent: Thursday, October 24, 2013 5:37 PM
To: Brian Meade (brmeade); cisco-voip at puck.nether.net
Subject: RE: Phone proxy with ASA

Brian,
Thanks for the reply.

This isn't a mixed-mode cluster.

The CTL config has no shutdown entered:
ctl-file asdm_ctl_file
record-entry cucm-tftp trustpoint UCphoneproxy_trustpoint address XXX.XXX.XXX.XXX
no shutdown

I have the external address for TFTP that is configured in NAT entered as the address above.

Oddly, I don't see anything in the log regarding TFTP activity when I have phone-proxy tftp debugging enabled.  That doesn't make sense, considering I can pull a config file with a TFTP client on my computer.

Fred

From: Brian Meade (brmeade) [mailto:brmeade at cisco.com]
Sent: Thursday, October 24, 2013 4:27 PM
To: Fred Hunt; cisco-voip at puck.nether.net
Subject: RE: Phone proxy with ASA

Fred,

Is this on a mixed-mode cluster?

What's your CTL-file config look like on the ASA?  Did you make sure to do a "no shut"?

ctl-file asdm_CTL_File
record-entry capf trustpoint capf_trustpoint address 10.26.100.2
record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 10.26.100.2
no shutdown
!
Replace 10.26.100.2 with the external IP address you have the static NAT configured for.

Also, try running "debug phone-proxy tftp" on the ASA to see the CTL file request.

Thanks,
Brian

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Fred Hunt
Sent: Thursday, October 24, 2013 5:18 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Phone proxy with ASA

I'm trying to use the phone proxy feature on an ASA 5520 running 8.4(3).  We are running CUCM 7.1.3 and I'm trying this with a 7941 phone.  A colleague of mine who is no longer here claims to have set this up successfully, and I saw that it was mostly configured with the exception of the CTL not being enabled.  The documentation I've found on this isn't great, but I followed this: https://supportforums.cisco.com/docs/DOC-1364.  It appears that the phone is downloading the phone config file, but it just sits at "Registering" before it cycles and tries again.  These are the status messages that I see:
SEP001e4a0bcc00.cnf.xml
No CTL installed
File Not Found: CTLFile.tlv

I've enabled phone-proxy debugging and tls-proxy debugging and I don't see anything indicating an issue.  I've tried a CIPC phone and the result isn't any different.  I can successfully request a phone config file using a TFTP client on a computer.

Any ideas?
Thanks,
Fred Hunt