[cisco-voip] Latest Jabber Video for iPAD 9.3.4 and Anyconnect Split tunnel
Anthony Kouloglou
akoul at dataways.gr
Mon Jan 13 03:52:15 EST 2014
Hi all,
I have a very strange behavior on my Jabber Video for iPad.
Setup:
- CUCM 9.1(X) and IM&P 9.1(X) with real IPs, firewalled behind an ASA.
- CUCM's domain is not resolvable via public DNS, in order for on-demand
VPN to work -> works fine with iPhone
- AnyConnect on iPad with certificate authentication on ASA running 9.0.6
-> works fine
- Group Policy with split include: the LAN where CUCM and IM&P exist. ALL
DNS requests are sent to a private DNS in the same LAN as CUCM and
IM&Presence
*Case 1: iPad Video and Voice Calling cannot be registered*
At IM&P->Application->Legacy Client config: _TFTP is configured as
FQDN (fully resolvable via DNS obtained via Group Policy)_
What I see is that:
Jabber as IM is registered via the AnyConnect tunnel,
then it queries the private DNS for CUCM's FQDN,
it gets the IP that is split tunneled,
then it _DOES NOT_ use the VPN tunnel; instead, via the internet, it gets NATed
by the local router and tries to connect with this IP to TCP 5060 of
the CUCM's IP obtained, so it is blocked!
*Case 2: iPad Video and Voice Calling can be registered*
At IM&P->Application->Legacy Client config: _TFTP is configured as IP_
What I see is that:
Jabber as IM is registered via the AnyConnect tunnel,
then it uses the IP of the CUCM that is split tunneled, and
then it DOES use the VPN tunnel and it tries to connect to TCP 5060 of
the CUCM's IP with the source IP of the AnyConnect, and it succeeds!
Also, another way to make it work is to tunnel all traffic:
_*unacceptable!*_
I do not want to use an IP in the TFTP server field, since when I do that, I
have no control over the on-demand VPN.
So, it is not that case https://supportforums.cisco.com/thread/2177944
since I can make it work through split tunnel when no DNS request is
involved.
But again, the DNS server replies with the IP that I use in the legacy
client config!
FYI, Jabber for iPhone running on iPad does not have this issue! It uses
the split tunnel policy correctly.
Any thoughts are welcome!
BR
Anthony