[cisco-voip] Latest Jabber Video for iPAD 9.3.4 and Anyconnect Split tunnel

Anthony Kouloglou akoul at dataways.gr
Mon Jan 13 03:52:15 EST 2014


Hi all,
I have a very strange behavior with my Jabber Video for iPad.
Setup:
- CUCM 9.1(X) and IM&P 9.1(X) with real IPs, firewalled behind an ASA.
- CUCM's domain is not resolvable via public DNS in order for on-demand
VPN to work -> works fine with iPhone.
- AnyConnect on iPad with certificate authentication on ASA running 9.0.6
-> works fine.
- Group policy with split include: the LAN where CUCM and IM&P exist. All
DNS requests are sent to a private DNS in the same LAN as CUCM and
IM&Presence.
*Case 1: iPad Video and Voice Calling cannot be registered*
At IM&P -> Application -> Legacy Client Config: TFTP is configured as an
FQDN (fully resolvable via the DNS obtained via group policy).
What I see is that:
Jabber as IM is registered via the AnyConnect tunnel,
then it queries the private DNS for the CUCM's FQDN,
it gets the IP that is split tunneled,
then it DOES NOT use the VPN tunnel but goes via the internet, gets NATed
by the local router and tries to connect with this IP to TCP 5060 of
the CUCM's IP it obtained, so it is blocked!

*Case 2: iPad Video and Voice Calling can be registered*
At IM&P -> Application -> Legacy Client Config: TFTP is configured as an IP.
What I see is that:
Jabber as IM is registered via the AnyConnect tunnel,
then it uses the IP of the CUCM that is split tunneled and
then it DOES use the VPN tunnel and it tries to connect to TCP 5060 of
the CUCM's IP with the source IP of the AnyConnect, and it succeeds!

Also, another way to make it work is to tunnel all traffic:
*unacceptable!*
I do not want to use an IP in the TFTP server field since when I do that, I
have no control over the on-demand VPN.
So, it is not the case in https://supportforums.cisco.com/thread/2177944
since I can make it work through the split tunnel when no DNS request is
involved.
But again, the DNS server replies with the IP that I use in the legacy
client config!


FYI, Jabber for iPhone running on the iPad does not have this issue! It uses
the split tunnel policy correctly.

Any thoughts are welcome!

BR
Anthony
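The post's two cases differ only in whether the TFTP address arrives as an FQDN (resolved by the private DNS over the tunnel) or as an IP literal, while the resolved address is the same and sits inside the split-include network either way. The script below is an added example, not the poster's code or anything from Cisco: it parses ASA-style standard ACL lines for a split-include policy, resolves a TFTP target against a constructed private-DNS answer table, and reports whether the client is expected to send the connection through the tunnel. Comparing that expectation against the observed source address (the AnyConnect-assigned IP versus a NATed local address) separates a policy problem from the client-side behavior described above. All hostnames, addresses and ACL names are hypothetical.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: ASA-style split-include ACL (hypothetical name and networks).
SPLIT_INCLUDE_ACL = """
access-list SPLIT-TUNNEL standard permit 10.10.20.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit host 10.10.30.5
"""

# Constructed sample: answers the private DNS (reached over the tunnel) would give.
PRIVATE_DNS: Dict[str, str] = {
    "cucm1.corp.example": "10.10.20.11",
    "imp1.corp.example": "10.10.20.12",
}

# Constructed sample: address assigned to the AnyConnect adapter for this session.
ANYCONNECT_ASSIGNED_IP = "10.99.0.7"


def parse_split_include(acl_text: str) -> List[ipaddress.IPv4Network]:
    """Turn 'access-list NAME standard permit ...' lines into IPv4 networks."""
    nets: List[ipaddress.IPv4Network] = []
    for raw in acl_text.splitlines():
        parts = raw.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[2] != "standard":
            continue
        if parts[3] != "permit":  # deny entries do not add tunneled routes
            continue
        if parts[4] in ("any", "any4"):
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif parts[4] == "host" and len(parts) == 6:
            nets.append(ipaddress.IPv4Network(f"{parts[5]}/32"))
        elif len(parts) == 6:
            # "network mask" form; strict=False tolerates host bits in the network field
            nets.append(ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}", strict=False))
    return nets


def resolve_target(target: str, dns: Dict[str, str]) -> Tuple[ipaddress.IPv4Address, bool]:
    """Return (address, used_dns). An IP literal needs no lookup, as in Case 2."""
    try:
        return ipaddress.IPv4Address(target), False
    except ValueError:
        answer = dns.get(target.lower())
        if answer is None:
            raise LookupError(f"{target} not resolvable via private DNS")
        return ipaddress.IPv4Address(answer), True


def expected_path(target: str, nets: List[ipaddress.IPv4Network],
                  dns: Dict[str, str]) -> Dict[str, object]:
    """Decide whether split-include policy should send traffic for target via the tunnel."""
    addr, used_dns = resolve_target(target, dns)
    in_split = any(addr in n for n in nets)
    return {
        "target": target,
        "resolved": str(addr),
        "via_dns": used_dns,
        "in_split_include": in_split,
        "expected_path": "tunnel" if in_split else "direct",
    }


def classify_observation(expected: Dict[str, object],
                         observed_src: str,
                         vpn_ip: str = ANYCONNECT_ASSIGNED_IP) -> str:
    """Compare the policy expectation with the source address actually seen on the wire."""
    via_tunnel = ipaddress.IPv4Address(observed_src) == ipaddress.IPv4Address(vpn_ip)
    if expected["expected_path"] == "tunnel" and not via_tunnel:
        return "client bypassed split-include route"  # Case 1 in the post
    if expected["expected_path"] == "direct" and via_tunnel:
        return "traffic tunneled although outside split-include"
    return "consistent with policy"


if __name__ == "__main__":
    nets = parse_split_include(SPLIT_INCLUDE_ACL)
    for target, observed in [("cucm1.corp.example", "192.168.1.23"),   # NATed home LAN source
                             ("10.10.20.11", ANYCONNECT_ASSIGNED_IP)]:  # source is the VPN address
        exp = expected_path(target, nets, PRIVATE_DNS)
        print(exp, "->", classify_observation(exp, observed))
```

Both targets resolve to the same address inside the split-include network, so the policy expectation is "tunnel" in both cases; only the observed source address differs, which is exactly the symptom reported for Case 1.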

