[cisco-voip] cisco phone-vpn cert expiration

Thu Jan 30 16:56:58 EST 2014

We aren't terribly worried because there are only about 7 of these phones
out there.  We'll let them have their temper tantrum and then they'll bring
their phones back.

We've had really bad luck with these phone vpn setups.

On Thu, Jan 30, 2014 at 3:07 PM, Brian Meade (brmeade) <brmeade at cisco.com>wrote:

>  What you could do to resolve the phones without bringing them in would
> be to temporarily set up a NAT with a static IP for one of your TFTP
> servers just for TFTP traffic and use the Alternate TFTP settings on the
> phones so they can pull the new config files with the new certificate in
> them.  But it may be a little risky opening up the TFTP service on one node
> to the outside world temporarily.
>
>
>
> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
> *Sent:* Thursday, January 30, 2014 3:51 PM
> *To:* Brian Meade (brmeade)
> *Cc:* cisco-voip
> *Subject:* Re: [cisco-voip] cisco phone-vpn cert expiration
>
>
>
> The old one was expired.  That might make the difference.
>
>
>
>
>
>
>
> On Thu, Jan 30, 2014 at 2:40 PM, Brian Meade (brmeade) <brmeade at cisco.com>
> wrote:
>
> Erick,
>
>
>
> It shouldn't have replaced the other VPN-trust in certificate management.
>   I've done this scenario successfully with many customers.  I'll try this
> in the lab.  It may be due to the same Common Name on the certificate but
> usually it will just rename the new one to like commonname-1.pem.
>
>
>
> Thanks,
>
> Brian
>
>
>
> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
> *Sent:* Thursday, January 30, 2014 3:24 PM
> *To:* Brian Meade (brmeade)
> *Cc:* cisco-voip
> *Subject:* Re: [cisco-voip] cisco phone-vpn cert expiration
>
>
>
> This dd not work as described.
>
>
>
> The new cert took the place of the old one in certificate management now
> if a VPN phone reboots for any reason they cannot reconnect.
>
>
>
> On Tue, Jan 28, 2014 at 9:27 AM, Brian Meade (brmeade) <brmeade at cisco.com>
> wrote:
>
> Erick,
>
>
>
> You can add a 2nd cert to the VPN Gateway configuration after you add it
> as a VPN-Trust.
>
>
>
> So what you want to do is create a new trustpoint on the ASA with the new
> certificate, upload that to CUCM as a phone-vpn-trust, and then add it as a
> 2nd cert to the VPN Gateway.
>
>
>
> You'll then want to make sure all the VPN phones get reset so they get the
> new certificate as well.
>
>
>
> After all the VPN phones have both certificates, you can then change SSL
> on the ASA to bind to the other trustpoint and start using the new
> certificate.
>
>
>
> If you follow that method, you want have to bring any of the VPN phones
> back in as long as they're connected.  The main problem with this method is
> some people have VPN phones that they rarely connect so you'll need to make
> sure everyone connects their phones to get the new certificate before you
> make the change on the ASA.
>
>
>
> Brian
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf
> Of *Erick Wellnitz
> *Sent:* Tuesday, January 28, 2014 10:20 AM
> *To:* cisco-voip
> *Subject:* [cisco-voip] cisco phone-vpn cert expiration
>
>
>
> I have a situation I'm sure isn't unique.
>
>
>
> What happens when I upload a new phone-vpn cert to the CUCM to replace an
> expired/expiring one?
>
>
>
> Are vpn phones going to freak out and stop authenticating to the VPN or
> should everything be smooth sailing?
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20140130/229afdd5/attachment.html>