[cisco-voip] Cisco 8841 VPN phone issue

Brian Meade bmeade90 at vt.edu
Thu Sep 10 11:04:57 EDT 2015


You may need to disable the Host ID Check if your certificate's CN/SAN
doesn't match the VPN URL you're using.

On Wed, Sep 9, 2015 at 11:49 PM, Hank Keleher (AM) <
hank.keleher at dimensiondata.com> wrote:

> I do, yes.
>
> Thanks!
> Hank
>
>
>
> From: <bmeade90 at gmail.com> on behalf of Brian Meade
> Date: Wednesday, September 9, 2015 at 23:42
> To: "Hank.Keleher"
> Cc: Joe Martini, "cisco-voip at puck.nether.net"
>
> Subject: Re: [cisco-voip] Cisco 8841 VPN phone issue
>
> Do you have Host ID Check enabled on the VPN profile?
>
> On Wed, Sep 9, 2015 at 11:27 PM, Hank Keleher (AM) <
> hank.keleher at dimensiondata.com> wrote:
>
>> I did, yes.
>>
>> Thanks!
>> Hank
>>
>> On Sep 9, 2015, at 22:33, Brian Meade <bmeade90 at vt.edu> wrote:
>>
>>
>>
>> You don't need any certificates on the ASA from CUCM for
>> username/password to work.  Did you assign the certificate to the VPN
>> Gateway in CUCM after uploading it to CUCM?
>>
>> On Wed, Sep 9, 2015 at 9:17 PM, Hank Keleher (AM) <
>> hank.keleher at dimensiondata.com> wrote:
>>
>>> Joe, thanks for the recommendation. Here’s what we experienced:
>>>
>>> We set the TFTP address to the local server and restarted the phone. It
>>> sat on registering and never changed or prompted for login. We looked and
>>> noticed we could now tick on the box to enable VPN and that prompted for a
>>> username and password. When we logged in we received an error message
>>> indicating an invalid certificate.
>>>
>>> We uploaded the certificate from ASA to CUCM prior to configuring the
>>> phones. Since we’re using username and password we didn’t import any CUCM
>>> certs to the ASA. Do we still need to do that even if we aren’t using
>>> certificate authentication?
>>>
>>> Thanks!
>>> Hank
>>>
>>>
>>> From: Joe Martini
>>> Date: Wednesday, September 9, 2015 at 20:07
>>> To: "Hank.Keleher"
>>> Cc: "cisco-voip at puck.nether.net"
>>> Subject: Re: [cisco-voip] Cisco 8841 VPN phone issue
>>>
>>> The actual internal TFTP server address.  The phone will use it after
>>> the VPN connection is established to download its configuration file.
>>>
>>> Joe
>>>
>>> On Sep 9, 2015, at 8:02 PM, Hank Keleher (AM) <
>>> hank.keleher at dimensiondata.com> wrote:
>>>
>>> What should the TFTP address be set to for the remote VPN phone? The
>>> actual internal TFTP address or the VPN head end?
>>>
>>> Thanks!
>>> Hank
>>>
>>>
>>> From: Joe Martini
>>> Date: Wednesday, September 9, 2015 at 19:57
>>> To: "Hank.Keleher"
>>> Cc: "cisco-voip at puck.nether.net"
>>> Subject: Re: [cisco-voip] Cisco 8841 VPN phone issue
>>>
>>> The prompt you are seeing with Service Name, Username, and Password is
>>> for the Mobile and Remote Access (MRA) feature.  More information about
>>> this can be found here - https://tools.cisco.com/squish/92527f.  In
>>> order for the phone to start the VPN sign-in process instead of the MRA
>>> sign-in process you must have a TFTP set on the phone, either via DHCP or
>>> manually.
>>>
>>> Joe
>>>
>>> On Sep 9, 2015, at 7:10 PM, Hank Keleher (AM) <
>>> hank.keleher at dimensiondata.com> wrote:
>>>
>>> Greetings!
>>>
>>> I’ve set up a new server using 10.5.2 for VPN using 8841s and username
>>> and password (not certificate). I followed the details in the following
>>> features configuration guide for VPN client.
>>>
>>>
>>> http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cucm/admin/10_5_2/ccmfeat/CUCM_BK_C3A84B33_00_cucm-feature-configuration-guide_rel1052.pdf
>>>
>>> The phones were configured and registered on the local network so they
>>> got the VPN common phone profile information. When we try to use the phone
>>> at home it prompts to supply Service Name, Username and Password. What
>>> should the service name be? We searched for hours and didn’t see anything
>>> that related to a service name and we tried everything we could think of.
>>>
>>> I am able to VPN using username and password with the AnyConnect client
>>> to the URL for the VPN phones that was set up. It’s an ASA 5512 and the
>>> proper licenses are applied. I checked the feature report on CUCM and the
>>> 8841 is supported. Unfortunately I’m not able to access the web server on
>>> the phone (I’ve tried to no avail.)
>>>
>>> Any thoughts or ideas here?
>>>
>>> Thanks!
>>> Hank
>>>
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>
>>>
>>>
>>
>>
>>
>>
>
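
Before turning Host ID Check off, it can help to confirm the CN/SAN mismatch described at the top of this message. The following Python check is an added example, not part of the original thread and not Cisco's code: it compares the host in a VPN URL with a certificate's CN and SAN entries. The matching rules are common TLS hostname conventions and are an assumption about how the phone compares names; the certificate dict (in the shape returned by Python's `ssl.SSLSocket.getpeercert()`) and all host names are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "asa.example.com"),),),
    "subjectAltName": (("DNS", "asa.example.com"), ("IP Address", "203.0.113.10")),
}

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the entire left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard covers exactly one label: *.example.com matches vpn.example.com
        return h.count(".") == p.count(".") and h.split(".", 1)[1] == p[2:]
    return p == h

def host_id_check(vpn_url, cert):
    """Return (ok, detail) for the host part of vpn_url against the cert's CN/SAN."""
    url = vpn_url if "://" in vpn_url else "https://" + vpn_url
    host = urlsplit(url).hostname
    if not host:
        return False, "no host in VPN URL"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL needs an IP SAN (or a CN holding the same literal)
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"SAN IP {value}"
        if host in cns:
            return True, f"CN {host}"
    else:
        for kind, value in sans:
            if kind == "DNS" and _dns_match(value, host):
                return True, f"SAN DNS {value}"
        for cn in cns:
            if _dns_match(cn, host):
                return True, f"CN {cn}"
    return False, f"{host} not in CN {cns} or SAN {[v for _, v in sans]}"

if __name__ == "__main__":
    for url in ("https://vpn.example.com/phonevpn", "https://asa.example.com/phonevpn"):
        print(url, host_id_check(url, SAMPLE_CERT))
```

A `False` result for the URL configured on the VPN Gateway means the name on the certificate and the name in the URL differ; reissuing the certificate with the URL's host name in the SAN, or changing the URL to a name the certificate carries, removes the mismatch while leaving the check enabled.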