[cisco-voip] Cisco 8841 VPN phone issue

Hank Keleher (AM) hank.keleher at dimensiondata.com
Fri Sep 11 13:59:22 EDT 2015

I just wanted to follow-up with everyone on this particular issue and thank those who helped, especially Brian Meade!

The initial problem was the bug as mentioned below. Once we manually set the TFTP and recycled the phone we could enable VPN and log in. However, there was an issue with the certificate that was issued: it was missing fields such as CN and FQDN, so we needed to uncheck the “Enable Host ID Check” under the VPN Profile config. The ssl trust-point config was also set to the wrong interface, and after updating that we were able to get the phones to VPN (after registering on the local network).

However, this broke AnyConnect, so now users couldn’t log in due to the cert missing information the AnyConnect client required. We ended up reissuing a new cert with the fields required, uploaded it to CUCM, added it to the VPN Gateway and reset the phone. After it was up we then changed the trust-point on the ASA to the new cert, and now the phones and AnyConnect work.

Fun times!


From: "Ryan Ratliff (rratliff)"
Date: Thursday, September 10, 2015 at 13:35
To: "Hank.Keleher"
Cc: cisco-voip voyp list, "Joe Martini (joemar2)"
Subject: Re: [cisco-voip] Cisco 8841 VPN phone issue

For those following along at home CSCuv49148 is no longer an enhancement.  Hopefully we’ll see a fix in the next release.


On Sep 10, 2015, at 12:03 PM, Joe Martini (joemar2) <joemar2 at cisco.com> wrote:

CSCuv49148 is for the phone firmware to allow the VPN to start up if the VPN feature is configured without requiring a TFTP to be set on the phone.


On Sep 10, 2015, at 11:47 AM, Ryan Ratliff (rratliff) <rratliff at cisco.com> wrote:

Any updates made to the configuration of the phone in CUCM require that the phone be brought inside the network for them to pick up the changes.

The 8841 should know that it has VPN configured and not switch to MRA mode when it boots on the home network that doesn’t have TFTP configured. You can hard-code the TFTP on the phone by enabling alt-tftp, but that should not be required.

If it works as expected with cert-based VPN but not username/password, then this is likely a phone bug. Please open a TAC SR so it can be investigated further.


On Sep 10, 2015, at 11:06 AM, Hank Keleher (AM) <hank.keleher at dimensiondata.com> wrote:

Would that require the phones to be re-registered on the local network before being used? I’ll uncheck the box; it’s possible it doesn’t match, but I’m not 100% sure.


From: <bmeade90 at gmail.com> on behalf of Brian Meade
Date: Thursday, September 10, 2015 at 11:04
To: "Hank.Keleher"
Cc: Joe Martini, "cisco-voip at puck.nether.net"
Subject: Re: [cisco-voip] Cisco 8841 VPN phone issue

You may need to disable the Host ID Check if your certificate's CN/SAN doesn't match the VPN URL you're using.

On Wed, Sep 9, 2015 at 11:49 PM, Hank Keleher (AM) <hank.keleher at dimensiondata.com> wrote:
I do, yes.


From: <bmeade90 at gmail.com> on behalf of Brian Meade
Date: Wednesday, September 9, 2015 at 23:42
To: "Hank.Keleher"
Cc: Joe Martini, "cisco-voip at puck.nether.net"
Subject: Re: [cisco-voip] Cisco 8841 VPN phone issue

Do you have Host ID Check enabled on the VPN profile?

On Wed, Sep 9, 2015 at 11:27 PM, Hank Keleher (AM) <hank.keleher at dimensiondata.com> wrote:
I did, yes.


On Sep 9, 2015, at 22:33, Brian Meade <bmeade90 at vt.edu> wrote:

You don't need any certificates on the ASA from CUCM for username/password to work. Did you assign the certificate to the VPN Gateway in CUCM after uploading it to CUCM?

On Wed, Sep 9, 2015 at 9:17 PM, Hank Keleher (AM) <hank.keleher at dimensiondata.com> wrote:
Joe, thanks for the recommendation. Here’s what we experienced:

We set the TFTP address to the local server and restarted the phone. It sat on registering and never changed or prompted for login. We looked and noticed we could now tick on the box to enable VPN and that prompted for a username and password. When we logged in we received an error message indicating an invalid certificate.

We uploaded the certificate from the ASA to CUCM prior to configuring the phones. Since we’re using username and password we didn’t import any CUCM certs to the ASA; do we still need to do that even if we aren’t using certificate authentication?


From: Joe Martini
Date: Wednesday, September 9, 2015 at 20:07
To: "Hank.Keleher"
Cc: "cisco-voip at puck.nether.net"
Subject: Re: [cisco-voip] Cisco 8841 VPN phone issue

The actual internal TFTP server address. The phone will use it after the VPN connection is established to download its configuration file.


On Sep 9, 2015, at 8:02 PM, Hank Keleher (AM) <hank.keleher at dimensiondata.com> wrote:

What should the TFTP address be set to for the remote VPN phone? The actual internal TFTP address or the VPN head end?


From: Joe Martini
Date: Wednesday, September 9, 2015 at 19:57
To: "Hank.Keleher"
Cc: "cisco-voip at puck.nether.net"
Subject: Re: [cisco-voip] Cisco 8841 VPN phone issue

The prompt you are seeing with Service Name, Username, and Password is for the Mobile and Remote Access (MRA) feature. More information about this can be found here - https://tools.cisco.com/squish/92527f. In order for the phone to start the VPN sign-in process instead of the MRA sign-in process you must have a TFTP set on the phone, either via DHCP or manually.


On Sep 9, 2015, at 7:10 PM, Hank Keleher (AM) <hank.keleher at dimensiondata.com> wrote:

I’ve set up a new server using 10.5.2 for VPN using 8841s and username and password (not certificate). I followed the details in the following features configuration guide for VPN client.


The phones were configured and registered on the local network, so they got the VPN common phone profile information. When we try to use the phone at home it prompts to supply Service Name, Username and Password. What should the service name be? We searched for hours and didn’t see anything that related to a service name, and we tried everything we could think of.

I am able to VPN using username and password with the AnyConnect client to the URL for the VPN phones that was set up. It’s an ASA 5512 and the proper licenses are applied. I checked the feature report on CUCM and the 8841 is supported. Unfortunately I’m not able to access the web server on the phone (I’ve tried to no avail).

Any thoughts or ideas here?


cisco-voip mailing list
cisco-voip at puck.nether.net

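Editor's note on the "Enable Host ID Check" workaround used in this thread. That setting is the phone's server-name check on the VPN gateway's TLS certificate: the host in the VPN URL has to appear in the certificate's subjectAltName (or, for a certificate with no SAN at all, in its subject CN). A certificate issued without CN or SAN can never pass it, which is why unticking the box got the phones connecting, and why the same certificate then broke AnyConnect, whose client performs the same kind of check. With the box unticked the phone still has to trust the gateway certificate that was uploaded to CUCM and assigned to the VPN Gateway, but it no longer confirms that the certificate actually names the host it was told to connect to. The script below is an added example, not Cisco code and not from anyone in this thread: it implements that matching logic over a certificate in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), so a live certificate pulled from the ASA's outside interface can be dropped in. The certificates, the host names and the VPN URL in it are constructed for illustration.

```python
"""Host ID Check: does the VPN gateway certificate identify the host in
the phone's VPN URL?

Added example, not Cisco code.  Certificates use the dict shape returned
by ssl.SSLSocket.getpeercert(); the ones below are constructed and the
names in them are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit


def _hostname_from_url(vpn_url: str) -> str:
    """Host part of the VPN gateway URL, lower-cased, port stripped."""
    parts = urlsplit(vpn_url if "://" in vpn_url else "https://" + vpn_url)
    if not parts.hostname:
        raise ValueError(f"no host in VPN URL: {vpn_url!r}")
    return parts.hostname.lower().rstrip(".")


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: exact, or a single leftmost '*' label
    standing for exactly one label (*.example.com matches vpn.example.com
    but neither example.com nor a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False            # wildcard only as the whole leftmost label
    if len(p_labels) < 3:
        return False            # refuse "*.com"-style wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def host_id_check(cert: dict, vpn_url: str) -> tuple:
    """Return (ok, reason).  SAN wins when present; the subject CN is only
    consulted for a certificate that carries no SAN at all."""
    host = _hostname_from_url(vpn_url)
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)   # URL host is an IP literal?
    except ValueError:
        ip = None
    if ip is not None:                    # then only iPAddress SANs count
        for kind, value in sans:
            try:
                if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                    return True, f"IP SAN {value} matches"
            except ValueError:
                continue                  # malformed SAN entry, ignore
        return False, f"no IP SAN for {host}"
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        for name in dns_names:
            if _dns_match(name, host):
                return True, f"SAN dNSName {name!r} matches {host!r}"
        return False, f"SAN present but none of {dns_names} matches {host!r}"
    # No SAN at all: legacy fallback to the subject commonName.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not cns:
        return False, "certificate has neither SAN nor a subject CN"
    for cn in cns:
        if _dns_match(cn, host):
            return True, f"subject CN {cn!r} matches {host!r} (no SAN present)"
    return False, f"subject CN {cns} does not match {host!r}"


def gateway_accepted(cert: dict, vpn_url: str, host_id_check_enabled: bool = True) -> bool:
    """What unticking 'Enable Host ID Check' does: the name comparison is
    skipped entirely, so any trusted certificate is accepted for any URL."""
    return host_id_check(cert, vpn_url)[0] if host_id_check_enabled else True


# Constructed certificates and URL (assumed names), getpeercert() shape.
VPN_URL = "https://vpn.example.com/phone"
BROKEN_CERT = {"subject": ((("organizationName", "Example Corp"),),)}   # no CN, no SAN
FIXED_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
}
MISMATCH_CERT = {                       # trusted but issued for another host
    "subject": ((("commonName", "asa-inside.example.com"),),),
    "subjectAltName": (("DNS", "asa-inside.example.com"),),
}

if __name__ == "__main__":
    for label, cert in (("broken", BROKEN_CERT), ("fixed", FIXED_CERT), ("mismatch", MISMATCH_CERT)):
        ok, why = host_id_check(cert, VPN_URL)
        print(f"{label:8s} {'PASS' if ok else 'FAIL'}: {why}")
    print("mismatch with Host ID Check disabled:", gateway_accepted(MISMATCH_CERT, VPN_URL, False))
```

To run it against the real gateway, open a TLS connection to the VPN URL host with ssl.create_default_context(), call getpeercert() on the socket and pass the result in place of the constructed dicts; the certificate you get back is the one bound to the ASA's outside interface with ssl trust-point, which is also the one that must be uploaded to CUCM and assigned to the VPN Gateway. If the script fails the broken certificate and passes the reissued one, the fix in this thread (reissue with CN and SAN, then re-enable the check) is the right one, and the check can stay on.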
