<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><blockquote type="cite"><blockquote type="cite"><br></blockquote><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div>-Ryan</div></span>
</div>
<br><div><div>On Mar 7, 2011, at 3:27 PM, Jared Mauch wrote:</div><br class="Apple-interchange-newline"><div><br>On Mar 7, 2011, at 2:56 PM, Ryan Ratliff wrote:<br><br><blockquote type="cite">One challenge you'll face is that the 40s and 60s were designed specifically for interoperability.  The later phones were not designed nor tested for the same interoperability that the earlier phones were and as such are not supported with 3rd party PBXs at all.<br></blockquote><br>Yes.  We have noticed :)<br><br>Still has not prevented us from using this excellent hardware with our 3rd party solutions, but also creates barriers when the XML parser rejects strictly valid XML, or, when it sees an unknown object from a newer/older firmware revision, stops parsing the config...<font class="Apple-style-span" color="#000000"><font class="Apple-style-span" color="#144FAE"><br></font></font></div></div></blockquote><div><br></div><div>There was a big effort around the load you are on now to get a lot stricter at parsing XML.  This of course broke lots of CUCM services that had been sending invalid XML forever but nobody noticed because the phones just took it.  You may have been bitten by this (objects that were past the max-length defined in the SDK were the biggest offender).</div><br><blockquote type="cite"><div><div><blockquote type="cite">To that end they don't support the same NAT features that the earlier phones did (coincidentally I didn't know those were there until you mentioned them, so thanks!) 
and I don't imagine they ever will unless interop with 3rd party PBXs is deemed a requirement by the PTB.<br></blockquote><br>Can you (or someone) share the VPN config bits so I can work on this solution while I'm waiting for the rest of my CCM bundle to ship?<font class="Apple-style-span" color="#000000"><font class="Apple-style-span" color="#144FAE"><br></font></font></div></div></blockquote><div><br></div>I think there's a few pretty good write-ups on CSC (<a href="http://supportforums.cisco.com">supportforums.cisco.com</a>) for this feature.  Unfortunately your testing will only go so far since part of the XML config file is a hash of the certificate used with the SSL VPN.  I don't believe the mechanism to replicate the hash is known (or at least I don't know it).<br><br><blockquote type="cite"><div><div>As a secondary question, when the phones do their TFTP for image upgrade, if the server is not on the local LAN, the TFTP is very slow.  Is there a good workaround for this for our home users, or will they be required to wait ~20-30 minutes to have upgraded firmware delivered?  (i.e., can we put this on an HTTP/FTP/HTTPS solution)?<br></div></div></blockquote><div><br></div><div>Newer phones are using TFTP over HTTP which has been supported by the TFTP server for some time.  It's only now being ported back to older devices and I'm not sure if it will make it to the TNP phones.</div><br><blockquote type="cite"><div><div><br>Also, are you aware if the NSSTG team fixed the SIP-ALG implementation that would break non-Cisco SIP traversal (e.g., Apple iChat A/V)?<br></div></div></blockquote><div><br></div><div>I'm a CUCM guy so not familiar with the issue you are referring to.  
Was there a TAC SR or bug associated with it?</div><br><blockquote type="cite"><div><div><br>- Jared<br><br><blockquote type="cite"><br></blockquote><blockquote type="cite">-Ryan<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">On Mar 7, 2011, at 1:27 PM, Jared Mauch wrote:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I've had good luck with it without NAT.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">- Jared<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">On Mar 7, 2011, at 12:41 PM, Peter Slow wrote:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">SIP on those phones is basically proprietary in the first place -<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Forgive my ignorance, but has there been any decent amount of success<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">getting newer phones to work with your 3rd party SIP solution<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">_without_ there being a VPN involved in the first place?<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">On Mon, Mar 7, 2011 at 12:21 PM, Jared Mauch <<a href="mailto:jared@puck.nether.net">jared@puck.nether.net</a>> wrote:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">The 7970, 7965, 7975 lack the natreceivedprocessing support that exists in the 7940/7960 firmware.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I can share some pcaps with you, but what happens is the 
phone does not see the replies from the SIP proxy, or does not associate them during the SIP register replies.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">- Jared<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">On Mar 7, 2011, at 12:19 PM, Ryan Ratliff wrote:<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I'm curious what makes you feel the phones are horrible at nat traversal.  Is there a particular behavior they do or are not doing that could improve behavior with NAT?<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">The built-in VPN for the phones is very much tied into the provisioning they get from CUCM.  
I don't believe you are going to get very far trying to do it without one, but I'm sure the community would be interested in seeing how you do.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">-Ryan<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">On Mar 7, 2011, at 10:16 AM, Jared Mauch wrote:<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I'm looking to use a 3rd party SIP solution and VPN system and wanted to try to make it work while we wait for our CM to ship.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">The java/cnu based phones are horrible at nat traversal and I want to run a PPTP or other vpn solution actually on the IP PBX so the phones can work around the broken nat.  
If someone from Cisco wants to contact me off-list (we have TAC support, so I can open a case as well) I'd be happy to work with you to help solve these defects.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I'm working with the 7965 and 7975 phones.  To have VPN support one needs to run the 9.X firmware.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">(Still waiting on my CM to ship -- send me ~30 phones and no CM and I'll make it work with our existing IP PBX :).<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">- Jared<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">On Mar 7, 2011, at 10:12 AM, Scott Voll wrote:<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">What version of ASA / CM are 
you using?<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I think this is only supported if you have at least ASA FOS 8.2 or 8.3 (I can't remember) AND CM 8.X<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">In the past, I have used an ASA 5505 with a Site to Site VPN and used the PoE ports to power the Phone.  Worked very well and with the cost of an ASA 5505 as low as it is..... 
It might be a good option.<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">YMMV<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Scott<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">On Fri, Mar 4, 2011 at 4:18 PM, Jared Mauch <<a href="mailto:jared@puck.nether.net">jared@puck.nether.net</a>> wrote:<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Can someone please send me a copy of your config file that is using the VPN for a home user?  
I'd like to compare these settings to what I am trying to do here.<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I would really appreciate it.  You can obfuscate any IP/Name/password configs you want.<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Bonus if you are using something like PPTP with a 7965 or 7975 and SIP.<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Much appreciated!<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">- Jared Mauch<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote 
type="cite">_______________________________________________<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">cisco-voip mailing list<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><br></div></div><br></blockquote></body></html>