<div dir="ltr">You may need to disable the Host ID Check if your certificate's CN/SAN doesn't match the VPN URL you're using.</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 9, 2015 at 11:49 PM, Hank Keleher (AM) <span dir="ltr"><<a href="mailto:hank.keleher@dimensiondata.com" target="_blank">hank.keleher@dimensiondata.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:13px;font-family:Arial,sans-serif">
<div>
<div>I do, yes.</div>
<div><br>
</div>
<div>Thanks!</div>
<div>Hank</div>
</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:12pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span><<a href="mailto:bmeade90@gmail.com" target="_blank">bmeade90@gmail.com</a>> on behalf of Brian Meade<br>
<span style="font-weight:bold">Date: </span>Wednesday, September 9, 2015 at 23:42<br>
<span style="font-weight:bold">To: </span>"Hank.Keleher"<br>
<span style="font-weight:bold">Cc: </span>Joe Martini, "<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>"<div><div class="h5"><br>
<span style="font-weight:bold">Subject: </span>Re: [cisco-voip] Cisco 8841 VPN phone issue<br>
</div></div></div><div><div class="h5">
<div><br>
</div>
<div>
<div>
<div dir="ltr">Do you have Host ID Check enabled on the VPN profile?</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 9, 2015 at 11:27 PM, Hank Keleher (AM) <span dir="ltr">
<<a href="mailto:hank.keleher@dimensiondata.com" target="_blank">hank.keleher@dimensiondata.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto">
<div>I did, yes.<br>
<br>
</div>
<div>Thanks!</div>
<div>Hank</div>
<div>
<div>
<div><br>
On Sep 9, 2015, at 22:33, Brian Meade <<a href="mailto:bmeade90@vt.edu" target="_blank">bmeade90@vt.edu</a>> wrote:<br>
<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div><br>
<br>
<div dir="ltr">You don't need any certificates on the ASA from CUCM for username/password to work. Did you assign the certificate to the VPN Gateway in CUCM after uploading it to CUCM?</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 9, 2015 at 9:17 PM, Hank Keleher (AM) <span dir="ltr">
<<a href="mailto:hank.keleher@dimensiondata.com" target="_blank">hank.keleher@dimensiondata.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-family:Arial,sans-serif">
<div style="font-size:13px">
<div>Joe, thanks for the recommendation. Here’s what we experienced:</div>
<div><br>
</div>
<div>We set the TFTP address to the local server and restarted the phone. It sat on registering and never changed or prompted for login. We looked and noticed we could now tick on the box to enable VPN and that prompted for a username and password. When we
logged in we received an error message indicating an invalid certificate.</div>
<div><br>
</div>
<div>We uploaded the certificate from the ASA to CUCM prior to configuring the phones. Since we’re using username and password we didn’t import any CUCM certs to the ASA. Do we still need to do that even if we aren’t using certificate authentication?</div>
<div><br>
</div>
<div>Thanks!</div>
<div>Hank</div>
<div><br>
</div>
</div>
<div style="font-size:13px"><br>
</div>
<span>
<div style="font-size:12pt;font-family:Calibri;text-align:left;color:black;border-width:1pt medium medium;border-style:solid none none;padding:3pt 0in 0in;border-top-color:rgb(181,196,223)">
<span style="font-weight:bold">From: </span>Joe Martini<br>
<span style="font-weight:bold">Date: </span>Wednesday, September 9, 2015 at 20:07<span><br>
<span style="font-weight:bold">To: </span>"Hank.Keleher"<br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>"<br>
<span style="font-weight:bold">Subject: </span>Re: [cisco-voip] Cisco 8841 VPN phone issue<br>
</span></div>
<span>
<div style="font-size:13px"><br>
</div>
<div>
<div style="word-wrap:break-word">The actual internal TFTP server address. The phone will use it after the VPN connection is established to download its configuration file.
<div style="font-size:13px"><br>
</div>
<div>Joe<br>
<div><br>
<div>
<div style="font-size:13px">On Sep 9, 2015, at 8:02 PM, Hank Keleher (AM) <<a href="mailto:hank.keleher@dimensiondata.com" target="_blank">hank.keleher@dimensiondata.com</a>> wrote:</div>
<br>
<div>
<div style="word-wrap:break-word;font-family:Arial,sans-serif">
<div>
<div>
<div style="font-size:13px">What should the TFTP address be set to for the remote VPN phone? The actual internal TFTP address or the VPN head end?</div>
<div style="font-size:13px"><br>
</div>
<div style="font-size:13px">Thanks!</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</span></span><span><font color="#888888">
<div>Hank</div>
</font></span><span>
<div>
<div style="word-wrap:break-word">
<div>
<div>
<div>
<div>
<div style="word-wrap:break-word;font-family:Arial,sans-serif">
<div>
<div>
<div>
<div>
<div style="font-size:13px">
<div>
<div style="font-family:Calibri,sans-serif;font-size:11pt;margin:0in 0in 0.0001pt">
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<span>
<div style="font-size:13px"><br>
</div>
<span style="font-size:13px">
<div style="font-family:Calibri;font-size:12pt;text-align:left;border-width:1pt medium medium;border-style:solid none none;padding:3pt 0in 0in;border-top-color:rgb(181,196,223)">
<span style="font-weight:bold">From: </span>Joe Martini<br>
<span style="font-weight:bold">Date: </span>Wednesday, September 9, 2015 at 19:57<br>
<span style="font-weight:bold">To: </span>"Hank.Keleher"<br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>"<br>
<span style="font-weight:bold">Subject: </span>Re: [cisco-voip] Cisco 8841 VPN phone issue<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap:break-word">The prompt you are seeing with Service Name, Username, and Password is for the Mobile and Remote Access (MRA) feature. More information about this can be found here - <a href="https://tools.cisco.com/squish/92527f" target="_blank">https://tools.cisco.com/squish/92527f</a>.
In order for the phone to start the VPN sign-in process instead of the MRA sign-in process you must have a TFTP set on the phone, either via DHCP or manually.
<div><br>
</div>
<div>Joe<br>
<div>
<div>
<div><br>
</div>
<div>On Sep 9, 2015, at 7:10 PM, Hank Keleher (AM) <<a href="mailto:hank.keleher@dimensiondata.com" target="_blank">hank.keleher@dimensiondata.com</a>> wrote:</div>
<br>
<div>
<div style="word-wrap:break-word;font-size:13px;font-family:Arial,sans-serif">
<div>
<div>Greetings!</div>
<div><br>
</div>
<div>I’ve set up a new server using 10.5.2 for VPN using 8841s and username and password (not certificate). I followed the details in the following features configuration guide for VPN client.</div>
<div><br>
</div>
<div><a href="http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cucm/admin/10_5_2/ccmfeat/CUCM_BK_C3A84B33_00_cucm-feature-configuration-guide_rel1052.pdf" target="_blank">http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cucm/admin/10_5_2/ccmfeat/CUCM_BK_C3A84B33_00_cucm-feature-configuration-guide_rel1052.pdf</a></div>
<div><br>
</div>
<div>The phones were configured and registered on the local network so they got the VPN common phone profile information. When we try to use the phone at home it prompts to supply Service Name, Username and Password. What should the service name be? We searched
for hours and didn’t see anything that related to a service name and we tried everything we could think of.</div>
<div><br>
</div>
<div>I am able to VPN using username and password with the AnyConnect client to the URL for the VPN phones that was set up. It’s an ASA 5512 and the proper licenses are applied. I checked the feature report on CUCM and the 8841 is supported. Unfortunately, I’m
not able to access the web server on the phone (I’ve tried to no avail.)</div>
</div>
<div><br>
</div>
<div>Any thoughts or ideas here?</div>
<div><br>
</div>
<div>Thanks!</div>
<div>Hank</div>
</div>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</div>
</div>
<br>
</div>
</div>
</div>
</div>
</span></span></div>
</div>
</div>
<br>
</div>
</div>
</div>
</div>
</span></div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div></div></span>
</div>
</blockquote></div><br></div>
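<div dir="ltr">The CN/SAN comparison behind the Host ID Check mentioned in the top reply, as an added example that is not part of the original thread and not Cisco's code. It assumes generic RFC 6125-style matching (DNS SAN entries take precedence over CN, a wildcard covers only the leftmost label); the certificate, host names and URL path are constructed, and the function names are hypothetical.</div>

```python
# Added example: checks whether the host in a VPN gateway URL is covered by
# the gateway certificate's SAN/CN. Certificate dicts use the layout returned
# by ssl.SSLSocket.getpeercert(); all sample values are constructed.
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: CN is the internal name, SAN carries the public names.
ASA_CERT = {
    "subject": ((("commonName", "asa5512.corp.example"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
}


def _dns_match(pattern, host):
    """Compare label by label; '*' counts only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == h[1:]
    return p == h


def host_id_check(vpn_url, cert):
    """Return (ok, names_considered) for the host part of vpn_url."""
    host = urlsplit(vpn_url).hostname or ""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # URL uses an IP literal: only an IP SAN or an identical CN can match.
        ok = any(ipaddress.ip_address(i) == addr for i in ips) or host in cns
        return ok, ips + cns
    # Assumption: CN is consulted only when the certificate has no DNS SAN.
    names = dns if dns else cns
    return any(_dns_match(n, host) for n in names), names


if __name__ == "__main__":
    for url in ("https://vpn.example.com/phonevpn",
                "https://asa5512.corp.example/phonevpn",
                "https://203.0.113.10/phonevpn"):
        print(url, host_id_check(url, ASA_CERT))
```

A False result for the URL configured on the VPN gateway is the mismatch case the reply describes; reissuing the certificate with a SAN that covers that host keeps the check usable instead of turning it off.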