<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 13px; font-family: Arial, sans-serif;">
<div>
<div>
<div>I just wanted to follow up with everyone on this particular issue and thank those who helped, especially Brian Meade!</div>
<div><br>
</div>
<div>The initial problem was the bug as mentioned below. Once we manually set the TFTP and recycled the phone we could enable VPN and log in. However, there was an issue with the certificate that was issued: it was missing fields such as CN and FQDN, so we needed to
uncheck the “Enable Host ID Check” under the VPN Profile config. The ssl trust-point config was also set to the wrong interface, and after updating that we were able to get the phones to VPN (after registering on the local network).</div>
<div><br>
</div>
<div>However, this broke AnyConnect, so now users couldn’t log in due to the cert missing information the AnyConnect client required. We ended up reissuing a new cert with the fields required, uploaded it to CUCM, added it to the VPN Gateway and reset the phone.
After it was up we then changed the trust-point on the ASA to the new cert, and now the phones and AnyConnect work.</div>
<div><br>
</div>
<div>Fun times!</div>
<div><br>
</div>
<div>Thanks!</div>
<div>Hank</div>
</div>
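<div>The Host ID Check that Brian mentions and that Hank worked around compares the hostname in the VPN URL with the gateway certificate's CN/SAN. The following is an added example, not code from this thread or from Cisco: a simplified Python model of that check, run against two constructed certificates (one missing CN and SAN as in the thread, one reissued with both). The certificate dicts use the shape that ssl.SSLSocket.getpeercert() returns, so the same function can be pointed at a cert pulled from a live peer; the exact matching rules the phone firmware applies are assumed here, not taken from Cisco documentation.</div>

```python
"""Host ID check: does the VPN gateway certificate name the host in the VPN URL?

Assumed, simplified model of the check a VPN phone performs (not Cisco's code):
the hostname in the VPN URL must match a DNS subjectAltName entry or, when the
certificate carries no SAN at all, the subject commonName. A wildcard matches
exactly one leftmost label.
"""
from urllib.parse import urlsplit

# Constructed sample certificates, in the dict shape ssl.SSLSocket.getpeercert()
# returns. The first mirrors the thread's broken cert (no CN, no SAN); the
# second mirrors the reissued one that carries both.
BROKEN_CERT = {
    "subject": ((("organizationName", "Example Corp"),),),
}
REISSUED_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.phones.example.com")),
}


def cert_names(cert):
    """Return (common_names, san_dns_names) from a getpeercert()-style dict."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return cns, sans


def name_matches(pattern, host):
    """RFC 6125-style match: exact, or a single leading '*' label (never '*.tld')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def host_id_check(cert, vpn_url):
    """Return (ok, reason). SAN takes precedence; CN is only a fallback."""
    host = urlsplit(vpn_url).hostname
    if not host:
        return False, "VPN URL has no hostname"
    cns, sans = cert_names(cert)
    if sans:
        if any(name_matches(n, host) for n in sans):
            return True, "matched subjectAltName"
        return False, f"{host} not in subjectAltName {sans}"
    if not cns:
        return False, "certificate has neither subjectAltName nor commonName"
    if any(name_matches(n, host) for n in cns):
        return True, "matched commonName (no SAN present)"
    return False, f"{host} does not match commonName {cns}"


if __name__ == "__main__":
    url = "https://vpn.example.com/phone"  # constructed VPN URL
    for label, cert in (("broken", BROKEN_CERT), ("reissued", REISSUED_CERT)):
        ok, why = host_id_check(cert, url)
        print(f"{label:9s} {'PASS' if ok else 'FAIL'}: {why}")
```

<div>Unchecking Host ID Check makes the phone skip this comparison; reissuing the certificate so the check passes, as the thread ends up doing, is what keeps both the phones and AnyConnect validating the gateway they connect to.</div>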
<div>
<div id="">
<div>
<div>
<p class="MsoNormal" style="font-family: Calibri, sans-serif; font-size: 11pt; color: rgb(0, 0, 0); margin: 0in 0in 0.0001pt;">
<br>
</p>
</div>
</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>"Ryan Ratliff (rratliff)"<br>
<span style="font-weight:bold">Date: </span>Thursday, September 10, 2015 at 13:35<br>
<span style="font-weight:bold">To: </span>"Hank.Keleher"<br>
<span style="font-weight:bold">Cc: </span>cisco-voip voyp list, "Joe Martini (joemar2)"<br>
<span style="font-weight:bold">Subject: </span>Re: [cisco-voip] Cisco 8841 VPN phone issue<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
For those following along at home CSCuv49148 is no longer an enhancement. Hopefully we’ll see a fix in the next release.
<div class=""><br class="">
<div class="">-Ryan </div>
<br class="">
<div>
<div class="">On Sep 10, 2015, at 12:03 PM, Joe Martini (joemar2) <<a href="mailto:joemar2@cisco.com" class="">joemar2@cisco.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">CSCuv49148 is for the phone firmware to allow the VPN to start up if the VPN feature is configured without requiring a TFTP to be set on the phone.</div>
<div class=""><br class="">
</div>
<div class="">Joe</div>
<br class="">
<div class="">
<div class="">On Sep 10, 2015, at 11:47 AM, Ryan Ratliff (rratliff) <<a href="mailto:rratliff@cisco.com" class="">rratliff@cisco.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Any updates made to the configuration of the phone in CUCM require that the phone be brought inside the network for them to pick up the changes.
<div class=""><br class="">
</div>
<div class="">The 8841 should know that it has VPN configured and not switch to MRA mode when it boots on the home network that doesn’t have TFTP configured. You can hard-code the TFTP on the phone by enabling alt-tftp but that should not be required.</div>
<div class=""><br class="">
</div>
<div class="">If it works as expected with cert-based VPN but not username/password then this is likely a phone bug. Please open a TAC SR so it can be investigated further.</div>
<div class=""><br class="">
<div class="">-Ryan </div>
<br class="">
<div class="">
<div class="">On Sep 10, 2015, at 11:06 AM, Hank Keleher (AM) <<a href="mailto:hank.keleher@dimensiondata.com" class="">hank.keleher@dimensiondata.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 13px; font-family: Arial, sans-serif;" class="">
<div class="">
<div class="">
<div class="">Would that require the phones to be reregistered on the local network before being used? I’ll uncheck the box; it’s possible it doesn’t match, but I’m not 100% sure.</div>
<div class=""><br class="">
</div>
<div class="">Thanks!</div>
<div class="">Hank</div>
<div class="">
<div id="" class="">
<div class="">
<div class="">
<div style="font-family: Calibri, sans-serif; font-size: 11pt; margin: 0in 0in 0.0001pt;" class="">
<br class="">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class=""><br class="">
</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="font-family: Calibri; font-size: 12pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span><<a href="mailto:bmeade90@gmail.com" class="">bmeade90@gmail.com</a>> on behalf of Brian Meade<br class="">
<span style="font-weight:bold" class="">Date: </span>Thursday, September 10, 2015 at 11:04<br class="">
<span style="font-weight:bold" class="">To: </span>"Hank.Keleher"<br class="">
<span style="font-weight:bold" class="">Cc: </span>Joe Martini, "<a href="mailto:cisco-voip@puck.nether.net" class="">cisco-voip@puck.nether.net</a>"<br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [cisco-voip] Cisco 8841 VPN phone issue<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">
<div dir="ltr" class="">You may need to disable the Host ID Check if your certificate's CN/SAN doesn't match the VPN URL you're using.</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Wed, Sep 9, 2015 at 11:49 PM, Hank Keleher (AM) <span dir="ltr" class="">
<<a href="mailto:hank.keleher@dimensiondata.com" target="_blank" class="">hank.keleher@dimensiondata.com</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" type="cite">
<div style="word-wrap: break-word; font-size: 13px; font-family: Arial, sans-serif;" class="">
<div class="">
<div class="">I do, yes.</div>
<div class=""><br class="">
</div>
<div class="">Thanks!</div>
<div class="">Hank</div>
<div class="">
<div class="">
<div class="">
<div class="">
<div style="font-family: Calibri, sans-serif; font-size: 11pt; margin: 0in 0in 0.0001pt;" class="">
<br class="">
</div>
</div>
</div>
</div>
</div>
</div>
<div class=""><br class="">
</div>
<span class="">
<div style="font-family: Calibri; font-size: 12pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span><<a href="mailto:bmeade90@gmail.com" target="_blank" class="">bmeade90@gmail.com</a>> on behalf of Brian Meade<br class="">
<span style="font-weight:bold" class="">Date: </span>Wednesday, September 9, 2015 at 23:42<br class="">
<span style="font-weight:bold" class="">To: </span>"Hank.Keleher"<br class="">
<span style="font-weight:bold" class="">Cc: </span>Joe Martini, "<a href="mailto:cisco-voip@puck.nether.net" target="_blank" class="">cisco-voip@puck.nether.net</a>"
<div class="">
<div class="h5"><br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [cisco-voip] Cisco 8841 VPN phone issue<br class="">
</div>
</div>
</div>
<div class="">
<div class="h5">
<div class=""><br class="">
</div>
<div class="">
<div class="">
<div dir="ltr" class="">Do you have Host ID Check enabled on the VPN profile?</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Wed, Sep 9, 2015 at 11:27 PM, Hank Keleher (AM) <span dir="ltr" class="">
<<a href="mailto:hank.keleher@dimensiondata.com" target="_blank" class="">hank.keleher@dimensiondata.com</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" type="cite">
<div dir="auto" class="">
<div class="">I did, yes.<br class="">
<br class="">
</div>
<div class="">Thanks!</div>
<div class="">Hank</div>
<div class="">
<div class="">
<div class=""><br class="">
On Sep 9, 2015, at 22:33, Brian Meade <<a href="mailto:bmeade90@vt.edu" target="_blank" class="">bmeade90@vt.edu</a>> wrote:<br class="">
<br class="">
</div>
</div>
</div>
<blockquote type="cite" class="">
<div class="">
<div class="">
<div class=""><br class="">
<br class="">
<div dir="ltr" class="">You don't need any certificates on the ASA from CUCM for username/password to work. Did you assign the certificate to the VPN Gateway in CUCM after uploading it to CUCM?</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Wed, Sep 9, 2015 at 9:17 PM, Hank Keleher (AM) <span dir="ltr" class="">
<<a href="mailto:hank.keleher@dimensiondata.com" target="_blank" class="">hank.keleher@dimensiondata.com</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" type="cite">
<div style="word-wrap: break-word; font-family: Arial, sans-serif;" class="">
<div style="font-size:13px" class="">
<div class="">Joe, thanks for the recommendation. Here’s what we experienced:</div>
<div class=""><br class="">
</div>
<div class="">We set the TFTP address to the local server and restarted the phone. It sat on registering and never changed or prompted for login. We looked and noticed we could now tick the box to enable VPN, and that prompted for a username and password.
When we logged in we received an error message indicating an invalid certificate.</div>
<div class=""><br class="">
</div>
<div class="">We uploaded the certificate from ASA to CUCM prior to configuring the phones. Since we’re using username and password we didn’t import any CUCM certs to the ASA, do we still need to do that even if we aren’t using certificate authentication?</div>
<div class=""><br class="">
</div>
<div class="">Thanks!</div>
<div class="">Hank</div>
<div class=""><br class="">
</div>
</div>
<div style="font-size:13px" class=""><br class="">
</div>
<span class="">
<div style="font-size: 12pt; font-family: Calibri; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span>Joe Martini<br class="">
<span style="font-weight:bold" class="">Date: </span>Wednesday, September 9, 2015 at 20:07<span class=""><br class="">
<span style="font-weight:bold" class="">To: </span>"Hank.Keleher"<br class="">
<span style="font-weight:bold" class="">Cc: </span>"<a href="mailto:cisco-voip@puck.nether.net" target="_blank" class="">cisco-voip@puck.nether.net</a>"<br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [cisco-voip] Cisco 8841 VPN phone issue<br class="">
</span></div>
<span class="">
<div style="font-size:13px" class=""><br class="">
</div>
<div class="">
<div style="word-wrap:break-word" class="">The actual internal TFTP server address. The phone will use it after the VPN connection is established to download its configuration file.
<div style="font-size:13px" class=""><br class="">
</div>
<div class="">Joe<br class="">
<div class=""><br class="">
<div class="">
<div style="font-size:13px" class="">On Sep 9, 2015, at 8:02 PM, Hank Keleher (AM) <<a href="mailto:hank.keleher@dimensiondata.com" target="_blank" class="">hank.keleher@dimensiondata.com</a>> wrote:</div>
<br class="">
<div class="">
<div style="word-wrap:break-word;font-family:Arial,sans-serif" class="">
<div class="">
<div class="">
<div style="font-size:13px" class="">What should the TFTP address be set to for the remote VPN phone? The actual internal TFTP address or the VPN head end?</div>
<div style="font-size:13px" class=""><br class="">
</div>
<div style="font-size:13px" class="">Thanks!</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</span></span><span class=""><font color="#888888" class="">
<div class="">Hank</div>
</font></span><span class="">
<div class="">
<div style="word-wrap:break-word" class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div style="word-wrap:break-word;font-family:Arial,sans-serif" class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div style="font-size:13px" class="">
<div class="">
<div style="font-family:Calibri,sans-serif;font-size:11pt;margin:0in 0in 0.0001pt" class="">
<br class="">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<span class="">
<div style="font-size:13px" class=""><br class="">
</div>
<span style="font-size:13px" class="">
<div style="font-family:Calibri;font-size:12pt;text-align:left;border-width:1pt medium medium;border-style:solid none none;padding:3pt 0in 0in;border-top-color:rgb(181,196,223)" class="">
<span style="font-weight:bold" class="">From: </span>Joe Martini<br class="">
<span style="font-weight:bold" class="">Date: </span>Wednesday, September 9, 2015 at 19:57<br class="">
<span style="font-weight:bold" class="">To: </span>"Hank.Keleher"<br class="">
<span style="font-weight:bold" class="">Cc: </span>"<a href="mailto:cisco-voip@puck.nether.net" target="_blank" class="">cisco-voip@puck.nether.net</a>"<br class="">
<span style="font-weight:bold" class="">Subject: </span>Re: [cisco-voip] Cisco 8841 VPN phone issue<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div style="word-wrap:break-word" class="">The prompt you are seeing with Service Name, Username, and Password is for the Mobile and Remote Access (MRA) feature. More information about this can be found here - <a href="https://tools.cisco.com/squish/92527f" target="_blank" class="">https://tools.cisco.com/squish/92527f</a>.
In order for the phone to start the VPN sign-in process instead of the MRA sign-in process you must have a TFTP set on the phone, either via DHCP or manually.
<div class=""><br class="">
</div>
<div class="">Joe<br class="">
<div class="">
<div class="">
<div class=""><br class="">
</div>
<div class="">On Sep 9, 2015, at 7:10 PM, Hank Keleher (AM) <<a href="mailto:hank.keleher@dimensiondata.com" target="_blank" class="">hank.keleher@dimensiondata.com</a>> wrote:</div>
<br class="">
<div class="">
<div style="word-wrap:break-word;font-size:13px;font-family:Arial,sans-serif" class="">
<div class="">
<div class="">Greetings!</div>
<div class=""><br class="">
</div>
<div class="">I’ve set up a new server using 10.5.2 for VPN using 8841s and username and password (not certificate). I followed the details in the following feature configuration guide for the VPN client.</div>
<div class=""><br class="">
</div>
<div class=""><a href="http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cucm/admin/10_5_2/ccmfeat/CUCM_BK_C3A84B33_00_cucm-feature-configuration-guide_rel1052.pdf" target="_blank" class="">http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cucm/admin/10_5_2/ccmfeat/CUCM_BK_C3A84B33_00_cucm-feature-configuration-guide_rel1052.pdf</a></div>
<div class=""><br class="">
</div>
<div class="">The phones were configured and registered on the local network so they got the VPN common phone profile information. When we try to use the phone at home it prompts to supply Service Name, Username and Password. What should the service name be?
We searched for hours and didn’t see anything that related to a service name and we tried everything we could think of.</div>
<div class=""><br class="">
</div>
<div class="">I am able to VPN using username and password with the AnyConnect client to the URL for the VPN phones that was set up. It’s an ASA 5512 and the proper licenses are applied. I checked the feature report on CUCM and the 8841 is supported. Unfortunately
I’m not able to access the web server on the phone (I’ve tried, to no avail).</div>
</div>
<div class=""><br class="">
</div>
<div class="">Any thoughts or ideas here?</div>
<div class=""><br class="">
</div>
<div class="">Thanks!</div>
<div class="">Hank</div>
<div class="">
<div class="">
<div class="">
<div class="">
<div style="font-family:Calibri,sans-serif;font-size:11pt;margin:0in 0in 0.0001pt" class="">
<br class="">
</div>
</div>
</div>
</div>
</div>
</div>
_______________________________________________<br class="">
cisco-voip mailing list<br class="">
<a href="mailto:cisco-voip@puck.nether.net" target="_blank" class="">cisco-voip@puck.nether.net</a><br class="">
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank" class="">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br class="">
</div>
</div>
<br class="">
</div>
</div>
</div>
</div>
</span></span></div>
</div>
</div>
<br class="">
</div>
</div>
</div>
</div>
</span></div>
<br class="">
<br class="">
</blockquote>
</div>
<br class="">
</div>
<br class="">
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</div>
</span></div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span></div>
</div>
</div>
<br class="">
</div>
</div>
</div>
</div>
<br class="">
</div>
</div>
</div>
<br class="">
</div>
</div>
</div>
</span>
</body>
</html>