12-31-2012 08:36 AM - edited 03-16-2019 02:56 PM
Hi, I have a 7965 phone outside the trusted network. The user had a failure connecting to the ASA when attempting to log in with their username and password and was presented with softkeys "retry" and "disable". The user selected "disable". Now when I go to settings > security configuration > VPN configuration on the user's phone, I see "VPN Disabled" but no "enable" option.
This phone VPN connection worked previously. From the administration guide the "enable VPN" option should be available from the phone unless the VPN configurations are not enabled in CUCM, which they are:
Auto Network Detection is disabled. Would this user need to bring the phone back into the office to reconnect the VPN?
CUCM version 8.5.1.13900-5
ASA 5505 version 8.4(2)
Phone load SCCP45.9-2-1SR2S
Thanks.
03-07-2013 11:10 AM
Did you find a resolution for this?
03-07-2013 11:36 AM
On the phone that you cannot enable the phone VPN if auto network detect is not enabled, is there something listed under "Concentrator 1" on the phone under Settings > Security Settings > VPN Configuration? If there is nothing listed under Concentrator 1, the phone is unaware of the VPN URL so it will not allow the VPN to be accessed. To fix this the phone would need to be brought back inside. The phone though should not lose its VPN configuration once it has it and then is brought outside.
03-07-2013 11:40 AM
I'll have to check with the user. They just said that the phone says "VPN disabled". The phone was working in our test lab on the internet before the user took it home yesterday.
I super copied the phone and in the lab it shows the address under concentrator 1.
03-07-2013 05:22 PM
Thanks Joe. I'll remember to check that if we encounter this again. We ended up having to ship the phone back and reconfiguring it behind the fw.
03-08-2013 08:05 AM
The user does have the address in Concentrator 1. However, VPN is disabled on the phone and the Enable button is greyed out.
03-08-2013 08:13 AM
That almost sounds as if auto detect is enabled on the phone. Does the phone show Auto Network Detection enabled or disabled?
03-08-2013 09:21 AM
In CUCM, the VPN Profile, Enable Auto Network Detect is checked.
On my test phone, under VPN Configuration, it shows Auto Network Detection Enabled. Should it not be like that?
03-08-2013 09:28 AM
It is ok to have that checked. That just means that if the phone can ping the TFTP server IP address the VPN option will be disabled because the phone thinks that it is internal.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_0_1/secugd/secvppro.html
If the TFTP IP address is a common home IP like 192.168.1.1, the phone will always think it's internal because some device likely will reply to the ping test to check if the phone is internal or external.
03-08-2013 10:19 AM
Thanks Joe. The TFTP address is not common. Any ideas on how to enable the VPN?
04-16-2013 07:53 PM
Not sure if anyone answered this for you but when looking at the VPN Configuration from the phone, press **# (star, star, pound) to unlock the settings. You should then be able to choose Enable.
04-16-2013 08:48 PM
You're probably hitting an issue with the phone getting its TFTP option via the home router's DHCP. Try turning on Alternate TFTP and hard-set the TFTP server address. That should fix your auto-network-detect issue.