Hi, I have a 7965 phone outside the trusted network. The user had a failure connecting to the ASA when attempting to log in with their username and password and was presented with softkeys "retry" and "disable". The user selected "disable". Now when I go to settings > security configuration > VPN configuration on the user's phone, I see "VPN Disabled" but no "enable" option.
This phone VPN connection worked previously. From the administration guide the "enable VPN" option should be available from the phone unless the VPN configurations are not enabled in CUCM, which they are:
Auto Network Detection is disabled. Would this user need to bring the phone back into the office to reconnect the VPN?
CUCM version 126.96.36.19900-5
ASA 5505 version 8.4(2)
Phone load SCCP45.9-2-1SR2S
On the phone that you cannot enable the phone VPN if auto network detect is not enabled, is there something listed under "Concentrator 1" on the phone under Settings > Security Settings > VPN Configuration? If there is nothing listed under Concentrator 1, the phone is unaware of the VPN URL so it will not allow the VPN to be accessed. To fix this the phone would need to be brought back inside. The phone though should not lose its VPN configuration once it has it and then is brought outside.
I'll have to check with the user. They just said that the phone says "VPN disabled". The phone was working in our test lab on the internet before the user took it home yesterday.
I super copied the phone and in the lab it shows the address under concentrator 1.
Thanks Joe. I'll remember to check that if we encounter this again. We ended up shipping the phone back and reconfiguring it behind the fw.
In CUCM, the VPN Profile, Enable Auto Network Detect is checked.
On my test phone, under VPN Configuration, it shows Auto Network Detection Enabled. Should it not be like that?
It is ok to have that checked. That just means that if the phone can ping the TFTP server IP address the VPN option will be disabled because the phone thinks that it is internal.
If the TFTP IP address is a common home IP like 192.168.1.1, the phone will always think it's internal because some device likely will reply to the ping test to check if the phone is internal or external.
Not sure if anyone answered this for you but when looking at the VPN Configuration from the phone, press **# (star, star, pound) to unlock the settings. You should then be able to choose Enable.
You're probably hitting an issue with the phone getting its TFTP option via the home router's DHCP. Try turning on Alternate TFTP and hard-setting the TFTP server address. That should fix your auto-network-detect issue.