
7965 VPN option unavailable

mcdonovan
Level 1

Hi, I have a 7965 phone outside the trusted network. The user had a failure connecting to the ASA when attempting to log in with their username and password and was presented with softkeys "retry" and "disable". The user selected "disable". Now when I go to settings > security configuration > VPN configuration on the user's phone, I see "VPN Disabled" but no "enable" option.

This phone VPN connection worked previously.  From the administration guide the "enable VPN" option should be available from the phone unless the VPN configurations are not enabled in CUCM, which they are: 

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7975G_7971g-ge_7970g_7965g_7945g/8_0/english/administration/guide/7970set.html#wp1271763

Auto Network Detection is disabled.  Would this user need to bring the phone back into the office to reconnect the VPN? 

CUCM version 8.5.1.13900-5

ASA 5505 version 8.4(2)

Phone load SCCP45.9-2-1SR2S

Thanks.

11 Replies

tbarden-gmo
Level 1

Did you find a resolution for this?

On the phone that you cannot enable the phone VPN if auto network detect is not enabled, is there something listed under "Concentrator 1" on the phone under Settings > Security Settings > VPN Configuration? If there is nothing listed under Concentrator 1, the phone is unaware of the VPN URL so it will not allow the VPN to be accessed. To fix this the phone would need to be brought back inside. The phone though should not lose its VPN configuration once it has it and then is brought outside.

I'll have to check with the user. They just said that the phone says "VPN disabled". The phone was working in our test lab on the internet before the user took it home yesterday.

I super copied the phone and in the lab it shows the address under concentrator 1.

Thanks Joe. I'll remember to check that if we encounter this again. We ended up having to ship the phone back and reconfiguring it behind the fw.

The user does have the address in Concentrator 1. However, VPN is disabled on the phone and the Enable button is greyed out.

That almost sounds as if auto detect is enabled on the phone.  Does the phone show Auto Network Detection enabled or disabled?

In CUCM, the VPN Profile, Enable Auto Network Detect is checked.

On my test phone, under VPN Configuration, it shows Auto Network Detection Enabled. Should it not be like that?

It is ok to have that checked.  That just means that if the phone can ping the TFTP server IP address the VPN option will be disabled because the phone thinks that it is internal. 

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_0_1/secugd/secvppro.html

If the TFTP IP address is a common home IP like 192.168.1.1, the phone will always think it's internal because some device likely will reply to the ping test to check if the phone is internal or external.

Thanks Joe. The TFTP address is not common. Any ideas on how to enable the VPN?

Not sure if anyone answered this for you but when looking at the VPN Configuration from the phone, press **# (star, star, pound) to unlock the settings. You should then be able to choose Enable.

You're probably hitting an issue with the phone getting its TFTP option via the home router's DHCP.  Try turning on Alternate TFTP and hard-set the TFTP server address.  That should fix your auto-network-detect issue.
