11-05-2010 06:57 PM - edited 03-16-2019 01:46 AM
Dear NetPro gurus,
One of my customers has purchased a brand new Cisco ASA 5510 firewall. They have also bought a large number of Cisco 7975G IP Phones.
For some of their 7975G phones, they would like to use them as 'VPN Phones' and remotely log in from home.
What they found is that on the Cisco 7975G phone, whenever they try to log in to the 5510 ASA with the following address, it fails on the 7975G phone. But if they try on their PC with exactly the same login details, it logs in perfectly fine from their PC.
https://210.177.249.x/phonevpn
U: phone1
P: 12345678
The home topology is as follows:
Internet ---- Dlink DIR-300 router ---- 7975G on port1 & Home PC on port2
And home PC can ping perfectly fine to the 7975G
The ASA 5510 firewall is equipped with the AnyConnect for Cisco VPN Phone license as below:
Serial #: JMX1135XXXX
Product Authorization Key : 2851J2XXXXX
Failover : Enabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : Default
GTP/GPRS : Disabled
SSL VPN Peers : Default
Total VPN Peers : Default
Advanced Endpoint Assessment : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Enabled
Shared License : Disabled
UC Phone Proxy Sessions : Default
Total UC Proxy Sessions : Default
AnyConnect Essentials : Disabled
Botnet Traffic Filter : Disabled
Intercompany Media Engine : Disabled
Platform = asa
JMX1135XXXX: 2707cd78 8ca46573 a8e32144 85146848 XXXXXXXX
The 7975G phone keeps on saying VPN login failed. And if I look under the status messages, the log keeps saying 'All concentrator failed'.
Cheers,
Hunt
11-06-2010 03:38 AM
Check these (from https://supportforums.cisco.com/docs/DOC-9124):
11-06-2010 06:56 AM
Hello joemar,
I have done exactly those but it is still not working. Here is an abstract of my Cisco ASA config.
group-policy VPNPHONE_GroupPolicy1 internal
group-policy VPNPHONE_GroupPolicy1 attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelall
webvpn
svc dtls enable
I have attached the full config as well.
Please help as I have spent countless days on this but it is still not working; I would appreciate it if anyone can shed some light on this.
Cheers,
Hunt
11-06-2010 04:46 PM
Hi Hunt,
I don't see any trustpoint created on your ASA. Try the following procedure for configuring the ASA.
Download the Cisco_Manufacturing_CA and CAPF certs from CUCM. This is only needed for device level certificate authentication. If the cluster is in Mixed Mode, you’ll need to add the CallManager cert as well.
Download certificates from CUCM
1. Go to the Cisco UCM Operating System Administration web page.
2. Choose Security > Certificate Management. (this location may change based on the UCM version)
3. Find the certificates CallManager, Cisco_Manufacturing_CA, and CAPF. Download the .pem file and save it as a .txt file.
Import certificates into the ASA
1. Create the CallManager trustpoint.
hostname(config)# crypto ca trustpoint CallManager
hostname(config-ca-trustpoint)# enrollment terminal
hostname(config)# crypto ca authenticate CallManager
When prompted for base 64 encoded CA Certificate, copy-paste the text in the downloaded CallManager.pem file along with the BEGIN and END lines.
2. Create the Cisco_Manufacturing_CA trustpoint.
hostname(config)# crypto ca trustpoint Cisco_Manufacturing_CA
hostname(config-ca-trustpoint)# enrollment terminal
hostname(config)# crypto ca authenticate Cisco_Manufacturing_CA
When prompted for base 64 encoded CA Certificate, copy-paste the text in the downloaded Cisco_Manufacturing_CA.pem file along with the BEGIN and END lines.
3. Create the CAPF trustpoint.
hostname(config)# crypto ca trustpoint CAPF
hostname(config-ca-trustpoint)# enrollment terminal
hostname(config)# crypto ca authenticate CAPF
When prompted for base 64 encoded CA Certificate, copy-paste the text in the downloaded CAPF.pem file along with the BEGIN and END lines.
Create the VPN trustpoint and generate self-signed certificate
1. Create ssl keypair.
hostname(config)# crypto key generate rsa label sslvpnkeypair modulus 1024
2. Create the VPN trustpoint.
hostname(config)# crypto ca trustpoint ASA_VPN
hostname(config-ca-trustpoint)# enrollment self
hostname(config-ca-trustpoint)# keypair sslvpnkeypair
!---For the CallManager certificate to work with host-id check enabled on the VPN profile in CUCM, the following should be added.
hostname(config-ca-trustpoint)# fqdn
hostname(config-ca-trustpoint)# subject-name CN=
hostname(config)# crypto ca enroll ASA_VPN
3. Assign trustpoint to outside interface.
ssl trust-point ASA_VPN outside
Export the VPN certificate and upload to CUCM.
1. Export the VPN certificate.
hostname(config)# crypto ca export ASA_VPN identity-certificate
2. Upload certificate to CUCM.
Go to the Cisco UCM Operating System Administration web page.
Choose Security > Certificate Management. (this location may change based on the UCM version)
Click Upload Certificate and select the Phone-VPN-Trust store.
Browse to the exported VPN certificate file and click Upload File.
Once this is complete configure the CUCM side as specified here.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_0_1/secugd/secuvpn.html
After all this, register the phone locally so that it can download the cert associated with the VPN gateway. Now connect the phone to your outside network and test the VPN. Let me know if this helps. If this still fails, attach the new ASA config and console logs from the phone. To get the console logs, browse to the phone's IP and click the Console Logs link on the left.
John
11-19-2010 05:21 PM
Hello John,
I managed to get the 7975G phone to connect to the VPN now, and the phone can also get an IP address from the ASA 5510 as well as the default gateway IP.
However, once connected, the phone is still not working and I can't ping it within the network from anywhere... I suspect DTLS is not working.
I have attached the ASA debugs from when the IP phone is connecting; I have also included the phone's console logs from when it is connecting.
Cheers,
Hunt
11-19-2010 05:24 PM
Hi John,
The IP address that the phone gets is 172.16.100.102 under the Username phone1.
Cheers,
Hunt
11-21-2010 08:46 AM
It looks like DTLS is not working properly like you said.
1568: WRN 18:17:01.700186 VPNC: protocol_handler: DTLS dpd response not rcvd, # 2
1569: ERR 18:17:01.700843 VPNC: protocol_handler: DTLS DPD timeout, cleanup
Make sure both TCP and UDP ports 443 are open on the ASA.
Can you attach the updated ASA 'sh run' as well?
John
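As an added example that is not part of John's reply, the check below runs over phone console log lines in the format quoted above and reports whether DTLS dead-peer detection is failing, which is the condition that points at a filtered UDP/443 path. Apart from the two lines quoted in the reply, the sample log lines (and their sequence numbers and timestamps) are constructed for this example.

```python
import re
from typing import Dict, List

# Phone console log format seen in the thread:
#   "<seq>: <LEVEL> <hh:mm:ss.us> <component>: <message>"
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<level>\w+) (?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<comp>\w+): (?P<msg>.*)$"
)
DPD_MISS_RE = re.compile(r"DTLS dpd response not rcvd, # (?P<n>\d+)")
DPD_TIMEOUT = "DTLS DPD timeout"


def parse_line(line: str) -> Dict[str, str]:
    """Split one console log line into its fields; empty dict if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else {}


def assess_dtls(lines: List[str]) -> Dict[str, object]:
    """Walk VPNC log lines, count missed DTLS DPD replies and flag a DPD timeout."""
    misses = 0
    timed_out = False
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["comp"] != "VPNC":
            continue                      # only the VPN client component is of interest
        m = DPD_MISS_RE.search(rec["msg"])
        if m:
            misses = max(misses, int(m.group("n")))   # the phone numbers the misses itself
        elif DPD_TIMEOUT in rec["msg"]:
            timed_out = True
    if timed_out:
        verdict = "DTLS DPD timed out: check that UDP/443 (not only TCP/443) reaches the ASA outside interface"
    elif misses:
        verdict = f"{misses} DTLS DPD replies missed so far; watch for a timeout"
    else:
        verdict = "no DTLS DPD problem seen"
    return {"dpd_misses": misses, "dpd_timeout": timed_out, "verdict": verdict}


# Constructed sample: lines 1568 and 1569 are the ones quoted in the thread, the others are made up.
SAMPLE_LOG = [
    "1566: NOT 18:16:31.512000 VPNC: protocol_handler: DTLS session established",
    "1567: WRN 18:16:51.700000 VPNC: protocol_handler: DTLS dpd response not rcvd, # 1",
    "1568: WRN 18:17:01.700186 VPNC: protocol_handler: DTLS dpd response not rcvd, # 2",
    "1569: ERR 18:17:01.700843 VPNC: protocol_handler: DTLS DPD timeout, cleanup",
]

if __name__ == "__main__":
    print(assess_dtls(SAMPLE_LOG)["verdict"])
```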
11-22-2010 12:57 AM
Dear John,
Please find attached the config for Cisco ASA.
Would appreciate your help.
Cheers,
Hunt
11-22-2010 09:26 AM
Hi Hunt,
I don't see any trustpoints configured on your ASA. What certificate did you load in the VPN Gateway config in CUCM? I would expect to see something like the following in your ASA config.
crypto ca trustpoint phonevpn
enrollment terminal
keypair sslvpnkeypair
crl configure
crypto ca certificate chain phonevpn
certificate 2509c62b000000000021
ssl trust-point phonevpn outside
The phonevpn cert should be exported using the following procedure.
crypto ca export phonevpn identity-certificate
That cert should be uploaded to CUCM and added to the VPN Gateway config in CUCM. The phone then needs to be registered internally so it can download the cert.
John
11-22-2010 08:31 PM
Hello John,
Thanks for your reply but I have the following question:-
1) The cert I currently have is a 'self-signed certificate' from the ASA. It is not one of those 'Verisign' certs, so would those commands allow me to put the 'self-signed cert' in for SSL VPN use??
crypto ca certificate chain phonevpn
certificate 2509c62b000000000021
2) I also have normal PC users who need a cert to SSL VPN via the ASA. If I do the commands and set up this cert as suggested, would this create a problem where all my customer's PCs will need to get this new cert from the ASA?? Because they won't be able to connect to the SSL VPN if only one cert is allowed at any one time.
Cheers,
Hunt
11-23-2010 02:49 AM
Hi Hunt,
You can use a self-signed cert. Use the following commands to create the trustpoint on the ASA with the self-signed cert.
hostname(config)# crypto key generate rsa label sslvpnkeypair modulus 1024
hostname(config)# crypto ca trustpoint phonevpn
hostname(config-ca-trustpoint)# enrollment self
hostname(config-ca-trustpoint)# keypair sslvpnkeypair
!--this generates the cert
hostname(config)# crypto ca enroll phonevpn
!--assign the trustpoint to the outside interface
hostname(config)# ssl trust-point phonevpn outside
!--use the following to export the cert. This is what needs to be uploaded to CUCM and assigned to the VPN Gateway.
hostname(config)# crypto ca export phonevpn identity-certificate
This shouldn't cause a problem for users using the client from their PC. They will just get a warning stating that the cert is from an unknown CA, click Yes to continue.
John
11-22-2010 10:29 PM
Hello John,
Also, where do I find the certificate string 2509c62b000000000021?? Shouldn't it be 69DB0F29FAC8699F062FEC036EFD1680FA9E3EA2??
Cheers,
Hunt
11-23-2010 02:50 AM
Hi Hunt,
2509c62b000000000021 was just an example from my lab. The serial number generated for your cert will look much different.
John
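As an added example (not from the thread), a small Python check that tells the two numbers apart: the `certificate <hex>` line in the ASA certificate chain carries the certificate's serial number, while a 40-hex-digit value such as the one quoted above has the length of a SHA-1 fingerprint, which is computed over the whole certificate. It reads a PEM file such as the one produced by `crypto ca export ... identity-certificate` with a minimal DER walker and no third-party library; the PEM below is a constructed, truncated certificate carrying only the version and the lab serial number from the reply above, not a real ASA certificate.

```python
import base64
import hashlib


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def serial_number_hex(der: bytes) -> str:
    """Serial number as lowercase hex, the form shown on an ASA 'certificate <serial>' line."""
    _, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)           # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)          # optional [0] EXPLICIT version comes first
    if tag != 0xA0:
        pos = 0                              # no version field: serialNumber is the first element
    tag, serial, _ = _read_tlv(tbs, pos)     # serialNumber ::= INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    if len(serial) > 1 and serial[0] == 0:   # DER pads a positive integer with a high bit using 0x00
        serial = serial[1:]
    return serial.hex()


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint over the whole DER encoding, colon separated as browsers display it."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: SEQUENCE { SEQUENCE { [0] INTEGER 2, INTEGER 0x2509c62b000000000021 } }
SAMPLE_DER = bytes.fromhex("3013" "3011" "a003020102" "020a2509c62b000000000021")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("ASA chain line:    certificate", serial_number_hex(der))
    print("SHA-1 fingerprint:", sha1_fingerprint(der))
```

Run against the exported PEM, the first value is what the chain line under `crypto ca certificate chain phonevpn` shows, and the second is what a fingerprint view shows; they never coincide.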
11-24-2010 06:25 PM
Hello John,
I believe I have finally got it to work... just have to double-confirm tonight.
Is there any way we can make the VPN session for VPN phones infinite so that it will 'never time out'?? The reason is that the VPN phones will be placed in the sitting rooms at the houses of the customer's executives, and they will want to be able to make calls whenever they want without having to authenticate into the VPN every now and then.
Cheers,
Hunt
11-27-2010 10:44 AM
The VPN session will use a keepalive mechanism that will not time out (possibly config dependent), but you can get the AnyConnect client, which is what the phone does, to never time out the connection. Also, the best option for you is to use certificate-based authentication so that if the phone is powered off, reset, or loses connection, the phone will automatically connect back to the VPN on its own. That way the user doesn't have to type in a username or password if the phone is reset or powered off.