Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
784
Views
0
Helpful
6
Replies

Cisco 7962 over VPN using ASA

shraavan07
Level 1
Level 1

‎10-14-2013 10:14 AM - edited ‎03-16-2019 07:52 PM

Hello Everyone,

I am running into an issue with configuring 7962 connecting to Call Manager over VPN Connection. I get VPN Authentication Failed with "All Concentrators Failed" error in Status messages.. Please look at the following config on ASA:

crypto ca trustpoint VpnPhone

enrollment self

subject-name CN=Firewall

crl configure

crypto ca trustpoint CallManager.pem

enrollment terminal

crl configure

crypto ca trustpoint CAPF.pem

enrollment terminal

crl configure

crypto ca trustpoint Cisco_Manufacturing_CA.pem

tnrollment terminal

crl configure

I have uploaded certificates from ASA to Call Manager and from Call Manager to ASA.

ssl trust-point VpnPhone Outside

webvpn

enable Outside

anyconnect ....path to image file

anyconnect enable

tunnel-group-list enable

group-policy PhoneVPN internal

group-policy PhoneVPN attributes

vpn-tunnel-protocol ssl-client ssl-clientless

address-pools value VPN_Phone

tunnel-group VPNPhone type remote-access

tunnel-group VPNPhone general-attributes

address-pool VPN_Phone

default-group-policy PhoneVPN

tunnel-group VPNPhone webvpn-attributes

group-url https://x.x.x.x/VPNphone enable

username.....password..... for local authentication

Thank you,

Hardik

Labels:
0 Helpful
6 Replies 6

Joseph Martini
Cisco Employee
Cisco Employee

‎10-14-2013 11:07 AM

The first place to look would be the phone's console logs when trying to connect to the VPN.  From there you will see if the phone is failing to connect or if it's a certificate problem between what the phone knows of and what the ASA is using.

0 Helpful

shraavan07
Level 1
Level 1
In response to Joseph Martini

‎10-14-2013 11:53 AM

Hello Joseph,

Thank  you for responding. I disconnect my phone from outside connection and  plug it into LAN so I can pull logs. Once I pulled logs, I don't know  much, but here is what I found might be useful? Please advise. Anything  in perticular i should be looking for?

I see my login credentials:

Then I see this:

Thank You,

Hardik

0 Helpful

Joseph Martini
Cisco Employee
Cisco Employee
In response to shraavan07

‎10-14-2013 12:04 PM

I look for the URL first as a starting point in the logs, search for HTTPS://.  Then look for something about CERT HASH to see if there is a certificate issue.

0 Helpful

shraavan07
Level 1
Level 1
In response to Joseph Martini

‎10-14-2013 12:25 PM

Hello Joseph,

I do not see any "CERT HASH" in Console Logs. I see following https:// sites:

But then I see this:

This is what I see for HTTP://

Thank You,

0 Helpful

Joseph Martini
Cisco Employee
Cisco Employee
In response to shraavan07

‎10-14-2013 12:29 PM

Do you have host ID check disabled in CUCM for the VPN configuration?  The URL being an IP address will not match the certificate Common Name (CN).  You should see if this is a problem from the phone console log too.

0 Helpful

shraavan07
Level 1
Level 1
In response to Joseph Martini

‎10-14-2013 01:08 PM

Yes, I have already disabled Host ID Check option.

0 Helpful
Customers Also Viewed These Support Documents