
Cisco 7962 over VPN using ASA

shraavan07
Level 1

Hello Everyone,

I am running into an issue configuring a 7962 to connect to Call Manager over a VPN connection. I get VPN Authentication Failed with an "All Concentrators Failed" error in Status messages. Please look at the following config on the ASA:

crypto ca trustpoint VpnPhone

enrollment self

subject-name CN=Firewall

crl configure

crypto ca trustpoint CallManager.pem

enrollment terminal

crl configure

crypto ca trustpoint CAPF.pem

enrollment terminal

crl configure

crypto ca trustpoint Cisco_Manufacturing_CA.pem

enrollment terminal

crl configure

I have uploaded certificates from ASA to Call Manager and from Call Manager to ASA.

ssl trust-point VpnPhone Outside

webvpn

enable Outside

anyconnect ....path to image file

anyconnect enable

tunnel-group-list enable

group-policy PhoneVPN internal

group-policy PhoneVPN attributes

vpn-tunnel-protocol ssl-client ssl-clientless

address-pools value VPN_Phone

tunnel-group VPNPhone type remote-access

tunnel-group VPNPhone general-attributes

address-pool VPN_Phone

default-group-policy PhoneVPN

tunnel-group VPNPhone webvpn-attributes

group-url https://x.x.x.x/VPNphone enable

username.....password..... for local authentication

Thank you,

Hardik

6 Replies

Joseph Martini
Cisco Employee

The first place to look would be the phone's console logs when trying to connect to the VPN.  From there you will see if the phone is failing to connect or if it's a certificate problem between what the phone knows of and what the ASA is using.

Hello Joseph,

Thank you for responding. I disconnected my phone from the outside connection and plugged it into the LAN so I could pull logs. Once I pulled the logs, I don't know much, but here is what I found that might be useful. Please advise. Is there anything in particular I should be looking for?

I see my login credentials:

Then I see this:

Thank You,

Hardik

I look for the URL first as a starting point in the logs, search for HTTPS://.  Then look for something about CERT HASH to see if there is a certificate issue.

Hello Joseph,

I do not see any "CERT HASH" in the Console Logs. I see the following https:// sites:

But then I see this:

This is what I see for HTTP://

Thank You,

Do you have host ID check disabled in CUCM for the VPN configuration?  The URL being an IP address will not match the certificate Common Name (CN).  You should see if this is a problem from the phone console log too.

Yes, I have already disabled Host ID Check option.
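
Added example (not part of the original thread, and not Cisco code): a small Python triage of a saved phone console log that follows the steps suggested above, listing the https:// URLs, pulling out CERT HASH lines, and flagging URLs whose host would not match the ASA certificate CN (CN=Firewall in the posted config). The log lines are constructed, because the thread does not show the real log format, 192.0.2.10 stands in for the x.x.x.x address, and the CN comparison is a simplified model of the host ID check.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines for illustration; NOT the real 7962 console log format.
SAMPLE_LOG = """\
10:01:02 vpn: connecting to HTTPS://192.0.2.10/VPNphone
10:01:03 vpn: peer CERT HASH compared with configured value
10:01:03 vpn: authentication failed
10:01:09 web: fetched http://192.0.2.20/status
"""

URL_RE = re.compile(r"https://[^\s\"'<>]+", re.IGNORECASE)

def find_https_urls(log_text):
    """Return each distinct https:// URL in the log, in order of first appearance."""
    return list(dict.fromkeys(URL_RE.findall(log_text)))

def find_cert_lines(log_text):
    """Return log lines that mention CERT HASH (case-insensitive)."""
    return [ln for ln in log_text.splitlines() if "cert hash" in ln.lower()]

def host_is_ip(url):
    """True when the URL's host part is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def host_matches_cn(url, cert_cn):
    """Simplified host ID check (assumption): URL host must equal the certificate CN."""
    return (urlsplit(url).hostname or "").lower() == cert_cn.lower()

def triage(log_text, cert_cn):
    """Summarise what to look at first: URLs, CN mismatches, CERT HASH lines."""
    urls = find_https_urls(log_text)
    return {
        "urls": urls,
        "cn_mismatch": [u for u in urls if not host_matches_cn(u, cert_cn)],
        "ip_urls": [u for u in urls if host_is_ip(u)],
        "cert_lines": find_cert_lines(log_text),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "Firewall").items():
        print(key, value)
```

A URL listed under both cn_mismatch and ip_urls is the case described above, where an IP-address URL cannot match the certificate CN while host ID check is enabled.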