Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1533
Views
0
Helpful
1
Replies

Cisco IP Phone VPN Failed

cheeseburger
Level 1
Level 1

‎05-13-2019 02:42 PM

I'm attempting to create a VPN for a Cisco 7962. The phone says VPN Authentication Failed when attempting to connect. I downloaded console logs and I think this is relevant information bolded:

 

918: NOT 02:57:09.836553 VPNC: cert_vfy_cb: depth:1 of 1, subject:</unstructuredName=phonevpn.<DOMAIN>/C=US/ST=<MY STATE>/L=<MY CITY>/O=<MY COMPANY>/OU=Information Services/CN=phonevpn.<DOMAIN>/emailAddress=security@<DOMAIN>
 919: NOT 02:57:09.837247 VPNC: cert_vfy_cb: depth:1 of 1, pre_err: 20 (unable to get local issuer certificate)
 920: NOT 02:57:09.841202 VPNC: cert_vfy_cb: peer cert saved: /tmp/leaf.crt
 921: NOT 02:57:09.852051 SECD: Leaf cert hash = 88F299CB82310A79F0770150CFC7D787FE8F2B9C
 922: ERR 02:57:09.853266 SECD: EROR:secLoadFile: file not found </tmp/issuer.crt>
 923: ERR 02:57:09.853819 SECD: Unable to open file /tmp/issuer.crt
 924: ERR 02:57:09.890189 VPNC: VPN cert chain verification failed, issuer certificate not found and leaf not trusted
 925: ERR 02:57:09.891888 VPNC: ssl_state_cb: TLSv1: write: alert: fatal:unknown CA
 926: ERR 02:57:09.892710 VPNC: alert_err: SSL write alert: code 48, unknown CA
 927: ERR 02:57:09.893991 VPNC: create_ssl_connection: SSL_connect ret -1 error 1
 928: ERR 02:57:09.894790 VPNC: SSL: SSL_connect: SSL_ERROR_SSL (error 1)
 929: ERR 02:57:09.895495 VPNC: SSL: SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
 930: ERR 02:57:09.896286 VPNC: create_ssl_connection: SSL setup failure
 931: ERR 02:57:09.897881 VPNC: do_login: create_ssl_connection failed
 932: NOT 02:57:09.898603 VPNC: vpn_stop: de-activating vpn
 933: NOT 02:57:09.899348 VPNC: vpn_set_auto: auto -> auto
 934: NOT 02:57:09.899829 VPNC: vpn_set_active: activated -> de-activated

 

 

Here is what I believe is the relevant config on the ASA. If I'm missing something please let me know:

ip local pool IPPOOL 10.69.69.10-10.69.69.254 mask 255.255.255.0

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.242.69.69 255.255.0.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.243.69.69 255.255.0.0

 

route outside 0.0.0.0 0.0.0.0 10.243.0.1 1
route inside 10.201.14.0 255.255.255.0 10.242.0.1 1
route inside 192.168.30.0 255.255.255.0 10.242.0.1 1

 

crypto ca trustpoint CALLMANAGER
enrollment terminal
no ca-check
crl configure
crypto ca trustpoint CISCO_MANUFACTURING_CA
enrollment terminal
no ca-check
crl configure
crypto ca trustpoint CAPF
enrollment terminal
no ca-check
crl configure
crypto ca trustpoint PHONE_VPN
enrollment terminal
fqdn phonevpn.<MY DOMAIN>
subject-name CN=phonevpn.<MY DOMAIN>,OU=Information Services,O=<MY COMPANY>,C=US,St=<MY STATE>,L=<MY CITY>,EA=security@<MY DOMAIN>
keypair KEY
no ca-check
crl configure

 

webvpn
enable outside
anyconnect image disk0:/anyconnect.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable

group-policy CLIENTPOLICY internal
group-policy CLIENTPOLICY attributes
dns-server value 10.175.254.10
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol ssl-client
group-lock value TUNNELPROF
split-tunnel-policy tunnelall
default-domain value <MY DOMAIN>
address-pools value IPPOOL
dynamic-access-policy-record DfltAccessPolicy

vpn-group-policy CLIENTPOLICY
service-type remote-access

tunnel-group TUNNELPROF type remote-access
tunnel-group TUNNELPROF general-attributes
default-group-policy CLIENTPOLICY
tunnel-group TUNNELPROF webvpn-attributes
authentication certificate
group-url https://phonevpn.<MY DOMAIN>/TUNNELPROF enable
group-url https://phonevpn.<MY DOMAIN>/phonevpn enable
without-csd

 

I've uploaded the identity certificate into CUCM that was generated on the ASA. I've configured the VPN Gateway and groups in CUCM. I almost feel like CUCM isn't sending the certificate down to the phone. I do a debug on the ASA and when the phone attempts to connect to the ASA, I see no messages.It almost appears as the phone is not even trying. 

 

I did get the VPN working with username and password on a laptop. This work is being done inside our network and once I get it working, I'll get external DNS and NAT setup and do a final test. 

 

 

 

 

 

 

Labels:
0 Helpful
1 Reply 1

fgasimzade
Level 4
Level 4

‎10-14-2021 03:58 AM

Hello mate,

I getting the same error after replacing Cisco ASA

 

VPNC: SSL: SSL_connect: SSL_ERROR_SYSCALL (error 5)

 

Did you find a solution?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents