
Cisco IP Phone VPN Failed

I'm attempting to create a VPN for a Cisco 7962. The phone says VPN Authentication Failed when attempting to connect. I downloaded console logs and I think this is relevant information bolded:


918: NOT 02:57:09.836553 VPNC: cert_vfy_cb: depth:1 of 1, subject:</unstructuredName=phonevpn.<DOMAIN>/C=US/ST=<MY STATE>/L=<MY CITY>/O=<MY COMPANY>/OU=Information Services/CN=phonevpn.<DOMAIN>/emailAddress=security@<DOMAIN>
 919: NOT 02:57:09.837247 VPNC: cert_vfy_cb: depth:1 of 1, pre_err: 20 (unable to get local issuer certificate)
 920: NOT 02:57:09.841202 VPNC: cert_vfy_cb: peer cert saved: /tmp/leaf.crt
 921: NOT 02:57:09.852051 SECD: Leaf cert hash = 88F299CB82310A79F0770150CFC7D787FE8F2B9C
 922: ERR 02:57:09.853266 SECD: EROR:secLoadFile: file not found </tmp/issuer.crt>
 923: ERR 02:57:09.853819 SECD: Unable to open file /tmp/issuer.crt
 924: ERR 02:57:09.890189 VPNC: VPN cert chain verification failed, issuer certificate not found and leaf not trusted
 925: ERR 02:57:09.891888 VPNC: ssl_state_cb: TLSv1: write: alert: fatal:unknown CA
 926: ERR 02:57:09.892710 VPNC: alert_err: SSL write alert: code 48, unknown CA
 927: ERR 02:57:09.893991 VPNC: create_ssl_connection: SSL_connect ret -1 error 1
 928: ERR 02:57:09.894790 VPNC: SSL: SSL_connect: SSL_ERROR_SSL (error 1)
 929: ERR 02:57:09.895495 VPNC: SSL: SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
 930: ERR 02:57:09.896286 VPNC: create_ssl_connection: SSL setup failure
 931: ERR 02:57:09.897881 VPNC: do_login: create_ssl_connection failed
 932: NOT 02:57:09.898603 VPNC: vpn_stop: de-activating vpn
 933: NOT 02:57:09.899348 VPNC: vpn_set_auto: auto -> auto
 934: NOT 02:57:09.899829 VPNC: vpn_set_active: activated -> de-activated



Here is what I believe is the relevant config on the ASA. If I'm missing something please let me know:

ip local pool IPPOOL mask

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address


route outside 1
route inside 1
route inside 1


crypto ca trustpoint CALLMANAGER
enrollment terminal
no ca-check
crl configure
crypto ca trustpoint CISCO_MANUFACTURING_CA
enrollment terminal
no ca-check
crl configure
crypto ca trustpoint CAPF
enrollment terminal
no ca-check
crl configure
crypto ca trustpoint PHONE_VPN
enrollment terminal
fqdn phonevpn.<MY DOMAIN>
subject-name CN=phonevpn.<MY DOMAIN>,OU=Information Services,O=<MY COMPANY>,C=US,St=<MY STATE>,L=<MY CITY>,EA=security@<MY DOMAIN>
keypair KEY
no ca-check
crl configure


enable outside
anyconnect image disk0:/anyconnect.pkg 1
anyconnect enable
tunnel-group-list enable
error-recovery disable

group-policy CLIENTPOLICY internal
group-policy CLIENTPOLICY attributes
dns-server value
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol ssl-client
group-lock value TUNNELPROF
split-tunnel-policy tunnelall
default-domain value <MY DOMAIN>
address-pools value IPPOOL
dynamic-access-policy-record DfltAccessPolicy

vpn-group-policy CLIENTPOLICY
service-type remote-access

tunnel-group TUNNELPROF type remote-access
tunnel-group TUNNELPROF general-attributes
default-group-policy CLIENTPOLICY
tunnel-group TUNNELPROF webvpn-attributes
authentication certificate
group-url https://phonevpn.<MY DOMAIN>/TUNNELPROF enable
group-url https://phonevpn.<MY DOMAIN>/phonevpn enable


I've uploaded the identity certificate into CUCM that was generated on the ASA. I've configured the VPN Gateway and groups in CUCM. I almost feel like CUCM isn't sending the certificate down to the phone. I do a debug on the ASA and when the phone attempts to connect to the ASA, I see no messages. It almost appears as if the phone is not even trying.


I did get the VPN working with username and password on a laptop. This work is being done inside our network and once I get it working, I'll get external DNS and NAT setup and do a final test. 
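
Added example, not part of the original post and not a Cisco tool: a short Python triage script that pulls the certificate-verification events out of a phone console log in the format shown above, and compares the logged leaf hash with the fingerprint of a certificate you hold (for example, the ASA identity certificate that was uploaded to CUCM). The function names are hypothetical, and treating `Leaf cert hash` as SHA-1 over the DER-encoded certificate is an assumption based on its 40-hex-digit length.

```python
import hashlib
import re

# Lines copied from the phone console log in the post above.
SAMPLE_LOG = """\
919: NOT 02:57:09.837247 VPNC: cert_vfy_cb: depth:1 of 1, pre_err: 20 (unable to get local issuer certificate)
921: NOT 02:57:09.852051 SECD: Leaf cert hash = 88F299CB82310A79F0770150CFC7D787FE8F2B9C
926: ERR 02:57:09.892710 VPNC: alert_err: SSL write alert: code 48, unknown CA
928: ERR 02:57:09.894790 VPNC: SSL: SSL_connect: SSL_ERROR_SSL (error 1)
"""

# "<n>: <NOT|ERR> <time> <component>: <message>"
LINE = re.compile(r"^\s*(\d+): (NOT|ERR) (\d\d:\d\d:\d\d\.\d+) (\w+): (.*)$")
PATTERNS = {
    "verify_err": re.compile(r"pre_err: (\d+) \((.+)\)"),          # OpenSSL verify code and text
    "leaf_hash": re.compile(r"Leaf cert hash = ([0-9A-Fa-f]{40})"),
    "tls_alert": re.compile(r"SSL write alert: code (\d+), (.+)"),
    "ssl_error": re.compile(r"SSL_connect: (SSL_ERROR_\w+) \(error (\d+)\)"),
}


def summarize(log_text):
    """Return the first occurrence of each certificate/TLS event found in the log."""
    found = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a console log line in the expected format
        msg = m.group(5)
        for key, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit and key not in found:
                found[key] = hit.groups() if len(hit.groups()) > 1 else hit.group(1)
    return found


def leaf_matches(summary, cert_der):
    """Compare the logged leaf hash with SHA-1 over a DER certificate (assumed hash form)."""
    logged = summary.get("leaf_hash")
    return logged is not None and logged.lower() == hashlib.sha1(cert_der).hexdigest()


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

To use `leaf_matches` on a real export, pass the certificate as DER bytes; a PEM file has to be converted to DER first.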








Hello mate,

I'm getting the same error after replacing the Cisco ASA:


VPNC: SSL: SSL_connect: SSL_ERROR_SYSCALL (error 5)


Did you find a solution?
