
Enable AnyConnect VPN on 88xx

csedlmeier
Level 1

Dear all.

We want to enable the Cisco AnyConnect VPN client on our Cisco 8865.

To do this we follow the following process:
https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/115785-anyconnect-vpn-00.html

We export the cert. from the ASA and import it into CUCM. After this it was possible to do the VPN Gateway configuration on CUCM and do the VPN Profile and VPN Group configuration. After this we copy a Phone Profile, add the VPN configuration, assign this profile to a phone and restart the phone.

But we still have an issue connecting the phone by VPN to the ASA.

We did some troubleshooting and it seems we have to export the cert. from CUCM and import it to the ASA, and we have to create CAPF on the phone?

Would be nice if someone can help me out of this issue.

Thanks in advance!

Christian


Jinto Alakkal
Level 1

Hello,

 

You can use either MIC (manufacturer signed) or LSC (CAPF signed); you only have to use one authentication method, not both. In either case you have to export it from CUCM and it needs to be added as a trustpoint in the ASA. Similarly, the SSL cert also needs to be exported from the ASA to CUCM as VPN trust (Unified OS Administration > Security > Certificate Management > Upload Certificate > Select Phone-VPN-trust).

https://supportforums.cisco.com/t5/ip-telephony/mic-lsc-ctl-confusion/td-p/2658377 this thread is a good read about the trust certs.

Hello all.

Thanks for the help, it helped. After checking our configuration we found out that the CAPF service is not enabled on our cluster because we have no mixed mode (no encryption).

 

I guess it should not be an issue to enable the CAPF service on the publisher to create an LSC for the phone?

Or are there any issues if we do it if we have no encryption in our cluster?

Kind regards

Christian

Hi There,

 

https://supportforums.cisco.com/t5/ip-telephony/understanding-capf/td-p/1556529 this link is your answer: the phone finds the CAPF server through the CTL installed on it, and CTL files will only be generated when you place the cluster in mixed mode. You may use MIC for authentication if the cluster is not in mixed mode.

 

 
