I can ping and connect on the CME router from my laptop. I have checked the routing table and everything seems ok.

I have recreated the CIPC ephone but still no luck

If i change the tftp server on the ip communicator preferences and put something completely different it popus an error message saying wrong tftp server.

Is there any sort of debugging i can do to trace the source of the problem?

Thanks

What is the EPHONE mac address you are using.   I usually set it to use 1 mac address at all times.  I sometime see that people have a 1 mac when connected from one place, and another mac when connected from another place.  I would hard code the CIPC to use the same mac address no matter how its connected.

As for debugging you can do a debug tftp events, term mon to find out if the phone is making it back to your UC500 system.  

debug tftp events doesnt show anything

Here is a part of the CME config

Below is a screenshot of the network settings on the ip communicator and last the mac address of the laptop i am using.

ip inspect name ACL_OUT dns

ip inspect name ACL_OUT ftp

ip inspect name ACL_OUT h323

ip inspect name ACL_OUT https

ip inspect name ACL_OUT icmp

ip inspect name ACL_OUT imap

ip inspect name ACL_OUT pop3

ip inspect name ACL_OUT tftp

ip inspect name ACL_OUT tcp router-traffic

ip inspect name ACL_OUT udp router-traffic

ip inspect name ACL_OUT sip

ip inspect name ACL_OUT sip-tls

ip inspect name ACL_OUT ssh

ip dhcp pool phone

   network 10.1.1.0 255.255.255.0

   default-router 10.1.1.1

   option 150 ip 10.1.1.1

!

ip dhcp pool data

   import all

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 192.168.1.120 217.27.32.196

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group EZVPN_GROUP_1

key xxxxxxxxx

dns 217.27.32.196

pool SDM_POOL_1

acl VPN

save-password

max-users 10

crypto isakmp profile sdm-ike-profile-1

   match identity group EZVPN_GROUP_1

   client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1

   isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1

   client configuration address respond

virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile sdm-ike-profile-1

interface FastEthernet0/0

ip address 46.21.56.193 255.255.255.248

ip access-group INBOUND in

ip nat outside

ip inspect ACL_OUT out

ip virtual-reassembly in

duplex auto

speed auto

interface BVI1

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface BVI100

ip address 10.1.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

ip local pool SDM_POOL_1 192.168.60.15 192.168.60.25

ip access-list extended INBOUND

permit tcp any any eq 2000

permit tcp any any established

permit tcp any any eq 3390

permit tcp any any eq 3389

permit gre any any

permit tcp any any eq 1723

permit tcp any any eq smtp

permit tcp any any eq 443

permit udp any any eq isakmp

permit udp any any eq non500-isakmp

permit esp any any

deny   ip any any log

ip access-list extended VPN

permit ip 192.168.1.0 0.0.0.255 any

permit ip 10.1.1.0 0.0.0.255 any

permit ip 192.168.1.0 0.0.0.255 192.168.60.0 0.0.0.255

permit ip 10.1.1.0 0.0.0.255 192.168.60.0 0.0.0.255

ephone-dn  5

number 565

label SOFTPHONE 565

description SOFTPHONE 565

name SOFTPHONE

hold-alert 30 originator

ephone  1

device-security-mode none

mac-address 001A.4B6B.C5C4

type CIPC

button  1:5

Could you do this for me?

1. Make your Primary TFTP server IP as 10.1.1.1 and leave Secondary TFTP server empty.

- OR -

I encountered an issue in CIPC v2.x wherein I need to configure both Primary and Secondary TFTP server IPs to same IP address, in your case this will be 10.1.1.1. This is worth trying.

2. Under the Device Name use the option USE THIS DEVICE NAME and enter 001A4B6BC5C4.

Just tried your above suggestions but still no luck

I think the problem is that the vpn pool 192.168.60.0 is being blocked from accessing the 192.168.1.0 or 10.1.1.0 network.

Windows firewall is off . i have no other network security or antivirus security on the laptop.

Howerver as i said, from the same laptop  i can succesfully connect on another 2900 series router running CME and the CIPC works just fine.

It will drive me crazy

EzVPN client bypasses the inbound ACL configured under interface FastEthernet0/0. You also stated in your first post

"When i establish the vpn connection with the cisco vpn client i can see that i have complete access on the remote network."

To make sure this is true, connect to the VPN and telnet CME IP address on port 2000 (considering your using the defaut port under the Telephony-service).

Yes you are right. actually i meant that i can access all resouces from the windows laptop throught the vpn but something might blocking the CIPC from accessing the remote resources and since the CIPC gets the vpn-pool ip address thats why i made this thought but it was a silly thought.

Ok i telnet 192.168.1.1 2000 and 10.1.1.1 2000 and then i had a blank screen which means i suppose that i can succesfully telnet.

The new strange thing i found out yesterday is that i have exactly the same problem when i am tring to connect on another uc540 on a different customer side. since now this customer hasn't asked me to setup a softphone for him but i have set it up last night and i am facing the same issue. Could it be a compatibility issue between windows 7 , CIPC ver 7.0.6.0,cisco vpn client 5.0.07 64bit and uc540 with software pack 8.1?

I have just used a laptop running windows xp 32 bit and the CIPC worked immediatelly!!

I think the problem is due to compatibility

Good to hear you resolved your issue.

I recommend using Cisco AnyConnect VPN for 64bit machine.