
IP Phone VPN client: authentication failed error keeps occurring

xidasd
Level 1

Hello. I'm trying to enable the IP phone VPN client on a 7965G IP phone connected to an ASA5506 SSL VPN, but the "Authentication Failed" error keeps occurring. I have followed this guide: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/manual/cmeadm/cmevpn.html

Could you give me some advice?

My CME server is an ISR4321 with all licenses activated, and the ASA5506-X also has all licenses activated.

Here are the startup configs of my CME server and ASA5506.

 

Saved

:
: Serial Number: JAD222707HT
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(4)15
!
hostname ADV-FW
enable password $sha512$5000$u0JOpvzp3FEfNN7+FvkfIw==$oudXyBHzb0Idtb0Dilt7kg== pbkdf2
multicast-routing
names
no mac-address auto
ip local pool SSLVPN_POOL 172.16.0.10-172.16.0.20 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif Client
security-level 70
ip address 192.168.0.254 255.255.255.128
!
interface GigabitEthernet1/2
nameif DMZ
security-level 50
ip address 192.168.0.125 255.255.255.128
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
nameif Management
security-level 55
ip address 1.1.1.4 255.255.255.0
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone KST 9
dns domain-lookup Client
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 192.168.0.1
access-list DMZ_Client extended permit ip 192.168.0.0 255.255.255.128 192.168.0.128 255.255.255.128
access-list DMZ_Client extended permit ip any any
pager lines 24
mtu Client 1500
mtu DMZ 1500
mtu Management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group DMZ_Client in interface DMZ
access-group DMZ_Client global
router ospf 1
network 192.168.0.0 255.255.255.128 area 0
network 192.168.0.128 255.255.255.128 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server RAD protocol radius
aaa-server RAD (DMZ) host 192.168.0.1
key *****
authentication-port 1812
user-identity default-domain LOCAL
aaa authentication serial console RAD LOCAL
aaa authentication telnet console RAD LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
snmp-server location JeonNam, Korea
snmp-server contact admin@advshow.com
snmp-server community *****
auth-prompt reject qwe
no service password-recovery
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint vpnshow
crl configure
crypto ca trustpoint vpn
enrollment protocol scep url http://192.168.0.126:80
subject-name cn=vpn.advshow.com
serial-number
keypair vpn
crl configure
crypto ca trustpool policy
crypto ca certificate chain vpn
certificate 04
308202b1 3082021a a0030201 02020104 300d0609 2a864886 f70d0101 04050030
(certificate value omitted)

 

telnet 1.1.1.0 255.255.255.0 Management
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcprelay server 192.168.0.1 DMZ
dhcprelay enable Client
dhcprelay timeout 60
dhcprelay information trust-all
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default all
ssl cipher tlsv1 custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC-SHA:NULL-SHA"
ssl cipher dtlsv1 custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC-SHA:NULL-SHA"
ssl trust-point vpn
ssl trust-point vpn Client
ssl trust-point vpn DMZ
ssl certificate-authentication interface Client port 443
webvpn
enable Client
enable DMZ
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-win-4.5.04029-webdeploy-k9.pkg 1
anyconnect enable
cache
disable
error-recovery disable
group-policy SSLVPN_policy internal
group-policy SSLVPN_policy attributes
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
address-pools value SSLVPN_POOL
webvpn
anyconnect ssl dtls enable
anyconnect ssl keepalive 120
anyconnect ask none
group-policy SSLVPNphone internal
group-policy SSLVPNphone attributes
vpn-tunnel-protocol ssl-client ssl-clientless
address-pools value SSLVPN_POOL
webvpn
anyconnect ssl dtls enable
anyconnect ssl keepalive 120
anyconnect ask none
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$6IkEYMvBrfIF8Dy0wm5n/A==$7QzwgC2ptNK27Kaz2IuMqg== pbkdf2 privilege 15
username cisco password $sha512$5000$db7dyJxqooeE1yRYj1cidQ==$e13HlXmWh1rQ9ZToxz4jow== pbkdf2
username cisco attributes
vpn-group-policy SSLVPNphone
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
webvpn
anyconnect ssl dtls enable
anyconnect ask none
username itnsa password $sha512$5000$b1o73VItCRhHkNGd0e7HPA==$crgmuheBOBPkWwL/jcZD/Q== pbkdf2 privilege 15
tunnel-group SSLVPN_tunnel type remote-access
tunnel-group SSLVPN_tunnel general-attributes
address-pool SSLVPN_POOL
default-group-policy SSLVPNphone
tunnel-group SSLVPN_tunnel webvpn-attributes
group-url https://192.168.0.254/SSLVPNphone enable

 

 


CME SERVER

!
version 16.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ADV-R
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable password 7 107E080A160042190840
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization console
aaa authorization exec default group radius local
!
!
!
!
!
!
aaa session-id common
clock timezone KST 9 0
!
ip name-server 192.168.0.1
ip domain name advshow.com
ip multicast-routing distributed
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
ipv6 unicast-routing
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
crypto pki server CA
no database archive
grant auto
!
crypto pki trustpoint qwe
revocation-check crl
!
crypto pki trustpoint CA
revocation-check crl
rsakeypair CA
!
crypto pki trustpoint cert
enrollment url http://192.168.0.126:80
serial-number
revocation-check none
!
crypto pki profile enrollment www
enrollment url http://192.168.0.126
!
!
crypto pki certificate chain qwe
crypto pki certificate chain CA
certificate ca 01
quit
crypto pki certificate chain cert
certificate 03
quit
certificate ca 01
quit
!
!
!
voice service voip
ip address trusted list
ipv4 172.16.0.0 255.255.255.0
no supplementary-service sip handle-replaces
vpn-group 1
vpn-gateway 1 https://192.168.0.254/SSLVPNphone
vpn-trustpoint 1 trustpoint cert root
vpn-hash-algorithm sha-1
vpn-profile 1
host-id-check disable
!
!
!
voice moh-group 1
moh enable-g711 "flash:/music2.wav"
multicast moh 239.50.20.1 port 5000
extension-range 1000 to 1002
!
!
voice moh-group 2
moh enable-g711 "flash:/music.wav"
multicast moh 239.1.1.1 port 2000
extension-range 1003 to 1010
!
!
voice logout-profile 1
number 1001 type normal
speed-dial 1 1003 label "qwe" blf
privacy-button
!
voice user-profile 1
max-idle-time 10
user 1004 password 1004
number 1004 type normal
!
!
voice translation-rule 100
rule 1 reject /1002/
!
!
voice translation-profile Reject-1002
translate calling 100
!
voice translation-profile reject
!
!
!
license udi pid ISR4321/K9 sn FDO22390JK2
license accept end user agreement
license boot level securityk9
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
archive
path ftp://ftpuser:Passw0rd$@192.168.0.1/backup/$h-$t.cfg
write-memory
!
!
restconf
!
username itnsa privilege 15 password 7 13351601181B54382F60
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 192.168.0.126 255.255.255.128
ip pim sparse-dense-mode
nat64 enable
!
interface GigabitEthernet0/0/0.99
encapsulation dot1Q 99
ip address 1.1.1.3 255.255.255.0
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
nat64 enable
ipv6 address 2001:DB8:1::1/64
ipv6 enable
ipv6 eigrp 1
ipv6 traffic-filter HTTPBLOCK in
!
interface GigabitEthernet0/0/1.10
!
interface Serial0/1/0
no ip address
shutdown
!
interface Serial0/1/1
no ip address
shutdown
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router ospf 1
network 192.168.0.126 0.0.0.0 area 0
default-information originate
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 Null0
!
!
!
ip access-list extended Management
permit ip 1.1.1.0 0.0.0.255 any
deny ip any any
ip access-list extended qwd
ip access-list extended test
deny icmp any any log-input
logging facility local6
logging host 192.168.0.1
ipv6 route ::/0 Null0
ipv6 router eigrp 1
eigrp router-id 1.1.1.1
redistribute static
!
!
!
snmp-server community snmp_ro RO
snmp-server location JeonName, Korea
snmp-server contact admin@advshow.com
tftp-server Desktops/320x212x16/List.xml
tftp-server flash:/Desktops/320x212x16/List.xml
tftp-server flash:Desktops
tftp-server flash:/Desktops
tftp-server flash:Desktops/320x212x16
tftp-server flash:List.xml
tftp-server flash:Desktops/320x212x16/Cisco-nail.png
tftp-server flash:Desktops/320x212x16/Cisco-logo.png
tftp-server flash:music.wav
!
!
!
radius server RADIUS
!
radius server RAD
address ipv4 192.168.0.1 auth-port 1812 acct-port 1646
key 7 097C4F1A0A1247000F48
!
!
ipv6 access-list HTTPBLOCK
deny tcp any any eq www log-input
permit ipv6 any any
!
ipv6 access-list ipv6
permit ipv6 any any
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
ccm-manager music-on-hold
!
!
telephony-service
moh-file-buffer 10000
authentication credential admin cisco
em logout 19:0
max-ephones 6
max-dn 10
ip source-address 192.168.0.126 port 2000
max-redirect 5
service phone webAccess 0
system message ADVSHOW.COM
url authentication http://192.168.0.126/CCMCIP/authenticate.asp admin cisco
cnf-file location flash:
cnf-file perphone
voicemail 3000
max-conferences 8 gain -6
call-park system application
transfer-system full-consult
after-hours block pattern 1 1...
after-hours block pattern 2 2... 7-24
after-hours day Thu 20:00 23:59
after-hours day Sat 12:00 23:59
night-service day Thu 20:00 23:59
fac custom dpark-retrieval ##25
create cnf-files version-stamp Jan 01 2002 00:00:00
!
!
dial-peer voice 1 voip
destination-pattern 3...
session protocol sipv2
session target ipv4:192.168.0.1
dtmf-relay rtp-nte
codec g711ulaw
!
!
presence
!
sip-ua
mwi-server ipv4:192.168.0.1 expires 86400 port 5060 transport udp
presence enable
!
!
ephone-dn-template 1
call-forward busy 1006
!
!
ephone-template 1
url-button 1 http://www.advshow.com www.advshow.com
!
!
ephone-dn 1
number 1001
call-forward noan 3001 timeout 5
!
!
ephone-dn 2
number 1002
call-forward noan 3002 timeout 5
!
!
ephone-dn 3
number 1004
label test
description test
name test
call-forward noan 1006 timeout 5
!
!
ephone 1
park reservation-group 1
device-security-mode none
transfer-park blocked
mac-address 5478.1AE0.BE2C
type 7965
vpn-group 1
vpn-profile 1
button 1:1
!
!
!
ephone 2
park reservation-group 1
device-security-mode none
transfer-park blocked
mac-address 5478.1AE0.C1C6
button 1:2
!
!
!
ephone 3
device-security-mode none
mac-address 000C.2906.B86D
ephone-template 1
type CIPC
!
!
!
ephone 22
device-security-mode none
!
!
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class Management in
transport input telnet
line vty 5 15
access-class Management in
transport input telnet
!
ntp authentication-key 1 md5 01230717481C561D2508 7
ntp authenticate
ntp trusted-key 1
ntp server 2001:DB8:1::2
nat64 prefix stateful 2001:DB8:4::/96
nat64 v4 pool ipv4 10.20.30.1 10.20.30.254
nat64 v4v6 static 192.168.0.1 2001:DB8:4::2
nat64 v4v6 static 192.168.0.125 2001:DB8:4::3
nat64 v6v4 list ipv6 pool ipv4
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

 

1 Reply

xidasd
Level 1

Oh, I clicked the wrong topic type.