11-04-2008 08:48 AM - edited 03-15-2019 02:20 PM
I am trying to get the phone proxy working on our ASA and our UCM 6.x cluster. We have 2 UCM servers. From a remote phone, even though I have the CTL file set up on the phone proxy, I am unable to download the CTL file to my phone, even though I give it the TFTP addresses 67.109.xx.254 and 67.109.xx.253. I understand the CTL file is handed out by the ASA and not the UCM, so this should happen before any NAT takes place. Below is my relevant config.
static (inside,XO) 67.109.xx.254 172.20.2.10
static (inside,XO) 67.109.xx.253 172.20.2.11
access-list outside_in extended permit udp any host 67.109.xx.xx eq 69
access-list outside_in extended permit udp any host 67.109.xx.xx eq 69
crypto key generate rsa label cucmtftp1_kp modulus 1024
crypto key generate rsa label cucmtftp2_kp modulus 1024
crypto ca trustpoint cucm_tftp_server1
enrollment self
keypair cucmtftp1_kp
crypto ca enroll cucm_tftp_server1
crypto ca trustpoint cucm_tftp_server2
enrollment self
keypair cucmtftp2_kp
crypto ca enroll cucm_tftp_server2
ctl-file dcpctl1
record-entry cucm-tftp trustpoint cucm_tftp_server1 address 67.109.xx.254
record-entry cucm-tftp trustpoint cucm_tftp_server2 address 67.109.xx.253
no shutdown
tls-proxy dcptls1
server trust-point _internal_PP_dcpctl1
phone-proxy dcp_pp1
media-termination address 67.109.xx.252
tftp-server address 172.20.2.10 interface inside
tftp-server address 172.20.2.11 interface inside
tls-proxy dcptls1
ctl-file dcpctl1
class-map sec_sccp
match port tcp eq 2443
class-map sec_sip
match port tcp eq 5061
policy-map qos_voice_vpn
class sec_sccp
inspect skinny phone-proxy dcp_pp1
class sec_sip
inspect sip phone-proxy dcp_pp1
access-list outside_in extended permit tcp any host 67.109.xx.254 eq 2000 log
access-list outside_in extended permit tcp any host 67.109.xx.254 eq 2443 log
access-list outside_in extended permit tcp any host 67.109.xx.254 eq 3801 log
access-list outside_in extended permit udp any host 67.109.xx.254 eq tftp log
access-list outside_in extended permit udp any host 67.109.xx.254 range 1024 65535 log
access-list outside_in extended permit icmp any host 67.109.xx.254 log
access-list outside_in extended permit tcp any host 67.109.xx.253 eq 2000 log
access-list outside_in extended permit tcp any host 67.109.xx.253 eq 2443 log
access-list outside_in extended permit tcp any host 67.109.xx.253 eq 3801 log
access-list outside_in extended permit udp any host 67.109.xx.253 eq tftp log
access-list outside_in extended permit udp any host 67.109.xx.253 range 1024 65535 log
access-list outside_in extended permit icmp any host 67.109.xx.253 log
11-05-2008 08:53 AM
I had this same issue. There is a bug that Cisco is currently trying to fix. If you change your TFTP addresses to an outside address in this section it should work.
phone-proxy dcp_pp1
media-termination address 67.109.xx.252
tftp-server address 172.20.2.10 interface inside
tftp-server address 172.20.2.11 interface inside
tls-proxy dcptls1
ctl-file dcpctl1
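An added example, not part of either post and not Cisco tooling: a small Python check that cross-references the ctl-file record entries, static NAT lines and phone-proxy tftp-server lines of a saved config, and reports whether each tftp-server address is the real (inside) or mapped (outside) side of a static. The sample input is constructed from lines in the question; the function name `audit` and the report layout are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the config posted in the question.
SAMPLE = """\
static (inside,XO) 67.109.xx.254 172.20.2.10
static (inside,XO) 67.109.xx.253 172.20.2.11
ctl-file dcpctl1
record-entry cucm-tftp trustpoint cucm_tftp_server1 address 67.109.xx.254
record-entry cucm-tftp trustpoint cucm_tftp_server2 address 67.109.xx.253
phone-proxy dcp_pp1
tftp-server address 172.20.2.10 interface inside
tftp-server address 172.20.2.11 interface inside
access-list outside_in extended permit udp any host 67.109.xx.254 eq tftp log
access-list outside_in extended permit udp any host 67.109.xx.253 eq tftp log
"""

# Pre-8.3 syntax as used in the post: static (real_if,mapped_if) mapped_ip real_ip
STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
RECORD = re.compile(r"^record-entry cucm-tftp trustpoint (\S+) address (\S+)")
TFTP = re.compile(r"^tftp-server address (\S+) interface (\S+)")
ACL_TFTP = re.compile(r"^access-list \S+ extended permit udp any host (\S+) eq (?:tftp|69)\b")


def audit(config):
    """Cross-check CTL record entries, static NAT and phone-proxy TFTP lines."""
    mapped_to_real, records, tftp, acl = {}, [], [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC.match(line):
            mapped_to_real[m.group(3)] = m.group(4)
        elif m := RECORD.match(line):
            records.append(m.group(2))
        elif m := TFTP.match(line):
            tftp.append(m.group(1))
        elif m := ACL_TFTP.match(line):
            acl.add(m.group(1))
    real = set(mapped_to_real.values())
    # "real" is None when a record-entry address has no matching static.
    rec = [{"address": a, "real": mapped_to_real.get(a), "tftp_permitted": a in acl}
           for a in records]
    srv = [{"address": a,
            "kind": "real" if a in real else "mapped" if a in mapped_to_real else "unknown"}
           for a in tftp]
    return {"records": rec, "tftp_servers": srv}


if __name__ == "__main__":
    for section, rows in audit(SAMPLE).items():
        for row in rows:
            print(section, row)
```

On the posted config, both tftp-server lines report `real`, and both record entries resolve to a static and have a matching TFTP permit.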