Phone Proxy Question, CTL file not downloading

dbakula01
Level 1

I am trying to get the phone proxy working on our ASA and our UCM 6.x cluster. We have 2 UCM servers. From a phone that is remote, even though I have the CTL file set up on the phone proxy, I am unable to download the CTL file to my phone, even though I give it the TFTP addresses 67.109.xx.254 and 67.109.xx.253. I understand the CTL file is handed out by the ASA and not the UCM, so this should happen before any NAT takes place. Below is my relevant config.

static (inside,XO) 67.109.xx.254 172.20.2.10

static (inside,XO) 67.109.xx.253 172.20.2.11

access-list outside_in extended permit udp any host 67.109.xx.xx eq 69

access-list outside_in extended permit udp any host 67.109.xx.xx eq 69

crypto key generate rsa label cucmtftp1_kp modulus 1024

crypto key generate rsa label cucmtftp2_kp modulus 1024

crypto ca trustpoint cucm_tftp_server1

enrollment self

keypair cucmtftp1_kp

crypto ca enroll cucm_tftp_server1

crypto ca trustpoint cucm_tftp_server2

enrollment self

keypair cucmtftp2_kp

crypto ca enroll cucm_tftp_server2

ctl-file dcpctl1

record-entry cucm-tftp trustpoint cucm_tftp_server1 address 67.109.xx.254

record-entry cucm-tftp trustpoint cucm_tftp_server2 address 67.109.xx.253

no shutdown

tls-proxy dcptls1

server trust-point _internal_PP_dcpctl1

phone-proxy dcp_pp1

media-termination address 67.109.xx.252

tftp-server address 172.20.2.10 interface inside

tftp-server address 172.20.2.11 interface inside

tls-proxy dcptls1

ctl-file dcpctl1

class-map sec_sccp

match port tcp eq 2443

class-map sec_sip

match port tcp eq 5061

policy-map qos_voice_vpn

class sec_sccp

inspect skinny phone-proxy dcp_pp1

class sec_sip

inspect sip phone-proxy dcp_pp1

access-list outside_in extended permit tcp any host 67.109.xx.254 eq 2000 log

access-list outside_in extended permit tcp any host 67.109.xx.254 eq 2443 log

access-list outside_in extended permit tcp any host 67.109.xx.254 eq 3801 log

access-list outside_in extended permit udp any host 67.109.xx.254 eq tftp log

access-list outside_in extended permit udp any host 67.109.xx.254 range 1024 65535 log

access-list outside_in extended permit icmp any host 67.109.xx.254 log

access-list outside_in extended permit tcp any host 67.109.xx.253 eq 2000 log

access-list outside_in extended permit tcp any host 67.109.xx.253 eq 2443 log

access-list outside_in extended permit tcp any host 67.109.xx.253 eq 3801 log

access-list outside_in extended permit udp any host 67.109.xx.253 eq tftp log

access-list outside_in extended permit udp any host 67.109.xx.253 range 1024 65535 log

access-list outside_in extended permit icmp any host 67.109.xx.253 log

1 Reply

matrox24
Level 1

I had this same issue. There is a bug that Cisco is currently trying to fix. If you change your TFTP addresses to an outside address in this section, it should work.

phone-proxy dcp_pp1

media-termination address 67.109.xx.252

tftp-server address 172.20.2.10 interface inside

tftp-server address 172.20.2.11 interface inside

tls-proxy dcptls1

ctl-file dcpctl1
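
A consistency check for the configuration pieces discussed in this thread, as an added example that is not part of either post and is not Cisco tooling. For each `tftp-server` under `phone-proxy`, it looks up the static NAT address a remote phone would be given and confirms that address has a CTL `record-entry` and an inbound UDP/69 permit. The function name `audit` is hypothetical, and the sample text is constructed from the lines posted above with the masked addresses kept as they appear.

```python
import re

# Constructed sample: lines taken from the configuration posted in the question.
CONFIG = """\
static (inside,XO) 67.109.xx.254 172.20.2.10
static (inside,XO) 67.109.xx.253 172.20.2.11
ctl-file dcpctl1
record-entry cucm-tftp trustpoint cucm_tftp_server1 address 67.109.xx.254
record-entry cucm-tftp trustpoint cucm_tftp_server2 address 67.109.xx.253
phone-proxy dcp_pp1
tftp-server address 172.20.2.10 interface inside
tftp-server address 172.20.2.11 interface inside
access-list outside_in extended permit udp any host 67.109.xx.254 eq tftp log
access-list outside_in extended permit udp any host 67.109.xx.253 eq tftp log
"""

def audit(config):
    """Return a list of mismatches between NAT, CTL entries and TFTP permits."""
    nat = {}           # real (inside) address -> mapped (outside) address
    ctl = set()        # addresses listed in CTL record-entries
    tftp_acl = set()   # hosts with inbound UDP/69 permitted
    tftp_servers = []  # real addresses named under phone-proxy
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"static \([^)]*\) (\S+) (\S+)", line):
            nat[m[2]] = m[1]   # syntax on the page: mapped address first, real second
        elif m := re.match(r"record-entry cucm-tftp trustpoint \S+ address (\S+)", line):
            ctl.add(m[1])
        elif m := re.match(r"tftp-server address (\S+) interface \S+", line):
            tftp_servers.append(m[1])
        elif m := re.match(r"access-list \S+ extended permit udp any host (\S+) eq (?:tftp|69)\b", line):
            tftp_acl.add(m[1])
    findings = []
    for real in tftp_servers:
        mapped = nat.get(real)
        if mapped is None:
            findings.append(f"{real}: no static NAT entry found")
            continue
        if mapped not in ctl:
            findings.append(f"{real}: mapped address {mapped} has no CTL record-entry")
        if mapped not in tftp_acl:
            findings.append(f"{real}: mapped address {mapped} has no UDP/69 permit")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG) or ["NAT, CTL entries and TFTP permits agree"]:
        print(finding)
```

An empty result only means these three pieces agree with one another; it says nothing about the ASA bug mentioned in the reply.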