Phone VPN & Auto Network Detect

Gordon Ross
Level 9

Exactly how does auto network detect work for phones configured for VPN ? What logic does the phone use to decide if it's inside or outside the corporate network ?

GTG

Please rate all helpful posts.
9 Replies

Aaron Harrison
VIP Alumni

Hi Gordon

It uses the high-tech mechanism of 'pinging the TFTP server' - no response, it starts the VPN.

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

I'm not seeing that in the WireSharks :-/

I can see it ping the DHCP server - but any DHCP server should be PINGable. It then tries to use the DHCP server as a TFTP server (Option 150 is *NOT* being sent to the phone - Just IP Address, Subnet mask, router & DNS Servers), and after failing to download a config, it then tries to register to the last CUCM servers it used.

The daft thing is that it used to work on this network. I'm wondering if it's another wonderful firmware bug :-(

GTG


Hi Gordon

No, that would be expected. What's happening is that the phones are defaulting to DHCP-as-TFTP as there is no option 150 being handed out. You wouldn't expect op150 on a home network, so part of the configuration for a VPN phone is to hard-code the TFTP, via the alternate TFTP setting. Those pings will then go there instead...

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmevpn.html#wp1013325

(yep, that guide is for CME but for the purposes of this thread it's fine....)

It seems a little silly to hard code TFTP in some ways, but for a phone that will be semi-permanently at someone's house it's not too much of an issue. Before setting it up I kind of imagined it would get the setting from the ASA or something, but that's not how it has been implemented.

Aaron


But alternative TFTP is only needed for Phone Proxy, not VPN. With Phone proxy, the ASA pretends to be a CUCM server, so the phone TFTPs from the ASA and registers with the ASA, thinking it's a CUCM server.

With Phone VPN, the Phone sets up a VPN tunnel to the ASA, and then contacts the CUCM cluster on the normal IP address via the tunnel. No need for changing configured IP addresses anywhere.

GTG


Hi Gordon

Where did you see that documented, or who told you it?

Everywhere I look I see the same notes; it pings the TFTP server (https://supportforums.cisco.com/docs/DOC-9124)... therefore it needs the TFTP server assigning.

I think the main advantage this setup has over Phone Proxy is that it's not Phone Proxy :-)

I.e. it's more or less a standard SSL VPN that anyone can understand, that tunnels all the endpoint traffic (so services, midlets, and stuff that connects to phones for the corporate network will all work nicely).

Aaron

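The detection logic as the two posts above describe it (the phone pings its TFTP server; with no option 150 in the DHCP lease it falls back to using the DHCP server as TFTP; an alternate TFTP setting on the phone overrides both), modelled as an added Python example. This is not code from the original thread or from Cisco's firmware. The option parser, the precedence order "alternate TFTP, then option 150, then DHCP server identifier (option 54)", the constructed DHCP option blobs and the fake probe are all assumptions made for illustration; a real phone's ordering may differ.

```python
"""Model of a VPN phone's 'auto network detect' decision (illustrative, not Cisco code)."""
from __future__ import annotations

import ipaddress
import subprocess
from typing import Callable

OPT_PAD, OPT_END = 0, 255
OPT_SERVER_ID = 54       # DHCP server identifier
OPT_TFTP_SERVERS = 150   # Cisco TFTP server list (one or more IPv4 addresses)


def parse_dhcp_options(blob: bytes) -> dict[int, bytes]:
    """Parse the TLV option area of a DHCP message (the bytes after the magic cookie)."""
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + value   # long options may be split (RFC 3396)
        i += 2 + length
    return opts


def ipv4_list(value: bytes) -> list[str]:
    """Decode a run of packed IPv4 addresses, as carried by options 54 and 150."""
    if len(value) % 4:
        raise ValueError("address list length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, len(value), 4)]


def tftp_candidates(opts: dict[int, bytes], alternate_tftp: str | None = None) -> list[str]:
    """Assumed precedence: alternate TFTP > option 150 > the DHCP server itself."""
    if alternate_tftp:
        return [alternate_tftp]
    if OPT_TFTP_SERVERS in opts:
        return ipv4_list(opts[OPT_TFTP_SERVERS])
    if OPT_SERVER_ID in opts:
        return ipv4_list(opts[OPT_SERVER_ID])
    return []


def decide(opts: dict[int, bytes], probe: Callable[[str], bool],
           alternate_tftp: str | None = None) -> tuple[str, str | None]:
    """Return ('inside', reachable_tftp) or ('vpn', None) if no candidate answers."""
    for target in tftp_candidates(opts, alternate_tftp):
        if probe(target):
            return ("inside", target)
    return ("vpn", None)


def icmp_probe(target: str) -> bool:
    """Real probe for Linux hosts: one ICMP echo with a 1 s timeout (assumed equivalent)."""
    r = subprocess.run(["ping", "-c", "1", "-W", "1", target],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def fake_probe(reachable: set[str]) -> Callable[[str], bool]:
    """Offline stand-in for icmp_probe: a target answers iff it is in `reachable`."""
    return lambda target: target in reachable


# Helpers to build constructed sample option areas (not captures from the thread).
def encode_options(fields: dict[int, bytes]) -> bytes:
    out = bytearray()
    for code, value in fields.items():
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def ipv4_bytes(*addrs: str) -> bytes:
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


CORP_OPTIONS = encode_options({          # constructed corporate lease, option 150 present
    1: ipv4_bytes("255.255.255.0"), 3: ipv4_bytes("10.0.1.1"), 6: ipv4_bytes("10.0.1.53"),
    OPT_SERVER_ID: ipv4_bytes("10.0.1.1"),
    OPT_TFTP_SERVERS: ipv4_bytes("10.0.1.5", "10.0.1.6"),
})
HOME_OPTIONS = encode_options({          # constructed home lease: mask, router, DNS, no 150
    1: ipv4_bytes("255.255.255.0"), 3: ipv4_bytes("192.168.1.1"), 6: ipv4_bytes("192.168.1.1"),
    OPT_SERVER_ID: ipv4_bytes("192.168.1.1"),
})

if __name__ == "__main__":
    print(decide(parse_dhcp_options(CORP_OPTIONS), fake_probe({"10.0.1.5"})))
    # home lease, no alternate TFTP: the DHCP server answers the ping, so no VPN is started
    print(decide(parse_dhcp_options(HOME_OPTIONS), fake_probe({"192.168.1.1"})))
    # same lease with alternate TFTP set to the corporate server: ping fails, VPN starts
    print(decide(parse_dhcp_options(HOME_OPTIONS), fake_probe({"192.168.1.1"}), "10.0.1.5"))
```

The second run is the behaviour reported earlier in the thread: without option 150 the candidate is the home router, any router answers a ping, so the phone never decides it is outside. The third run is the alternate TFTP fix: the only candidate is the corporate TFTP address, which does not answer from the home LAN, so the VPN is started. Swap `fake_probe(...)` for `icmp_probe` to run it against a live network.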

Aaron Harrison wrote:

Where did you see that documented, or who told you it?

That I can't remember: But it was working like that !

I hadn't put alternative TFTP server addresses into any of my VPN phones and they were working. Now, they're not. I'm wondering if something's changed in a firmware rev... (As a bit of background, I screwed up the cert on the ASA, so needed to bring the phones back "inside" to get the fresh cert credentials. All the phones so far that I plugged back in, inside, immediately did a firmware upgrade)

Of course, you can now guess my next question (and I think I know the answer): Is there a way to automatically/centrally populate/update these alternative TFTP addresses, without having to manually enter them into the phones ?

GTG


Hmm... not that I'm aware of. I guess they've not really considered how someone might administer this thing in bulk.

I suspect as you say you might have been seeing a bug previously; I would expect the phones to have upgraded their firmware as the other phones do if all was well.

When I've deployed this I've used the CUCM CAPF service to deploy certs, but you still need that manual step of setting alternate TFTP on the phone.

I've been working on a wee application to do various things, one of the functions allows configuration of macros that you could then point at phones to automate the keystrokes. Let me know if you are interested in trying it...

Aaron


Hi Aaron,

Did you ever release/finish the phone keystroke automation app anywhere?

Hi Cliff

Sure - IPCommute Phone Operations Manager.

www.ipcommute.co.uk

Regards

Aaron
