SSL VPN for 8800 phones

tato386
Level 6

I have this working for 7900 and 9900 series phones, but 8800 is a no-go. The working phones are using an LSC and CAPF cert on the ASA and connect well. I tried adding Cisco manufacturing certs from CUCM to the ASA, but it didn't have any effect. I have also read about disabling MRA but don't know where to do that. Anything else that 8800 phones need that the others don't?

Thanks,

Diego

5 Replies 5

balaji.bandi
Hall of Fame

What is the version running on the 8800 phones?

Have you looked for any settings you might be missing (I know you mentioned that all the old phones are working)?

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/115785-anyconnect-vpn-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I was running 11.7 at first then upgraded to 12.1 but no change. I noticed the doc only shows 8861. I have 8841 and 8851. 

tato386
Level 6

Problem fixed by disabling DTLS for the phone VPN group policy.

Glad that it is all working as expected.

BB


SiobhanSaragusa
Level 1

I wanted to add, there is a Cisco bug CSCvn43335 related to this. In summary, if the TLSv1.2 GCM ciphers are enabled in an ASA, the 8800 series phones will make a Parent Connection with them, and then the DTLS connection will fail to negotiate. You can work around this one of two ways: disable DTLS in group-policy PhoneVpnGroup attributes->webvpn->anyconnect ssl dtls none, or remove the GCM ciphers from the global ssl cipher tlsv1.2 custom "list:of:ciphers:without:gcm:here".

Also, I hope those at Cisco get around to resolving this. It's incredibly inconvenient to be charged with either lowering security across the board for all AnyConnect sessions in a given ASA, or disabling DTLS for phones which makes calls sound awful when there is the slightest bit of latency.
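The two workarounds described in the thread, written out as an ASA configuration fragment. This is an added example, not configuration posted by anyone in the thread; the group-policy name PhoneVpnGroup is taken from the reply above, while the cipher suite names in the custom list are an assumed set of non-GCM TLSv1.2 suites and must be checked against the output of "show ssl ciphers" on the ASA in question.

```text
! Added example, not from the original thread.
! Workarounds for 8800-series phones whose DTLS child session fails to
! negotiate when TLSv1.2 GCM suites are enabled on the ASA.

! Option 1: disable DTLS only for the phone group-policy.
! Scope: the phone tunnel group only; other AnyConnect group-policies keep
! DTLS and the global cipher list. Cost: phone audio rides TLS over TCP.
group-policy PhoneVpnGroup attributes
 webvpn
  anyconnect ssl dtls none

! Option 2: keep DTLS for the phones, but drop the GCM suites from the
! global TLSv1.2 cipher list. Scope: every TLS session terminated by the
! ASA, not just the phones. Suite names below are assumed; confirm with
! "show ssl ciphers" before applying.
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:AES256-SHA256"

! Verification once a phone has registered over the VPN:
!   show vpn-sessiondb detail anyconnect
!     - under option 2 the phone's session should list a DTLS-Tunnel child
!       session alongside the SSL-Tunnel; under option 1 only SSL-Tunnel.
!   show ssl ciphers
!     - confirms the active TLSv1.2 list contains no *-GCM-* suites.
```

Pick one option, not both: option 1 isolates the change to the phones, option 2 keeps DTLS for phone audio at the price of removing AEAD suites for every AnyConnect client on the box.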
