11-05-2018 11:47 AM - edited 03-17-2019 01:40 PM
I have this working for 7900 and 9900 series phones, but 8800 is a no-go. The working phones are using an LSC and CAPF cert on the ASA and connect well. I tried adding Cisco manufacturing certs from CUCM to the ASA, but it didn't have any effect. I have also read about disabling MRA but don't know where to do that. Anything else that 8800 phones need that others don't?
Thanks,
Diego
11-06-2018 01:17 PM
Problem fixed by disabling DTLS for the phone VPN group policy.
11-05-2018 01:04 PM
What is the version running on the 8800 phones?
Have you looked at any settings you may be missing (I know you mentioned all the old phones are working)?
11-05-2018 01:59 PM - edited 11-05-2018 02:39 PM
I was running 11.7 at first then upgraded to 12.1 but no change. I noticed the doc only shows 8861. I have 8841 and 8851.
11-06-2018 01:19 PM
Glad that it is all working as expected.
03-19-2020 04:15 PM
I wanted to add, there is a Cisco bug CSCvn43335 related to this. In summary, if the TLSv1.2 GCM ciphers are enabled in an ASA, the 8800 series phones will make a Parent Connection with them, and then the DTLS connection will fail to negotiate. You can work around this in one of two ways: disable DTLS in group-policy PhoneVpnGroup attributes->webvpn->anyconnect ssl dtls none, or remove the GCM ciphers from the global ssl cipher tlsv1.2 custom "list:of:ciphers:without:gcm:here".
Also, I hope those at Cisco get around to resolving this. It's incredibly inconvenient to be charged with either lowering security across the board for all AnyConnect sessions in a given ASA, or disabling DTLS for phones which makes calls sound awful when there is the slightest bit of latency.
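The post above describes a failure that only appears when two settings coincide: GCM ciphers in the global tlsv1.2 cipher list and DTLS left enabled (the default) on the phone group-policy. The following is an added audit script, not something from the thread or from Cisco, that reads an ASA running-config fragment and reports which group policies still have both conditions, so you can confirm that whichever of the two workarounds you chose actually took effect. The sample config is constructed for the example; PhoneVpnGroup comes from the thread, PhoneVpnGroupFixed and the cipher names in the sample list are assumptions for illustration, not a recommended cipher set.

```python
import re

# Constructed sample ASA running-config fragment (not from the thread).
# The cipher list is illustrative only: one GCM suite and one CBC suite.
SAMPLE_CONFIG = """\
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384"
group-policy PhoneVpnGroup internal
group-policy PhoneVpnGroup attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl dtls enable
group-policy PhoneVpnGroupFixed internal
group-policy PhoneVpnGroupFixed attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl dtls none
"""


def tls12_gcm_state(config):
    """Classify the global 'ssl cipher tlsv1.2' line.

    Returns 'custom-gcm' or 'custom-no-gcm' for a custom list, 'predefined:<level>'
    for a named level (high/medium/low/fips), or 'default' if the line is absent.
    Only a custom list can be inspected offline; for predefined levels, check the
    live box with 'show ssl ciphers'.
    """
    m = re.search(r'^ssl cipher tlsv1\.2 (\S+)(?: "([^"]*)")?', config, re.M)
    if not m:
        return "default"
    level, ciphers = m.group(1), m.group(2) or ""
    if level == "custom":
        return "custom-gcm" if "GCM" in ciphers.upper() else "custom-no-gcm"
    return f"predefined:{level}"


def group_policy_dtls(config):
    """Map each 'group-policy NAME attributes' block to its DTLS state.

    True means DTLS is enabled. ASA indents nested lines with leading spaces and
    defaults to 'anyconnect ssl dtls enable', so a policy counts as enabled unless
    'anyconnect ssl dtls none' appears inside its block.
    """
    policies = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):
            # Top-level line: either opens a new attributes block or ends the current one.
            m = re.match(r"group-policy (\S+) attributes$", line)
            current = m.group(1) if m else None
            if current:
                policies[current] = True
            continue
        if current and line.strip() == "anyconnect ssl dtls none":
            policies[current] = False
    return policies


def affected_policies(config):
    """Group policies that still combine GCM-capable TLSv1.2 with DTLS enabled.

    A predefined or default cipher set is treated conservatively as GCM-capable,
    so only a custom list without GCM clears the global condition.
    """
    if tls12_gcm_state(config) == "custom-no-gcm":
        return []
    return sorted(name for name, dtls in group_policy_dtls(config).items() if dtls)


if __name__ == "__main__":
    print("tlsv1.2 cipher state:", tls12_gcm_state(SAMPLE_CONFIG))
    for name, dtls in group_policy_dtls(SAMPLE_CONFIG).items():
        print(f"  {name}: DTLS {'enabled' if dtls else 'disabled'}")
    print("policies still exposed to CSCvn43335 symptom:", affected_policies(SAMPLE_CONFIG))
```

Run it against the output of show running-config on the ASA; an empty list from affected_policies means either the GCM suites are gone from the custom list or every phone policy has DTLS turned off, which are exactly the two workarounds the post describes.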