cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2417
Views
15
Helpful
5
Replies

SSL VPN for 8800 phones

tato386
Level 6
Level 6

I have this working for 7900 and 9900 series phones but 8800 is a  no go.  The working phones are using a LSC and CAPF cert on the ASA and connect well.  I tried adding Cisco manufacturing certs from CUCM to ASA but didn't have any effect.  I have also read about disabling MRA but don't know where to do that.  Anything else that 8800 phones need that others don't?

 

Thanks,

Diego

 

1 Accepted Solution

Accepted Solutions

tato386
Level 6
Level 6

Problem fixed by disabling DTLS for the phone VPN group policy.

View solution in original post

5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

what is the version running in 8800 phones.

have you looked any settings you missing ( i know you mentioned all working old phones).

 

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/115785-anyconnect-vpn-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I was running 11.7 at first then upgraded to 12.1 but no change. I noticed the doc only shows 8861. I have 8841 and 8851. 

tato386
Level 6
Level 6

Problem fixed by disabling DTLS for the phone VPN group policy.

Glad that it all working as expected.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

SiobhanSaragusa
Level 1
Level 1

I wanted to add, there is a Cisco bug CSCvn43335 related to this.  In summary, if the TLSv1.2 GCM ciphers are enabled in an ASA, the 8800 series phones will make a Parent Connection with them, and then the DTLS connection will fail to negotiate.  You can work around this one of two ways:  disable DTLS in group-policy PhoneVpnGroup attributes->webvpn->anyconnect ssl dtls none, or remove the GCM ciphers from the global ssl cipher tlsv1.2 custom "list:of:ciphers:without:gcm:here".

 

Also, I hope those at Cisco get around to resolving this. It's incredibly inconvenient to be charged with either lowering security across the board for all AnyConnect sessions in a given ASA, or disabling DTLS for phones which makes calls sound awful when there is the slightest bit of latency.