SSL VPN TFTP address issue

We are running CM 8.6 and have 7942s with 9.3.1 firmware. I recently started deploying about 20 of these phones to home users all over the world and I have another 50 or so to build. However, a number of users are having difficulty with the phones not even prompting to log in to the VPN. Of course everything works just fine in our test lab, but once I send the phones out we run into this problem.

The VPN profiles are set with Auto Network Detect enabled. This is supposed to allow the phone to start the VPN client when it detects it is outside the corporate network. Our corporate phone system runs on 10.10.x.x.

What I am seeing is that the phones are somehow getting the user's default gateway address in the TFTP field, like So the phone can ping that address and then thinks it is internal when it really is not. The phone just gets in a cycle of trying to register to the default gateway.

Why are the phones doing this and how can I make them try the real address? 




I am working with TAC. I have changed one of the four VPN Profiles we are using to auto detect disabled. The phones in the field, however, have the enabled auto detect stored on the device. So until they connect, it won't change the setting.

I have confirmed on a couple of phones that setting it to disabled and getting the phone updated does allow the VPN to work, even though TFTP prior to VPN login is still the default gateway.

I would still like to know why it is working like this and to be able to fix the problem without requiring all of these users to ship the phones back.


I got an answer from TAC and the Development Team: "when populated, the phones are using the "Next server IP address" field in the DHCP Offer as their tftp server. This is legacy behavior and the development team is considering removing this in future releases, however at the moment this is working as designed. The solution is to put the alternate tftp on the phone".

I confirmed that after putting the internal TFTP server address on the phone it presented the login screen. I was then able to connect the phone to the VPN and the phone changed the Network Auto Detect from Enabled to Disabled.
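
To check whether a given home router triggers the behavior TAC describes, the "Next server IP address" (siaddr) field can be read straight out of a captured DHCP Offer. The following is an added example, not part of the original thread or any Cisco tooling; the function names, the sample addresses, and the treatment of 10.10.x.x as 10.10.0.0/16 are assumptions.

```python
import ipaddress
import struct

MAGIC = bytes.fromhex("63825363")  # DHCP magic cookie that follows the BOOTP header
CORP_NET = ipaddress.ip_network("10.10.0.0/16")  # assumption: the post's 10.10.x.x as a /16

def build_offer(yiaddr, siaddr, router, opt150=()):
    """Construct a minimal DHCP Offer (sample input, not a real capture)."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), ip(yiaddr), ip(siaddr), bytes(4),
                      bytes(16), bytes(64), bytes(128))
    opts = bytes([53, 1, 2, 3, 4]) + ip(router)   # message type = Offer, router option
    if opt150:                                    # option 150: TFTP server address list
        opts += bytes([150, 4 * len(opt150)]) + b"".join(ip(a) for a in opt150)
    return hdr + MAGIC + opts + b"\xff"

def parse_offer(pkt):
    """Return the fields a phone could use to pick its TFTP server."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    info = {"siaddr": ipaddress.IPv4Address(pkt[20:24]),  # "Next server IP address"
            "router": None, "opt66": None, "opt150": []}
    i = 240
    while i < len(pkt) and pkt[i] != 255:          # 255 = end option
        if pkt[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        code, data = pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]
        if code == 3 and len(data) >= 4:           # router (default gateway)
            info["router"] = ipaddress.IPv4Address(data[:4])
        elif code == 66:                           # TFTP server name
            info["opt66"] = data.decode("ascii", "replace")
        elif code == 150:
            info["opt150"] = [ipaddress.IPv4Address(data[j:j + 4])
                              for j in range(0, len(data) - 3, 4)]
        i += 2 + len(data)
    return info

def siaddr_misleads(pkt):
    """True when siaddr is populated with a non-corporate address, the case in the thread."""
    si = parse_offer(pkt)["siaddr"]
    return int(si) != 0 and si not in CORP_NET

HOME_OFFER = build_offer("192.168.1.50", "192.168.1.1", "192.168.1.1")  # constructed
LAB_OFFER = build_offer("10.10.20.50", "0.0.0.0", "10.10.20.1", ["10.10.1.5"])  # constructed
```

Feeding the UDP payload of an Offer captured on a user's home network to `siaddr_misleads` shows whether that router fills siaddr with its own address, which is the condition under which the phone needs the alternate TFTP setting.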

