
VoIP over SSL VPN - Home user DHCP "next server ip address" field breaking phones

Beau Clark
Level 1

OK, so I set up a Cisco SSL IP Phone VPN to an ASA5550.


It works great, except that in 90% of my users' houses, they have a DHCP server that is giving them "next server ip address" with the address of their default gateway.


The Cisco phones are interpreting this as the TFTP server, so the phone pings the TFTP server, verifies connectivity, and does not initiate the VPN because the TFTP server responded.

So the fix is to manually enter the TFTP server address on the phone, which means it is hard coded to a single CUCM server (or 2), so if that CUCM goes down, they are dead.

And, this makes it so the TLV configuration file is now ignored completely and the directory can no longer be used on the phone.


Is there a way to get the phones to ignore this "next server ip address" in the DHCP offering from their home Linksys/D-Link/Netgear router? I went all through a Netgear and there is no option to stop this advertisement from the DHCP; there is no configuration option for this at all.

I did a packet capture of the DHCP offering on a connection that did not work and one that did work, and this "next server ip address" is the only difference. On the connection that had "next server ip address" 0.0.0.0, VPN worked fine and there was no server listed in the TFTP server field. On the failing connections, the router is giving this "next server ip address" 192.168.1.1, which is the address of the user's router, and it is being filled into the TFTP field on the phone.
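The capture comparison described in the post above, as an added example that is not part of the original thread: a small parser that reads the BOOTP "next server" field (`siaddr`) and option 150 from a DHCP payload and flags an offer whose `siaddr` is the default gateway. The function names are hypothetical and the two sample offers are constructed from the addresses quoted in the post (the client address 192.168.1.50 is made up).

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)

def parse_dhcp(payload):
    """Return (siaddr, {option_code: raw_bytes}) for a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    siaddr = socket.inet_ntoa(payload[20:24])      # BOOTP "next server" field
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = End
        if payload[i] == 0:                        # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        options[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return siaddr, options

def ip_list(raw):
    """Decode a run of packed IPv4 addresses (options 3 and 150 use this form)."""
    return [socket.inet_ntoa(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]

def tftp_report(payload):
    """Summarise where this offer could hand a phone a TFTP server address."""
    siaddr, opts = parse_dhcp(payload)
    routers = ip_list(opts.get(3, b""))            # option 3 = default gateway
    return {
        "siaddr": siaddr,
        "option150": ip_list(opts.get(150, b"")),
        "siaddr_set": siaddr != "0.0.0.0",
        "siaddr_is_gateway": siaddr in routers,
    }

def build_offer(siaddr, router):
    """Constructed sample OFFER; stands in for bytes exported from a capture."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), socket.inet_aton("192.168.1.50"),
                      socket.inet_aton(siaddr), bytes(4),
                      bytes(16), bytes(64), bytes(128))
    opts = bytes([53, 1, 2, 3, 4]) + socket.inet_aton(router) + b"\xff"
    return hdr + MAGIC_COOKIE + opts

if __name__ == "__main__":
    for name, si in (("working", "0.0.0.0"), ("failing", "192.168.1.1")):
        print(name, tftp_report(build_offer(si, "192.168.1.1")))
```

To use it on a real capture, pass the UDP payload of the DHCP offer (without Ethernet, IP or UDP headers) to `tftp_report`.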

2 Replies

Adarsh Chauhan
Level 3

Hi,

You might want to be aware of CSCuj71475.

Phone using next server ip address is legacy behavior. What is the phone model and firmware?

Please rate and mark correct if helpful

Regards,

Adarsh Chauhan


Thank you for your prompt response.

I am using a 9971 phone on sip9971.9-4-1-9 on CUCM running 10.5.1.10000-7.

I do not think this bug is my issue because the phones on a connection that does not advertise the "next server ip address" or option 150 are logging into the VPN just fine and do log phone calls. It is only affecting phones where the DHCP server is advertising "next server ip address". But manually entering a TFTP server does resolve the connectivity issue, but it breaks the corporate directory, which is my other issue.