09-27-2021 11:34 AM - edited 09-27-2021 01:08 PM
Hello all,
Bear with me, as I am VERY new to firewalls, just messing around with an old ASA5520 in my lab.
I am trying to set up the firewall so my Avaya IP Phone can VPN back to it.
Here is where it's getting stuck:
The only Phase 2 settings I can input in my phone are:
- IPsec PFS DH Group: Set to No PFS
- IPsec Encryption Alg: Set to AES-128
- IPsec Auth. Alg.: Set to SHA-1
Phone is showing "IKE Phase 2 no response"
Suggestions?
09-27-2021 03:47 PM
Hello,
can you post your ASA config? Without knowing which Avaya models you actually have, take a look at the document linked below:
https://finkotek.com/cisco-asa-vpn-on-avaya-ip-phone-with-certificate-authentication-and-scep/
09-28-2021 05:14 AM - edited 09-28-2021 05:27 AM
@Georg Pauwen See below:
: Saved
:
: Serial Number: JMX1002K04V
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)4
!
hostname dsm-asa
domain-name www.xxx.com
enable password wdTpp2T9PTYfBG49 encrypted
names
ip local pool Avaya_VPN_Phones 10.10.20.5-10.10.20.15 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.213 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif mgmt
 security-level 100
 ip address 10.10.15.50 255.255.255.0
!
banner login Unauthorized access makes me :(
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222
 domain-name www.xxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Internat
 subnet 10.10.10.0 255.255.255.0
 description Access to Internet
object network NETWORK_OBJ_10.10.20.0_28
 subnet 10.10.20.0 255.255.255.0
object network obj_192.168.1.252
 host 192.168.1.252
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE_IN extended permit icmp any any echo-reply
pager lines 24
logging enable
logging trap informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.20.0_28 NETWORK_OBJ_10.10.20.0_28 no-proxy-arp route-lookup
!
object network Internat
 nat (any,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.214 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 10.10.15.0 255.255.255.0 mgmt
http 10.10.10.0 255.255.255.0 inside
http 69.XXX.XXX.XXX 255.255.255.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set AES128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 69.xxx.xxx.0 255.255.255.0 outside
ssh 69.xxx.xxx.0 255.255.255.0 inside
ssh 10.10.10.0 255.255.255.0 inside
ssh 10.10.15.0 255.255.255.0 mgmt
ssh 10.10.10.0 255.255.255.0 mgmt
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd domain www.xxx.com
dhcpd option 3 ip 10.10.10.1
!
dhcpd address 10.10.10.100-10.10.10.150 inside
dhcpd enable inside
!
dhcpd address 10.10.15.100-10.10.15.105 mgmt
dhcpd enable mgmt
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 default-domain value www.xxx.com
 split-tunnel-all-dns disable
username vpnphone4 password xRoxWaRq28O7oRty encrypted
username vpnphone5 password xRoxWaRq28O7oRty encrypted
username vpnphone2 password xRoxWaRq28O7oRty encrypted
username vpnphone3 password xRoxWaRq28O7oRty encrypted
username vpnphone1 password xRoxWaRq28O7oRty encrypted
username cisco password QoZZ4p8qBUKyWxpF encrypted
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
 address-pool Avaya_VPN_Phones
 default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9add31dab79f9984b9407867afdf4b27
: end
no asdm history enable
09-28-2021 10:26 AM
Hello,
try and use the transform set below:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
09-28-2021 10:59 AM - edited 09-28-2021 11:04 AM
Appreciate the reply. I ran that command, same issue with Phase 2.
Side note, when I was following some documents trying to get this set up, my ASA did not have this option shown:
Is that the same as this spot on the ASA? Sorry for the stupid questions. Just a Senior Telecom Engineer getting my feet wet.
09-28-2021 11:37 AM
Hello,
that looks like it is the same option.
So still no phase 2...I'll see what I can find...
09-28-2021 11:55 AM
Hello,
I am not sure if PFS is needed or not, try and set it on your phone, and on the ASA:
crypto map outside_map 1 set pfs group2
Also, check if on the ASA, under the crypto map, you can set:
reverse-route
09-28-2021 12:01 PM
When I had Cisco Admins set up these VPNs in the past, we never used PFS.
09-28-2021 11:15 AM - edited 09-28-2021 11:17 AM
09-29-2021 09:54 AM
Someone from my Avaya Forum mentioned: "I believe you may need to check and match the group name." - I am not sure what they mean 100% however I am sure someone here does.
09-29-2021 11:52 AM
Hello,
they could be referring to the default group name for the Avaya phones:
mscep
I don't think it makes much of a difference, as that group name should only be locally significant (to the ASA), but you could change it anyway:
tunnel-group mscep type remote-access
tunnel-group mscep general-attributes
address-pool Avaya_VPN_Phones
default-group-policy mscep
tunnel-group mscep ipsec-attributes
ikev1 pre-shared-key *****
09-29-2021 11:56 AM
Hello,
can you post the *settings.txt file for the Avaya?
09-29-2021 12:00 PM
Here you go:
## IPOFFICE/11.1.1.1.0 build 18 10.10.10.5 AUTOGENERATED
IF $MODEL4 SEQ 1603 GOTO 16XXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ 1608 GOTO 16XXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ 1616 GOTO 16XXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ 9620 GOTO 96XXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ 9630 GOTO 96XXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ 9640 GOTO 96XXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ 9650 GOTO 96XXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ 9608 GOTO 96X1AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ 9611 GOTO 96X1AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ 9621 GOTO 96X1AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ 9641 GOTO 96X1AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J129 GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J139 GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J169 GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J179 GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J159 GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J189 GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ K175 GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ K165 GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ K155 GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ aca GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ aci GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ acm GOTO SIPXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ acw GOTO SIPXAUTOGENERATEDSETTINGS
GOTO NONAUTOGENERATEDSETTINGS
# SIPXAUTOGENERATEDSETTINGS
IF $SIG_IN_USE SEQ H323 GOTO 96X1AUTOGENERATEDSETTINGS
SET RTP_PORT_LOW 46750
SET RTP_PORT_RANGE 4002
SET TLSSRVRID 0
SET ENABLE_G711U 1
SET ENABLE_G711A 1
SET ENABLE_G729 1
SET ENABLE_G722 0
SET ENABLE_G726 0
SET ENABLE_OPUS 0
SET DTMF_PAYLOAD_TYPE 101
SET SIPDOMAIN 10.10.10.5
SET ENFORCE_SIPS_URI 0
SET DSCPAUD 46
SET DSCPSIG 34
SET HTTPPORT 8411
SET TRUSTCERTS WebRootCA.pem
SET COUNTRY USA
SET ISO_SYSTEM_LANGUAGE en_US
IF $MODEL4 SEQ J129 GOTO J1X9AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J139 GOTO J1X9AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J169 GOTO J1X9AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J179 GOTO J1X9AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J159 GOTO J1X9AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J189 GOTO J1X9AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ K175 GOTO K1EXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ K165 GOTO K1EXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ K155 GOTO K1EXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ aca GOTO K1EXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ aci GOTO K1EXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ acm GOTO K1EXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ acw GOTO K1EXAUTOGENERATEDSETTINGS
# J1X9AUTOGENERATEDSETTINGS
SET RTCPMON 10.10.10.5
SET RTCPMONPORT 5005
IF $MODEL4 SEQ J129 GOTO J129AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J139 GOTO STIMULUSPHONECOMMONSETTINGS
IF $MODEL4 SEQ J169 GOTO STIMULUSPHONECOMMONSETTINGS
IF $MODEL4 SEQ J179 GOTO STIMULUSPHONECOMMONSETTINGS
IF $MODEL4 SEQ J159 GOTO STIMULUSPHONECOMMONSETTINGS
IF $MODEL4 SEQ J189 GOTO STIMULUSPHONECOMMONSETTINGS
GOTO NONAUTOGENERATEDSETTINGS
# J129AUTOGENERATEDSETTINGS
SET USER_STORE_URI "http://10.10.10.5:8411/user"
SET MWISRVR "10.10.10.5"
SET SIP_CONTROLLER_LIST 10.10.10.5:5060;transport=tcp
SET CONFERENCE_FACTORY_URI "ConfServer@10.10.10.5"
SET AUTH 0
SET ENCRYPT_SRTCP 0
SET GMTOFFSET -4:00
SET SNTPSRVR ""
SET DSTOFFSET 0
SET DAYLIGHT_SAVING_SETTING_MODE 2
SET DSTSTART 2SunMar2L
SET DSTSTOP 1SunNov2L
SET PHNMOREEMERGNUMS "911"
SET PHNEMERGNUM "911"
SET LANGUAGES Mlf_J129_LatinAmericanSpanish.xml,Mlf_J129_CanadianFrench.xml,Mlf_J129_BrazilianPortuguese.xml,Mlf_J129_Italian.xml
SET MEDIAENCRYPTION 9
GOTO NONAUTOGENERATEDSETTINGS
# STIMULUSPHONECOMMONSETTINGS
SET SIP_CONTROLLER_LIST 10.10.10.5:5060;transport=tcp
SET AUTH 0
SET MEDIA_PRESERVATION 1
SET PRESERVED_CONNECTION_DURATION 120
SET MEDIAENCRYPTION 9
IF $MODEL4 SEQ J139 GOTO J139AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J169 GOTO J169J179AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J179 GOTO J169J179AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J159 GOTO J159AUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J189 GOTO J189AUTOGENERATEDSETTINGS
GOTO NONAUTOGENERATEDSETTINGS
# J139AUTOGENERATEDSETTINGS
SET LANGUAGES Mlf_J139_LatinAmericanSpanish.xml,Mlf_J139_CanadianFrench.xml,Mlf_J139_BrazilianPortuguese.xml,Mlf_J139_Italian.xml
GOTO NONAUTOGENERATEDSETTINGS
# J169J179AUTOGENERATEDSETTINGS
SET LANGUAGES Mlf_J169_J179_LatinAmericanSpanish.xml,Mlf_J169_J179_CanadianFrench.xml,Mlf_J169_J179_BrazilianPortuguese.xml,Mlf_J169_J179_Italian.xml
GOTO NONAUTOGENERATEDSETTINGS
# J159AUTOGENERATEDSETTINGS
SET LANGUAGES Mlf_J159_LatinAmericanSpanish.xml,Mlf_J159_CanadianFrench.xml,Mlf_J159_BrazilianPortuguese.xml,Mlf_J159_Italian.xml
GOTO NONAUTOGENERATEDSETTINGS
# J189AUTOGENERATEDSETTINGS
SET LANGUAGES Mlf_J189_LatinAmericanSpanish.xml,Mlf_J189_CanadianFrench.xml,Mlf_J189_BrazilianPortuguese.xml,Mlf_J189_Italian.xml
GOTO NONAUTOGENERATEDSETTINGS
# K1EXAUTOGENERATEDSETTINGS
SET ENABLE_AVAYA_CLOUD_ACCOUNTS 0
SET ENABLE_IPO_PORTAL_MESSAGING 0
SET SIP_CONTROLLER_LIST 10.10.10.5:5060;transport=tcp
SET CONFERENCE_FACTORY_URI "ConfServer@10.10.10.5"
SET PSTN_VM_NUM "VM.user@10.10.10.5"
SET SETTINGS_FILE_URL "http://10.10.10.5:8411/46xxsettings.txt"
SET MEDIAENCRYPTION 9
SET ENCRYPT_SRTCP 0
SET DSCPVID 46
IF $MODEL4 SEQ acm GOTO EQNXCOMMONAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ acw GOTO EQNXCOMMONAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ aci GOTO EQNXCOMMONAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ aca GOTO EQNXCOMMONAUTOGENERATEDSETTINGS
# EQNXCOMMONAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ K175 GOTO K1XXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ K165 GOTO K1XXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ K155 GOTO K1XXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ acm GOTO EQNXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ acw GOTO EQNXAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ aci GOTO EQNXIOSSPECIFICSETTINGS
GOTO NONAUTOGENERATEDSETTINGS
# K1XXAUTOGENERATEDSETTINGS
SET USER_STORE_URI "http://10.10.10.5:8411"
SET SNTPSRVR "10.10.10.5"
SET INTER_DIGIT_TIMEOUT 2
SET NO_DIGITS_TIMEOUT 30
SET ENABLE_PUBLIC_CA_CERTS 0
SET AUDIO_DEVICE_CALL_CONTROL_ENABLED 1
SET BUTTON_MODULE_ENABLE 2
GOTO NONAUTOGENERATEDSETTINGS
# EQNXAUTOGENERATEDSETTINGS
SET AUDIO_DEVICE_CALL_CONTROL_ENABLED 1
GOTO NONAUTOGENERATEDSETTINGS
# EQNXIOSSPECIFICSETTINGS
SET PUSH_NOTIFICATION_ENABLED 0
GOTO NONAUTOGENERATEDSETTINGS
# 16XXAUTOGENERATEDSETTINGS
SET LANG1FILE "mlf_Sage_v502_spanish_latin.txt"
SET LANG2FILE "mlf_Sage_v502_french_can.txt"
SET LANG3FILE "mlf_Sage_v502_portuguese.txt"
SET LANG4FILE "mlf_Sage_v502_italian.txt"
SET BRURI "http://10.10.10.5:8411/user/backuprestore/"
SET HTTPPORT "8411"
GOTO NONAUTOGENERATEDSETTINGS
# 96XXAUTOGENERATEDSETTINGS
IF $SIG SEQ 2 GOTO NONAUTOGENERATEDSETTINGS
SET SCREENSAVERON 240
SET SCREENSAVER 96xxscr.jpg
SET LANG1FILE "mlf_S31_v76_spanish_latin.txt"
SET LANG2FILE "mlf_S31_v76_french_can.txt"
SET LANG3FILE "mlf_S31_v76_portuguese.txt"
SET LANG4FILE "mlf_S31_v76_italian.txt"
SET BRURI "http://10.10.10.5:8411/user/backuprestore/"
SET HTTPPORT "8411"
GOTO NONAUTOGENERATEDSETTINGS
# 96X1AUTOGENERATEDSETTINGS
SET TRUSTCERTS "Root-CA-021430D3.pem"
SET TLSSRVRVERIFYID 1
IF $SIG SEQ 2 GOTO NONAUTOGENERATEDSETTINGS
SET BRURI "http://10.10.10.5:8411/user/backuprestore/"
SET HTTPPORT "8411"
SET SCREENSAVERON 240
IF $MODEL4 SEQ 9608 GOTO BRANDINGSCR9608
SET SCREENSAVER 96xxscr.jpg
GOTO BRANDINGSCREND
# BRANDINGSCR9608
SET SCREENSAVER 9608scr.jpg
GOTO BRANDINGSCREND
# BRANDINGSCREND
SET LANG1FILE "mlf_96x1_v204_spanish_latin.txt"
SET LANG2FILE "mlf_96x1_v204_french_can.txt"
SET LANG3FILE "mlf_96x1_v204_portuguese.txt"
SET LANG4FILE "mlf_96x1_v204_italian.txt"
IF $MODEL4 SEQ 9608 GOTO NONAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ 9611 GOTO NONAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J169 GOTO NONAUTOGENERATEDSETTINGS
IF $MODEL4 SEQ J179 GOTO NONAUTOGENERATEDSETTINGS
SET WEATHERAPP ""
SET WORLDCLOCKAPP ""
SET WMLHELPSTAT 0
GOTO NONAUTOGENERATEDSETTINGS
# NONAUTOGENERATEDSETTINGS
SET USBLOGINSTAT 0
SET ENHDIALSTAT 0
# PRODUCT_LINE_SETTINGS
IF $MODEL4 SEQ 1603 GOTO SETTINGS16XX
IF $MODEL4 SEQ 1608 GOTO SETTINGS16XX
IF $MODEL4 SEQ 1616 GOTO SETTINGS16XX
IF $MODEL4 SEQ 9620 GOTO SETTINGS96X0
IF $MODEL4 SEQ 9630 GOTO SETTINGS96X0
IF $MODEL4 SEQ 9640 GOTO SETTINGS96X0
IF $MODEL4 SEQ 9650 GOTO SETTINGS96X0
IF $MODEL4 SEQ 9608 GOTO SETTINGS96X1
IF $MODEL4 SEQ 9611 GOTO SETTINGS96X1
IF $MODEL4 SEQ 9621 GOTO SETTINGS96X1
IF $MODEL4 SEQ 9641 GOTO SETTINGS96X1
IF $MODEL4 SEQ J129 GOTO SETTINGSJ1X9
IF $MODEL4 SEQ J139 GOTO SETTINGSJ1X9
IF $MODEL4 SEQ J169 GOTO SETTINGSJ1X9
IF $MODEL4 SEQ J179 GOTO SETTINGSJ1X9
IF $MODEL4 SEQ J159 GOTO SETTINGSJ1X9
IF $MODEL4 SEQ J189 GOTO SETTINGSJ1X9
IF $MODEL4 SEQ K175 GOTO SETTINGSK1EX
IF $MODEL4 SEQ K165 GOTO SETTINGSK1EX
IF $MODEL4 SEQ K155 GOTO SETTINGSK1EX
IF $MODEL4 SEQ aca GOTO SETTINGSK1EX
IF $MODEL4 SEQ aci GOTO SETTINGSK1EX
IF $MODEL4 SEQ acm GOTO SETTINGSK1EX
IF $MODEL4 SEQ acw GOTO SETTINGSK1EX
GOTO PER_MODEL_SETTINGS
# SETTINGS96X1
SET UNNAMEDSTAT 0
IF $SIG_IN_USE SEQ H323 GOTO SETTINGS96X1H323
SET TLSSRVRID 0
SET SUBSCRIBE_SECURITY 0
SET ENFORCE_SIPS_URI 0
GOTO PER_MODEL_SETTINGS
# SETTINGS96X1H323
GOTO PER_MODEL_SETTINGS
# SETTINGS96X0
IF $SIG SEQ 2 GOTO SETTINGSSIP96xx
GOTO PER_MODEL_SETTINGS
# SETTINGSSIP96xx
SET TLSSRVRID 0
SET SUBSCRIBE_SECURITY 0
SET ENFORCE_SIPS_URI 0
GOTO PER_MODEL_SETTINGS
# SETTINGS16XX
GOTO PER_MODEL_SETTINGS
# SETTINGSJ1X9
IF $SIG_IN_USE SEQ H323 GOTO PER_MODEL_SETTINGS
SET SIMULTANEOUS_REGISTRATIONS 1
SET ENABLE_AVAYA_ENVIRONMENT 0
SET SIPREGPROXYPOLICY "alternate"
SET DISCOVER_AVAYA_ENVIRONMENT 0
SET FAILBACK_POLICY admin
SET SEND_DTMF_TYPE 2
SET SYMMETRIC_RTP 1
SET SIG_PORT_LOW 1024
SET SIG_PORT_RANGE 64511
SET TCP_KEEP_ALIVE_STATUS 1
SET ENABLE_PRESENCE 0
SET ENABLE_SHOW_EMERG_SK 0
SET ENABLE_SHOW_EMERG_SK_UNREG 0
SET TCP_KEEP_ALIVE_TIME 30
SET ENABLE_OOD_RESET_NOTIFY 1
SET IPV6STAT 0
IF $MODEL4 SEQ J139 GOTO STIMULUSSETTINGS
IF $MODEL4 SEQ J169 GOTO STIMULUSSETTINGS
IF $MODEL4 SEQ J179 GOTO STIMULUSSETTINGS
IF $MODEL4 SEQ J159 GOTO STIMULUSSETTINGS
IF $MODEL4 SEQ J189 GOTO STIMULUSSETTINGS
GOTO PER_MODEL_SETTINGS
# STIMULUSSETTINGS
SET ENABLE_IPOFFICE 2
SET SDPCAPNEG 1
SET CONNECTION_REUSE 1
SET ENCRYPT_SRTCP 0
SET INGRESS_DTMF_VOL_LEVEL -1
GOTO PER_MODEL_SETTINGS
# SETTINGSK1EX
SET SSOENABLED 0
SET EWSSSO 0
SET SIPREGPROXYPOLICY "alternate"
SET IPO_PRESENCE_ENABLED 1
SET IPO_CONTACTS_ENABLED 1
SET DND_SAC_LINK 1
SET POUND_KEY_AS_CALL_TRIGGER 0
SET OBSCURE_PREFERENCES "ESMENABLED,ESMSRVR,ESMPORT,ESMREFRESH,ESMUSERNAME,ESMPASSWORD,ACSENABLED,ACSSRVR,ACSPORT,ACSUSERNAME,ACSPASSWORD,DIRENABLED,DIRSRVR,DIRSRVRPRT,DIRTOPDN,DIRSECURE,DIRUSERNAME,DIRPASSWORD,SSOENABLED,WINDOWS_IMPROVIDER,AUTO_AWAY_TIME"
SET ENABLE_PPM 0
SET ENABLE_OPUS 1
SET SIMULTANEOUS_REGISTRATIONS 1
SET ENABLE_AVAYA_ENVIRONMENT 0
SET DISCOVER_AVAYA_ENVIRONMENT 0
SET ENABLE_IPOFFICE 1
SET ENABLE_IPO_CALL_LOG 1
SET SUBSCRIBE_LIST_NON_AVAYA "reg,message-summary,avaya-ccs-profile"
SET SDPCAPNEG 1
SET SIPENABLED 1
IF $MODEL4 SEQ K175 GOTO SETTINGSK1XX
IF $MODEL4 SEQ K165 GOTO SETTINGSK1XX
IF $MODEL4 SEQ K155 GOTO SETTINGSK1XX
IF $MODEL4 SEQ aca GOTO SETTINGSEQNX
IF $MODEL4 SEQ aci GOTO SETTINGSEQNX
IF $MODEL4 SEQ acm GOTO SETTINGSEQNX
IF $MODEL4 SEQ acw GOTO SETTINGSEQNX
GOTO PER_MODEL_SETTINGS
# SETTINGSK1XX
SET UPGRADE_POLICY 0
SET REGISTERWAIT 300
SET ENABLE_PHONE_LOCK 0
SET ENABLE_PRESENCE 1
GOTO END
# PER_MODEL_SETTINGS
IF $MODEL4 SEQ 1603 GOTO SETTINGS1603
IF $MODEL4 SEQ 1608 GOTO SETTINGS1608
IF $MODEL4 SEQ 1616 GOTO SETTINGS1616
IF $MODEL4 SEQ 9620 GOTO SETTINGS9620
IF $MODEL4 SEQ 9630 GOTO SETTINGS9630
IF $MODEL4 SEQ 9640 GOTO SETTINGS9640
IF $MODEL4 SEQ 9650 GOTO SETTINGS9650
IF $MODEL4 SEQ 9608 GOTO SETTINGS9608
IF $MODEL4 SEQ 9611 GOTO SETTINGS9611
IF $MODEL4 SEQ 9621 GOTO SETTINGS9621
IF $MODEL4 SEQ 9641 GOTO SETTINGS9641
IF $MODEL4 SEQ J129 GOTO SETTINGSJ129
IF $MODEL4 SEQ J169 GOTO SETTINGSJ169
IF $MODEL4 SEQ J179 GOTO SETTINGSJ179
IF $MODEL4 SEQ J159 GOTO SETTINGSJ159
IF $MODEL4 SEQ J189 GOTO SETTINGSJ189
GOTO END
# SETTINGSEQNX
SET SETTINGS_CHECK_INTERVAL 1
SET ENABLE_BROWSER_EXTENSION 0
SET WINDOWS_IMPROVIDER 0
SET ENABLE_OUTLOOK_ADDON 1
SET OUTLOOK_CALL_CONTACT 1
SET IPO_CONFERENCE_CONTROLS_ENABLED 1
SET CALL_DECLINE_POLICY 2
SET IPO_ADHOC_CONFERENCE_NAME "Conf fa"
GOTO END
# SETTINGS1603
GOTO END
# SETTINGS1608
GOTO END
# SETTINGS1616
GOTO END
# SETTINGS9620
GOTO END
# SETTINGS9630
GOTO END
# SETTINGS9640
GOTO END
# SETTINGS9650
GOTO END
# SETTINGS9608
GOTO END
# SETTINGS9611
GOTO END
# SETTINGS9621
GOTO END
# SETTINGS9641
GOTO END
# SETTINGSJ129
SET CONFERENCE_TYPE 1
SET ENABLE_IPOFFICE 1
SET SUBSCRIBE_LIST_NON_AVAYA "reg,message-summary,avaya-ccs-profile"
SET MUTE_ON_REMOTE_OFF_HOOK 0
SET PSTN_VM_NUM "VM.user"
SET BLUETOOTHSTAT 1
SET INSTANT_MSG_ENABLED 0
SET SIPCONFERENCECONTINUE 0
SET ENABLE_CONTACTS 1
SET SUBSCRIBE_SECURITY 0
SET RTCPCONT 1
SET RTCP_XR 1
SET USE_QUAD_ZEROES_FOR_HOLD 0
SET ENABLE_EARLY_MEDIA 1
SET PHY1STAT 1
SET PHY2STAT 1
SET PHY2TAGS 0
SET DHCPSTD 0
SET ICMPDU 1
SET ICMPRED 0
SET AUDASYS 3
SET AUDIOENV 1
SET PHONE_LOCK_IDLETIME 0
SET LOCALLY_ENFORCE_PRIVACY_HEADER 0
SET PHNMUTEALERT_BLOCK 0
SET ENABLE_PHONE_LOCK 1
SET CONTROLLER_SEARCH_INTERVAL 4
SET FAST_RESPONSE_TIMEOUT 4
SET RINGTONES ""
SET RINGTONESTYLE 0
SET G726_PAYLOAD_TYPE 110
SET NO_DIGITS_TIMEOUT 50
SET INTER_DIGIT_TIMEOUT 5
SET SECURECALL 0
SET SSH_BANNER_FILE ""
SET SSH_IDLE_TIMEOUT 10
SET LLDP_ENABLED 1
SET PLUS_ONE 1
SET INSTANT_MSG_ENABLED 0
SET ENABLE_MODIFY_CONTACTS 1
SET ENABLE_MULTIPLE_CONTACT_WARNING 0
SET ENABLE_REDIAL 1
SET ENABLE_REDIAL_LIST 1
SET ENABLE_CALL_LOG 1
SET PROVIDE_LOGOUT 0
SET SOFTKEY_CONFIGURATION 0,1,3
SET POE_CONS_SUPPORT 1
SET SUBSCRIBE_SECURITY 0
SET PHNNUMOFSA 2
SET DATESEPARATOR /
SET DATETIMEFORMAT 0
SET DIALWAIT 5
SET RTCPMONPERIOD 5
SET APPSTAT 0
SET PROCSTAT 0
SET ENHDIALSTAT 0
SET PHNCC 1
SET PHNDPLENGTH 7
SET PHNIC 011
SET PHNLD 1
SET PHNLDLENGTH 10
SET PHNOL ""
SET QKLOGINSTAT 1
SET VLANTEST 60
GOTO END
# SETTINGSJ169
GOTO END
# SETTINGSJ179
GOTO END
# SETTINGSJ159
GOTO END
# SETTINGSJ189
GOTO END
# END
GET 46xxspecials.txt
09-29-2021 11:56 AM
Apologies for the ignorance, however what is "mscep"?
09-29-2021 01:30 PM
Hello,
it is the default tunnel group name Avaya phones use.
I am looking at the original debug output:
phase 2 failure mismatched attribute types for class encapsulation mode: rcv'd: udp tunnel (NAT-T) Cfg'd: Tunnel
There seems to be a mismatch. On the ASA, try and actually enable NAT-T:
no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
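The Phase 2 comparison worked through in this thread, as an added example that is not part of any post and is not Cisco or Avaya code: a Python check that reads the ASA's IKEv1 transform-set and dynamic-map lines and compares them with the phone's Phase 2 settings and the NAT-T proposal seen in the debug output. The names `parse_crypto`, `phase2_mismatches` and `PHONE` are hypothetical, and the parser assumes only the line formats that appear in the posted configuration.

```python
import re

# Constructed excerpt: crypto lines copied from the configuration posted in this thread.
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
"""

# Phone side, from the first post (AES-128, SHA-1, no PFS) in ASA keyword form,
# plus the "udp tunnel (NAT-T)" encapsulation reported in the debug output.
PHONE = {"encryption": "esp-aes", "hash": "esp-sha-hmac",
         "pfs": None, "proposes_nat_t": True}


def parse_crypto(config):
    """Return (transform_sets, dynamic_map_entries) parsed from ASA config text."""
    tsets, entries = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$", line)
        if m:
            tsets[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) set (.+)$", line)
        if not m:
            continue
        entry = entries.setdefault(
            (m.group(1), int(m.group(2))),
            {"tsets": [], "pfs": None, "nat_t": True})
        words = m.group(3).split()
        if words[:2] == ["ikev1", "transform-set"]:
            entry["tsets"] = words[2:]
        elif words[0] == "pfs":
            # A bare "set pfs" uses the platform default group.
            entry["pfs"] = words[1] if len(words) > 1 else "default"
        elif words[0] == "nat-t-disable":
            entry["nat_t"] = False
    return tsets, entries


def phase2_mismatches(config, peer):
    """List differences between each dynamic-map entry and the peer's proposal."""
    tsets, entries = parse_crypto(config)
    findings = []
    for (name, seq), entry in sorted(entries.items()):
        offered = [tsets[t] for t in entry["tsets"] if t in tsets]
        if (peer["encryption"], peer["hash"]) not in offered:
            findings.append(f"{name} {seq}: no transform set matches the peer proposal")
        if entry["pfs"] != peer["pfs"]:
            findings.append(
                f"{name} {seq}: PFS differs (ASA {entry['pfs']}, peer {peer['pfs']})")
        if peer["proposes_nat_t"] and not entry["nat_t"]:
            findings.append(
                f"{name} {seq}: nat-t-disable is set but the peer proposes NAT-T")
    return findings


if __name__ == "__main__":
    for finding in phase2_mismatches(ASA_CONFIG, PHONE):
        print(finding)
```
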