03-03-2009 07:49 PM - edited 03-11-2019 08:00 AM
Hello all,
I'm trying to test the new phone-proxy feature and I can't make it work.
Phone shows registering and nothing happens.
I've attached the config; it's a copy from the Cisco website.
Here is the debug from debug phone-proxy:
PP: 192.168.1.5/49162 requesting CTLSEP001A6DE7CB1C.tlv
PP: opened 0x4213e156
PP: Data Block 1 forwarded from 192.168.1.10/15995 to 192.168.1.5/49162 ingress ifc Outside
PP: Received ACK Block 1 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 2 forwarded to 192.168.1.5/49162
PP: Received ACK Block 2 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 3 forwarded to 192.168.1.5/49162
PP: Received ACK Block 3 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 4 forwarded to 192.168.1.5/49162
PP: Received ACK Block 4 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 5 forwarded to 192.168.1.5/49162
PP: Received ACK Block 5 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 6 forwarded to 192.168.1.5/49162
PP: Received ACK Block 6 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 7 forwarded to 192.168.1.5/49162
PP: Received ACK Block 7 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: TFTP session complete, all data sent
PP: 192.168.1.5/49163 requesting SEP001A6DE7CB1C.cnf.xml.sgn
PP: opened 0x42195542
PP: Received Data Block 1 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 1
PP: Acked Block #1 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 2 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 2
PP: Acked Block #2 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 3 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 3
PP: Acked Block #3 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 4 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 4
PP: Acked Block #4 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 5 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 5
PP: Acked Block #5 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 6 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 6
PP: Acked Block #6 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 7 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 7
PP: Acked Block #7 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 8 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 8
PP: Acked Block #8 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 9 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 9
PP: Acked Block #9 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 10 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 10
PP: Acked Block #10 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Unable to get dns response for id 7
PP: Callback, error modifying config file
PP: Unable to CM name addr
PP: Callback required for parsing config file
PP: 192.168.1.5/49163 requesting SEP001A6DE7CB1C.cnf.xml.sgn
PP: Client Outside:192.168.1.5/49163 retransmitting request for Config file SEP001A6DE7CB1C.cnf.xml.sgn
PP: opened 0x421fc98e
PP: Received Data Block 1 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
PP: Received Data Block 1 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
03-05-2009 11:30 PM
Config:
interface Vlan1
nameif inside
security-level 100
ip address 172.22.161.15 255.255.255.0
!
interface Vlan2
nameif Outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 2
access-list pp extended permit udp any host 192.168.1.10 eq tftp
access-list pp extended permit tcp any any eq 2000 log
access-list pp extended permit tcp any any eq 2443 log
pager lines 24
logging console debugging
logging buffered debugging
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
static (inside,Outside) 192.168.1.10 172.18.224.37 netmask 255.255.255.255
static (Outside,inside) 172.22.161.21 192.168.1.5 netmask 255.255.255.255
static (inside,Outside) 172.18.224.37 192.168.1.10 netmask 255.255.255.255
static (inside,Outside) 172.22.161.21 192.168.1.5 netmask 255.255.255.255
access-group pp in interface Outside
route inside 0.0.0.0 0.0.0.0 172.22.161.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint cucm_tftp_server
enrollment self
serial-number
keypair cucmtftp_kp
crl configure
crypto ca trustpoint _internal_myctl_SAST_0
enrollment self
fqdn none
subject-name cn="_internal_myctl_SAST_0";ou="STG";o="Cisco Inc"
keypair _internal_myctl_SAST_0
crl configure
crypto ca trustpoint _internal_myctl_SAST_1
enrollment self
fqdn none
subject-name cn="_internal_myctl_SAST_1";ou="STG";o="Cisco Inc"
keypair _internal_myctl_SAST_1
crl configure
crypto ca trustpoint _internal_PP_myctl
enrollment self
fqdn none
subject-name cn="_internal_PP_myctl";ou="STG";o="Cisco Inc"
keypair _internal_PP_myctl
crl configure
crypto ca certificate chain cucm_tftp_server
certificate crypto ca certificate chain _internal_myctl_SAST_0
certificate _internal_myctl_SAST_1
certificate quit
crypto ca certificate chain _internal_PP_myctl
certificate
quit
telnet timeout 5
ssh timeout 5
console timeout 0
!
tls-proxy mytls
server trust-point _internal_PP_myctl
ctl-file myctl
record-entry cucm-tftp trustpoint cucm_tftp_server address 172.18.224.37
no shutdown
!
phone-proxy mypp
media-termination address 172.16.161.20
tftp-server address 192.168.1.10 interface Outside
tls-proxy mytls
cipc security-mode authenticated
ctl-file myctl
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map sec_sip
match port tcp eq 5061
class-map sec_sccp
match port tcp eq 2443
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map pp_policy
class sec_sccp
inspect skinny phone-proxy mypp
class sec_sip
inspect sip phone-proxy mypp
!
service-policy global_policy global
service-policy pp_policy interface Outside
03-06-2009 02:58 PM
There is a portion of your debug that suggests that the CM is unable to be resolved:
PP: Unable to get dns response for id 7
PP: Callback, error modifying config file
PP: Unable to CM name addr
Do you publish your CCM/CUCM by hostname or by IP?
03-08-2009 05:36 PM
Thanks for the pointer. I've changed the hostname to an IP address, but the issue is still the same.
Phone still shows "Registering".
ASA debug (debug inspect tls-proxy)
Setting SERVER_CLEAR flag in conn
TLSP d4f9bb10: Set up proxy for Client Outside:192.168.1.5/43381 <-> Server inside:192.168.1.10/2443
TLSP d4f9bb10: Using trust point '_internal_PP_myctl' with the Client, RT proxy d4f58f38
TLSP d4f9bb10: Waiting for SSL handshake from Client Outside:192.168.1.5/43381.
TLSP d4f9bb10: --> Proxy Rx 52 bytes
TLSP d4f9bb10: <== Proxy Tx 7 bytes
TLSP d4f9bb10: new event: KILL_FLOW
TLSP d4f9bb10: new event: KILL_FLOW
TLSP d4f9bb10: Tear down proxy for Client Outside:192.168.1.5/43381.
TLSP d4f9bb10: Tear down proxy for Server inside:172.18.224.37/2000.
Any ideas?
03-08-2009 06:18 PM
Try to debug the TFTP (debug phone-proxy tftp).
This link may be helpful...
03-08-2009 08:58 PM
After the deepest troubleshooting, I've found that the ASA didn't have a 3DES license. After 3DES activation and updating the parameters for ssl, it started to work.
Many thanks to all !!!!
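A small triage script for the two failure signatures this thread turned up, added here as an example (it is not code from any poster or from Cisco). The sample lines are copied from the debugs above; reading a lone 7-byte proxy reply as a plaintext TLS alert and `Tx` as proxy-to-client are assumptions, as are the function and finding names.

```python
import re

# Constructed sample: debug lines copied from the two posts above.
SAMPLE = """\
PP: Acked Block #10 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Unable to get dns response for id 7
PP: Callback, error modifying config file
PP: Unable to CM name addr
TLSP d4f9bb10: Waiting for SSL handshake from Client Outside:192.168.1.5/43381.
TLSP d4f9bb10: --> Proxy Rx 52 bytes
TLSP d4f9bb10: <== Proxy Tx 7 bytes
TLSP d4f9bb10: new event: KILL_FLOW
TLSP d4f9bb10: new event: KILL_FLOW
"""

ALERT_LEN = 7  # assumption: 5-byte TLS record header + 2-byte plaintext alert
HINTS = {  # follow-ups taken from the replies in this thread
    "CM_NAME_UNRESOLVED": "ASA could not resolve the CM hostname; publish CUCM by IP or fix DNS",
    "TLS_HANDSHAKE_REJECTED": "proxy answered the handshake with an alert-sized record; "
                              "check the 3DES license and ssl settings",
}

def triage(text):
    """Return sorted (finding, detail) pairs for known failure signatures."""
    findings, sessions = set(), {}
    for line in map(str.strip, text.splitlines()):
        dns = re.match(r"PP: Unable to get dns response for id (\d+)", line)
        if dns:
            findings.add(("CM_NAME_UNRESOLVED", "dns id " + dns.group(1)))
            continue
        tlsp = re.match(r"TLSP (\w+): (.*)", line)
        if not tlsp:
            continue
        sid, msg = tlsp.groups()
        state = sessions.setdefault(sid, {"client": None, "tx": []})
        wait = re.match(r"Waiting for SSL handshake from Client (\S+?)\.?$", msg)
        sent = re.match(r"<== Proxy Tx (\d+) bytes", msg)
        if wait:
            state["client"] = wait.group(1)
        elif sent:
            state["tx"].append(int(sent.group(1)))
        elif msg == "new event: KILL_FLOW" and state["client"] and state["tx"] == [ALERT_LEN]:
            # Flow killed after the proxy's only transmission was alert-sized.
            findings.add(("TLS_HANDSHAKE_REJECTED", state["client"]))
    return sorted(findings)

if __name__ == "__main__":
    for code, detail in triage(SAMPLE):
        print(f"{code} ({detail}): {HINTS[code]}")
```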