Phone Proxy on ASA .. CUCM cluster setup query

I am currently experimenting with getting the phone proxy feature to work on our ASA firewalls using these documents..

These all deal with a single server/tftp setup…

I have been trying to apply this to our cluster, consisting of 4 Call Managers:

… Publisher, and also the TFTP server ( our current homeworkers, using a VPN tunnel setup, point back to this address )
… Sub ( TFTP disabled )
… Sub ( TFTP disabled )
… Sub ( TFTP disabled )

Upon registration, our phones eventually register against one of the Subs based on the CM group configured in CUCM.

ASA 8.2(1)

ASDM 6.4

Our ASA has the default 2x Phone Proxy Sessions licenses installed.. ( We know that we will have to purchase more licenses once we have proved that this works how we want it to! )

Can anyone with a similar Call Manager cluster setup please clarify the following for me..

1/ As we only have the one TFTP server in our cluster, do we still only require 2x public-facing addresses? .. One for the TFTP address ( which gets translated to ) and one for the MTA.

2/ I've currently only got the one phoneproxy_trustpoint configured, which is associated against the Publisher in the CTL file section of ASDM ( of type… tftp-cucm ).

Do I need to create further phoneproxy_trustpoints for the other Call Managers and associate each of them against a new CTL file ( type .. cucm )?

3/ For the moment, I am only testing with a 7965 phone which has a MIC installed.. I have downloaded the following certificates off the PUBLISHER, installed them on the ASA and created trustpoints.




Will I need to download the equivalent certificates off the Subs and install them on the ASA also?

At present, I am seeing the TFTP requests from a remote phone hitting our firewall on the external TFTP address… It is getting translated to the internal address, but nothing else is happening after..

The phone display is showing as trying to register, but looking in Status Messages it says..

No Trust List Installed

TFTP Time out SEPxxxxxxxx.cnf.xml

As the CTL is not installing onto the remote phone, do I need to revisit my CTL file and the trustpoints created on the ASA?

Any advice would be much appreciated.



Julio Carvajal


I am not an expert ( yet ) on the phone proxy side but I do have some experience on this:

So hope this helps:


Media Termination Address

The Media Termination Address is an address that the firewall uses to perform the phone proxy function. It is a special address that is used to terminate secure media streams to and from remote phones. This address needs to be a unique, publicly routeable address on the outside of the firewall, and must adhere to the following guidelines:

  • It must not be the same as any global address for any translation on the firewall
  • It must be a different address than the outside interface address of the firewall (or any other firewall interface)
  • It must reside in the same ip subnet as the outside interface of the firewall
  • No other device on the outside subnet can also be assigned this IP address

So your answer is YES, it has got to be a different one.

2- I would say yes; if not, the communication between them will not be valid, as the authentication will not be valid.

3- Now, regarding the registration issues, the following will help you:

Please read that and if you have any question just let us know


Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
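The multi-node CTL file that the answer above says yes to (one trustpoint per Call Manager, a cucm-tftp record for the Publisher/TFTP node and a cucm record for each Sub), written out as an added configuration example. This is not configuration from any post in this thread or from Cisco; it assumes ASA 8.2-style syntax and uses hypothetical names and addresses (trustpoints cucm_pub, cucm_sub1..3, capf_pub; inside 10.1.1.10-13; outside 203.0.113.0/24; ctl-file asa_ctl; the generated trustpoint name _internal_PP_asa_ctl). Verify each keyword against the ASA 8.2 command reference before applying it.

```cisco
! Added example, not from the thread. Hypothetical names and addresses.
! Inside (real) addresses:   Publisher/TFTP 10.1.1.10, Subs 10.1.1.11-13
! Outside (global) addresses: 203.0.113.10-13 for the CUCM nodes, 203.0.113.20 for the MTA
!
! Static translations: one public address per CUCM node the remote phones must reach
! (assumption: the Subs are reached through the ASA too, so each gets its own translation)
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 10.1.1.12 netmask 255.255.255.255
static (inside,outside) 203.0.113.13 10.1.1.13 netmask 255.255.255.255
!
! One trustpoint per certificate exported from the cluster:
! callmanager.pem from each node, capf.pem from the node running CAPF
crypto ca trustpoint cucm_pub
 enrollment terminal
crypto ca authenticate cucm_pub
! (paste the Publisher's callmanager.pem at the prompt)
crypto ca trustpoint cucm_sub1
 enrollment terminal
crypto ca authenticate cucm_sub1
! (paste Sub1's callmanager.pem)
crypto ca trustpoint cucm_sub2
 enrollment terminal
crypto ca authenticate cucm_sub2
! (paste Sub2's callmanager.pem)
crypto ca trustpoint cucm_sub3
 enrollment terminal
crypto ca authenticate cucm_sub3
! (paste Sub3's callmanager.pem)
crypto ca trustpoint capf_pub
 enrollment terminal
crypto ca authenticate capf_pub
! (paste capf.pem)
!
! CTL file: the TFTP/Publisher entry plus a cucm entry for every Sub the phones register to.
! Addresses are the global (outside) addresses the remote phone can actually reach.
ctl-file asa_ctl
 record-entry cucm-tftp trustpoint cucm_pub address 203.0.113.10
 record-entry cucm trustpoint cucm_sub1 address 203.0.113.11
 record-entry cucm trustpoint cucm_sub2 address 203.0.113.12
 record-entry cucm trustpoint cucm_sub3 address 203.0.113.13
 record-entry capf trustpoint capf_pub address 203.0.113.10
 no shutdown
!
! Media termination address: unique, in the outside subnet, and not a NAT global
! address or any interface address (the four rules listed in the answer above)
media-termination asa_mta
 address 203.0.113.20 interface outside
!
! TLS proxy presenting the ASA-generated certificate for the CTL file (assumed name)
tls-proxy asa_tlsp
 server trust-point _internal_PP_asa_ctl
!
phone-proxy asa_phone_proxy
 media-termination asa_mta
 tftp-server address 10.1.1.10 interface inside
 tls-proxy asa_tlsp
 ctl-file asa_ctl
!
! Secure SCCP (2443) and SIP (5061) are sent through the phone proxy
class-map sec_sccp
 match port tcp eq 2443
class-map sec_sip
 match port tcp eq 5061
policy-map global_policy
 class sec_sccp
  inspect skinny phone-proxy asa_phone_proxy
 class sec_sip
  inspect sip phone-proxy asa_phone_proxy
service-policy global_policy global
```

Two things to check against a phone that still reports "No Trust List Installed": that every node in the phone's CM group has a record-entry whose trustpoint actually holds that node's callmanager.pem (a CTL signed against the wrong certificate is rejected silently), and that the CTL addresses are the ones the remote phone can route to, not the inside addresses. Question 1 of the original post (whether the Subs need their own public addresses) is not settled anywhere in this thread; the example gives each Sub one on the stated assumption.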

Hi Julio..

Thank you for your reply.. I had already read through the sample documents you have provided prior to posting and although they mention other CMs in a cluster briefly, I felt they did not clear up my first two queries..

In regards to your answers to my questions..

1/ Sorry, I probably wasn't being very clear.. I am aware that I require 2 different public-facing IPs for the TFTP and MTA.. My query was whether I required further public IPs for the other CMs in the cluster, even though they do not have the TFTP service enabled.

Upon successful TFTP download of its config file from the PUB, our phones will primarily register against one of the SUBs. So will the phone know how to reach the other SUBs even though they are not defined on the ASA, or is that where the trustpoints to the other CMs in the cluster come into play?..

I would be interested to know how this has been set up in your CUCM cluster environment?




In your post, I can see you are very close to your solution. Your version is OK:

ASA 8.2(1)

ASDM 6.4

Now, you will need to download the equivalent certificates off the Subs and install them on the ASA also:

callmanager.pem and capf.pem, in your ASA.

No Trust List Installed

TFTP Time out SEPxxxxxxxx.cnf.xml

The reason may be these certificates.

Do the same, and send your configuration details, and I will reply to you with better output.

I have implemented the same ( ASA UC proxy setup ) over the internet.

Thanks & regards


