cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6896
Views
0
Helpful
19
Replies

Jabber and Cisco AnyConnect VPN

jaydien1358
Level 3
Level 3

Hello,

I've gone through the setup instructions for configuring a jabber iOS client with my UC520. I've successfully configured 2 phones with the jabber client that work great when connected to the local WiFi.

I've also been able to get the 2 phones to register over 3G with the Cisco AnyConnect VPN app as well. However, when I go to place a call, I immediately get a busy signal.

How can I troubleshoot this?

Thanks.

-Brian

19 Replies 19

nalbert
Level 4
Level 4

Any Connect works only with an ASA. Did you terminate the VPN on an ASA or on the UC500?

I am not using an ASA. My endopint is the UC500.

My AnyConnect client establishes the VPN and I can ping CME and CUE no problem. The Jabber client even connects. But it just can't make any calls.

-BRian

Unfortunately, an ASA is required to terminate the VPN from any Connect Mobile Client.  This is a technical constraint.

Excited to see the release of Jabber if even in limited form - Thank you! 

Is it possible to expand on the technical constraints to ASA only?  Also wondering if anyone has any working concepts where to deploy the ASA (before UC, or parallel as VPN entry point only).   Thanks.

Ditto.

I got it working over Wifi and 3G without the ASA just webvpn - it works perfect. And I didn't have to buy the ASA.... Thanks..

jonathan.davis
Level 1
Level 1

I got the vpn working with the iPhone with the software from the cisco file exchange CCA 3.2.1 and the software pack 8.6.

I had to add a few things though... I fixed the fast busy with no outbound-proxy, on the voice register global and I also added dtmf-relay rtp-nte sip-kpml in the voice register pool (associated with the CiscoMobile-iOS).

Not sure if this is correct but after setting up the WEB VPN in CCA 3.2.1 (using an ip pool that is not VLAN 1 or Voice VLAN) i added under:

voice service voip

sip

  bind control source-interface Vlan100

  bind media source-interface Vlan100

And that fixed some voice issues i had dialing internal extensions.

Also i deleted the codec line that CCA 3.2.1 puts in to specify g711 so i could enable low-bandwidth CODECS in the iPhone.

It all works perfect i can connect the ANYCONNECT client on the iPhone over Wifi make calls. Goto settings on the iPhone shut off the Wifi completly the make calls over 3g.

Awesome post!

Just a quick question:

Also i deleted the codec line that CCA 3.2.1 puts in to specify g711 so i could enable low-bandwidth CODECS in the iPhone. 

Is this where you deleteced the codec entry?:

voice class codec 1

codec preference 1 g711ulaw

codec preference 2 g729r8

-Brian

I've been doing some testing on iPhone. It connects to the vpn and Jabber also connect, but when I try to make a call, the phone shows connecting and then just ends the call. No busy signal or any tones.

But from a desk phone, I can call the Jabber client and it connects and I hear 2 way audio... ???

What do you think is the casue for that?

-Brian

Thanks for the info.

I might try the reboot, but it kind of feels more like a firewall issue or access list issue, but reboots never hurt.

I see you are using a split tunnel in your SSL VPN. Are you using a different subnet for your WebVPN pool. something like 172.16.xxx.xxx or are you  using Vlan1?

-Brian

Brian,

the codec was in the : voice register pool (for the iPhone)

but in your example you have a voice class so in the; voice register pool ; line you might just have a voice class codec 1 where the device could use both. i haven't tried that but i like g729 better and without the codec line it defaults to g729 in the config assistant...

I dont know what to say about the second email - restart the UC5X0 maybe.

I screwed it up after i posted that today and deleted the firewall, deleted the SSLVPN and readded them first the firewall then the SSL VPN and it seems to work now.

Couple of things... when i dial from my 7971 phone the extension of the iphone when the app is not active but running in the background it fails the call, when the app is active it rings ( i havent tested throughly yet).

Also i use my vonage line for calls to the USA and world and i use local lines (i live in Honduras - long story) for local calls so i dont need the SIP trunk option although i found siptub to get my google voice to work with the uc520 so that is cool but i deleted the sip account to test this config...

this is my voice service voice:

voice service voip

ip address trusted list

allow-connections h323 to h323

allow-connections h323 to sip

allow-connections sip to h323

allow-connections sip to sip

supplementary-service h450.12

no fax-relay sg3-to-g3

sip

bind control source-interface Vlan100

bind media source-interface Vlan100

registrar server expires max 3600 min 3600

voice register global

mode cme

source-address 10.1.1.1 port 5060

no outbound-proxy

max-dn 56

max-pool 14

load 9971 sip9971.9-2-2

load 9951 sip9951.9-2-2

load 8961 sip8961.9-2-2

authenticate register

hold-alert

voicemail 289

tftp-path flash:

create profile sync xxxxxxxxxxxxxxxxxx

!

voice register dn 1

number 204

call-forward b2bua busy 289

call-forward b2bua noan 289 timeout 20

call-forward b2bua unregistered 289

name jonathan davis

no-reg

label iPhone Jonathan Davis

!

voice register pool 1

registration-timer max 720 min 660

id mac xxx.xxx.xxx

session-transport tcp

type CiscoMobile-iOS

number 1 dn 1

dtmf-relay rtp-nte sip-kpml

username iphone password 1234

Jonathan Davis

Operations Manager

Worldxchange Telecom, LLC

email: jonathan@jonathandavis.net

usa pbx: 1.786.879.7986

usa cell: 1.410.948.6480

honduras: +504.9982.2749

skype: catelco007

BRIAN,

THIS IS MY WEB VPN...

webvpn gateway SDM_WEBVPN_GATEWAY_1

ip address XXX.XXX.XXX.XXX port 443

ssl trustpoint TP-self-signed-

inservice

!

webvpn install svc flash:/webvpn/anyconnect-dart-win-2.4.1012-k9.pkg sequence 1

!

webvpn context SDM_WEBVPN_CONTEXT_1

secondary-color white

title-color #CCCC66

text-color black

ssl authenticate verify all

!

!

policy group SDM_WEBVPN_POLICY_1

functions svc-enabled

svc address-pool "SDM_WEBVPN_POOL_1" netmask 255.255.255.0

svc split include 192.168.10.0 255.255.255.0

svc split include 10.1.1.0 255.255.255.0

svc split include 10.1.10.0 255.255.255.252

svc dns-server primary 8.8.8.8

svc dns-server secondary 8.8.4.4

virtual-template 1

default-group-policy SDM_WEBVPN_POLICY_1

aaa authentication list sdm_vpn_xauth_ml_1

gateway SDM_WEBVPN_GATEWAY_1

max-users 10

Jonathan Davis

Operations Manager

Worldxchange Telecom, LLC

email: jonathan@jonathandavis.net

usa pbx: 1.786.879.7986

usa cell: 1.410.948.6480

honduras: +504.9982.2749

skype: catelco007

pennautomotive
Level 1
Level 1

Brian I have the same issue and I believe it is by design. I have a question for you though. What licenses do you currently have for your ASA to support mobile AnyConnect?

Sent from my iPhone

You can also use the native IPhone VPN client if you set-up IPSec VPN on the UC or SR-520 etc.  It appears to work fine from my testing, though I've had issues with it disconnecting after timeout.