07-18-2011 04:23 AM - edited 03-21-2019 04:21 AM
Hi,
We are setting up a UC560 for a client. It's a greyfield site; they currently have a working Windows SBS 2008 network, and the SBS server is providing all the DHCP, DNS etc.
They are running on 192.168.200.x
They have a satellite office which we are planning on using 2 x SR520FE to provide the VPN tunnel between sites, and an 8 port switch at the satellite, for the 2 iPhones to be used there.
I have the SR520 set up at the main site and the main site can access the internet through the SR520, with the internal LAN VLAN on the SR520 being VLAN75, and the address range 192.168.75.x, and the remote site seems to want to set itself up the same. I am having difficulty getting the 2 devices to talk and route traffic, and am unsure if the internal LAN on the remote site should still be left on the 192.168.75.x default VLAN, and if it is, how does it route?
I have had to use CLI to modify the ACL on the SR520 in the main office to allow traffic destined for 192.168.200.x onto VLAN75 so it can get passed back to the UC560 and then onto the rest of the network, to get the internet access working. Is this something I should have had to do, or is it something that has to be done on all the SR520s if the data VLAN is changed?
I have looked at the Smart designs and the only difference is we have the data VLAN on 192.168.200, though the setup guides are for CCA 2, and some of the windows don't translate the same.
I know these questions are answered somewhere but I can't for the life of me find them.
Second question: in this setup, is it better to leave the Windows SBS server dealing with DHCP on the Data VLAN, as we set up our own system by disabling DHCP on the Data VLAN on the UC560, or is it better to let the UC560 deal with it, or what problems can we expect either way?
I would be eternally grateful if someone could point me to a guide on how to set up SR520-SR520 Site to Site VPN, in a UC560 system, in the situation we have.
thanks
Graeme
Message was edited by: Graeme Carstairs
07-18-2011 07:32 AM
Update.
I have UC560 Data VLAN 192.168.200.1
Internal SR520 VLAN75 192.168.75.1
UC560 WAN on 192.168.75.2
SR520 on static public IP
This is head office, and working fine, can communicate with internet etc.
Satellite Office
Internal Data LAN (VLAN75 on SR520) 192.168.199.1
Public Static IP.
Site has access to the internet from internal LAN without VPN enabled.
Using either full or split tunnel, when I set up remote VPN it connects and establishes a VPN, but no traffic goes between the sites.
Please help as I am not sure what to check.
Do I need to start using CLI to look at ACLs?
Thanks
Graeme
07-18-2011 08:38 AM
Hello Graeme,
I would stay away from non CLI TAC workarounds for this situation. I would also take a look at this document for the SR520/UC500 configuration
https://supportforums.cisco.com/docs/DOC-15031
I would leave the Microsoft server as the DHCP server but you could set the UC500 to be the DHCP server also. Just make sure the DNS entry is set as the Microsoft server. I would make a quick call to STAC to disable DHCP Server on the UC500. This feature should be available on the latest release 3.1.
07-19-2011 02:28 AM
Excellent,
thanks for that,
I have followed the instructions and set this up.
From the remote site with a laptop connected to ESW520 switch on the LAN side of the SR520, I can ping the HQ site UC560 on 192.168.200.1, I can ping 10.1.1.1 and ping 10.1.10.2
But when I connect a phone to the ESW520 it gets an IP of 10.1.1.25 but won't download the software, it just cycles through all the downloading screens.
Any suggestions on what I have missed?
Thanks
Graeme
07-19-2011 06:19 AM
Graeme,
You said that you can ping 10.1.10.2, but can you ping 10.1.10.1? The reason I ask, is that the UC560 uses 10.1.10.1 as the TFTP source address. If you can not access that, TFTP downloads would fail.
Thank you,
Darren
07-19-2011 07:11 AM
Hi there,
Yes, from the remote site I can ping 10.1.10.1
But from the main site I cannot ping any address on the remote site even from within the UC50 diagnostics, selecting the 10.1.1.1 port as the source.
Including the 10.1.1.25 address the phone picks up
and the 192.168.75.102 address the PC is on.
Though I can ping 192.168.200.1 from the PC
It's a routing table thing somewhere,
I have sent my show techs in to STAC and am awaiting a response, how long does that normally take?
Thanks
07-20-2011 07:44 AM
This is my reply from STAC.
Not overly impressed.
It seems the SR520 is blocking some access there,
But to establish a SSL VPN from a phone you don’t need to establish a VPN tunnel between the UC and the SR,
as long as the phone is supporting SSL VPN (like the SPA525G), and you can use the VPN Setup Wizard to configure this.
What kind of tunnel did you configure on the SR520? It doesn’t seem to be a Site to Site Tunnel?
You configured the SR520 as client of the UC560?
By the way, the SR520-FE is not supported by us.
All the kit was bought through advice from our distributor, and we have purchased SBS Pro warranties on all the SR520s. This is the first phase of a client's setup; the second phase is a 2 site with UC540 and UC560 on each and 1 remote site working off the UC560, and again we were told to get SR520FE for setting up the VPNs there.
I have used CCA only setting these up, and followed the TEL documents mentioned up the post.
This does not work and I do not know who I can go to for support, and to add to that we have got over £1,000 of routers and warranties that STAC say they don't support.
thanks
07-20-2011 08:17 AM
Graeme,
I am sorry that you were not able to get this working yet. Just to clear things up a little: the combination of the UC560 and SR520-FE is a supported configuration. The individual devices are just supported by different groups. The UC560 is supported by STAC, and the SR520-FE is supported by TAC. If you contacted STAC, they should assist you with this configuration, unless they get to a point where it appears to be an issue with the configuration of the SR520-FE. In that instance, they may transfer the case to TAC to assist with configuration of the SR520-FE.
So, you should be contacting STAC for support with this setup. (Do you have, or were you given a case number?)
Thank you,
Darren
07-20-2011 08:26 AM
Hi Darren,
Yes, I contacted STAC and was not given a case number. I was asked to send through my show techs, and network diagram, screen shots of pings etc.
The reply was use SPA 525G phones without the router, and you have set up the SR520 as a vpn client of the UC560, and oh by the way we do not support the SR520.
In a nutshell.
I have since called STAC again and was informed that the engineer was writing me another e-mail but got interrupted by another client, and will be getting back to me tomorrow perhaps with a fix/workaround.
Not overly impressed at the moment.
I have followed all Cisco setup guides given, and nothing is working. My colleague, who is a classic Cisco wizard, is gagging to get at the CLI and fix it, and I know he will in about 5 minutes, but I need this to be a fully CCA, fully supported setup.
Hopefully I may get more out of STAC soon; our Cisco account manager is seeing what he can do from his end.
Thanks for your support
Graeme