Remote Phones with UC500

telecastle · ‎02-06-2012

I am trying to come up with the best way to connect remote (teleworker) phones to my client's UC560. I was under the impression that any IP phones supported by UC500 could be used as remote phones. When I was trying to configure a remote phone using the SSL VPN (remote phone) feature, I realized that currently only SPA525G and SPA525G2 phones are supported as remote teleworker phones using SSL VPN.

The IP phones that my client has deployed in the office are Cisco 7965 phones. So, I'd like to make sure that I understand the options that my client and I have for bringing teleworkers into his voice system. In my opinion, the options are:

1. Purchase SPA525G2 phones and use the UC560 Remote Phone Wizard to configure the UC500 and the SPA525G2 phones for the remote phone feature.

2. Purchase routers to terminate the EZVPN tunnels between each teleworker router and the UC560. Then plug existing Cisco 7965 phones behind the teleworker routers.

3. Try to configure the UC560 from CLI for SSL VPN and load the firmware on 7965 phones that supports SSL VPN. This is the most laborious option of the three with questionable success chances.

I will be recommending the first two options to my client. Does anyone know what routers are supported for Option 2 of the options listed above?

I know that Cisco recommends SR520, which are supported by CCA. Are Cisco 800 series routers supported? Can CCA configure Cisco 800 series routers? Are there any routers that use GUI configuration that support EZVPN tunnel termination? My client has an IT person on staff without much knowledge of CLI, and I would rather him use a GUI driven router so that he can provision new teleworkers without having to resort to my help in the future.

Does anyone know when the next release of UC500 series software pack is coming out, and if it contains support for SSL VPN in Cisco 7900 series IP phones?

Final question, if one teleworker uses the SPA525G2 phone as a remote phone (using the SSL VPN tunnel terminated by UC500) and the VPN Client software (used for data and also terminated by UC560), will these count as two VPN tunnels for each teleworker against the maximum of 20 VPN tunnels total allowed by CCA with UC560? Or are only SSL VPN tunnels counted against this maximum (due to licensing restrictions)?

Thanks!

telecastle · ‎02-07-2012

I have just found out that SR520 routers have been announced EOS in January, 2012, with the End-Of-Sale date of July 2, 2012. So, the only routers supported by CCA for the Site-to-Site EZVPN tunnels to UC500 are about to go End Of Sale.

Is it too much to ask for some guidence here as to what equipment is recommended for the teleworker sites to register teleworker phones with UC500 located centrally? If SR520 routers are the only ones supported by CCA, what is the direction that Small Business division is going to take this a few months from now?

My client needs intelligent advice, which I cannot provide due to the lack of any guidence from Cisco Small Business. Calling support is completely useless - most people there don't know what they are talking about. Last Saturday, when I called Cisco Small Business support for UC500, I was told that CCA supports SA540 for VPN termination to UC560. They guy who picked up my call didn't even know that SA540 is a Security Appliance - not a router - and that SA540 does not support EZVPN client solution. Strangely enough, SA540 being a Small Business Pro series product does not support the type of site-to-site VPN (EZVPN) that is the only option in UC500, which is also a Small Busines Pro series product.

If someone wants to laugh, a month ago when I called Cisco Small Busines Support on a Saturday, the guy who answered the phone was completely stoned - he could not even put once sentence together. After speaking with him for 20 minutes, I realized he was completely useless and hung up. When I redialed 10 minutes later, he answered the phone again! I ended up speaking with a manager, and it appears some measures were taken to take that genius off the phone support. Coming from the Cisco enterprise side of business, I am literally shocked at all of this!

I need help here, please.

David Trad · ‎02-07-2012

Hi Telecastle,

Not sure but have a look at what CCA 3.2 supports, If I am not mistaken CCA was going to support standard IPSEC as well as EZ-VPN, I could be wrong but I am sure I heard/read it somewhere.

I understand what you are saying, but to be honest 90% of the SBSC crew are wonderful and would go out of their way to help you and remove some of the stress on us, one thing I was never afraid of was asking for another engineer if I had an issue with the one assigned to my case, and if asked for feedback why I gave it (In a constructive manner to ensure that engineer could improve).

And I would point out that it may not be entirely fair to blame them for some of the decisions that Cisco corporate make, for some reason Cisco has a bad habit of not pushing through the internal channels the information that is important and relevant, their internal communications has been shotty for some time now, almost like the left hand not speaking to the right hand, so don't always blame the front line guys, sadly they are sometimes the last to hear about any news from upstream

FYI: When EZ_VPN is not an option, seek permission to do normal IPSEC on the UC and have it talk to an 800 series router, this is the best methodology, also check and see if the 867/887 routers do actually support EZ_VPN as they might if the SR's have been made EOL/EOS.

Cheers,

David.

Cheers, David Trad. **When you rate a persons post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you wont be looked down upon :) *

telecastle · ‎02-08-2012

David Trad wrote:

Hi Telecastle,

Not sure but have a look at what CCA 3.2 supports, If I am not mistaken CCA was going to support standard IPSEC as well as EZ-VPN, I could be wrong but I am sure I heard/read it somewhere.

....

This is exactly what the Cisco Small Business support guy told me. However, when I read the Release Notes for CCA 3.2, I did not see anything about the site-to-site VPN capability. I am apprehensive about using CCA 3.2 with the current UC560 software due to the problems that CCA 3.2 is reportedly causing with the UC560 configuration running the current software release.

David Trad wrote:

...

FYI: When EZ_VPN is not an option, seek permission to do normal IPSEC on the UC and have it talk to an 800 series router, this is the best methodology, also check and see if the 867/887 routers do actually support EZ_VPN as they might if the SR's have been made EOL/EOS.

Cheers,

David.

EZ-VPN is an option on any IOS CLI driven Cisco router, but the problem is that CCA 3.1 (and probably CCA 3.2) does not support any router except SR520, and the IT guy working for my client does not know Cisco CLI.

How do I "seek permission to do normal IPSEC on the UC"?

Thanks!

David Trad · ‎02-08-2012

Hi Telecastle,

I am apprehensive about using CCA 3.2 with the current UC560 software due to the problems that CCA 3.2 is reportedly causing with the UC560 configuration running the current software release.

Sadly I have not had the ability to play with 3.2, I suspect like other releases that it will be riddled with bugs once it is out in the wild, and it actually might be good to wait till 3.2.1 (I tend to live on the edge and always go for the early release, but that is just me).

EZ-VPN is an option on any IOS CLI driven Cisco router, but the problem  is that CCA 3.1 (and probably CCA 3.2) does not support any router  except SR520, and the IT guy working for my client does not know Cisco  CLI.

Correcto-modo

If Cisco does not replace the unit with a CCA manageable one then I suspect they will be read the riot act by the community as has been done in the past, however keep in mind that most of their edge appliances that are coming out now have "On-Appliance" configuration systems (GUI) which might be the direction they are going, although in the past CCA was allowed to configure it when its base code was upgraded to support the appliance, my guess is CCA 3.2 might have support for other devices (Maybe the RV series???).

I don't know of any other way to get your EZ_VPN running other than an 800 series router, to go pure IPSEC you would need to bring support in the picture and see if they would be willing to do the IPSEC tunnel and have it as an approved CLI code (Not sure if that is even possible to be honest).

Options are limited it would seem at this stage, unless someone else chimes in and offers up advice

Cheers,

David.

Cheers, David Trad. **When you rate a persons post, you are indicating a thank you or that it helped, but at the same time you are also helping to maintain the community spirit - You don't have to rate posts and you wont be looked down upon :) *

hallate512 · ‎02-11-2012

I got a remote SPA525G2 phone working with the UC560. All in all, it took 11 hours with about 2 hours on the support call with Cisco. The phone would not establish an SSL VPN tunnel no matter what we did. The solution ended up being to follow this document:

https://supportforums.cisco.com/docs/DOC-18980

and then undo the SSL server configuation and configure it from scratch again. After that was done, the phone finally connected. I am using its Wi-Fi capability, not the wired connection.

There are some interesting points with the SPA525G2 phone connected as a remote phone:

1. Even if G.729 codec is selected in CCA, the G.729 codec is not enforced. This is a known CME issue. The command that CCA puts in the ephone configuration mode is:

ephone 10

codec g729r8

This command (codec g729r8) does not enforce G.729a - to enforce the G.729a codec, the following command must be configured:

ephone 1

codec g729r8 dspfarm-assist

2. So far so good, except that when I configured the "codec g729r8 dspfarm-assist" command and placed a test call, the codec displayed on the SPA525G2 web page was still G.711. Here's the problem - CCA does not configure transcoders in UC500. That's just wrong! UC560 comes with two PVDM2-64 modules. That's 8 DSPs. CCA allows a maximum of 4 hardware conferences - that's 4 DSPs. UC560 comes with 8 POTS ports (4 FXS and 4 FXO) - that's another DSP (provided that some phones are G.729). So, even when all media resources are applied, we still have 3 DSPs left. Granted, if the T1 card is installed, we would consume another DSP, but we would have 2 more DSPs left. Even if we installed two T1 cards, we would still have one DSP left. Why is it not used? To make the long story short, I had to manually congure a dspfarm profile for transcoding and register it with CME.

I only created a maximum of 8 transcoding sessions so that even if my client were to install two T1 ports (not sure if this is even possible) and used all 8 POTS lines, he would not be short on DSPs.

Frankly, it blows my mind that CCA does not provision any transoding resources. I guess the thinking behind this is that if you want to have remote phones, you would be using G.711. The problem is that a G.711 call inside a VPN tunnel consumes about 100 kbps, which is pretty high. In times of Internet congestion, certain residential connections may drop below 100 Kbps upstream, and the voice packets flowing upstream will start dropping. It's a must to run a remote phone utilizing either G.729 or iLBC. By the way, iLBC is also an option, but CCA does not configure it.

So, I ended up having to resort to CLI after all even though I really tried to avoid it in order to continue to enjoy Cisco Small Business Pro support. However, running remote phones on G.711 is not an option. When I was making test calls to my client, he complained that a few minutes into the phone conversation, my speech started dropping packets. This is not usable for a business teleworker.

I am approaching the completion of the project - the last obstilcle is T.38, which also has to be done from the CLI.

P.S. Even though the CCA Administration Guide says that you must have the SPA525G or SPA525G2 phone and have to connect it to the UC560 in the office and run the Remote Phone Configuration Wizard, the Cisco support said you don't really have to do it. You can configure the SSL VPN server on the UC500, and then configure the SPA525G phone at a remote location. Therefore, no certificate exchange has to happen between the UC500 and the SPA525G or SPA525G2 phone prior to the establishment of the SSL VPN connection. This brings me to anothe point - if this is truly the case, nothing prevents one from configuring a Cisco 79XX phone as a SSL VPN client to connect to UC500. All you will need to do is to load the appropriate 79XX phone load on the UC500 (the one that support SSL VPN) and use the "load type " command to upgrade the phone's firmware to that load. Then, use the "no load " command to prevent the office phones of the same type from being upgraded to this load upon the next restart and prevent the downgrade of the remote phone to the same version that the office phones are running. At this point, you should be able to take the phone to a remote site and manually configure it as an SSL VPN client with the username and password assigned in the UC500 SSL VPN server configuation. The phone should register and work similar to the SPA525G or SPA525G2 does, except that you would have to connect it to the home router with a cable instead of wirelessly.