02-24-2011 01:38 PM - edited 03-21-2019 03:43 AM
I just upgraded our UC520/32U to 8.1.0 and bought a few SPA525G's to use as our teleworker phones. I've got the SSL piece up and running and the phones come up just as they should in the remote locations. Everything seems to be working just fine. BUT, the remote phones seem to be acting "flakey" every so often. Here are some issues I've run into this week:
Has anyone had a lot of experience with these phones using the SSL VPN client? I can always fall back to doing IPSEC tunnels for most of the users, but that just doesn't seem smart.
Last piece of info...phones are running the load that came with 8.1.0 which is 7.4.6.
Any help will be greatly appreciated!
Thanks in advance!!
Matt
02-25-2011 02:25 AM
Dear Matt;
Thanks for the feedback. I have to say that I personally use a SPA525G2 permanently connected via VPN to a UC500 (SPA525G2 from Madrid, Spain to UC500 in San Jose, USA) and have not experienced the issues you mention, with one exception: issues when bandwidth is not sufficient. When bandwidth is not good, voice quality is definitely affected, but also the VPN connectivity itself.
Do you have the autoconnect feature enabled? I assume yes. If you think bandwidth is not an issue, I suggest you open a case with the Support Center in order to troubleshoot it live.
Regards
Alberto
02-25-2011 06:14 AM
Hey Alberto,
I don't have the G2 version, but rather the G version. I find it hard to believe that this isn't a widespread issue...unless the number of people using these phones aren't using the SSL VPN feature.
I do have the autoconnect feature turned on.
As far as bandwidth, we are all on the same cable provider (Comcast) and, like I said, when I was letting the 871's do IPSEC tunnels back to the UC500, everything was just fine...which leads me to believe that it's not a connectivity or bandwidth issue.
02-25-2011 06:02 AM
You're not alone. I've been working with Cisco support techs for a long time about this issue. I don't know if it's because our phones are the spa525g and not spa525g2, but it's definitely flakey in terms of maintaining its connectivity. We were able to fix most issues with call quality but definitely it's still giving us call drop issues. Make sure you have the latest firmware 7.4.7 and also the latest CCA. Another thing we did was enable "dtls". I don't have time to go into it but supposedly it allows the phone to work better by using UDP packets (I think). If you don't have a Cisco support contract, I can paste up some configuration steps for you to try out.
Good Luck
-Renato
02-25-2011 06:20 AM
Hey Renato,
Thanks for the reply! It's reassuring to know that I'm not the only one having this issue. I'm running 7.4.6 rather than 7.4.7. Did you actually see any significant improvements from 7.4.6 to 7.4.7? I did configure everything with CCA 3.
I do have a support contract, but I'd almost rather gargle broken glass than use it for support. I spent three hours one night letting a guy remote in and muck with a VPN that was up and down. The tunnel was flakey unless I turned off cef on the remote end. I wanted someone to tell me why I had three other remotes configured the same as this one and they worked fine...so what was wrong with this ONE?! After three hours, I ended the call and disconnected him from my laptop. I haven't called back since. I've also had two customers try to call TAC for issues and say they refuse to call them again. :-)
I've not seen anything on the dtls that you're talking about. If you could post a little config, that would be great!!
Thanks,
Matt
02-25-2011 07:10 AM
See below on the changes we made. As of today, I'm still having issues with the spa525g phone booting up and connecting right away. It takes a few minutes and sometimes it requires me to do a "reload" in CME for it to work. This is very frustrating, especially if one of these phones is supposed to go to the owner of the company and he expects it to work.
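!
! Apply ACL 104 inbound on the interface
interface GigabitEthernet0/0
 ip access-group 104 in
!
! The lines below sit inside the webvpn context (the context line is not shown in this post)
 policy group SDM_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SDM_WEBVPN_POOL_1"
   svc keep-client-installed
   ! Enable DTLS for the SSL VPN client
   svc dtls
 virtual-template 100
 default-group-policy SDM_WEBVPN_POLICY_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway SDM_WEBVPN_GATEWAY_1
 max-users 20
 inservice
!
! Permit UDP port 443 to the WAN address
access-list 104 permit udp any host (your_WAN_IP_address_here) eq 443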
02-25-2011 08:08 AM
Thanks, Renato! I enabled dtls and can see the matches in my access list.
I'll see if that AND the upgrade to 7.4.7 helps out any!!
Oh yeah...when I rebooted my remote phone...twice...the soft buttons don't show up. I've got to go into CME and restart the phone to get the buttons to appear. Must be a new "feature"...like Microsoft!! :^)
02-25-2011 08:46 AM
I have seen the button missing issue as well. On my lab system, sometimes I cannot see the softkeys, but if I press it, it works, just the name is not displayed. So you have to remember what the button is. Seems to have happened when I was testing the 7.4.6 Mute Beep issue and upgraded to 7.4.7.
02-25-2011 09:57 AM
Right! The buttons are functional, they are just blank...
02-28-2011 04:46 PM
FYI, dtls isn't supported on the phone.
02-25-2011 08:23 AM
I've upgraded to 7.4.7 on the phones...enabled dtls....just had my first call drop...it was my first call!! :-(
02-25-2011 08:25 AM
Do you know of a way to clear out the SSL VPN connections? The phone I'm testing on is connected to the VPN but it's not registering. I did get it to work at one point but now it seems that a "reload" in the CME is the only thing I can think of doing.
02-25-2011 09:05 AM
I typically do a "clear webvpn sess user USERNAME con all"
02-25-2011 08:41 AM
I have had lots of problems with this with multiple versions on a few customers. The BU is looking into it still. If you are having problems, I would open a TAC case and escalate to the BU, and they might want to test with your system for a while. Cisco has been working with one of my customers for a month now with trying different versions and settings.
02-25-2011 08:57 AM
Yeah I've been escalated before and got a group of people working on it. Turns out that "dtls" thing is supposed to help with it but now it seems there is a new problem with the phone registering after connecting to the VPN.