cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4300
Views
0
Helpful
15
Replies

UC560, SR520FE Site to Site VPN

graeme
Level 1
Level 1

I have a question that I need at first a simple yes no answer to

Can the attached diagram be setup and configured into a fully working system with only CCA3?

And if so, can anyone point me to a guide that would tell me how to do it, as I have tried everything, and contacted STAC and the answers are ambiuous to say the least.

I am now running out of time and need to set this up.

Any help appreciated.

2 Accepted Solutions

Accepted Solutions

mcasimirc63
Level 4
Level 4

Nice diagram,  very clear and to the point.  You have to nix the SR520 in front of the UC500 and it will work.

Follow this document to make it happen

SR520 Remote Teleworker lab

View solution in original post

Steven DiStefano
VIP Alumni
VIP Alumni

Take out the SR520FE at the UC560 site and it should work.   The document I wrote used the UC560 as the VPN Head end (Server) side directly connecte dto the internet with a routable IP address.  Not sure why you have the SR520 in the host office 9I am sure its a good reason), but that isnt a supported configuration.  Not with CCA anyway.

Steve

View solution in original post

15 Replies 15

mcasimirc63
Level 4
Level 4

Nice diagram,  very clear and to the point.  You have to nix the SR520 in front of the UC500 and it will work.

Follow this document to make it happen

SR520 Remote Teleworker lab

Hi,

I followed that Lab document and managed to get a site to site VPN up and running, and from the remote site I could succesfully ping

192.168.200.1

10.1.1.1

10.1.10.2

But could not ping beyond the UC560.

A phone connected to the remote site would get a 10.1.1.x IP address but would not load the phone load.

And from the UC560, I could not pint the laptop on the remote site that I used to ping the UC560.

I am stumped and struggling, I need this working soon.

Thanks

Graeme

Did you enable split tunneling and are you using the latest software image on the UC500 and SR520?

Did you connect all the phones to the UC500 first and then connect it remotely? If they have to pull down new firmware image it may take some time.

Hi

I have enabled split tunnelling, and as far as I am aware it's the latest software

Its s uc 560 not 520 I only have a visio shape for 520

I am setting it back to not having the sr at hq side and will try again,

I will send another diagram showing the configuration now once restored

Sent from my iPhone

Ok,

I have restored the system back according to attached diagram.

And as mentioned in an earlier post

From laptop I can

Ping

192.168.200.1

10.1.1.1

10.1.10.2

192.168.200.5

Any of the phones on the HQ side.

From UC560 on HQ site I cannot ping anything on remote site.

Phone on remote site is SPA 508G, and was setup on HQ site, is now marked as Teleworker,

It picks up 10.1.1.25 ip address but does not load phone software.

As this is UC560 as VPN server and SR520 as VPN remote

Now I may be being stupid here, but do I need to setup the remote SR520 as a VPN server and the UC560 as a vpn remote, to enable 2 way traffic?

Ta

Graeme

Steven DiStefano
VIP Alumni
VIP Alumni

Take out the SR520FE at the UC560 site and it should work.   The document I wrote used the UC560 as the VPN Head end (Server) side directly connecte dto the internet with a routable IP address.  Not sure why you have the SR520 in the host office 9I am sure its a good reason), but that isnt a supported configuration.  Not with CCA anyway.

Steve

HI Steve.,

As mentioned above I have taken out the SR520 at the UC560 site, and established the VPN from remote to HQ, and from remote I can ping anything on HQ side, but the phone software does not load, and I cant ping pack the way.

This is waht I dont understond remote office ip 192.168.75.103 ping 192.169.200.1 (UC560) on HQ side, works

Ping 10.1.1.1 works

Ping 10.1.10.2 works

Ping 10.1.1.13 works

from HQ side pinging 192.168.75.103 from 192.168.200.1 doesnt work, neither does from 10.1.1.1 or 10.1.10.2 as selected as outbound address on the UC560.

So its partly working but nothing is going from HQ to remote.

Thanks

GRaeme

Ok Thats it fixed and working.

STAC cam on and carried out the CLI changes at the end of the TEL document.

I missed those, it now works, it is the NAT on the SR520 causing the problems.

But once the changes were mad our SPA phones would not start up.

Under STAC advise, we have to reset them to facroty defaults, then set them to SPCP mode, which restarts the phone.

Then diasable CDP which restarts the phone,

Once done the phone will get a local data subnet IP address (192.168.75.104 for example) and boot up and work.

It didnt mention anythying about that in the TEL

But thanks for everyones help.

Regards

Graeme

Glad the TEL had the steps necessary for NAT to work, and sorry you missed them :-)  I was scratching my head knowing I git it working in my lab and documented hgow :-)

I never had a problem with SPA phones, so didnt know the additional restarts you had to do on them.  Feel free to add that as a comment to the TEL document.

HI Steven,

One further question, the equiment we are sing was recomended by our distributor, and for another site, which we are about to start their teleworker end requires 16 phones, in the TEL do it says only 5 are support through an SR520.

On this test lab we setup 8 on the remote site and the worked, is this something that may work but isnt supported or, shoudlnt work.

And if it shouldnt whats the best way to enable 16 phones on a remote site, from a UC560 at HQ.

Thanks.

Graeme

great question.  Me and the TEEs used to discuss this at least 1x/month.

Like you, I stretched the recommended limit beyond 5.  There is no restriction you will find blocking you.  I would monitor CPU and memory utilization on both the UC560 (more robust that UC540) and the SR520 as I placed more calls and also watched the bandwidth of the WAN for different call flows and codecs, and with just one teleworker, it wasnt too bad.

I think this is really an Engineering issue that would need to be performance tested by Cisco to find the real limit, but the operational profiles will vary from deployment to deployment, its probably hard for them to do.

I didnt to a whole heck of alot of 'negative' testing (like all phones pulling their phone load at the same time) or all phones using VVE or Webex Connect, etc.) so mine was pretty basic CPU/Memory/Bandwidth.

One more question re CCA3.1

I have just upgraded to CCA3.1, and on the SR520, it lets me into the firewall page, where as 3.0 didnt, and the VPN remote page reports that it is non standard config, and to delete the VPN vefore going further.

Now obviously I idnt do that

Can this be setup fully in CCA as I have to do another setup the same soon, and was wondering if 3.1 supported it fully in CCA?

Thanks

Graeme

CCA 3.1 shouldnt act too much differently than 3.0 or 3.0.1 in this regard, I dont think (but dont really know for sure since I havent built a teleworker with 3.1.  The TEL shows the 3.0.1 steps necessary to build the SR520 using CCA.  It SHOULD support you, yes.

BUT as soon as you add the Cisco IOS NAT SCCP Version 17 one way audio workaround in the SR520, CCA will never let you back in to the SR520 firewall again, since it doesnt recognize it.  Thats why you do it last :-) 

To fix that would be a justification case to convince CCA resources to spend time applying code to recognize a workaround.  The real fix there should be the SCCP or IOS side, IMHO.

Thanks Steven.

Your help has been appreciated.

Graeme

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: