07-26-2011 03:47 AM - edited 03-21-2019 04:23 AM
I have a question that I need, at first, a simple yes/no answer to.
Can the attached diagram be set up and configured into a fully working system with only CCA3?
And if so, can anyone point me to a guide that would tell me how to do it, as I have tried everything, and contacted STAC and the answers are ambiguous to say the least.
I am now running out of time and need to set this up.
Any help appreciated.
07-26-2011 03:52 AM
Nice diagram, very clear and to the point. You have to nix the SR520 in front of the UC500 and it will work.
Follow this document to make it happen
SR520 Remote Teleworker lab
07-26-2011 03:55 AM
Hi,
I followed that Lab document and managed to get a site to site VPN up and running, and from the remote site I could successfully ping
192.168.200.1
10.1.1.1
10.1.10.2
But could not ping beyond the UC560.
A phone connected to the remote site would get a 10.1.1.x IP address but would not load the phone load.
And from the UC560, I could not ping the laptop on the remote site that I used to ping the UC560.
I am stumped and struggling, I need this working soon.
Thanks
Graeme
07-26-2011 04:20 AM
Did you enable split tunneling and are you using the latest software image on the UC500 and SR520?
Did you connect all the phones to the UC500 first and then connect it remotely? If they have to pull down new firmware image it may take some time.
07-26-2011 04:24 AM
Hi
I have enabled split tunnelling, and as far as I am aware it's the latest software.
It's a UC560, not 520; I only have a Visio shape for 520.
I am setting it back to not having the SR at HQ side and will try again.
I will send another diagram showing the configuration now once restored
Sent from my iPhone
07-26-2011 04:47 AM
Ok,
I have restored the system back according to attached diagram.
And as mentioned in an earlier post
From laptop I can
Ping
192.168.200.1
10.1.1.1
10.1.10.2
192.168.200.5
Any of the phones on the HQ side.
From UC560 on HQ site I cannot ping anything on remote site.
Phone on remote site is SPA 508G, and was set up on HQ site, is now marked as Teleworker.
It picks up 10.1.1.25 IP address but does not load phone software.
As this is UC560 as VPN server and SR520 as VPN remote.
Now I may be being stupid here, but do I need to set up the remote SR520 as a VPN server and the UC560 as a VPN remote, to enable 2 way traffic?
Ta
Graeme
07-26-2011 06:05 AM
Take out the SR520FE at the UC560 site and it should work. The document I wrote used the UC560 as the VPN Head end (Server) side directly connected to the internet with a routable IP address. Not sure why you have the SR520 in the host office (I am sure it's a good reason), but that isn't a supported configuration. Not with CCA anyway.
Steve
07-27-2011 06:01 AM
Hi Steve,
As mentioned above I have taken out the SR520 at the UC560 site, and established the VPN from remote to HQ, and from remote I can ping anything on HQ side, but the phone software does not load, and I can't ping back the way.
This is what I don't understand: remote office IP 192.168.75.103 ping 192.169.200.1 (UC560) on HQ side, works
Ping 10.1.1.1 works
Ping 10.1.10.2 works
Ping 10.1.1.13 works
From HQ side, pinging 192.168.75.103 from 192.168.200.1 doesn't work, neither does from 10.1.1.1 or 10.1.10.2 as selected as outbound address on the UC560.
So it's partly working but nothing is going from HQ to remote.
Thanks
Graeme
07-28-2011 07:03 AM
OK, that's it fixed and working.
STAC came on and carried out the CLI changes at the end of the TEL document.
I missed those; it now works. It is the NAT on the SR520 causing the problems.
But once the changes were made, our SPA phones would not start up.
Under STAC advice, we have to reset them to factory defaults, then set them to SPCP mode, which restarts the phone.
Then disable CDP, which restarts the phone.
Once done the phone will get a local data subnet IP address (192.168.75.104 for example) and boot up and work.
It didn't mention anything about that in the TEL.
But thanks for everyone's help.
Regards
Graeme
07-28-2011 07:09 AM
Glad the TEL had the steps necessary for NAT to work, and sorry you missed them :-) I was scratching my head knowing I got it working in my lab and documented how :-)
I never had a problem with SPA phones, so didn't know the additional restarts you had to do on them. Feel free to add that as a comment to the TEL document.
07-28-2011 07:17 AM
Hi Steven,
One further question: the equipment we are using was recommended by our distributor, and another site, which we are about to start, requires 16 phones at their teleworker end; in the TEL doc it says only 5 are supported through an SR520.
On this test lab we set up 8 on the remote site and they worked. Is this something that may work but isn't supported, or shouldn't work?
And if it shouldn't, what's the best way to enable 16 phones on a remote site, from a UC560 at HQ?
Thanks.
Graeme
07-28-2011 07:48 AM
Great question. Me and the TEEs used to discuss this at least 1x/month.
Like you, I stretched the recommended limit beyond 5. There is no restriction you will find blocking you. I would monitor CPU and memory utilization on both the UC560 (more robust than UC540) and the SR520 as I placed more calls and also watched the bandwidth of the WAN for different call flows and codecs, and with just one teleworker, it wasn't too bad.
I think this is really an Engineering issue that would need to be performance tested by Cisco to find the real limit, but the operational profiles will vary from deployment to deployment, so it's probably hard for them to do.
I didn't do a whole heck of a lot of 'negative' testing (like all phones pulling their phone load at the same time, or all phones using VVE or Webex Connect, etc.) so mine was pretty basic CPU/Memory/Bandwidth.
08-01-2011 01:20 AM
One more question re CCA3.1
I have just upgraded to CCA3.1, and on the SR520, it lets me into the firewall page, whereas 3.0 didn't, and the VPN remote page reports that it is a non-standard config, and to delete the VPN before going further.
Now obviously I didn't do that.
Can this be set up fully in CCA? I have to do another setup the same soon, and was wondering if 3.1 supported it fully in CCA.
Thanks
Graeme
08-01-2011 03:49 AM
CCA 3.1 shouldn't act too much differently than 3.0 or 3.0.1 in this regard, I don't think (but don't really know for sure since I haven't built a teleworker with 3.1). The TEL shows the 3.0.1 steps necessary to build the SR520 using CCA. It SHOULD support you, yes.
BUT as soon as you add the Cisco IOS NAT SCCP Version 17 one way audio workaround in the SR520, CCA will never let you back in to the SR520 firewall again, since it doesn't recognize it. That's why you do it last :-)
To fix that would be a justification case to convince CCA resources to spend time applying code to recognize a workaround. The real fix there should be the SCCP or IOS side, IMHO.
08-01-2011 04:30 AM
Thanks Steven.
Your help has been appreciated.
Graeme