remote phone SP525G2 ssl-vpn on dhcp wan port

Robin Lamarre
Level 1

Hi all,

I have been provisioning a SPA525G2 as a remote phone using SSL-VPN with CCA 3.2 on 8.2 UC540 package and everything works perfectly fine as long as I have a static IP address setup on the WAN port of the UC towards my ISP.

In the release notes of CCA 3.2, it clearly says that we can now set up an SSL-VPN full tunnel when the WAN port is DHCP. It even includes nice dynamic DNS options. Obviously, since I am posting, you guessed that as soon as I try to reconfigure my SPA525G2 as a remote phone with a DHCP configuration on the internet port of the UC with a Dynamic DNS setup (or without), it fails to connect to the UC from the remote site.

Before I open a STAC and gather more debugs, I figured I could ask the community to see if anybody succeeded in this.

Is the new CCA feature only for webvpn and not for remote phone configuration?

thanks

SPA525G2 is latest 7.4.9c.

anyconnect ssl package is latest.

IOS is latest of UC540.

 

notes from CCA 3.2

SSL VPN Configuration

Provide an option to enter SSL VPN Port             

Provides the option to configure SSL VPN port during SSL creation on UC500.

Ability to accept the DHCP assigned IP address on the WAN for SSL VPN              

Allows creation of SSL VPN using DHCP Wan IP and also warns the user of any changes to the WAN IP that will cause SSL VPN to not work.


Robin Lamarre
Level 1

Long story short, the new CCA feature does let you set up the SSL-VPN even when you don't have a static IP address on the WAN, but when your lease expires and your IP changes the SSL-VPN config will not "self-update" and the service will be dead.

But in nicer words from the nice TAC people:

It appears that CCA 3.2 can only support the initial configuration of an SSL VPN with a DHCP-leased WAN IP, even using DynDNS. Even after the lease has expired, the record in the webvpn configuration does not update. That is not a feature of IOS. The webvpn configuration would need to manually be updated to reflect each new DHCP lease on your WAN.

The reason why our setup was not even working was dead simple: the ADSL (with DHCP public IP) provider was blocking port 443...

cheers,
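
A drift check for the situation described in the reply above, as an added example that is not part of the original post or of any Cisco tooling: it compares the address pinned in an IOS `webvpn gateway` stanza with the current DHCP lease reported by `show ip interface brief`. The gateway name, interface name and addresses are constructed sample input, and the script assumes both outputs have already been collected from the router as text.

```python
import re

# Constructed sample input (documentation-range addresses), not from the thread.
RUNNING_CONFIG = """\
interface FastEthernet0/0
 ip address dhcp
!
webvpn gateway GW_EXAMPLE
 ip address 203.0.113.10 port 443
 inservice
!
"""

SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            198.51.100.77   YES DHCP   up                    up
Vlan1                      192.168.10.1    YES NVRAM  up                    up
"""

def webvpn_gateways(config):
    """Return {gateway_name: (ip, port)} from 'webvpn gateway' stanzas."""
    gateways, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level line starts a new stanza
            m = re.match(r"webvpn gateway (\S+)", line)
            current = m.group(1) if m else None
        elif current:
            m = re.match(r"\s+ip address (\S+)(?: port (\d+))?", line)
            if m:  # port defaults to 443 when the stanza does not set one
                gateways[current] = (m.group(1), int(m.group(2) or 443))
    return gateways

def interface_ip(brief, interface):
    """Return the address shown for one interface, or None if unassigned."""
    for line in brief.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if fields and fields[0] == interface:
            return None if fields[1] == "unassigned" else fields[1]
    return None

def stale_gateways(config, brief, wan_interface):
    """List gateways whose pinned IP no longer matches the WAN lease."""
    wan_ip = interface_ip(brief, wan_interface)
    return [(name, ip, port, wan_ip)
            for name, (ip, port) in webvpn_gateways(config).items()
            if ip != wan_ip]

if __name__ == "__main__":
    for name, ip, port, wan in stale_gateways(RUNNING_CONFIG, SHOW_IP_INT_BRIEF, "FastEthernet0/0"):
        print(f"{name}: gateway pinned to {ip}:{port}, WAN lease is now {wan}")
```

A non-empty result means the gateway stanza still carries the old lease and needs the manual update TAC describes.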
