02-24-2011 01:38 PM - edited 03-21-2019 03:43 AM
I just upgraded our UC520/32U to 8.1.0 and bought a few SPA525G's to use as our teleworker phones. I've got the SSL piece up and running and the phones come up just as they should in the remote locations. Everything seems to be working just fine. BUT, the remote phones seem to be acting "flakey" every so often. Here are some issues I've run into this week:
Has only had a lot of experience with these phones using the SSL VPN client? I can alway fall back to doing IPSEC tunnels for most of the users, but that just doesn't seem smart.
Last piece of info...phones are running the load that came with 8.1.0 which is 7.4.6.
Any help will be greatly appreciated!
Thanks in advance!!
Matt
03-04-2011 05:46 AM
I've tried that. No help. When I was testing it at the office, I placed the phone behind a little Linksys router that was also connected to my Comcast cable that we use for our lab connectivity. Same issues. If it were a firewall issue, per se, it wouldn't work at all. My phones come up on the VPN and I can use them to make and receive calls. Only issue is that they fail more often than they work...and when they do work the call quality typically sucks.
03-04-2011 06:38 AM
What about the UC? Is that going straight out to the Internet?
The only thing I can think of now is do a factory reset and rebuild the entire system with the new CCA 3.0(1) and software pack 8.1.0. I know, that sucks but it is quite possible that the remnants of the previous CME/CUE versions are still in there and might be causing some issues. I wouldn't even backup anything, other than maybe voicemail greetings and autoattendant recordings (I don't even know if you can back those up individually). I had to do that once and turns out everyone on the system had to re-record their greetings. Good thing it was only about 20 users.
03-04-2011 06:44 AM
Hey Renato - This isn't my first rodeo!! This IS a new, fresh build. I blew the whole thing away and started from scratch with 8.1.0. There aren't any remnants of anything.
03-04-2011 06:48 AM
Damn dude, I dunno. It has to be something with your connection then...either on the UC side or the spa525 side. Most likely on the UC side. How is your setup on the UC side? Are you using it as your network's gateway to the Internet? Also, what kind of bandwidth do you have for your UC?
03-04-2011 07:10 AM
Nope...I have 22M/7M at all locations. AND, let's not forget that I am currently back up and running over the same infrastructure without ANY issues. The only difference is that I am letting the routers at the remote ends (871W) bring up IPSEC tunnels back to the UC520 rather than letting the phones bring up their own SSL tunnels. Everything works like a charm!
Lastly, my UC is directly connected to the internet, but only for the tunnels. All other internet traffic is routed out via a dedicated firewall.
I would have to say that the weak link in this puzzle is the spa525. I guess it could be something flakey with this IOS and the webvpn stuff. Here's my config for that:
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address WAN_IP port 443
ssl trustpoint TP-self-signed-2442057468
inservice
!
webvpn context SDM_WEBVPN_CONTEXT_1
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group SDM_WEBVPN_POLICY_1
functions svc-enabled
svc address-pool "SDM_WEBVPN_POOL_1"
default-group-policy SDM_WEBVPN_POLICY_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway SDM_WEBVPN_GATEWAY_1
max-users 10
inservice
Nothing fancy...just as pure as it gets!! And, like I said, it's not that I can't get it working...the phones will come up. I've even pushed 7.4.7 out to all the phones to see if that helps since we've resolved the soft button issue, but it's still flakey. Could it be that the spa525 doesn't have enough resources to keep a tunnel up AND actually sustain a call? Hmmmm......
04-20-2011 10:25 PM
We're still seeing issues with the one customer using the 525's and vpn. I've pushed 7.4.8 out to the phones. But the phone will still drop it's registration to the UC. What's interesting is that the VPN tunnel never goes down. Has anybody seen a fix for this?
04-21-2011 05:55 AM
Hey Todd,
I haven't pushed 7.4.8 out yet. I was going to try XA3a on my UC520 first and see if that helped. Other than that one phone, how has 7.4.8 been working?
04-21-2011 06:03 AM
What I think is more interesting is that this is a pretty major issue and we haven't heard boo from Cisco for nearly two months...clearly this product line is not very important to them.
06-14-2011 11:57 AM
Matt,
Do you have any news on your progress with the spa525 phones?
06-15-2011 08:08 AM
Hey Renato - I haven't been able to make any progress. I have moved all the folks that have 871W's back to letting the router do the tunnel. I have two users that are using the SSL solution. They have to reboot their phones regularly throughout the day...when they don't reboot themselves. Conferencing seems to be a big issue. The SSL folks have horrible experiences.
When the latest release comes out, I'll blow it all away and start from scratch again and see what I get.
06-17-2011 06:48 AM
Matt,
There is another thread I started on 525G's spontaneously rebooting where the problem has been resolved with a pre-release IOS labeled T3c. See: https://supportforums.cisco.com/message/3365948#3365948
I didn't have the connectivity problems you also initially reported, but have battled quality problems over the course of the last 8 months and found for improving quality doing a few things: 1) check the teleworker box via CCA for the phone extension; 2) in yet another thread I reported that I found the UC540 Ethernet link speed was mis-matched with the Internet router/modem; 3) In one of my remote user phone sites I configured their Internet connection router to give priority to the phone's MAC address.
Hope some of this helps.
07-14-2011 06:40 AM
The restarts were fixed, but we're still having issues with call quality; in particular the upload or the user with the spa525g phone talking with intermittent choppy audio. Inbound audio is fine though. I'm guessing it might be a codec thing, maybe we can change the codec to G729 manually for these phones. I'm getting with support now.
07-14-2011 11:39 AM
We've discovered there was an entry in our interface vlan100, mtu 1514. We removed that and set it to its default mtu 1500 and the quality was a little better.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: