SPA525G SSL VPN Stability Issues

mgallant
Level 1

I just upgraded our UC520/32U to 8.1.0 and bought a few SPA525G's to use as our teleworker phones.  I've got the SSL piece up and running and the phones come up just as they should in the remote locations.  Everything seems to be working just fine.  BUT, the remote phones seem to be acting "flakey" every so often.  Here are some issues I've run into this week:

  • Calls dropping....phone locks...phone does the equivalent of a "restart" and then the phone is back to normal
  • Sometimes, if a phone is power cycled, it will constantly reboot and will never connect to the UC520.  I've played with this a little and have found that if I have the user unplug the phone for 5 minutes...and during that time I clear all the SSL tunnels using that username...and have them power it back up, that it will often work.  Pretty flakey.
  • Call quality is often horrible.  I'm running G729 on all phones to conserve bandwidth.  Most of the time the calls are OK, but I get complaints on call quality.  We used to be running IPSEC tunnels to all the remote users and had 7965's as remote phones and they worked perfectly, so I'm inclined to believe that it's NOT a bandwidth issue.

Has anyone had a lot of experience with these phones using the SSL VPN client?  I can always fall back to doing IPSEC tunnels for most of the users, but that just doesn't seem smart.

Last piece of info...phones are running the load that came with 8.1.0 which is 7.4.6.

Any help will be greatly appreciated!

Thanks in advance!!

Matt


I've tried that. No help. When I was testing it at the office, I placed the phone behind a little Linksys router that was also connected to my Comcast cable that we use for our lab connectivity. Same issues. If it were a firewall issue, per se, it wouldn't work at all. My phones come up on the VPN and I can use them to make and receive calls. Only issue is that they fail more often than they work...and when they do work the call quality typically sucks.

What about the UC? Is that going straight out to the Internet?

The only thing I can think of now is do a factory reset and rebuild the entire system with the new CCA 3.0(1) and software pack 8.1.0.  I know, that sucks but it is quite possible that the remnants of the previous CME/CUE versions are still in there and might be causing some issues.  I wouldn't even backup anything, other than maybe voicemail greetings and autoattendant recordings (I don't even know if you can back those up individually).  I had to do that once and turns out everyone on the system had to re-record their greetings.  Good thing it was only about 20 users.

Hey Renato - This isn't my first rodeo!! This IS a new, fresh build. I blew the whole thing away and started from scratch with 8.1.0. There aren't any remnants of anything.

Damn dude, I dunno. It has to be something with your connection then...either on the UC side or the spa525 side.  Most likely on the UC side. How is your setup on the UC side? Are you using it as your network's gateway to the Internet?  Also, what kind of bandwidth do you have for your UC?

Nope...I have 22M/7M at all locations. AND, let's not forget that I am currently back up and running over the same infrastructure without ANY issues. The only difference is that I am letting the routers at the remote ends (871W) bring up IPSEC tunnels back to the UC520 rather than letting the phones bring up their own SSL tunnels. Everything works like a charm!

Lastly, my UC is directly connected to the internet, but only for the tunnels. All other internet traffic is routed out via a dedicated firewall.

I would have to say that the weak link in this puzzle is the spa525. I guess it could be something flakey with this IOS and the webvpn stuff. Here's my config for that:

webvpn gateway SDM_WEBVPN_GATEWAY_1
 ip address WAN_IP port 443
 ssl trustpoint TP-self-signed-2442057468
 inservice
!
webvpn context SDM_WEBVPN_CONTEXT_1
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group SDM_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SDM_WEBVPN_POOL_1"
 default-group-policy SDM_WEBVPN_POLICY_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway SDM_WEBVPN_GATEWAY_1
 max-users 10
 inservice

Nothing fancy...just as pure as it gets!! And, like I said, it's not that I can't get it working...the phones will come up. I've even pushed 7.4.7 out to all the phones to see if that helps since we've resolved the soft button issue, but it's still flakey. Could it be that the spa525 doesn't have enough resources to keep a tunnel up AND actually sustain a call? Hmmmm......

We're still seeing issues with the one customer using the 525's and vpn. I've pushed 7.4.8 out to the phones. But the phone will still drop its registration to the UC. What's interesting is that the VPN tunnel never goes down. Has anybody seen a fix for this?

Hey Todd,

I haven't pushed 7.4.8 out yet.  I was going to try XA3a on my UC520 first and see if that helped.  Other than that one phone, how has 7.4.8 been working?

mgallant
Level 1

What I think is more interesting is that this is a pretty major issue and we haven't heard boo from Cisco for nearly two months...clearly this product line is not very important to them.

Matt,

Do you have any news on your progress with the spa525 phones?

mgallant
Level 1

Hey Renato - I haven't been able to make any progress.  I have moved all the folks that have 871W's back to letting the router do the tunnel.  I have two users that are using the SSL solution.  They have to reboot their phones regularly throughout the day...when they don't reboot themselves.  Conferencing seems to be a big issue.  The SSL folks have horrible experiences.

When the latest release comes out, I'll blow it all away and start from scratch again and see what I get.

John Gawf
Level 1

Matt,

There is another thread I started on 525G's spontaneously rebooting where the problem has been resolved with a pre-release IOS labeled T3c. See: https://supportforums.cisco.com/message/3365948#3365948

I didn't have the connectivity problems you also initially reported, but have battled quality problems over the course of the last 8 months and found that doing a few things improved quality: 1) check the teleworker box via CCA for the phone extension; 2) in yet another thread I reported that I found the UC540 Ethernet link speed was mismatched with the Internet router/modem; 3) in one of my remote user phone sites I configured their Internet connection router to give priority to the phone's MAC address.

Hope some of this helps.

The restarts were fixed, but we're still having issues with call quality; in particular the upload or the user with the spa525g phone talking with intermittent choppy audio. Inbound audio is fine though.  I'm guessing it might be a codec thing, maybe we can change the codec to G729 manually for these phones. I'm getting with support now.

We've discovered there was an entry in our interface vlan100, mtu 1514.  We removed that and set it to its default mtu 1500 and the quality was a little better.
