cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

UC540 AND SR520 Teleworker Bug

ciscopmay
Beginner
Beginner

After several hours trouble shooting, Brandon with Cisco TAC was able to fix this problem.

I just want to post to save someone else time. It is an EZVPN setup from UC540 to SR520 with one 7962 phone behind SR520.

SCCP version 17 was negotiated when phone registered. However, this version of SCCP does not work with NAT.

Brandon had to configure with network extension mode and disable NAT between phone and UC540.

Before fix, phone would resgister; but there would be no audio. I am not sure if this bug has been documented, but I just wanted to let everyone know.

Also, I want to thank Brandon T. again for his dedication and time.

If anyone needs more info, please let me know.

Thanks

10 REPLIES 10

Would love to know the IOS/CME version, the phone load on that teleworker phone, and if you started configuring with CCA and it didn't work?

I can also get this from Brandon. Actually had dinner with him 2 nights ago in S.C. He is very sharp indeed and is now at the SBSC as an escalation Engineer.

SR520 is running 12.4(20)T5. UC540 is running 15.0(1)XA2.

I initially configured with CCA 2.2(5) and it worked. However, I was using a 7911 phone to test which we think may have negotiated a lower version of SCCP.

Thanks

Steven Holl
Cisco Employee
Cisco Employee

Glad to hear you resolved your issue.  I was the voice engineer helping Brandon out for a little while with this yesterday.  For anyone else that has issues with this, the culprit was the output of 'debug ip udp' which showed the RTP stream being built for CME:2000---->0.0.0.0:0.  With that, we knew CME wasn't getting the right destination address via SCCP, and then we discovered the phones were in SCCP v17.

IOS NAT will support it with 15.1(3)T as per CSCte70727.  ASA supports it as per CSCsy93500.  Not sure about ZBF's inspection for SCCP v17 support.

tuandatnv
Beginner
Beginner

I have the same problem with UC520 and Cisco 877 Remote EZVPN.

Before with UC520 firmware 7.1.1, this problem happened with cisco7960, but Cisco7906 phone was working OK, but with firmware 8.0.4, both Cisco 7906 and 7960 lost audio stream, althrough Cisco Communicator softphone is still working OK

The post related with my problem is bellow

https://supportforums.cisco.com/thread/2044917

Please advise if there is a fix for this bug

Thank you

Tuan Nguyen

This looks like same bug. Softphone works because it negotiated a lower version of SCCP than 17.

Version 17 will not work with NAT and EZVPN.

You will have to disable NAT on 877 for traffic destined for UC520.

You will also have to configure VPN on 877 for network extension mode. This will have to be done through CLI.

I can send you config changes we made to get it to work.

Hi ciscopmay,

If you can please send me your configuration for no NAT VPN

Now I am trying config to downgrade the firmware 7906 to previous version.

I will inform the result soon

(Because EZPVN Server is used for Remote Branch and for Mobile users  also, which connect to center office via VPN software, so I think remove  NAT and create static routing is only possible for 1 remote VPN branch ?!)

Thank you

Tuan Nguyen

These are the following configuration changes that Brandon made to get it to work.

**************************
Steps to get working:

****************************

crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1

connect auto

group EZVPN_GROUP_1 key XXXXX

mode network-extension   - only change in VPN config on SR520
peer X.X.X.X
virtual-interface 4
username teleworker password XXXXXXXXX
xauth userid mode local

***********************************

Modified ACL to disable NAT from SR520 LAN to Voice VLAN 10.1.1.x and 10.1.10.x

ip nat inside source list 110 interface FastEthernet4 overload

***********************************
192.168.76.0/24 is LAN of SR520.


90.0.0.0/24 is LAN of UC540

TELEWORKER2#sh access-list 110
Extended IP access list 110
    10 deny ip 192.168.76.0 0.0.0.255 10.1.1.0 0.0.0.255
    20 deny ip 192.168.76.0 0.0.0.255 10.1.10.0 0.0.0.255
    30 deny ip 192.168.76.0 0.0.0.255 90.0.0.0 0.0.0.255
    40 permit ip 192.168.76.0 0.0.0.255 any

*************************************

no ip cef  ** Note: helped with packet loss

Hi ciscopmay,

How does UC540 recognise and add your SR520 LAN subnet 192.168.76.0/2, can it recognise and add automatically when VPN connection was established ?

Or you have to add an static routing in UC540, but my question is how to add, because the your SR520 VPN address is not static, it would be one of VPN pool address?

If possible could you please send me the detail of command "show ip route" in both UC540 and SR520

Thank you

Tuan Nguyen

I have tried to downgrade the firmware of Cisco7906, by do the follow step, the phone reset and get the old firmware, but the problem still the same

uploaded the old 7906 phone files (from 7.1.1 firmware) to the root directory of flash of UC520, 08 files.


Then in config mode, add the follow command


no tftp-server flash:/phones/7906_7911/term06.default.loads alias term06.default.loads
no tftp-server flash:/phones/7906_7911/term11.default.loads alias term11.default.loads


tftp-server flash: SCCP11.8-4-2S.loads
tftp-server flash:cnu11.8-4-1-23.sbn
tftp-server flash:apps11.8-4-1-23.sbn
tftp-server flash:dsp11.8-4-1-23.sbn
tftp-server flash:jar11sccp.8-4-1-23.sbn
tftp-server flash:cvm11sccp.8-4-1-23.sbn
tftp-server flash:term11.default.loads
tftp-server flash:term06.default.loads


telephony-service
load 7906 SCCP11.8-4-2S


Then reset the remote phone
#ephone 22
#reset

UC540 will learn route. Static routes do not have to be configured on UC.

I tried to changed the VPN mode to network-extension

But after changing, the VPN connection can't extablish.Change back to VPN client mode, the VPN connection work again.

Here is detail of my 877 configuration, please advise if you find an incorrect setup:

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone AEST 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
crypto pki trustpoint TP-self-signed-2024902666
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2024902666
revocation-check none
rsakeypair TP-self-signed-2024902666
!
!
crypto pki certificate chain TP-self-signed-2024902666
certificate self-signed 01
  xxxx
        quit
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool sdm-pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 208.67.222.222 208.67.220.220
   option 150 ip 10.1.1.1
   lease 0 2
!
!
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
!
password encryption aes
!
!
username XXXX privilege 15 secret 5 XXXXX
!
!
ip tcp synwait-time 10
!
!
crypto isakmp key XXXX hostname XXXXX
!
!
!
!
!
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
connect auto
group EZVPN_GROUP_1 key XXXXX
mode network-extension
peer XXXXX
username XXXX password XXXXX
xauth userid mode local
!
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode itu-dmt
dsl bitswap both
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1 inside
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXX
ppp chap password 7 XXXXX
ppp pap sent-username XXXXX password 7 XXXXX
ppp ipcp dns request
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 110 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.1.10.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
ntp server 63.240.161.99

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: