AnyConnect IP Phone VPN - SSL connection denied

stevenholzem · ‎03-07-2014

Hello all,

I am trying to configure an AnyConnect VPN for an IP Phone, however when the Phone tries to connect to the ASA the Syslog shows the SSL connection is denied. On the Phone it says the wrong Certificate is being used. The ASA sits behind another FIrewall, a Checkpoint, where all traffic to a certain IP is NATed to the ASA. The ASA Certificates are loaded on the CUCM and assigned to VPN Profile like another discussion had suggested. (

https://supportforums.cisco.com/docs/DOC-21469 ) Any suggestions?

Thank you

Steven

ASA Version 8.4(4)3

Phone 9951

Parts of the Configuration:

interface Ethernet0/0

nameif Voice

security-level 100

ip address 172.16.14.15 255.255.254.0

!

ip local pool TEST 172.16.15.20-172.16.15.29 mask 255.255.254.0

!

crypto ca trustpoint ASDM_TrustPoint_CASA_1

keypair ASDM_TrustPoint_CASA

crl configure

crypto ca trustpoint CAP-RTP-001_trustpoint

enrollment terminal

crl configure

crypto ca trustpoint CAP-RTP-002_trustpoint

enrollment terminal

crl configure

crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint

enrollment terminal

crl configure

!

crypto ca trustpoint CallManager.pem

enrollment terminal

crl configure

crypto ca trustpoint CAPF.pem

enrollment terminal

crl configure

crypto ca trustpoint Cisco_Manufacturing_CA.pem

enrollment terminal

no client-types

crl configure

crypto ca trustpoint CAP-RTP-002.pem

enrollment terminal

no client-types

crl configure

crypto ca trustpoint CAP-RTP-001.pem

enrollment terminal

no client-types

crl configure

!

group-policy GroupPhoneWebvpn internal

group-policy GroupPhoneWebvpn attributes

banner none

vpn-simultaneous-logins 10

vpn-idle-timeout none

vpn-tunnel-protocol ssl-clientless

default-domain value ********.local

address-pools value TEST

webvpn

anyconnect ssl dtls enable

anyconnect keep-installer installed

anyconnect ssl keepalive 120

anyconnect ssl rekey time 4

anyconnect ssl rekey method new-tunnel

anyconnect dpd-interval client none

anyconnect dpd-interval gateway 300

anyconnect ssl compression deflate

anyconnect ask none default webvpn

!

username casa password S2HJZC6AF95kdYh6 encrypted

username casa attributes

vpn-group-policy GroupPhoneWebvpn

service-type remote-access

username CP-9951-SEPD0C28242EB95 password E4dPR6NyFHyvpT34 encrypted

username CP-9951-SEPD0C28242EB95 attributes

vpn-group-policy GroupPhoneWebvpn

service-type remote-access

webvpn

filter value webvpn

username CUCM1 password CEFLXB5e2sUl7nlS encrypted

username CUCM1 attributes

vpn-group-policy GroupPhoneWebvpn

service-type remote-access

username <user> password UWSVh1yZsma11IZ2 encrypted

username <user> attributes

vpn-group-policy GroupPhoneWebvpn

service-type remote-access

webvpn

filter value webvpn

!

tunnel-group VPNPhone type remote-access

tunnel-group VPNPhone general-attributes

address-pool TEST

default-group-policy GroupPhoneWebvpn

tunnel-group VPNPhone webvpn-attributes

group-url https://172.16.14.15/VPNPhone enable

tunnel-group CertPassTunnelGroup type remote-access

tunnel-group CertPassTunnelGroup general-attributes

authorization-server-group LOCAL

default-group-policy GroupPhoneWebvpn

username-from-certificate CN

tunnel-group CertPassTunnelGroup webvpn-attributes

authentication aaa certificate

pre-fill-username ssl-client

group-url https://172.16.14.15/CertPass enable

tunnel-group CertOnlyTunnelGroup type remote-access

tunnel-group CertOnlyTunnelGroup general-attributes

default-group-policy GroupPhoneWebvpn

tunnel-group CertOnlyTunnelGroup webvpn-attributes

authentication certificate

group-url https://172.16.14.15/CertOnly enable

Marvin Rhoads · ‎03-07-2014

I believe the address reported by the certificate has to match the host address seen by the IP phone. Your NAT in-between may be an issue in this case.