ASA with VPN Phone not negotiating DTLS

I have an ASA 5510 running 8.2.2 code with 30 VPN Phones connected.  Of the 30 phones, I have 5 that do not negotiate DTLS and I'm having quality issues with these phones.  I've checked the login process and I don't see any errors when these phones connect, they just don't even attempt DTLS.  All the phones use the same VPN configuration.


ASA with VPN Phone not negotiating DTLS

Turns out this is an undocumented caveat.  TAC has isolated the issue and is preparing a fix for it.

Re: ASA with VPN Phone not negotiating DTLS

Was this fix completed. How are things working now?


Re: ASA with VPN Phone not negotiating DTLS

I seem to be having a related problem and I hope I can ask this question as an add-on to the thread you started.

We have AnyConnect VPN phones set up to connect to an ASA 5510 running 8.4(4) and it uses Active Directory credentials to log in. The connection succeeds from external ISP networks including Comcast and smaller independent service providers. However, when any of us on the AT&T U-verse service take this same 7965 phone to our home networks it fails to make any connection to the ASA at all. A packet capture on the ASA shows no connection activity from our U-verse IP address.

What's more is that we can successfully authenticate the VPN phone connection when using local account logins (e.g. username admin password ******* priv 15) that are entered on the ASA. AT&T says they're not blocking any ports. It's confounding that it works for local login users but not with A/D.

So I guess the question is: What is the initial TCP/UDP handshake comprised of when a Cisco IP phone builds an AnyConnect SSL connection to an ASA and negotiates authentication of A/D credentials? For instance, what are the port numbers used in this handshake?  I couldn't find any diagrams illustrating this and the RFCs for DTLS didn't seem to have the answer either.

Thanks in advance.

--Athonia

side note: I have a TAC case open currently but our CCVP engineer had some personal time off this week. He was pretty stumped by this too so it'd be nice to figure out the solution before he gets back.  The case is "622960141 : ASA 5510 VPN Edition w/ 250 SSL User- VPN annyconnect for phones. configuration"

Re: ASA with VPN Phone not negotiating DTLS

Development has made an ES to fix this issue.

SCCP45.9-3-1ES4S

SCCP75.9-3-1ES4S