I have an ASA 5510 running 8.2.2 code with 30 VPN Phones connected. Of the 30 phones, I have 5 that do not negotiate DTLS and I'm having quality issues with these phones. I've checked the login process and I don't see any errors when these phone connect, they just don't even attempt DTLS. All the phones use the same VPN configuration.
I seem to be having a related problem and I hope I can ask this question as an add-on to the thread you started.
We have AnyConnect VPN phones setup to connect to ASA 5510 running 8.4(4) and it uses Active Directory credentials to login. The connection succeeds from external ISP networks including Comcast and smaller independant service providers. However, when any of us on the AT&T uverse service take this same 7965 phone to our home networks it fails to make any connection to the ASA at all. A packet capture on the ASA shows no connection activity from our uverse IP address.
What's more is that we can successfully authenticate the VPN phone connection when using local account logins (e.g. username admin password ******* priv 15) that are entered on the ASA. AT&T says they're not blocking any ports. It's confounding that it works for local login users but not with A/D.
So I guess the question is: What is the initial TCP/UDP handshake comprised of when a Cisco IP phone builds an AnyConnect SSL connection to an ASA and negotiates authentication of A/D credentials? For instance, what are the port numbers used in this handshake? I couldn't find any diagrams illustrating ths and the RFCs for DTLS didn't seem to have the answer either.
Thanks in advance.
side note: I have a TAC case open currently but our CCVP engineer had some personal time off this week. He was pretty stumped by this too so it'd be nice to figure out the solution before he gets back. The case is "622960141 : ASA 5510 VPN Edition w/ 250 SSL User- VPN annyconnect for phones. configuration"