Anyconnect VPN cert update

Steven Williams
Level 4

Today I had to update the cert for the vpn.domain.com on my Cisco ASA. Now all my vpn based IP phones are broken. Do we need to update something on the phones to get them back online?

12 Replies

Marvin Rhoads
Hall of Fame

Not a good scenario. Sorry to be the bearer of bad news, but when you update an ASA certificate in an environment where VPN phones are in use, there are a couple of prerequisite steps.

Basically the new certificate has to be exported from the ASA to Call Manager and then phones need to get the instruction to trust it from the same CM. Unless and until that's done, they will be dead in the water.

There are a couple of TAC articles that talk about the steps in more detail:

Article 1

Article 2

Ok, I reverted the cert back to the old one so the phones can connect again. I imported the new cert to UCM and applied the config to the phone, per TAC, in hopes it will grab the new cert. But now how can I verify that the new cert was pushed to the phones? Also, is there a way to apply config to, like, 50 phones?

When you reset a phone it should pull the new certificate trust list from UCM.

You should be able to see it on the phone via Settings > Security Configuration > Trust List.

By the way, make sure the new certificate is NOT SHA-2 if you're running UCM 9.x or earlier.

I am running 8.6, so how do I check that setting? Sorry, I am 4 months new to phones... I miss my routing and switching days... so much easier!

Also if I don't have the physical phone in my hands is there a way I can check?

If you have the actual certificate file, just right click on it in Windows and open it. The Details tab will list all of the attributes, including the Signature Hash Algorithm (SHA) type.

There's a procedure for verifying the update process from UCM described in this thread.
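Added example (not code from this thread, from Cisco or from CUCM): a small standard-library script that answers the two questions above, which signature hash algorithm the exported .pem carries and whether the certificate the ASA is actually presenting on the VPN port is the one that was uploaded to CUCM. It parses just enough DER to read the outer signatureAlgorithm OID, computes the SHA-256 fingerprint of each certificate and compares them. The host name, port and PEM path are placeholders; fetch_live_cert_der needs network access to the ASA, and the constructed_cert_pem certificates are synthetic stand-ins (not real certificates) so the checks can be exercised offline.

```python
"""Check an exported ASA identity certificate (the .pem uploaded to CUCM)
and compare it with what the ASA presents on the VPN port.
Added example; not code from this thread, Cisco or CUCM."""
import base64
import hashlib
import re
import ssl

VPN_HOST = "vpn.domain.com"          # placeholder, the name used in the thread
VPN_PORT = 443
NEW_CERT_PEM = "asa-identity.pem"    # placeholder: the file exported from the ASA

# Signature-algorithm OIDs worth recognising; anything else is shown as its dotted OID.
OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                     # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der: bytes) -> str:
    """Name of the outer signatureAlgorithm of an X.509 certificate (RFC 5280 s4.1)."""
    tag, body, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)                # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, pos)           # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_raw, _ = _read_tlv(alg_id, 0)        # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    oid = _decode_oid(oid_raw)
    return OID_NAMES.get(oid, oid)

def is_sha2_signed(der: bytes) -> bool:
    name = signature_algorithm(der).lower()
    return any(h in name for h in ("sha256", "sha384", "sha512"))

def fingerprint_sha256(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest().upper()

def fetch_live_cert_der(host: str = VPN_HOST, port: int = VPN_PORT) -> bytes:
    """Certificate the ASA currently presents (needs network; not used by the offline checks)."""
    return pem_to_der(ssl.get_server_certificate((host, port)))

def check_rotation(expected_pem: str, live_der: bytes) -> dict:
    """Compare the PEM uploaded to CUCM with the certificate served by the ASA."""
    expected_der = pem_to_der(expected_pem)
    return {
        "sig_alg": signature_algorithm(expected_der),
        "sha2": is_sha2_signed(expected_der),
        "expected_fp": fingerprint_sha256(expected_der),
        "live_fp": fingerprint_sha256(live_der),
        "match": expected_der == live_der,
    }

# --- constructed stand-ins so the checks run offline: NOT real certificates, only the
# outer Certificate / AlgorithmIdentifier / BIT STRING structure is populated ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _der(0x06, bytes(out))

def constructed_cert_pem(sig_oid: str) -> str:
    tbs = _der(0x30, _der(0x02, b"\x02"))                      # placeholder tbsCertificate
    alg_id = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")   # OID + NULL parameters
    sig = _der(0x03, b"\x00" + bytes(32))                      # dummy BIT STRING signature
    b64 = base64.b64encode(_der(0x30, tbs + alg_id + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Offline demo on the stand-ins. For the real check run
    # check_rotation(open(NEW_CERT_PEM).read(), fetch_live_cert_der()) after the cutover.
    new_pem = constructed_cert_pem("1.2.840.113549.1.1.11")
    old_der = pem_to_der(constructed_cert_pem("1.2.840.113549.1.1.5"))
    print(check_rotation(new_pem, old_der))
```

Run it against the real .pem once the ASA has been switched to the new trustpoint: "match" must be True, and "sig_alg" tells you whether the file is SHA-1 or SHA-2 signed without opening it in Windows. A mismatch after the cutover means CUCM (and therefore the phones' trust list) holds something other than what the ASA is serving.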

SHA1

sha256

I think I am good.

Hi Steven,

You will need to get the new SSL certificate, install it on the ASA, and bind it to the outside interface as before:

ssl trust-point <TRUSTPOINT_NAME> <Interface_Name>

Then export it from the ASA and import it into the CUCM certificates:

     ASA:

          crypto ca export <Trustpoint_Name> identity-certificate

Then copy the Base-64 text, paste it into Notepad and save it with the extension .pem.

Go to Cisco Unified Operating System Administration > Security > Certificate Management > Upload Certificate/Certificate Chain

(screenshot: CertificateManagement.png)

Then remove the previous expired cert and place the new one on the VPN gateway:

(screenshot: VPNGateway.png)

 

Then connect the phones locally to the CUCM to import the new profile with the new cert, and then try to connect.

Take a look at this guide a peer created, just in case:

  https://supportforums.cisco.com/document/85976/ip-phone-vpn-basic-configuration-example

Please proceed to rate and mark as correct the helpful post!

David Castro,

Regards

This isn't following for 9.1 ASA code. Looks like I can export as a .pem file straight from ASDM.

You can export the identity cert from ASDM as well, with the extension .pem, then proceed to upload it to the CUCM and follow the steps I gave you before.

Please proceed to rate and mark as correct this post!

David Castro,

Regards,

Ok, I did that and I have added the cert to the certs in this location area for my gateways. The issue is I don't actually have the phones on prem; they are all over the world. So how do they get the update?

In this case the phones will need to register locally to the CUCM or upload the profile through a TFTP server. Under the VPN gateway config on CUCM you will see this:

Enable Auto Network Detect: If enabled, the VPN phone pings the TFTP server and if no response is received, it auto-initiates a VPN connection.

The users will need to get the profile through a TFTP server.

David Castro,

My client auth method is set to username and password? It was like this when I started my job here, so I am unaware of what was done in the past.

Also, I assume when we say TFTP we mean the CUCM, correct? So this would be configured in the phone.