04-05-2012 06:26 AM
I have an ASA 5510 running 8.2.2 code with 30 VPN Phones connected. Of the 30 phones, I have 5 that do not negotiate DTLS and I'm having quality issues with these phones. I've checked the login process and I don't see any errors when these phones connect; they just don't even attempt DTLS. All the phones use the same VPN configuration.
07-24-2012 07:09 AM
Turns out this is an undocumented caveat. TAC has isolated the issue and is preparing a fix for it.
09-15-2012 07:26 AM
Was this fix completed? How are things working now?
09-15-2012 08:53 AM
I seem to be having a related problem and I hope I can ask this question as an add-on to the thread you started.
We have AnyConnect VPN phones set up to connect to ASA 5510 running 8.4(4) and it uses Active Directory credentials to login. The connection succeeds from external ISP networks including Comcast and smaller independent service providers. However, when any of us on the AT&T uverse service take this same 7965 phone to our home networks it fails to make any connection to the ASA at all. A packet capture on the ASA shows no connection activity from our uverse IP address.
What's more is that we can successfully authenticate the VPN phone connection when using local account logins (e.g. username admin password ******* priv 15) that are entered on the ASA. AT&T says they're not blocking any ports. It's confounding that it works for local login users but not with A/D.
So I guess the question is: What is the initial TCP/UDP handshake comprised of when a Cisco IP phone builds an AnyConnect SSL connection to an ASA and negotiates authentication of A/D credentials? For instance, what are the port numbers used in this handshake? I couldn't find any diagrams illustrating this and the RFCs for DTLS didn't seem to have the answer either.
Thanks in advance.
--Athonia
side note: I have a TAC case open currently but our CCVP engineer had some personal time off this week. He was pretty stumped by this too so it'd be nice to figure out the solution before he gets back. The case is "622960141 : ASA 5510 VPN Edition w/ 250 SSL User- VPN annyconnect for phones. configuration"
09-15-2012 03:20 PM
Development has made an ES to fix this issue.
SCCP45.9-3-1ES4S
SCCP75.9-3-1ES4S