Showing results for 
Search instead for 
Did you mean: 

SPA525g and SSL VPN question


I'm trying to setup a SPA525g with an SSL VPN. I've gone through the wizard and the phone indicates that it is connected to the VPN but the screen gets stuck at "downloading:XMLDefault.cnf.xml". When I connect it locally to the UC500 it works fine.

I've tried all sorts of IP address ranges in the ssl VPN but I can't find any docs that say if it should be in or if it matters at all.

My phone is running software version 7.4.3

Any help would be greatly appreciated.

Does it matter which anyconnect client you upload to the vpn server?

9 Replies 9


Can you check under Network Configuration on the 525G phone if you have the correct TFTP server set-up.

If you are using default IP addresses, try this - Under Network Configuration, Enable Alternate TFTP, manually enter as TFTP server 1, save config and reload the phone.

Thank you for your reply.

I have tried the alternate TFTP server to no avail.

Checking the VPN status on the phone shows I am connected but I receive 0 bytes. Attempts to ping the phone from the UC520 fail.

I'm having the same issue. I have tried 3 SPA525G's and they all do the same thing. I am running firmware 7-4-4. Was there ever any resolution to this issue?

I just found out that the SSL VPN Wizard in CCA had not created a split tunnel or access list from the data VLAN to the voice VLAN so the phone was not able to communicate with the TFTP server on the voice VLAN. That is frustrating. However, that did not resolve my issue on the UC540. For some reason the TFTP is timing out before it can get the XML files it needs to complete the regisrtation process. To verify, I set up the Anyconnect client on an XP machine and connected, I could ping the TFTP server, I loaded a TFTP client on the computer but was unable to download anything on that either. This is definitly a configuration issue on the router if not a bug. HELP!

I am trying to follow along to see if I can help here.

I built a SPA525G as a SSL VPN user off a UC520 and I am able to TFTP to the UC500.  I just tried to change ringtone, and it worked...

TFTP Event debugging is on
uc520_lab_5#term mon
003681: Apr 30 14:46:26.366: TFTP: Looking for Sax2.raw
003682: Apr 30 14:46:26.370: TFTP: Opened flash:/ringtones/Sax2.raw, fd 14, size 14233 for process 178
003683: Apr 30 14:46:26.594: TFTP: Finished flash:/ringtones/Sax2.raw, time 00:00:00 for process 178
003684: Apr 30 14:46:35.018: TFTP: Looking for Sax1.raw
003685: Apr 30 14:46:35.018: TFTP: Opened flash:/ringtones/Sax1.raw, fd 14, size 10858 for process 178
003686: Apr 30 14:46:35.198: TFTP: Finished flash:/ringtones/Sax1.raw, time 00:00:00 for process 178

Now when I built mine, I was asked if I wanted SPLIT or Full tunnel   see starting on page 5.

I am running 7.4.3.


I got this working fine first time following the doc and CCA, it is full tunnel right?

I'll wipe the phone config again and redo it to see if I have any issues.

There is nothing in front of the UC's WAN port is there?



I just tried it again wiping everything and following the doc. It worked fine running 7.4.3 on the phone 8.0.2 on the UC (although I lost video, but that's in the document) and the latest Windows Anyconnect client.

I wish I could be more help, All I can suggest is do a factory reset on the phone and try it all again

Bob, thanks for sticking with this. I have been working with Derek at STAC. He found the solution to my particular problem. He speculated that since we are not using the default IP scheme for the phones or the data VLAN's this could have caused the problem. However, see his information below on how he resolved the issue in my case:

What we are doing here is basically setting up a secondary TFTP option and forcing it to go that route.

- On the SPA525G Phone, go to the settings and select Network Configuration.
- Make sure the Alternate TFTP server is enabled and set it to (UC540 Public IP)

As far as the template goes, it should work like a champ now.  If by any means we run into a problem, this is what we had to do.

- Via CLI, obtain a copy of the IP Phone's cnf.xml file using your local tftp server.  (look for the MAC address where you see X below)

- copy flash:its/SEPxxxxxxxxxxxx.cnf.xml tftp:SEPxxxxxxxxxxxx.cnf.xml

Once you have this on your PC, open it using WordPad.  You are going to change two things.

1. The first IP address that you come across in the XML will be your voice VLAN gateway ( or whatever your voice vlan gateway is).  The second address that you will come to will be your WAN IP.  Switch these two addresses.

2. After that, you should see
( or whatever your  voice vlan gateway is) about three more times.  Change these to your WAN IP. 

- Save the file and copy it back to flash using the follow command:

- copy tftp:SEPxxxxxxxxxxxx.cnf.xml flash:its/SEPxxxxxxxxxxxx.cnf.xml

That pretty much does it.  On a side note, we had to add an additional statement to ACL 104 so it wouldn't block this traffic coming from us.  Just an FYI if you still have issues connecting.

I am trying to do this, but I cannot find the SEPxxxx file to copy from the UC520.  Where is it?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers