I'm trying to set up a SPA525G with an SSL VPN. I've gone through the wizard and the phone indicates that it is connected to the VPN, but the screen gets stuck at "downloading:XMLDefault.cnf.xml". When I connect it locally to the UC500 it works fine.
I've tried all sorts of IP address ranges in the SSL VPN but I can't find any docs that say if it should be in 10.1.1.0 or if it matters at all.
My phone is running software version 7.4.3.
Any help would be greatly appreciated.
Does it matter which AnyConnect client you upload to the VPN server?
I just found out that the SSL VPN Wizard in CCA had not created a split tunnel or access list from the data VLAN to the voice VLAN, so the phone was not able to communicate with the TFTP server on the voice VLAN. That is frustrating. However, that did not resolve my issue on the UC540. For some reason the TFTP is timing out before it can get the XML files it needs to complete the registration process. To verify, I set up the AnyConnect client on an XP machine and connected. I could ping the TFTP server, and I loaded a TFTP client on the computer, but was unable to download anything on that either. This is definitely a configuration issue on the router if not a bug. HELP!
I am trying to follow along to see if I can help here.
I built a SPA525G as a SSL VPN user off a UC520 and I am able to TFTP to the UC500. I just tried to change ringtone, and it worked...
TFTP Event debugging is on
003681: Apr 30 14:46:26.366: TFTP: Looking for Sax2.raw
003682: Apr 30 14:46:26.370: TFTP: Opened flash:/ringtones/Sax2.raw, fd 14, size 14233 for process 178
003683: Apr 30 14:46:26.594: TFTP: Finished flash:/ringtones/Sax2.raw, time 00:00:00 for process 178
003684: Apr 30 14:46:35.018: TFTP: Looking for Sax1.raw
003685: Apr 30 14:46:35.018: TFTP: Opened flash:/ringtones/Sax1.raw, fd 14, size 10858 for process 178
003686: Apr 30 14:46:35.198: TFTP: Finished flash:/ringtones/Sax1.raw, time 00:00:00 for process 178
Now, when I built mine, I was asked if I wanted SPLIT or Full tunnel.
https://supportforums.cisco.com/docs/DOC-9811 see starting on page 5.
I am running 7.4.3.
I just tried it again, wiping everything and following the doc. It worked fine running 7.4.3 on the phone, 8.0.2 on the UC (although I lost video, but that's in the document) and the latest Windows AnyConnect client.
I wish I could be more help. All I can suggest is to do a factory reset on the phone and try it all again.
Bob, thanks for sticking with this. I have been working with Derek at STAC. He found the solution to my particular problem. He speculated that since we are not using the default IP scheme for the phones or the data VLANs, this could have caused the problem. However, see his information below on how he resolved the issue in my case:
What we are doing here is basically setting up a secondary TFTP option and forcing it to go that route.
- On the SPA525G Phone, go to the settings and select Network Configuration.
- Make sure the Alternate TFTP server is enabled and set it to (UC540 Public IP)
As far as the template goes, it should work like a champ now. If by any means we run into a problem, this is what we had to do.
- Via CLI, obtain a copy of the IP Phone's cnf.xml file using your local TFTP server. (Look for the MAC address where you see X below.)
- copy flash:its/SEPxxxxxxxxxxxx.cnf.xml tftp:SEPxxxxxxxxxxxx.cnf.xml
Once you have this on your PC, open it using WordPad. You are going to change two things.
1. The first IP address that you come across in the XML will be your voice VLAN gateway (10.1.1.1 or whatever your voice VLAN gateway is). The second address that you will come to will be your WAN IP. Switch these two addresses.
2. After that, you should see (10.1.1.1 or whatever your voice VLAN gateway is) about three more times. Change these to your WAN IP.
- Save the file and copy it back to flash using the following command:
- copy tftp:SEPxxxxxxxxxxxx.cnf.xml flash:its/SEPxxxxxxxxxxxx.cnf.xml
That pretty much does it. On a side note, we had to add an additional statement to ACL 104 so it wouldn't block this traffic coming from us. Just an FYI if you still have issues connecting.
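
The two manual edits to the phone's cnf.xml described in the post above, written as an added Python example that is not part of the original thread or of any Cisco tooling. The function name `rewrite_cnf`, the element names in the sample and the WAN address 203.0.113.10 are constructed for illustration; the script refuses to touch a file whose first two addresses are not the voice VLAN gateway followed by the WAN IP, which also stops it from being applied twice.

```python
import re

# Dotted-quad matcher; the look-arounds keep it from matching inside longer dotted strings
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def rewrite_cnf(xml_text, voice_gw, wan_ip):
    """Apply steps 1 and 2 from the post to the text of a SEP<mac>.cnf.xml file."""
    matches = list(IPV4.finditer(xml_text))
    if len(matches) < 2:
        raise ValueError("expected at least two IP addresses in the file")
    first, second = matches[0].group(), matches[1].group()
    # Only edit a file laid out as the post describes: gateway first, WAN IP second
    if (first, second) != (voice_gw, wan_ip):
        raise ValueError(f"unexpected leading addresses: {first}, {second}")
    out, pos = [], 0
    for i, m in enumerate(matches):
        out.append(xml_text[pos:m.start()])
        addr = m.group()
        if i == 0:
            out.append(wan_ip)        # step 1: first address becomes the WAN IP
        elif i == 1:
            out.append(voice_gw)      # step 1: second address becomes the gateway
        elif addr == voice_gw:
            out.append(wan_ip)        # step 2: later gateway references become the WAN IP
        else:
            out.append(addr)          # unrelated addresses are left alone
        pos = m.end()
    out.append(xml_text[pos:])
    return "".join(out)

# Constructed sample: element names are placeholders, not the real cnf.xml schema
SAMPLE = """<device>
  <primaryServer>10.1.1.1</primaryServer>
  <secondaryServer>203.0.113.10</secondaryServer>
  <serviceA>http://10.1.1.1/a</serviceA>
  <serviceB>http://10.1.1.1/b</serviceB>
  <serviceC>10.1.1.1</serviceC>
  <timeServer>192.0.2.5</timeServer>
</device>
"""

if __name__ == "__main__":
    print(rewrite_cnf(SAMPLE, "10.1.1.1", "203.0.113.10"))
```

Run it on the copy pulled to the PC, diff the result against the original, then copy the file back to flash as in the last step.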