Cisco VPN :: ASA 5510 With VPN Phone Not Negotiating DTLS
Apr 4, 2012
I have an ASA 5510 running 8.2.2 code with 30 VPN phones connected. Of the 30 phones, I have 5 that do not negotiate DTLS and I'm having quality issues with these phones. I've checked the login process and I don't see any errors when these phones connect; they just don't even attempt DTLS. All the phones use the same VPN configuration.
I am just getting more confused the more I try to work it out. Not sure if this goes in the IP Telephony section or here. We have an ASA 5510 with the base license. We need to install IP phones at remote workers' homes, and I understand there are Cisco IP phones which have VPN clients built in to allow a tunnel to the central private network. It appears that you can only use AnyConnect VPN for this, and I am trying to work out what licensing upgrade we need to apply to the ASA, as the two AnyConnect licenses you get free on the ASA are not enough.
This is the phone we are looking to get: {URL}. What I want to know is, will the AnyConnect Essentials license work with these IP phones? When I do a show version,
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
[code].....
This platform has a Base license. It shows "Any Connect for Linksys phone : Disabled"; is this the same for Cisco IP phones? Is this the specific licensing type I should be looking to get for AnyConnect on IP phones, or will Essentials do?
I have configured AnyConnect for phones on an ASA 5510. The phone can connect to the corporate network through VPN from outside without any problem.
If I connect a laptop to the PC port on the phone, I can run the AnyConnect client on the PC and get a VPN connection through the phone. Can I get a VPN connection for the laptop through the phone without running the AnyConnect client on the laptop, i.e. can the phone share its VPN connection with the laptop on the PC port?
I have two sites connected together using a 4 Mbps link over a tunnel terminated on an ASA 5510. The Call Manager is in site 1, and the users in site 2 are unable to register with the Call Manager in site 1, while I have a successful ping from site 2 to site 1 (Call Manager IP). So why are these phones not registering? In terms of the network there are no problems, because the ping gets through, and I rely on ping to confirm that there is no network problem.
Is there any UDP traffic problem that prevents the phone registration?
I have just upgraded one of our 4400s to 7.0.98.0. Most of the APs re-registered without issues. I have two AIR-LAP1142N-E-K9 on a remote site that will not re-register. I have pointed them to another 2125 WLC (7.0.98.0) and they register fine. Point them to yet another 4400 (7.0.98.0) and I get the same issue. I am getting this error when they register on the 4400s:
*Jan 11 14:39:24.000: %CAPWAP-3-ERRORLOG: Selected MWAR 'abzewwlc'(index 1).
*Jan 11 14:39:24.000: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 11 07:05:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 144.46.211.5 peer_port: 5246
*Jan 11 07:06:55.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 144.46.211.5:5246
I suspect it may be as they both have In the client config. Then again maybe not.
Configured Switch 1 Addr 158.139.177.203
Configured Switch 2 Addr 144.46.214.25
Question 1: if I do a "clear config except static IP", will I still be able to telnet to them, or will they default to no telnet/no SSH?
Question 2: any idea how to get past this DTLS error?
My work laptop uses a Cisco AnyConnect VPN Client (Software Version 2.5.2006). The connection protocol is DTLS. I recently upgraded to a Cisco RV180 at home and it is running the latest software version (1.0.1.9).
Since the RV180 went into service the work laptop will connect intermittently. Usually email works but web browsing and other services do not. It is slightly strange behaviour and seems to defy what a VPN should do.
The behaviour is very repeatable. For example, from the customer's office the laptop connects perfectly via VPN, and if I swap back to an older, inferior make of router at home the VPN also works normally without changes to the laptop configuration.
I work for a large company (70,000+ employees) and we use "standard" builds so altering the laptop configuration is not really an option.
It seems to me that the RV180 doesn't support the DTLS VPN connection (indeed DTLS passthrough isn't an option in the VPN passthrough list) and is possibly blocking some incoming packets on the WAN interface.
I haven't yet tried a firewall rule to allow a DTLS (or UDP perhaps?) connection back in from the WAN side (obviously from just the IPs at my work end), but this is the only option I can think of to make this machine connect "correctly".
I've been labbing on my ASA 5505 at home, setting up different VPN solutions for testing purposes. However, I can't get my AnyConnect client to establish a DTLS tunnel when connecting (AnyConnect only shows TLS, and does not display any errors about not connecting with DTLS). I have set the DTLS port to 444 and this port is open on the other side.
Site was running fine until the WLC had a hardware failure.
A new WLC was shipped out; it was running 6.0.99 and was then manually upgraded to 7.0.98. Clients cannot authenticate, with recurrent log messages like this:
*dot1xMsgTask: Feb 23 17:05:03.648: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:5c:<snip>
*spamApTask0: Feb 23 17:05:01.926: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:629 Failed to complete DTLS handshake with peer 192.168.214.91
I have tried changing the key on the radius server to no avail.
I am setting up OfficeExtend with 1142 APs on a 5508 controller. All seems OK and I see my SSIDs on the remote AP. However, when I try to connect I don't get a DHCP address and the connection fails. When I look at logs and some debugs I see DTLS keepalive failures, and the AP is actually disconnecting and re-associating with the controller.
I have a WLC 5508 and several 1142 access points. The APs are not showing up in the WLC. When I console into the APs, I'm getting the following errors:
*Dec 26 23:04:28.035: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 65.125.15.212:5246
*Dec 26 23:04:28.074: %CAPWAP-5-CHANGED: CAPWAP changed state to
[Code]....
I've tried resetting the WLC and reloading the APs. I even factory defaulted one of the APs and am still getting the same message. I've verified that the WLC is set to accept MICs and SSCs.
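The CAPWAP/DTLS messages quoted in the 4400, 5508 and OfficeExtend posts above follow one pattern: a DTLS connection request to the controller on UDP 5246, then either a fatal alert or a handshake failure. The script below is an added example (my own, not from the posts or from Cisco) that parses such lines, pairs each request with the failure that followed it, and separates a request that dies a minute later with nothing in between from a handshake the peer actually answered and rejected. The sample log is constructed from the quoted message formats using documentation addresses; the verdict labels and the 30-second threshold are this example's own assumptions, not anything a WLC or AP prints.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the message formats quoted in the posts above
# (AP console lines with a leading '*', one WLC msglog line with a task-name prefix).
# Addresses are documentation ranges, not the originals.
SAMPLE_LOG = """\
*Jan 11 14:39:24.000: %CAPWAP-3-ERRORLOG: Selected MWAR 'abzewwlc'(index 1).
*Jan 11 14:39:24.000: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 11 07:05:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.5 peer_port: 5246
*Jan 11 07:06:55.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.0.2.5:5246
*spamApTask0: Feb 23 17:05:01.926: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:629 Failed to complete DTLS handshake with peer 192.0.2.91
*Dec 26 23:04:28.035: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.0.2.12:5246
*Dec 26 23:04:28.074: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
"""

TS_RE = re.compile(r"([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2})\.(\d{1,6})")
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")
PEER_RE = re.compile(
    r"peer_ip: (\S+) peer_port: (\d+)"   # %CAPWAP-5-DTLSREQSEND
    r"|Alert to (\S+):(\d+)"             # %DTLS-5-SEND_ALERT
    r"|handshake with peer (\S+)"        # %DTLS-3-HANDSHAKE_FAILURE
)
# Assumed threshold: a fatal alert this long after the request, with no handshake
# failure in between, looks like nothing answered on UDP 5246.
TIMEOUT_SECONDS = 30


def parse_event(line):
    """Timestamp, facility/severity/mnemonic and DTLS peer for one syslog line, or None."""
    m = MNEMONIC_RE.search(line)
    if not m:
        return None
    ts = None
    t = TS_RE.search(line)
    if t:
        # The log carries no year; strptime's default year is fine for same-day deltas.
        ts = datetime.strptime(" ".join(t.groups()[:3]) + "." + t.group(4), "%b %d %H:%M:%S.%f")
    peer = port = None
    p = PEER_RE.search(line)
    if p:
        peer = p.group(1) or p.group(3) or p.group(5)
        port = p.group(2) or p.group(4)
    return {"ts": ts, "facility": m.group(1), "severity": int(m.group(2)), "mnemonic": m.group(3),
            "peer": peer, "port": int(port) if port else None, "text": line[m.end():].strip()}


def triage(log_text):
    """Per DTLS peer: requests sent, fatal alerts / handshake failures, seconds from request
    to failure, and a verdict. Verdict labels are this example's own heuristics."""
    peers = defaultdict(lambda: {"requests": 0, "failures": 0, "seconds_to_fail": [],
                                 "handshake_failure": False})
    pending = {}  # peer -> timestamp of the last DTLSREQSEND not yet answered
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or not ev["peer"]:
            continue
        entry = peers[ev["peer"]]
        if ev["mnemonic"] == "DTLSREQSEND":
            entry["requests"] += 1
            pending[ev["peer"]] = ev["ts"]
        elif ev["mnemonic"] == "HANDSHAKE_FAILURE" or (
                ev["mnemonic"] == "SEND_ALERT" and "FATAL" in ev["text"]):
            entry["failures"] += 1
            entry["handshake_failure"] |= ev["mnemonic"] == "HANDSHAKE_FAILURE"
            started = pending.pop(ev["peer"], None)
            if started and ev["ts"]:
                entry["seconds_to_fail"].append((ev["ts"] - started).total_seconds())
    for entry in peers.values():
        if entry["handshake_failure"]:
            entry["verdict"] = "handshake_rejected"     # peer answered; the handshake itself failed
        elif entry["failures"] and entry["requests"] == 0:
            entry["verdict"] = "alert_without_request"  # request not inside this log window
        elif entry["failures"] and all(s >= TIMEOUT_SECONDS for s in entry["seconds_to_fail"]):
            entry["verdict"] = "timeout"                # request sent, nothing back before the alert
        elif entry["failures"]:
            entry["verdict"] = "early_failure"
        else:
            entry["verdict"] = "no_failure_seen"
    return dict(peers)


if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG).items():
        print(f"{peer}: {info['verdict']} (requests={info['requests']}, "
              f"failures={info['failures']}, seconds_to_fail={info['seconds_to_fail']})")
```

Feed it the AP console or the WLC msglog as text; a peer that comes back as timeout is worth checking for UDP 5246 being passed end to end (and for the right controller address being configured on the AP) before looking at certificates, whereas handshake_rejected means the two sides did talk.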
I have a Flex 7500 with 200 1142 APs working fine in a remote office and local setup. We have since purchased 3 OEAP 602s and are looking to distribute them to teleworkers.
I have configured the OEAP to point to the NAT'd IP of the WLC. The OEAP does connect and is listed briefly in the WLC wireless listing, but I am not able to make any configuration changes; it will then disassociate and try the join process all over again. I have attached below the OEAP 600 event log. I see that the WLC does not support data DTLS encryption and am looking to make this work.
I have tried to install the DTLS license file from the Cisco website, but it says the license failed to install, with no other errors.
*Jun 18 15:18:43.938: Build version 7.0.112.72 (compiled Feb 3 2012 at 01:56:39, [L]).
*Jun 18 15:18:47.859: CAPWAP State: Init.
*Jun 18 15:18:47.860: CAPWAP State: Discovery.
I'm trying to get the phone VPN function working from a Cisco 7965 phone. I can connect fine to the SSL VPN via a normal PC. When I try from a phone, it tries to connect and returns with: "VPN Authentication Failed"
Yet, when I look on the ASA with "sh vpn-sessiondb anyconnect", I can see the phone has connected fine:
Username : fred
Index : 17
Public IP : x.x.x.x
Protocol : AnyConnect-Parent
License : AnyConnect Premium, AnyConnect for Cisco VPN Phone
Encryption : AES128
Hashing : SHA1
Bytes Tx : 2417
Bytes Rx : 676
Group Policy : SSLClientPolicy
Tunnel Group : SSLClientProfile
Login Time : 15:05:53 GMT/BDT Fri Aug 19 2011
Duration : 0h:00m:38s
Inactivity : 0h:00m:08s
NAC Result : Unknown
VLAN Mapping : N/A
VLAN : none
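For the two phone questions above (five phones that never negotiate DTLS, and checking what a phone session actually has), the place to look is the Protocol field of "show vpn-sessiondb anyconnect": the child tunnels are listed after AnyConnect-Parent, and a session whose data runs over TLS only shows no DTLS-Tunnel there. The script below is an added example of my own, not from the posts or from Cisco, that parses that output into per-session fields and lists the users with no DTLS child. The sample output is constructed in the two-column layout of the 8.2 command; the field layout is assumed from the output quoted above, and the second session, both usernames and the addresses are invented.

```python
import re

# Constructed sample in the layout of "show vpn-sessiondb anyconnect" on ASA 8.2. The first
# session mirrors the phone session quoted above (with a documentation address); the second
# is an invented laptop session that did get a DTLS child tunnel.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : fred                   Index        : 17
Public IP    : 203.0.113.10
Protocol     : AnyConnect-Parent
License      : AnyConnect Premium, AnyConnect for Cisco VPN Phone
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 2417                   Bytes Rx     : 676
Group Policy : SSLClientPolicy        Tunnel Group : SSLClientProfile
Login Time   : 15:05:53 GMT/BDT Fri Aug 19 2011
Duration     : 0h:00m:38s
Inactivity   : 0h:00m:08s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : laptop-user            Index        : 18
Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 10240                  Bytes Rx     : 8192
Group Policy : SSLClientPolicy        Tunnel Group : SSLClientProfile
Login Time   : 15:01:10 GMT/BDT Fri Aug 19 2011
Duration     : 0h:05m:21s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
"""

# "Field : value" pairs; one line may carry two pairs separated by two or more spaces.
# Values such as "15:05:53 GMT/BDT ..." contain colons, so the key must be followed by
# whitespace, a colon and a space to count as a field.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s+:\s(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s+:\s|$)")


def parse_sessions(output):
    """Split the command output into one dict of fields per session (blocks start at Username)."""
    sessions = []
    for block in re.split(r"(?m)^(?=Username\s+:)", output):
        fields = {}
        for line in block.splitlines():
            for key, value in FIELD_RE.findall(line):
                fields[key.strip()] = value.strip()
        if "Username" in fields:
            sessions.append(fields)
    return sessions


def child_tunnels(session):
    """Child tunnels listed after AnyConnect-Parent in Protocol (SSL-Tunnel, DTLS-Tunnel)."""
    return [p for p in session.get("Protocol", "").split() if p != "AnyConnect-Parent"]


def sessions_without_dtls(output):
    """Usernames whose session has no DTLS-Tunnel child: data goes over TLS/TCP only, or,
    for a session that has only just logged in, over no data tunnel yet."""
    return [s["Username"] for s in parse_sessions(output)
            if "DTLS-Tunnel" not in child_tunnels(s)]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(f"{s['Username']:12} index={s['Index']:>3} tunnels={child_tunnels(s) or ['none yet']} "
              f"license={s['License']}")
    print("no DTLS:", sessions_without_dtls(SAMPLE_OUTPUT))
```

Run it against a saved copy of the command output taken a few minutes after the phones have registered, since a session captured seconds after login (Duration 0h:00m:38s above) may simply not have brought up its data tunnels yet; the users it lists are the ones to compare against the others for group policy, client version and any UDP filtering on the path.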
I have a CME that has an FXO card. I can call the CME's number from an on-site phone and it works just fine, but when I try from my cell phone it picks up but doesn't give the dial tone like it's supposed to; but if I hook an analog line to the phone line I can call that with no problem from my cell?
I have a CME on the other end of my MPLS network. When troubleshooting phone issues I set up a phone on the CME system in question and point its TFTP server to the address of the CME router. Now, I need to point this phone to another CME but it keeps registering with the previous one no matter what I do (the TFTP server is pointed to the new CME). I have tried turning off the auto register, and I have deleted the ephone and its MAC address altogether, but it always registers with the wrong CME.
I am moving an IP phone from one subnet to another subnet. I have deleted the IP phone configuration in Call Manager (System version: 7.0.1.11000-2); however, when adding the same device (same MAC address) again in the Call Manager, the Call Manager associates the phone with the old IPv4 address (even though the phone is turned off). The phone is booting up and getting a different IP address on the new subnet, and is always in the "Registering" state. The phone has the right CM IP, TFTP IP, etc. The only difference is the phone IP address and the IP address that the CM is showing in the phone device configuration. I also tried resetting/rebooting and restoring the phone to factory default settings but it doesn't work. I have a few more devices on this new subnet that are working fine.
Is it possible to manage a Cisco phone by web interface (manage transfer/diversion... of the IP phone)? When I go to http://ip_cisco7961 and give permissions in the user's settings (Web Access: Enabled), I only have information in read-only.
the customer has CUCM in the inventory database of LMS 4.1. He has all accesses from LMS to CUCM. One phone 7961 is seen in the UT report. When the customer click on the CUCM in the inventory - there is no IP phone registered in the CUCM. What is wrong?:-( See the attachment.
I have a problem with a 9971 phone. It works perfectly inside the network but I can't figure out how to enable VPN on this phone. Also I can't find any VPN menu in the phone configuration.
How do I implement 802.1X with an Alcatel phone where the PC is behind the phone and the Cisco switch ports are configured as trunks? The trunk native VLAN is the data VLAN for the PC and the trunk carries the voice VLAN. When trunk mode is enabled I cannot configure 802.1X on the trunk interface.
Currently using PC fax/modem card with landline phone cord to send/receive faxes. I live in a very rural area that has really crappy landlines for my phones. Will be getting a Verizon wireless phone system that has 2 RJ-11 interface jacks so I can connect my current landline phones to the wireless system. Is there some way that I will be able to use my PC fax with this Verizon system? The Verizon salesman wasn't sure but didn't think so.
I am trying to implement a small VoIP LAN (you can see the LAN in the attachments) for a personal project. I am using:
- 2 x XP (on which I installed Cisco IP Communicator 7.0.3.0)
- 1 x Ubuntu (running GNS3 with a c3600 router)
The problem is that the phone which is not in the same LAN with the tftp server cannot register.
1) Can a phone register to a TFTP server from another LAN?
2) If the answer to 1) is yes, what am I doing wrong (you can see the details in the attachments)? I mention that the ping works well anywhere in the LAN.
When I place the phone on a different subnet, registration fails. The connectivity between the two subnets should be working because I have a desktop computer hooked up behind the Avaya phone and the computer can talk with the server without problem. The phone has got its IP from the DHCP server and I can even ping the IP from the phone server, but on the phone it shows "Discover 10.0.10.10" then reboots, again and again. 10.0.10.10 is the IP of the phone server. And there are no firewall rules blocking the traffic between the two subnets. Like I said before, if I place the phone on the same subnet as the server it works. The settings of the switch remain unchanged.
I have a question on an IP phone getting the firmware from the TFTP server (e.g. CME) after bootup:
- After the registration with CME, the IP phone will get an auto config file, which is the Default.xml file.
- The CME acts as a TFTP server which contains all the IP phone firmware for different models like 7970 and 7640 in different directories.
- The CME has been configured with the directory path for all the IP phones, so when the IP phone comes to TFTP it acquires the firmware.
Let's say I have a 7970 phone registered; what is the mechanism that governs that my 7970 is not downloading the wrong firmware from the TFTP? Let's say it might wrongly download the 7640 firmware? Who takes care of this? The phone itself? Or will the CME tell the IP phone to take only the 7970 firmware via the Default.xml file?
Is it possible to connect an analog phone to an FXS port on a CME router and a VoIP phone to a switch connected to said router and have voice connectivity between the phones? Also, is it possible to connect an FXO port on that same CME to an RJ-11 wall jack to connect to the PSTN and be able to call that VoIP phone as well as the analog phone from my cellphone? I'm trying to tie it together as I read the CCNA Voice OCG.
I have a WLSE set up in a small organization and have C1130 APs connected to the LAN network with two broadcast SSIDs, and I have a Cisco IP telephony setup too. Now I want to connect some Cisco wireless phones through the wireless. As I said, I have two SSIDs and both are working very fine, so my question is that on the LAN switch side I have this configuration:
interface GigabitEthernet1/0/9
 switchport trunk native vlan 54
 switchport trunk allowed vlan 51,54,58,59
 switchport mode trunk
 spanning-tree portfast
We have bought L-ASA-AC-PH-5520= (AnyConnect VPN Phone License) for our Cisco phones, but when we entered this license into our ASA it shows the following, i.e. enabled for Linksys phones. Is there a different part number to enable VPN for Cisco phones? [code]
I am piloting an 802.1X implementation for a client who has Mitel IP phones. I have set up the switch and ACS based on previous experience and a Windows PC can authenticate onto the network OK. When I use a Mitel phone, however, it seems to skip past the first 802.1X LCD message and goes straight to LLDP and DHCP discovery, which obviously fails. The phones are 5224s and the controller is on the original v10 release. I have cleared the 802.1X config on the phone and rebooted as per Mitel documentation, which leads me to believe it should then prompt for a user/pass on next reboot. It does not do this.
I know the ACS is set up to support EAP-MD5 and I have tried all the various types of host modes including the default, Multi-Auth and Multi-Domain, and none of them seem to make any difference. I have tried with and without a PC attached to the phone as well.
A Wireshark capture shows the EAP identity request from the switch, and I see an EAP response from the phone, although it is slightly different from the PC's response. In the end the phone issues an EAP (code 4) Failure message. So something in that EAP conversation doesn't seem to work.
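The EAP exchange described in the post above (identity request from the switch, a response from the phone that differs from the PC's, and an EAP Failure, code 4, at the end) can be decoded frame by frame. The script below is an added example of mine, not the poster's capture and not Mitel or Cisco code: it builds and parses EAPOL frames carrying EAP packets and summarises the conversation, including a Nak, the response a supplicant sends when it rejects the method the authenticator offered. The capture is constructed: the identity string, the Nak asking for EAP-TLS and the Failure from the switch are invented to exercise the decoder, not a record of what a 5224 actually sends.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}
EAPOL_EAP_PACKET = 0  # EAPOL packet type carrying an EAP packet (others: Start, Logoff, Key)


def build_eapol(code, ident, eap_type=None, data=b""):
    """EAPOL (802.1X, version 2) frame carrying one EAP packet. Success/Failure have no Type byte."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap


def parse_eapol(frame):
    """Decode the EAPOL header and, for EAP-Packet frames, the EAP code/id/type/data."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    out = {"eapol_version": version, "eapol_type": ptype}
    if ptype != EAPOL_EAP_PACKET:
        return out  # EAPOL-Start, Logoff, Key: no EAP payload to decode here
    eap = frame[4:4 + length]
    if len(eap) < 4:
        raise ValueError("short EAP header")
    code, ident, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len > len(eap):
        raise ValueError("EAP length exceeds frame")
    out.update(code=code, code_name=EAP_CODES.get(code, f"code-{code}"), id=ident)
    if code in (1, 2) and eap_len > 4:  # only Request/Response carry a Type byte
        out["type"] = eap[4]
        out["type_name"] = EAP_TYPES.get(eap[4], f"type-{eap[4]}")
        out["data"] = eap[5:eap_len]
    return out


def summarize_exchange(capture):
    """capture: list of (sender, frame). One line per frame plus a closing verdict line.
    The verdict wording is this example's own, not what a switch or ACS logs."""
    lines, last_request_type, ended = [], None, "still running"
    for sender, frame in capture:
        p = parse_eapol(frame)
        if "code" not in p:
            lines.append(f"{sender}: EAPOL type {p['eapol_type']}")
            continue
        desc = f"{sender}: {p['code_name']} id={p['id']}"
        if "type" in p:
            desc += f" {p['type_name']}"
            if p["code"] == 2 and p["type"] == 1:
                desc += f" identity={p['data'].decode(errors='replace')!r}"
            if p["type"] == 3:  # Nak data lists the method(s) the supplicant would accept
                desc += " wants=" + ",".join(EAP_TYPES.get(b, str(b)) for b in p["data"])
            if p["code"] == 1:
                last_request_type = p["type_name"]
        lines.append(desc)
        if p["code"] == 4:
            ended = f"Failure from {sender} after {last_request_type} request"
        elif p["code"] == 3:
            ended = f"Success from {sender}"
    lines.append("ended: " + ended)
    return lines


# Constructed capture (not the poster's): the switch offers EAP-MD5, the supplicant Naks it
# asking for EAP-TLS, and the switch sends Failure. The identity string is invented.
SAMPLE_CAPTURE = [
    ("switch", build_eapol(1, 1, 1)),                                  # Request/Identity
    ("phone", build_eapol(2, 1, 1, b"phone5224")),                      # Response/Identity
    ("switch", build_eapol(1, 2, 4, bytes([16]) + bytes(range(16)))),   # Request/MD5-Challenge
    ("phone", build_eapol(2, 2, 3, bytes([13]))),                       # Response/Nak -> EAP-TLS
    ("switch", build_eapol(4, 2)),                                      # Failure
]

if __name__ == "__main__":
    print("\n".join(summarize_exchange(SAMPLE_CAPTURE)))
```

When comparing the phone's response with the PC's in a real capture, the three things this decoder surfaces are the ones to compare first: the identity string the supplicant sends, whether the response to the first method request is a Nak (and which method it asks for), and which request the Failure follows.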