
ASA 8.0.4 Phone proxy and CUCM 6.1.2

tolya
Level 1

Hello all,

I'm trying to test the new phone-proxy feature and I can't make it work.

Phone shows registering and nothing happens.

I've attached the config; it's a copy from the Cisco website.

Here is the debug from debug phone-proxy:

PP: 192.168.1.5/49162 requesting CTLSEP001A6DE7CB1C.tlv
PP: opened 0x4213e156
PP: Data Block 1 forwarded from 192.168.1.10/15995 to 192.168.1.5/49162 ingress ifc Outside
PP: Received ACK Block 1 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 2 forwarded to 192.168.1.5/49162
PP: Received ACK Block 2 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 3 forwarded to 192.168.1.5/49162
PP: Received ACK Block 3 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 4 forwarded to 192.168.1.5/49162
PP: Received ACK Block 4 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 5 forwarded to 192.168.1.5/49162
PP: Received ACK Block 5 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 6 forwarded to 192.168.1.5/49162
PP: Received ACK Block 6 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: Data Block 7 forwarded to 192.168.1.5/49162
PP: Received ACK Block 7 from Outside:192.168.1.5/49162 to inside:172.18.224.37
PP: TFTP session complete, all data sent
PP: 192.168.1.5/49163 requesting SEP001A6DE7CB1C.cnf.xml.sgn
PP: opened 0x42195542
PP: Received Data Block 1 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 1
PP: Acked Block #1 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 2 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 2
PP: Acked Block #2 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 3 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 3
PP: Acked Block #3 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 4 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 4
PP: Acked Block #4 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 5 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 5
PP: Acked Block #5 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 6 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 6
PP: Acked Block #6 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 7 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 7
PP: Acked Block #7 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 8 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 8
PP: Acked Block #8 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 9 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 9
PP: Acked Block #9 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Received Data Block 10 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
Received Block 10
PP: Acked Block #10 from 172.22.161.21/49163 to 172.18.224.37/33820
PP: Unable to get dns response for id 7
PP: Callback, error modifying config file
PP: Unable to CM name addr
PP: Callback required for parsing config file
PP: 192.168.1.5/49163 requesting SEP001A6DE7CB1C.cnf.xml.sgn
PP: Client Outside:192.168.1.5/49163 retransmitting request for Config file SEP001A6DE7CB1C.cnf.xml.sgn
PP: opened 0x421fc98e
PP: Received Data Block 1 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
PP: Received Data Block 1 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163

5 Replies

tolya
Level 1

Config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.22.161.15 255.255.255.0
!
interface Vlan2
 nameif Outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 2
access-list pp extended permit udp any host 192.168.1.10 eq tftp
access-list pp extended permit tcp any any eq 2000 log
access-list pp extended permit tcp any any eq 2443 log
pager lines 24
logging console debugging
logging buffered debugging
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
static (inside,Outside) 192.168.1.10 172.18.224.37 netmask 255.255.255.255
static (Outside,inside) 172.22.161.21 192.168.1.5 netmask 255.255.255.255
static (inside,Outside) 172.18.224.37 192.168.1.10 netmask 255.255.255.255
static (inside,Outside) 172.22.161.21 192.168.1.5 netmask 255.255.255.255
access-group pp in interface Outside
route inside 0.0.0.0 0.0.0.0 172.22.161.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint cucm_tftp_server
 enrollment self
 serial-number
 keypair cucmtftp_kp
 crl configure
crypto ca trustpoint _internal_myctl_SAST_0
 enrollment self
 fqdn none
 subject-name cn="_internal_myctl_SAST_0";ou="STG";o="Cisco Inc"
 keypair _internal_myctl_SAST_0
 crl configure
crypto ca trustpoint _internal_myctl_SAST_1
 enrollment self
 fqdn none
 subject-name cn="_internal_myctl_SAST_1";ou="STG";o="Cisco Inc"
 keypair _internal_myctl_SAST_1
 crl configure
crypto ca trustpoint _internal_PP_myctl
 enrollment self
 fqdn none
 subject-name cn="_internal_PP_myctl";ou="STG";o="Cisco Inc"
 keypair _internal_PP_myctl
 crl configure
crypto ca certificate chain cucm_tftp_server
certificate crypto ca certificate chain _internal_myctl_SAST_0
certificate _internal_myctl_SAST_1
certificate quit
crypto ca certificate chain _internal_PP_myctl
 certificate
 quit
telnet timeout 5
ssh timeout 5
console timeout 0
!
tls-proxy mytls
 server trust-point _internal_PP_myctl
ctl-file myctl
 record-entry cucm-tftp trustpoint cucm_tftp_server address 172.18.224.37
 no shutdown
!
phone-proxy mypp
 media-termination address 172.16.161.20
 tftp-server address 192.168.1.10 interface Outside
 tls-proxy mytls
 cipc security-mode authenticated
 ctl-file myctl
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map sec_sip
 match port tcp eq 5061
class-map sec_sccp
 match port tcp eq 2443
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map pp_policy
 class sec_sccp
  inspect skinny phone-proxy mypp
 class sec_sip
  inspect sip phone-proxy mypp
!
service-policy global_policy global
service-policy pp_policy interface Outside

calmichael
Level 1

There is a portion of your debug that suggests that the CM is unable to be resolved:

PP: Unable to get dns response for id 7
PP: Callback, error modifying config file
PP: Unable to CM name addr

Do you publish your CCM/CUCM by hostname or by IP?

Thanks for the pointer. I've changed the hostname to the IP address, but the issue is still the same.

Phone still shows "Registering".

ASA debug (debug inspect tls-proxy):

Setting SERVER_CLEAR flag in conn
TLSP d4f9bb10: Set up proxy for Client Outside:192.168.1.5/43381 <-> Server inside:192.168.1.10/2443
TLSP d4f9bb10: Using trust point '_internal_PP_myctl' with the Client, RT proxy d4f58f38
TLSP d4f9bb10: Waiting for SSL handshake from Client Outside:192.168.1.5/43381.
TLSP d4f9bb10: --> Proxy Rx 52 bytes
TLSP d4f9bb10: <== Proxy Tx 7 bytes
TLSP d4f9bb10: new event: KILL_FLOW
TLSP d4f9bb10: new event: KILL_FLOW
TLSP d4f9bb10: Tear down proxy for Client Outside:192.168.1.5/43381.
TLSP d4f9bb10: Tear down proxy for Server inside:172.18.224.37/2000.

Any ideas?

Try to debug the TFTP (debug phone-proxy tftp).

This link may be helpful:

http://supportwiki.cisco.com/wiki/index.php?title=ASA_Phone_Proxy_Troubleshooting_and_Common_Problems&oldid=99681

After the deepest troubleshooting, I found that the ASA didn't have a 3DES license. After 3DES activation and updating the parameters for ssl, it started to work.

Many thanks to all!!!!
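The two debug captures in this thread each contain a one-line tell that is easy to skim past: the DNS failure in the phone-proxy TFTP phase, and the tls-proxy flow that is killed right after the ASA answers the phone's 52-byte first record with a 7-byte one (7 bytes is exactly a TLS alert record: a 5-byte record header plus a 2-byte alert body, which is what a server sends when it cannot agree on a cipher suite). The script below is an added triage helper, not code from the thread or from Cisco. The sample log text is constructed from the debug lines posted above; the `ssl_ciphers` check assumes that "updating parameters for ssl" in the final post refers to the ASA `ssl encryption` command, and it only reports what the config lists, since whether 3DES/AES ciphers are actually usable depends on the license shown by `show version`.

```python
"""Triage ASA 'debug phone-proxy' and 'debug inspect tls-proxy' output.

Added example, not from the thread or from Cisco. Sample text is constructed
from the debug lines posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: the config-file phase of 'debug phone-proxy', trimmed.
PHONE_PROXY_DEBUG = """\
PP: 192.168.1.5/49163 requesting SEP001A6DE7CB1C.cnf.xml.sgn
PP: opened 0x42195542
PP: Received Data Block 10 from inside:172.18.224.37/33820 to Outside:192.168.1.5/49163
PP: Unable to get dns response for id 7
PP: Callback, error modifying config file
PP: Unable to CM name addr
PP: Callback required for parsing config file
PP: Client Outside:192.168.1.5/49163 retransmitting request for Config file SEP001A6DE7CB1C.cnf.xml.sgn
"""

# Constructed sample: the 'debug inspect tls-proxy' lines from the thread.
TLS_PROXY_DEBUG = """\
TLSP d4f9bb10: Set up proxy for Client Outside:192.168.1.5/43381 <-> Server inside:192.168.1.10/2443
TLSP d4f9bb10: Using trust point '_internal_PP_myctl' with the Client, RT proxy d4f58f38
TLSP d4f9bb10: Waiting for SSL handshake from Client Outside:192.168.1.5/43381.
TLSP d4f9bb10: --> Proxy Rx 52 bytes
TLSP d4f9bb10: <== Proxy Tx 7 bytes
TLSP d4f9bb10: new event: KILL_FLOW
TLSP d4f9bb10: Tear down proxy for Client Outside:192.168.1.5/43381.
"""

TLS_ALERT_RECORD_LEN = 7  # 5-byte TLS record header + 2-byte alert (level, description)

RE_DNS_FAIL = re.compile(r"^PP: Unable to get dns response for id (\d+)")
RE_CFG_FAIL = re.compile(r"^PP: (Callback, error modifying config file|Unable to CM name addr)")
RE_RETRANSMIT = re.compile(r"^PP: Client \S+ retransmitting request for Config file (\S+)")
RE_TLS = re.compile(r"^TLSP ([0-9a-f]+): (.*)$")
RE_RX = re.compile(r"--> Proxy Rx (\d+) bytes")
RE_TX = re.compile(r"<== Proxy Tx (\d+) bytes")
RE_SSL_ENC = re.compile(r"^\s*ssl encryption\s+(.+?)\s*$", re.MULTILINE)


def triage_phone_proxy(text):
    """Findings for the TFTP/config-rewrite phase: (code, detail) tuples."""
    findings = []
    for line in text.splitlines():
        m = RE_DNS_FAIL.match(line)
        if m:
            findings.append(("dns-unresolved",
                             "DNS query id %s got no answer: the ASA could not resolve the "
                             "CUCM name it found in the phone's config file" % m.group(1)))
            continue
        if RE_CFG_FAIL.match(line):
            findings.append(("config-rewrite-failed", line))
            continue
        m = RE_RETRANSMIT.match(line)
        if m:
            findings.append(("phone-retrying",
                             "phone re-requested %s: it never received a usable config" % m.group(1)))
    return findings


def triage_tls_proxy(text):
    """Flag a tls-proxy flow killed right after an alert-sized reply to the client's first record."""
    sessions = defaultdict(lambda: {"rx": [], "tx": [], "killed": False})
    for line in text.splitlines():
        m = RE_TLS.match(line)
        if not m:
            continue
        sid, rest = m.groups()
        s = sessions[sid]
        rx, tx = RE_RX.search(rest), RE_TX.search(rest)
        if rx:
            s["rx"].append(int(rx.group(1)))
        elif tx:
            s["tx"].append(int(tx.group(1)))
        elif "KILL_FLOW" in rest:
            s["killed"] = True
    findings = []
    for sid, s in sessions.items():
        if s["killed"] and s["rx"] and s["tx"] and s["tx"][0] == TLS_ALERT_RECORD_LEN:
            findings.append(("tls-handshake-aborted",
                             "session %s: client sent %d bytes (ClientHello), ASA answered with a "
                             "%d-byte record (alert-sized) and killed the flow; no handshake completed, "
                             "so check which SSL ciphers the ASA has enabled and licensed"
                             % (sid, s["rx"][0], TLS_ALERT_RECORD_LEN)))
    return findings


def ssl_ciphers(config_text):
    """Ciphers listed on the 'ssl encryption' line, or None if the line is absent (defaults apply)."""
    m = RE_SSL_ENC.search(config_text)
    return m.group(1).split() if m else None


if __name__ == "__main__":
    for code, detail in triage_phone_proxy(PHONE_PROXY_DEBUG) + triage_tls_proxy(TLS_PROXY_DEBUG):
        print("%-24s %s" % (code, detail))
    print("ssl encryption:", ssl_ciphers("hostname asa\n"))  # None: the posted config has no such line
```

Run against the posted config (which has no `ssl encryption` line) the cipher check returns None, so the ASA's defaults apply; with the 3DES/AES license absent, as the last post reports, only the weaker default ciphers are usable and the phone's handshake ends in the alert-and-kill pattern the tls-proxy triage flags.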
