
Universal Call Connector over VPN

aapexisinc
Level 1

I'm trying to get the UCC 1.5 to work at the remote end of a VPN (871 -> UC520, with one 7941 phone, which works perfectly).  When I attempt to verify registration, etc., it can ping and find the CME router, but then times out and returns a message that it cannot read the expected reply.  I expect that there is either a port-forwarding or ACL issue in play here.  Can anyone point me in the right direction to get this to work?

15 Replies

Steven DiStefano
VIP Alumni

Hello.

I have an SR520 remote Teleworker and an 871W ISR Teleworker set up on my UC520 and also have UCC 1.5 Personal Client on my PC.

When I saw your post I figured I would try it and give you the answer real fast ;-)

But I am seeing the same thing you are seeing. If I connect the laptop with UCC on the UC500 LAN, I can control phones on the system and it works great, but if I connect the same PC to one of the teleworker subnets, launch UCC and use the CME TSP wizard to select a phone, I see the SKINNY messages (port 2000) going to the CME on the host UC500 and see the one reply (RegisterTokenAck for example) but the Register Message itself gets retransmitted again and again and finally I see

"Cannot read expected Acknowledgment message" on the UCC CME Wizard GUI.

I have opened a dialog with the TME and Developers for the product and will get an answer, which I will be happy to share with the community ASAP.

Steve

SE for Small Business Channel in the US

Any progress on this issue?

Looks like there could be some issues with operation across NAT, which is the configuration for SBCS Remote teleworker.

However, no firm words back yet and the BU is investigating.

Is there anything I can do to move this along?

It looks like this is an unsupported capability.

I have the BU looking at it, but looks like this can't work across a NAT.

I've tracked where the problem occurs using a packet sniffer (wireshark).  Printouts are attached; the process seems to have no trouble with the VPN until it gets to the RegisterMessage packet (packet 10).  At that point, the Ack never comes back from the UC520, as it does when run locally (packet 11).  Hope this helps isolate the problem.
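The trace comparison described above (Register answered on the LAN, never acknowledged over the VPN) can be checked mechanically. The following is an added example, not part of the original thread or of any Cisco tool: it splits the two directions of a port-2000 session into SCCP frames and reports whether registration completed. The message ID values, the frame layout and all sample bytes are assumptions or constructed data.

```python
import struct

# SCCP (Skinny) message IDs; assumed values from public protocol dissectors,
# not taken from the thread.
REGISTER, REGISTER_ACK, REGISTER_REJECT = 0x0001, 0x0081, 0x009D
OTHER = 0x7FFF  # constructed stand-in for any unrelated reply from the CME


def frame(msg_id, payload=b""):
    """Build one frame: length (LE32), reserved (LE32), message id (LE32), payload."""
    return struct.pack("<III", 4 + len(payload), 0, msg_id) + payload


def parse_frames(stream):
    """Split captured TCP/2000 payload bytes into (msg_id, payload) tuples."""
    out, off = [], 0
    while off + 12 <= len(stream):
        length, _reserved, msg_id = struct.unpack_from("<III", stream, off)
        end = off + 8 + length  # length counts the message id plus payload
        if length < 4 or end > len(stream):
            break  # truncated or corrupt frame: stop rather than guess
        out.append((msg_id, stream[off + 12:end]))
        off = end
    return out


def diagnose(to_cme, from_cme):
    """Classify one registration attempt from both directions of a session."""
    sent = [m for m, _ in parse_frames(to_cme)]
    got = [m for m, _ in parse_frames(from_cme)]
    registers = sent.count(REGISTER)
    if registers == 0:
        return "no-register-sent"
    if REGISTER_ACK in got:
        return "registered"
    if REGISTER_REJECT in got:
        return "rejected"
    return f"stalled: {registers} Register sent, no RegisterAck"


# Constructed sample sessions (not the poster's captures).
LAN_TO_CME = frame(REGISTER, b"station-info")
LAN_FROM_CME = frame(REGISTER_ACK, b"\x00" * 8)
VPN_TO_CME = frame(REGISTER, b"station-info") * 3  # same message sent three times
VPN_FROM_CME = frame(OTHER)                        # a reply arrives, but no RegisterAck

if __name__ == "__main__":
    print("LAN:", diagnose(LAN_TO_CME, LAN_FROM_CME))
    print("VPN:", diagnose(VPN_TO_CME, VPN_FROM_CME))
```
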

Did the files I uploaded help at all?  This problem is holding up an installation, so it's very important to get a resolution.

The Product Manager for UCC (John Vickroy) informed me that this would not work across a NAT environment, which is the environment we have for remote teleworker.  I am sorry to report that according to the Business Unit, this will not work as we have tried (both you and I captured the same trace data and I also shared it with the internal team).

This is not good news.  I want to point out that the FAQs for the UCC claim that it will work at a remote site.  Did they say what the issue is, and why they cannot fix it?

Also, I wanted to try a workaround by running the UCC through a Windows VPN client (since the 871 is allowing split-tunnelling, or even by running the PC apart from the 871), but now the UCC apparently cannot access its license file on startup when the VPN client is running!  This used to work in an older version of UCC; I personally was running the UCC over the VPN client to control a soft phone.  Help!

With a remote site, you don't have to have NAT.  You can use this VPN client with Network Extension mode.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml

With this configuration, you shouldn't have any problems.

I was trying to avoid OOB CLI, so perhaps in the default SBCS with CCA mode of operation, it won't work.

Thanks for pointing this out Steve.  I have not tried that NEM method.....

I'm not sure I fully understand NEM, but I was under the impression that it doesn't permit split-tunnelling at the client; all internet traffic is routed through the EZvpn server site.  Is this correct?

I haven't personally tried this with a UC500, but here is a config example with an ASA and an 871 using split tunneling and network extension.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml

I tried simply changing the EZvpn connection mode from client to network-extension in the 871 and suddenly everything worked. I can't recall what the CCA default was, since I know I fiddled with things for other reasons, so I may have inadvertently changed it. In any event, thanks for your help!
