Unanswered Question
Dec 15th, 2009

Is there an updated guide for the SPA525G that can explain how to use the new features such as the SSL VPN?

For example, what is the correct format for entering the "VPN Server"?  Is it just an IP address?  https://? What are the requirements?  Is a certificate a requirement?

pro4ianyc Thu, 12/17/2009 - 06:19

Does the wizard also step you through on how to connect a SPA525G to the system?

I am working on setting this up in our office to take the 525G to a site for a demo.  The phone will get plugged into their network and come up as an extension on our system.  That is the way it is intended to work.  The problem is we have a 3rd party firewall in the mix.  The WAN port of the UC500 has an IP on the LAN side ( of the 3rd party firewall.  There is a public IP mapped to the UC500 WAN private IP through the firewall.  I am guessing when the 525G gets plugged in remotely,  it will try to connect to the instead of the mapped public IP.  Can I change the phone to point to the other address?

Kirk Robinson Thu, 04/08/2010 - 17:00

Is it possible to use the SPA525G's internal VPN capabilities when the UC520's external/WAN IP address is not static?  My WAN IP is obtained from our ISP via DHCP, and I in turn use DDNS to ensure that the DNS name is current.

Tried using CCA 2.2(2) with UC SW Pack 8.0(2) Phone VPN Wizard, and it didn't like the DHCP WAN.  Is there some CLI workaround to configure SSLVPN using a hostname (DDNS) to define the UC520 head-end?  Don't see why it wouldn't be possible to then configure the SPA525G with a hostname instead of static WAN IP to allow itself to call home and set up the voice connection.

Thanks, Kirk

pro4ianyc Fri, 04/09/2010 - 08:44

Has anyone successfully authenticated a SPA525G's SSL VPN to any other devices besides the UC500?

For example, in my setup, I have a Cisco ASA 5505 as our firewall/gateway.  I can't seem to get the phone to establish VPN connectivity on the ASA 5505.

Marcos Hernandez Tue, 04/13/2010 - 15:37

This phone has only been tested against UC500 inside Cisco, using SSL VPN Server with a static IP.



Corey Davies Tue, 05/11/2010 - 19:47

I'm currently having the same issue, I can't get my SPA525G IP Phone to connect with my Cisco ASA 5510 with an AIP-SSM10 module externally using the SSL VPN.  Has anyone been able to successfully connect a SPA525G IP phone using the SSL VPN to a Cisco ASA firewall?

Joachim Kern Thu, 05/27/2010 - 04:06

In a recent ASA lab I brought the SPA525G and successfully connected the SSL tunnel to an ASA 5505.

As I do not have access to the ASA anymore I can't give you the details, but it worked.

Corey Davies Sat, 07/03/2010 - 16:42

I was able to get the SPA525G phone to connect remotely to our network using SSL VPN; the primary document I used to get it to work was found at  Because networks are not all created out of the same mold there were some modifications I had to make to get the solution to work in my network.  The primary item I was missing was creating a dedicated tunnel group on the ASA which tunnels all traffic (no split-tunneling). Also on the SPA525G I had to input the fully qualified name of the VPN server, including the tunnel group name (i.e. instead of just the URL of the outside interface of the ASA).  In my case I also had to manually set up the SPA525G phone to use SCCP rather than the default SIP.  I disregarded this SCCP setting at first because I had the setting enabled which auto-detects SCCP, but I may have understood that out of context.  I'm not an expert by any means on the SPA525G IP Phone; my successes have come from trial and error and a strong understanding of the ASA firewall.

pro4ianyc Wed, 07/07/2010 - 08:21

Hey Corey,

Thanks for your info.  I read over the documents and it mentions that "AnyConnect for Cisco VPN Phone"  license must be enabled on the ASA.  I'm running 8.2(1) and I do not see that licensing option when I run a show ver.  Do you have that option?

pro4ianyc Wed, 07/07/2010 - 11:13

Got it working.  Had to create a new VPN tunnel-group dedicated for this purpose w/o any split tunneling, added a URL and it worked great. Thanks.
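
The ASA-side arrangement the two posts above describe (a dedicated tunnel group, no split tunneling, reached through its own URL), sketched as an added example that is not part of the original posts. It uses ASA 8.2-era command syntax; the object names, address pool and URL are hypothetical placeholders, and the global WebVPN/AnyConnect enablement on the outside interface is assumed to be in place already.

```cisco
! Constructed example: PHONE_POOL, PHONE_GP, PHONE_TG, the address range
! and vpn.example.com/phone are placeholders, not values from this thread.
ip local pool PHONE_POOL 192.0.2.10-192.0.2.50 mask 255.255.255.0
!
! Group policy used only by the phones: SSL VPN client protocol,
! and every destination is sent through the tunnel (no split tunneling).
group-policy PHONE_GP internal
group-policy PHONE_GP attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
!
! Dedicated tunnel group bound to that policy and pool.
tunnel-group PHONE_TG type remote-access
tunnel-group PHONE_TG general-attributes
 address-pool PHONE_POOL
 default-group-policy PHONE_GP
!
! The group-url maps connections arriving on this URL to PHONE_TG
! instead of the default tunnel group.
tunnel-group PHONE_TG webvpn-attributes
 group-url https://vpn.example.com/phone enable
```

Keeping the phones in their own tunnel group and policy also means the tunnel-all setting and any access restrictions applied to them do not change the behaviour of other remote-access users on the same ASA.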

netguyz08 Wed, 10/06/2010 - 16:16

If I don't see the Phone VPN Setup Wizard in CCA 2.2(5) does this mean I need to upgrade the firmware in the UC520?

David Hornstein Wed, 10/06/2010 - 17:25

Hi Edward,

I sure have it, but I can't use it as I have a dynamic IP address on my WAN port.  I need a static IP address for the Phone VPN wizard to work.

On the left under the Home tab.

netguyz08 Thu, 10/07/2010 - 12:16


Yeah I don't have that at all in the CCA, and I am running 2.2(5), just double-checked. Maybe update the firmware for the UC520? Here is the show version:

Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 12.4(20)T2, RELEASE SOFTWARE (fc3)
Technical Support:
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 26-Jan-09 20:55 by prod_rel_team

ROM: System Bootstrap, Version 12.4(11r)XW3, RELEASE SOFTWARE (fc1)

Having problems with the SSL tunnel for setting up a SPA525G, and can't seem to upload the AnyConnect VPN package to test, keeps erroring out. So looks like I will need to do it manually... ?

David Hornstein Thu, 10/07/2010 - 12:38

Hi Edward,

Historically from what I can see, CCA comes out with new versions to support new UC5XX software or fix existing  issues with CCA.

If you want to try out the SPA525G VPN client, try  lab 19 from the following location;

Your software was produced early last year, would you be able to upgrade your UC520 via CCA to the package to take advantage of newer code..

I am running  Version 15.0(1)XA3

Should be able to grab the code from;

regards Dave

Velin Tsekov Tue, 01/17/2012 - 08:55


We're an advanced unified communications partner and I preferred to use CLI instead of CCA.

I've the following configuration:

webvpn gateway SSL_VPN
 ip address port 443 
 ssl trustpoint TP-self-signed-1061620902
 logging enable

webvpn install svc flash:/webvpn/anyconnect-win-2.3.2016-k9.pkg sequence 1

webvpn context SSL_VPN_CONTEXT
 title "TEST"
 secondary-color #0093D9
 title-color #CCCC66
 text-color black
 ssl authenticate verify all

 policy group SSL_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SSL_WEBVPN_POOL_1"
   svc keep-client-installed
 default-group-policy SSL_WEBVPN_POLICY_1
 aaa authentication list SSL_vpn_xauth_ml_1
 gateway SSL_VPN
 max-users 2
 logging enable


I have all of the pools, etc.

When I debugged I saw some handshakes between the client and the server, but I saw this issue:

>>> SSL 3.0 Alert [length 0002], warning close_notify

When I try to open https: it redirects me to the UC5xx homepage instead of the SSL VPN page. Any tips?

