SPA525g and SSL VPN question

Unanswered Question
Feb 25th, 2010
User Badges:

I'm trying to setup a SPA525g with an SSL VPN. I've gone through the wizard and the phone indicates that it is connected to the VPN but the screen gets stuck at "downloading:XMLDefault.cnf.xml". When I connect it locally to the UC500 it works fine.

I've tried all sorts of IP address ranges in the ssl VPN but I can't find any docs that say if it should be in or if it matters at all.

My phone is running software version 7.4.3

Any help would be greatly appreciated.

Does it matter which anyconnect client you upload to the vpn server?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
vibhan Thu, 02/25/2010 - 11:55
User Badges:

Can you check under Network Configuration on the 525G phone if you have the correct TFTP server set-up.

If you are using default IP addresses, try this - Under Network Configuration, Enable Alternate TFTP, manually enter as TFTP server 1, save config and reload the phone.

mattgibson1 Thu, 02/25/2010 - 19:54
User Badges:

Thank you for your reply.

I have tried the alternate TFTP server to no avail.

Checking the VPN status on the phone shows I am connected but I receive 0 bytes. Attempts to ping the phone from the UC520 fail.

farrshepherd Thu, 04/29/2010 - 21:14
User Badges:

I'm having the same issue. I have tried 3 SPA525G's and they all do the same thing. I am running firmware 7-4-4. Was there ever any resolution to this issue?

farrshepherd Fri, 04/30/2010 - 00:01
User Badges:

I just found out that the SSL VPN Wizard in CCA had not created a split tunnel or access list from the data VLAN to the voice VLAN so the phone was not able to communicate with the TFTP server on the voice VLAN. That is frustrating. However, that did not resolve my issue on the UC540. For some reason the TFTP is timing out before it can get the XML files it needs to complete the regisrtation process. To verify, I set up the Anyconnect client on an XP machine and connected, I could ping the TFTP server, I loaded a TFTP client on the computer but was unable to download anything on that either. This is definitly a configuration issue on the router if not a bug. HELP!

Steven DiStefano Fri, 04/30/2010 - 08:02
User Badges:
  • Blue, 1500 points or more

I am trying to follow along to see if I can help here.

I built a SPA525G as a SSL VPN user off a UC520 and I am able to TFTP to the UC500.  I just tried to change ringtone, and it worked...

TFTP Event debugging is on
uc520_lab_5#term mon
003681: Apr 30 14:46:26.366: TFTP: Looking for Sax2.raw
003682: Apr 30 14:46:26.370: TFTP: Opened flash:/ringtones/Sax2.raw, fd 14, size 14233 for process 178
003683: Apr 30 14:46:26.594: TFTP: Finished flash:/ringtones/Sax2.raw, time 00:00:00 for process 178
003684: Apr 30 14:46:35.018: TFTP: Looking for Sax1.raw
003685: Apr 30 14:46:35.018: TFTP: Opened flash:/ringtones/Sax1.raw, fd 14, size 10858 for process 178
003686: Apr 30 14:46:35.198: TFTP: Finished flash:/ringtones/Sax1.raw, time 00:00:00 for process 178

Now when I built mine, I was asked if I wanted SPLIT or Full tunnel   see starting on page 5.

I am running 7.4.3.


I just tried it again wiping everything and following the doc. It worked fine running 7.4.3 on the phone 8.0.2 on the UC (although I lost video, but that's in the document) and the latest Windows Anyconnect client.

I wish I could be more help, All I can suggest is do a factory reset on the phone and try it all again

farrshepherd Sun, 05/02/2010 - 06:33
User Badges:

Bob, thanks for sticking with this. I have been working with Derek at STAC. He found the solution to my particular problem. He speculated that since we are not using the default IP scheme for the phones or the data VLAN's this could have caused the problem. However, see his information below on how he resolved the issue in my case:

What we are doing here is basically setting up a secondary TFTP option and forcing it to go that route.

- On the SPA525G Phone, go to the settings and select Network Configuration.
- Make sure the Alternate TFTP server is enabled and set it to (UC540 Public IP)

As far as the template goes, it should work like a champ now.  If by any means we run into a problem, this is what we had to do.

- Via CLI, obtain a copy of the IP Phone's cnf.xml file using your local tftp server.  (look for the MAC address where you see X below)

- copy flash:its/SEPxxxxxxxxxxxx.cnf.xml tftp:SEPxxxxxxxxxxxx.cnf.xml

Once you have this on your PC, open it using WordPad.  You are going to change two things.

1. The first IP address that you come across in the XML will be your voice VLAN gateway ( or whatever your voice vlan gateway is).  The second address that you will come to will be your WAN IP.  Switch these two addresses.

2. After that, you should see
( or whatever your  voice vlan gateway is) about three more times.  Change these to your WAN IP. 

- Save the file and copy it back to flash using the follow command:

- copy tftp:SEPxxxxxxxxxxxx.cnf.xml flash:its/SEPxxxxxxxxxxxx.cnf.xml

That pretty much does it.  On a side note, we had to add an additional statement to ACL 104 so it wouldn't block this traffic coming from us.  Just an FYI if you still have issues connecting.

alindzon Sat, 02/15/2014 - 22:09
User Badges:

I am trying to do this, but I cannot find the SEPxxxx file to copy from the UC520.  Where is it?


This Discussion

Related Content