VPN Client broken in IOS 15?

Unanswered Question
Mar 8th, 2010

Hi,

On the UC520 with both IOS 15.0(1)XA1 and XA1a, the VPN client seems to be broken?  The moment I upgrade from 12.4(24)YB4 to 15.0, the VPN client can connect but there is no data transfer.  If I downgrade to 12.4(24) again everything is fine.  I really want to upgrade to IOS 15 to fix a number of other bugs that are annoying me but I can't do so if the VPN client does not work.  AnyConnect still works however this gives us major issues for users with IP Communicator.

Can anyone confirm if this is a bug?  I can't find any mention of it in the bug toolkit.

-Scott

john_platts Mon, 03/08/2010 - 05:56

I had successfully connected to UC520 units running the 15.0(1)XA1a release with Cisco VPN Client 5.0.05.0290 without any problems. I believe that the Easy VPN server, which allows VPN clients to connect to the UC520, is behaving properly in 15.0(1)XA1a, which is included in the 8.0.1 software pack. What version of the Cisco VPN Client are you using? I am not aware of any Easy VPN bugs in 15.0(1)XA1a, and I am able to connect to devices behind the UC520 successfully with IOS 15.0(1)XA1a.

I believe that the problem is really a configuration issue, especially since I have been able to successfully connect to UC520 units running 15.0(1)XA1a with Cisco VPN Client 5.0.05.0290 without any data transfer problems. Could you please e-mail me the UC520 config to jplatts@ipdimensions.com.

dprzywara Mon, 03/08/2010 - 17:26

Hey man,

I had the same problem you did last week and opened up a TAC case.  The problem after upgrading, I was told, was with split tunneling enabled: the virtual tunnel interface uses the split tunneling ACL as an access-list.  The resolution was adding the VPN DHCP pool to the split tunnel ACL.  For instance:

Original ACL had these 2 networks for split tunneling:

Extended IP access list 100
    20 permit ip 192.168.254.0 0.0.0.255 any
    30 permit ip 192.168.10.0 0.0.0.255 any

New ACL with the VPN DHCP pool:

Extended IP access list 100
    10 permit ip 192.168.250.0 0.0.0.255 any (383920 matches)
    20 permit ip 192.168.254.0 0.0.0.255 any
    30 permit ip 192.168.10.0 0.0.0.255 any

The TAC engineer didn't give me a bug ID but here is my service request for reference: 613760695

Scott Pettit Mon, 03/08/2010 - 17:36

Sounds exactly like my problem dprzywara, I use a virtual interface for my VPN Client so this could be a resolution for me.  I will re-attempt my software upgrade tonight and report back - is this a bug or is it a new "feature"?

dprzywara Mon, 03/08/2010 - 18:50

Awesome!  The TAC engineer said it was a bug and should be fixed in the 15.x T train of IOS releases.

Steven DiStefano Tue, 03/09/2010 - 02:18

I think maybe this could be: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte69681

Also to be fixed in 15.0(1)XA2.   Is a Sev 2 Defect.

I have heard that I must disable split tunneling on my VPN Server on the UC500 to get the VPN to work because of this bug, but I like your TAC workaround better.

Thanks for the discussion.

Steve

brian.russell31... Tue, 03/09/2010 - 03:03

Hi Guys,

I have performed the upgrade to 8.0.1 with the new IOS image and I have received the same issue, I can no longer VPN back into my device.

I don't even have split tunneling enabled...

I have logged onto the CCO and can not find the new fixed IOS even though the report says it is fixed....

Can someone point me in the right direction?

Many Thanks

Brian

Steven DiStefano Tue, 03/09/2010 - 03:45

Hi Brian, did you try the workaround given in the original case for your DHCP client pool?

For some reason the ACL being used for split-tunneling was being applied to the
Virtual-access interface as an access-group and it was dropping the packets. As a
workaround I added the pool of addresses for the VPN clients in that ACL as line 1 and
we were able to pass traffic:

AFS-UC520#sh access-list 100
Extended IP access list 100
    1 permit ip 192.168.250.0 0.0.0.255 any (42 matches)
    10 permit ip 192.168.254.0 0.0.0.255 any
    20 permit ip 192.168.10.0 0.0.0.255 any
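
The check behind the TAC workaround quoted above, as an added example that is not part of the original thread or of any Cisco tool: a Python script that reads running-config text, finds each Easy VPN group's `pool` and split-tunnel `acl`, and lists the pool addresses that ACL would not permit as a source. It assumes one-space-indented running-config text and numbered extended ACLs, and it matches on the source field only; the group name, pool name and sample config are constructed, using the addresses from the posts above.

```python
import ipaddress
import re

# Constructed sample (not a real device): split-tunnel ACL 100 lacks the VPN pool.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group EXAMPLE_GROUP
 key EXAMPLE-KEY
 pool VPN_POOL
 acl 100
!
ip local pool VPN_POOL 192.168.250.1 192.168.250.10
!
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
"""
# The line the workaround adds (the pool's /24 as a permitted source).
WORKAROUND = "access-list 100 permit ip 192.168.250.0 0.0.0.255 any\n"


def parse_easyvpn(config):
    """Return {group: {'pool': name, 'acl': id}} from Easy VPN group blocks."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp client configuration group (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), {})
        elif current is not None and raw[:1].isspace():
            parts = line.split()  # indented sub-command of the group block
            if len(parts) >= 2 and parts[0] in ("pool", "acl"):
                current[parts[0]] = parts[1]
        elif line:
            current = None  # any other top-level line ends the block
    return groups


def parse_pools(config):
    """Return {pool: [(low, high)]} from 'ip local pool NAME low [high]'."""
    pools = {}
    pat = re.compile(r"^ip local pool (\S+) (\S+)(?: (\S+))?\s*$", re.M)
    for name, low, high in pat.findall(config):
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high or low)
        pools.setdefault(name, []).append((lo, hi))
    return pools


def parse_acl_sources(config, acl_id):
    """Return [(action, base, wildcard)] for the source of each ACL entry."""
    entries = []
    pat = re.compile(
        rf"^access-list {re.escape(acl_id)} (permit|deny) \S+ (.+)$", re.M)
    for action, rest in pat.findall(config):
        tok = rest.split()
        if tok[0] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif tok[0] == "host" and len(tok) >= 2:
            base, wild = int(ipaddress.IPv4Address(tok[1])), 0
        elif len(tok) >= 2:
            base = int(ipaddress.IPv4Address(tok[0]))
            wild = int(ipaddress.IPv4Address(tok[1]))
        else:
            continue  # not an extended-ACL source field; skip it
        entries.append((action, base, wild))
    return entries


def source_action(entries, addr):
    """First-match evaluation on the source address, with implicit deny."""
    a = int(addr)
    for action, base, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (a & care) == (base & care):
            return action
    return "deny"


def audit(config):
    """Return {group: [pool addresses the split-tunnel ACL would drop]}."""
    pools, findings = parse_pools(config), {}
    for group, cfg in parse_easyvpn(config).items():
        if "acl" not in cfg or "pool" not in cfg:
            continue  # no split tunneling or no local pool to compare
        entries = parse_acl_sources(config, cfg["acl"])
        findings[group] = [
            str(ipaddress.IPv4Address(n))
            for lo, hi in pools.get(cfg["pool"], [])
            for n in range(int(lo), int(hi) + 1)
            if source_action(entries, ipaddress.IPv4Address(n)) != "permit"
        ]
    return findings


if __name__ == "__main__":
    print("before:", audit(SAMPLE_CONFIG))
    print("after: ", audit(SAMPLE_CONFIG + WORKAROUND))
```

An empty list for a group means every address in its pool is permitted as a source by the split-tunnel ACL, which is the state the workaround produces.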


Steven DiStefano Wed, 03/10/2010 - 09:36

I mean setting the VPN server so that only interesting traffic from the remote site comes to the UC500 over the tunnel, and other internet connections are made directly from the teleworker router to the cloud, without coming to UC500.   Interesting traffic is the data vlan, voice vlan and CUE interface in this case.

This is built in the CCA VPN Server configuration on the UC500

Steve

bjames@snetworks.com Wed, 03/10/2010 - 17:00

OK I understand this is the ACL pushed to clients to allow them to split tunnel...

I assume you can also hairpin once you come in via the tunnel (go back out to the Internet) as well.

Thanks

Bob James

rgarcia@satic.eu Thu, 03/25/2010 - 07:12

Regarding this issue, I've recently updated to 8.0.2, IOS 15.0.(1)XA2. I read the following in this software pack's release notes: "TCP over IPsec issue with EZVPN session Traffic through EZVPN tunnel fails with  Split-tunneling". I just wonder if this fix is related to this behavior.

After the upgrade, split tunnel "interesting traffic" is still not flowing between UC520 and VPN software clients. I've tried the proposed TAC workaround already with no success.

Are there any other suggestions or workarounds? If the issue is fixed in this software release, are there any additional instructions regarding ACLs?

This issue is causing some headaches in our customers, thanks in advance for your help.

Steven Smith Thu, 03/25/2010 - 08:10

The 15.0.1XA2 IOS fixed a known problem with split tunneling and using a virtual-template interface, which happens to be the type of configuration the CCA uses to configure the UC500.  If you are using CCA and still having problems, I would delete the VPN configuration and readd using CCA.

rgarcia@satic.eu Thu, 03/25/2010 - 08:52

Thanks for the quick reply Steven, I will try it right now. I'm using CCA 2.2.2; as you say, I understand the issue has been fixed in this IOS release. Anyway, thanks for your support, I will post my conclusions.

Thanks,

rgarcia@satic.eu Mon, 03/29/2010 - 01:44

Hi Steven, I'm afraid it is still not working. As you pointed out, I've tried deleting the VPN Server config via CCA and setting it again, but split tunnel "interesting traffic" is not flowing. I will paste my actual config if you don't mind checking it out. As you can see, I've deleted the firewall config as well. The VPN clients pool is 192.168.200.0/24. Notice I've deleted the WAN address and the crypto key to keep privacy. There's no traffic matching the split tunnel ACL (numbered 100 by CCA) while the tunnel is up and the VPN client is connected. Client version is 5.0.05.0290.

Hope you can find the answer, IOS image is uc500-advipservicesk9-mz.150-1.XA2

Thanks in advance, we're really bothered about this issue.

!

! Last configuration change at 10:38:02 PST Mon Mar 29 2010 by satic

! NVRAM config last updated at 10:43:21 PST Mon Mar 29 2010 by satic

!

version 15.0

parser config cache interface

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service internal

service compress-config

service sequence-numbers

!

hostname UC520

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

enable secret 5 $1$pv..$vhQIn99E9IKsFv7Jsl.Cd0

!

aaa new-model

!

!

aaa authentication login local_authen local

aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local

aaa authorization exec local_author local

aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local

!

!

!

!

!

aaa session-id common

!

!

!

clock timezone CET 1

clock summer-time PST recurring

network-clock-participate wic 1

!

crypto pki trustpoint TP-self-signed-3006563701

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3006563701

revocation-check none

rsakeypair TP-self-signed-3006563701

!

!

crypto pki certificate chain TP-self-signed-3006563701

certificate self-signed 01 nvram:IOS-Self-Sig#44.cer

dot11 syslog

no ip source-route

ip cef

!

!

ip dhcp relay information trust-all

!

ip dhcp pool phone

   network 10.1.1.0 255.255.255.0

   default-router 10.1.1.1

   option 150 ip 10.1.1.1

!

ip dhcp pool data

   network 192.168.100.0 255.255.255.0

   default-router 192.168.100.254

   dns-server 8.8.8.8 8.8.4.4

!

!

ip domain name satic.local

ip name-server 8.8.8.8

ip name-server 8.8.4.4

no ipv6 cef

!

!

stcapp ccm-group 1

stcapp

!

stcapp feature access-code

!

!

!

stcapp supplementary-services

port 0/0/0

  fallback-dn 301

port 0/0/1

  fallback-dn 302

port 0/0/2

  fallback-dn 303

port 0/0/3

  fallback-dn 304

!

!

multilink bundle-name authenticated

isdn switch-type basic-net3

!

!

voice call send-alert

voice rtp send-recv

!

voice service voip

sip

  no update-callerid

!

voice class codec 1

codec preference 1 g711ulaw

codec preference 2 g729r8

!

!

voice register global

!

!

!

!

voice-card 0

!

!

!

license udi pid UC520W-8U-2BRI-K9 sn FCZ12066000

archive

log config

  logging enable

  logging size 600

  hidekeys

username satic privilege 15 secret 5 $1$stGP$3nj8BTpRUsFEzHz5KsiXe.

!

!

ip tcp synwait-time 10

ip tftp source-interface Loopback0

!

class-map match-any media

match  dscp ef

class-map match-any signaling

match  dscp cs3

match  dscp af31

!

!

policy-map queue

class signaling

    bandwidth percent 5

class media

    priority percent 50

class class-default

    fair-queue

policy-map shape

class class-default

    shape average 500000

  service-policy queue

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group EZVPN_GROUP_1

key XXXXXXXXXXXXXXXXX

dns 8.8.8.8 8.8.4.4

pool SDM_POOL_1

acl 100

save-password

max-users 10

crypto isakmp profile sdm-ike-profile-1

   match identity group EZVPN_GROUP_1

   client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1

   isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile sdm-ike-profile-1

!

!

bridge irb

!

!

!

!

interface Loopback0

ip address 10.1.10.2 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0/0

bandwidth 500

ip address X.X.X.X 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

load-interval 30

duplex auto

speed auto

!

service-policy output shape

!

interface Integrated-Service-Engine0/0

ip unnumbered Loopback0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

service-module ip address 10.1.10.1 255.255.255.252

service-module ip default-gateway 10.1.10.2

!

!

interface FastEthernet0/1/0

switchport voice vlan 100

macro description cisco-phone

spanning-tree portfast

!

!

interface FastEthernet0/1/1

switchport voice vlan 100

macro description cisco-phone

spanning-tree portfast

!

!

interface FastEthernet0/1/2

switchport voice vlan 100

macro description cisco-phone

spanning-tree portfast

!

!

interface FastEthernet0/1/3

switchport voice vlan 100

macro description cisco-phone

spanning-tree portfast

!

!

interface FastEthernet0/1/4

switchport voice vlan 100

macro description cisco-phone

spanning-tree portfast

!

!

interface FastEthernet0/1/5

switchport voice vlan 100

macro description cisco-phone

spanning-tree portfast

!

!

interface FastEthernet0/1/6

switchport voice vlan 100

macro description cisco-phone

spanning-tree portfast

!

!

interface FastEthernet0/1/7

switchport voice vlan 100

macro description cisco-phone

spanning-tree portfast

!

!

interface FastEthernet0/1/8

switchport mode trunk

macro description cisco-switch

!

!

interface BRI0/1/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

isdn switch-type basic-net3

isdn point-to-point-setup

isdn incoming-voice voice

isdn sending-complete

!

!

interface BRI0/1/1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

isdn switch-type basic-net3

isdn point-to-point-setup

isdn incoming-voice voice

isdn sending-complete

!

!

interface Dot11Radio0/5/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

shutdown

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

!

interface Virtual-Template1 type tunnel

ip unnumbered BVI1

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

!

interface Vlan1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

bridge-group 1

!

!

interface Vlan100

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

bridge-group 100

!

!

interface BVI1

ip address 192.168.100.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

!

!

interface BVI100

ip address 10.1.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

!

!

ip local pool SDM_POOL_1 192.168.200.1 192.168.200.10

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http path flash:/gui

ip dns server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.100.1 3389 interface FastEthernet0/0 3389

ip nat inside source static tcp 192.168.100.1 5500 interface FastEthernet0/0 5500

ip nat inside source static udp 192.168.100.110 69 interface FastEthernet0/0 69

ip nat inside source static tcp 192.168.100.204 9090 interface FastEthernet0/0 9090

ip route 0.0.0.0 0.0.0.0 85.152.7.254

ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0

!

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.100.0 0.0.0.255

access-list 1 permit 10.1.1.0 0.0.0.255

access-list 1 permit 10.1.10.0 0.0.0.3

access-list 100 remark SDM_ACL Category=4

access-list 100 permit ip 192.168.100.0 0.0.0.255 any

access-list 100 permit ip 10.1.1.0 0.0.0.255 any

access-list 100 permit ip 10.1.10.0 0.0.0.255 any

!

!

!

!

tftp-server flash:/phones/521_524/cp524g-8-1-17.bin alias cp524g-8-1-17.bin

tftp-server flash:/phones/525/spa525g-7-4-3.bin alias spa525g-7-4-3.bin

tftp-server flash:/phones/5x5/spa5x5-7-4-3.bin alias spa5x5-7-4-3.bin

tftp-server flash:/phones/7906_7911/apps11.8-5-3TH1-6.sbn alias apps11.8-5-3TH1-6.sbn

tftp-server flash:/phones/7906_7911/cnu11.8-5-3TH1-6.sbn alias cnu11.8-5-3TH1-6.sbn

tftp-server flash:/phones/7906_7911/cvm11sccp.8-5-3TH1-6.sbn alias cvm11sccp.8-5-3TH1-6.sbn

tftp-server flash:/phones/7906_7911/dsp11.8-5-3TH1-6.sbn alias dsp11.8-5-3TH1-6.sbn

tftp-server flash:/phones/7906_7911/jar11sccp.8-5-3TH1-6.sbn alias jar11sccp.8-5-3TH1-6.sbn

tftp-server flash:/phones/7906_7911/SCCP11.8-5-3S.loads alias SCCP11.8-5-3S.loads

tftp-server flash:/phones/7906_7911/term11.default.loads alias term11.default.loads

tftp-server flash:/phones/7906_7911/term06.default.loads alias term06.default.loads

tftp-server flash:/phones/7921/APPS-1.3.3.SBN alias APPS-1.3.3.SBN

tftp-server flash:/phones/7921/CP7921G-1.3.3.LOADS alias CP7921G-1.3.3.LOADS

tftp-server flash:/phones/7921/GUI-1.3.3.SBN alias GUI-1.3.3.SBN

tftp-server flash:/phones/7921/MISC-1.3.3.SBN alias MISC-1.3.3.SBN

tftp-server flash:/phones/7921/SYS-1.3.3.SBN alias SYS-1.3.3.SBN

tftp-server flash:/phones/7921/TNUX-1.3.3.SBN alias TNUX-1.3.3.SBN

tftp-server flash:/phones/7921/WLAN-1.3.3.SBN alias WLAN-1.3.3.SBN

tftp-server flash:/phones/7940_7960/P00308010200.bin alias P00308010200.bin

tftp-server flash:/phones/7940_7960/P00308010200.loads alias P00308010200.loads

tftp-server flash:/phones/7940_7960/P00308010200.sb2 alias P00308010200.sb2

tftp-server flash:/phones/7940_7960/P00308010200.sbn alias P00308010200.sbn

tftp-server flash:/phones/7970_7971/apps70.8-5-3TH1-6.sbn alias apps70.8-5-3TH1-6.sbn

tftp-server flash:/phones/7970_7971/cnu70.8-5-3TH1-6.sbn alias cnu70.8-5-3TH1-6.sbn

tftp-server flash:/phones/7970_7971/cvm70sccp.8-5-3TH1-6.sbn alias cvm70sccp.8-5-3TH1-6.sbn

tftp-server flash:/phones/7970_7971/dsp70.8-5-3TH1-6.sbn alias dsp70.8-5-3TH1-6.sbn

tftp-server flash:/phones/7970_7971/jar70sccp.8-5-3TH1-6.sbn alias jar70sccp.8-5-3TH1-6.sbn

tftp-server flash:/phones/7970_7971/SCCP70.8-5-3S.loads alias SCCP70.8-5-3S.loads

tftp-server flash:/phones/7970_7971/term70.default.loads alias term70.default.loads

tftp-server flash:/phones/7970_7971/term71.default.loads alias term71.default.loads

tftp-server flash:/ringtones/Analog1.raw alias Analog1.raw

tftp-server flash:/ringtones/Analog2.raw alias Analog2.raw

tftp-server flash:/ringtones/AreYouThere.raw alias AreYouThere.raw

tftp-server flash:/ringtones/DistinctiveRingList.xml alias DistinctiveRingList.xml

tftp-server flash:/ringtones/RingList.xml alias RingList.xml

tftp-server flash:/ringtones/AreYouThereF.raw alias AreYouThereF.raw

tftp-server flash:/ringtones/Bass.raw alias Bass.raw

tftp-server flash:/ringtones/CallBack.raw alias CallBack.raw

tftp-server flash:/ringtones/Chime.raw alias Chime.raw

tftp-server flash:/ringtones/Classic1.raw alias Classic1.raw

tftp-server flash:/ringtones/Classic2.raw alias Classic2.raw

tftp-server flash:/ringtones/ClockShop.raw alias ClockShop.raw

tftp-server flash:/ringtones/Drums1.raw alias Drums1.raw

tftp-server flash:/ringtones/Drums2.raw alias Drums2.raw

tftp-server flash:/ringtones/FilmScore.raw alias FilmScore.raw

tftp-server flash:/ringtones/HarpSynth.raw alias HarpSynth.raw

tftp-server flash:/ringtones/Jamaica.raw alias Jamaica.raw

tftp-server flash:/ringtones/KotoEffect.raw alias KotoEffect.raw

tftp-server flash:/ringtones/MusicBox.raw alias MusicBox.raw

tftp-server flash:/ringtones/Piano1.raw alias Piano1.raw

tftp-server flash:/ringtones/Piano2.raw alias Piano2.raw

tftp-server flash:/ringtones/Pop.raw alias Pop.raw

tftp-server flash:/ringtones/Pulse1.raw alias Pulse1.raw

tftp-server flash:/ringtones/Ring1.raw alias Ring1.raw

tftp-server flash:/ringtones/Ring2.raw alias Ring2.raw

tftp-server flash:/ringtones/Ring3.raw alias Ring3.raw

tftp-server flash:/ringtones/Ring4.raw alias Ring4.raw

tftp-server flash:/ringtones/Ring5.raw alias Ring5.raw

tftp-server flash:/ringtones/Ring6.raw alias Ring6.raw

tftp-server flash:/ringtones/Ring7.raw alias Ring7.raw

tftp-server flash:/ringtones/Sax1.raw alias Sax1.raw

tftp-server flash:/ringtones/Sax2.raw alias Sax2.raw

tftp-server flash:/ringtones/Vibe.raw alias Vibe.raw

tftp-server flash:/Desktops/CampusNight.png

tftp-server flash:/Desktops/TN-CampusNight.png

tftp-server flash:/Desktops/CiscoFountain.png

tftp-server flash:/Desktops/TN-CiscoFountain.png

tftp-server flash:/Desktops/CiscoLogo.png

tftp-server flash:/Desktops/TN-CiscoLogo.png

tftp-server flash:/Desktops/Fountain.png

tftp-server flash:/Desktops/TN-Fountain.png

tftp-server flash:/Desktops/MorroRock.png

tftp-server flash:/Desktops/TN-MorroRock.png

tftp-server flash:/Desktops/NantucketFlowers.png

tftp-server flash:/Desktops/TN-NantucketFlowers.png

tftp-server flash:Desktops/320x212x16/List.xml

tftp-server flash:Desktops/320x212x12/List.xml

tftp-server flash:Desktops/320x216x16/List.xml

tftp-server flash:/bacdprompts/en_bacd_allagentsbusy.au alias en_bacd_allagentsbusy.au

tftp-server flash:/bacdprompts/en_bacd_disconnect.au alias en_bacd_disconnect.au

tftp-server flash:/bacdprompts/en_bacd_enter_dest.au alias en_bacd_enter_dest.au

tftp-server flash:/bacdprompts/en_bacd_invalidoption.au alias en_bacd_invalidoption.au

tftp-server flash:/bacdprompts/en_bacd_music_on_hold.au alias en_bacd_music_on_hold.au

tftp-server flash:/bacdprompts/en_bacd_options_menu.au alias en_bacd_options_menu.au

tftp-server flash:/bacdprompts/en_bacd_welcome.au alias en_bacd_welcome.au

tftp-server flash:/bacdprompts/en_bacd_xferto_operator.au alias en_bacd_xferto_operator.au

!

control-plane

!

!

bridge 1 protocol ieee

bridge 1 route ip

bridge 100 protocol ieee

bridge 100 route ip

!

voice-port 0/0/0

timeouts ringing infinity

!

voice-port 0/0/1

timeouts ringing infinity

!

voice-port 0/0/2

timeouts ringing infinity

!

voice-port 0/0/3

timeouts ringing infinity

!

voice-port 0/1/0

compand-type a-law

bearer-cap Speech

!

voice-port 0/1/1

compand-type a-law

bearer-cap Speech

!

voice-port 0/4/0

auto-cut-through

signal immediate

input gain auto-control -15

description Music On Hold Port

!

sccp local Loopback0

sccp ccm 10.1.1.1 identifier 1 version 3.1

sccp

!

sccp ccm group 1

associate ccm 1 priority 1

!

dial-peer voice 1 pots

service stcapp

port 0/0/0

!

dial-peer voice 2 pots

service stcapp

port 0/0/1

!

dial-peer voice 3 pots

service stcapp

port 0/0/2

!

dial-peer voice 4 pots

service stcapp

port 0/0/3

!

dial-peer voice 5 pots

description ** MOH Port **

destination-pattern ABC

port 0/4/0

no sip-register

!

dial-peer voice 50 pots

destination-pattern 9T

direct-inward-dial

port 0/1/0

no sip-register

!

dial-peer voice 51 pots

destination-pattern 9T

direct-inward-dial

port 0/1/1

no sip-register

!

!

no dial-peer outbound status-check pots

!

!

telephony-service

video

fxo hook-flash

max-ephones 14

max-dn 56

ip source-address 10.1.1.1 port 2000

auto assign 10 to 19

auto assign 5 to 8 type anl

calling-number initiator

service phone videoCapability 1

service phone ehookenable 1

service dnis overlay

service dnis dir-lookup

timeouts interdigit 5

system message UC520

load 7906 SCCP11.8-5-3S

load 7911 SCCP11.8-5-3S

load 7921 CP7921G-1.3.3

load 7960-7940 P00308010200

load 7970 SCCP70.8-5-3S

load 7971 SCCP70.8-5-3S

load 521G-524G cp524g-8-1-17

load 525G spa525g-7-4-3

load 501G spa5x5-7-4-3

load 502G spa5x5-7-4-3

load 504G spa5x5-7-4-3

load 508G spa5x5-7-4-3

load 509G spa5x5-7-4-3

time-zone 23

max-conferences 8 gain -6

call-forward pattern .T

call-forward system redirecting-expanded

moh flash:/media/music-on-hold.au

multicast moh 239.10.16.16 port 2000

web admin system name cisco secret 5 $1$Sn99$xYBPXrWY.yALV3.iP66tR/

dn-webedit

time-webedit

transfer-system full-consult dss

transfer-pattern 9.T

transfer-pattern .T

secondary-dialtone 9

fac standard

create cnf-files version-stamp 7960 Mar 24 2010 20:57:31

!

!

ephone-template  15

softkeys idle  Redial Newcall Cfwdall Pickup Gpickup Dnd Login

softkeys seized  Cfwdall Endcall Redial Pickup Gpickup Callback

softkeys connected  Hold Endcall Trnsfer Confrn Acct Park

button-layout 7931 2

!

!

ephone-template  16

softkeys idle  Redial Newcall Cfwdall Pickup Gpickup Dnd Login

softkeys seized  Cfwdall Endcall Redial Pickup Gpickup Callback

softkeys connected  Hold Endcall Trnsfer Confrn Acct Park

!

!

ephone-dn  5  dual-line

number 301 no-reg primary

label 301

description PhoneA Analog

name PhoneA Analog

!

!

ephone-dn  6  dual-line

number 302 no-reg primary

label 302

description PhoneB Analog

name PhoneB Analog

!

!

ephone-dn  7  dual-line

number 303 no-reg primary

label 303

description PhoneC Analog

name PhoneC Analog

!

!

ephone-dn  8  dual-line

number 304 no-reg primary

label 304

description PhoneD Analog

name PhoneD Analog

!

!

ephone-dn  9

number BCD no-reg primary

description MoH

moh out-call ABC

!

!

ephone-dn  10  dual-line

number 201 no-reg primary

label 201

description 201

name 201

!

!

ephone-dn  11  dual-line

number 202 no-reg primary

label 202

description 202

name 202

!

!

ephone-dn  12  dual-line

number 203 no-reg primary

label 203

description 203

name 203

!

!

ephone-dn  13  dual-line

number 204 no-reg primary

label 204

description 204

name 204

!

!

ephone-dn  14  dual-line

number 205 no-reg primary

label 205

description 205

name 205

!

!

ephone-dn  15  dual-line

number 206 no-reg primary

label 206

description 206

name 206

!

!

ephone-dn  16  dual-line

number 207 no-reg primary

label 207

description 207

name 207

!

!

ephone-dn  17  dual-line

number 208 no-reg primary

label 208

description 208

name 208

!

!

ephone-dn  18  dual-line

number 209 no-reg primary

label 209

description 209

name 209

!

!

ephone-dn  19  dual-line

number 210 no-reg primary

label 210

description 210

name 210

!

!

ephone  1

device-security-mode none

mac-address B8FA.CD82.0000

max-calls-per-button 2

type anl

button  1:5

!

!

!

ephone  2

device-security-mode none

mac-address B8FA.CD82.0001

max-calls-per-button 2

type anl

button  1:6

!

!

!

ephone  3

device-security-mode none

mac-address B8FA.CD82.0002

max-calls-per-button 2

type anl

button  1:7

!

!

!

ephone  4

device-security-mode none

mac-address B8FA.CD82.0003

max-calls-per-button 2

type anl

button  1:8

!

!

banner login  UC500 Base Config - Default 8.0.2 

!

line con 0

password 7 014310555E0F56

login authentication local_authen

no modem enable

transport output telnet

line aux 0

login authentication local_authen

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

password 7 12491346170F5C

authorization exec local_author

login authentication local_authen

transport input telnet ssh

transport output telnet ssh

line vty 5 100

password 7 15421D5D012E7B

authorization exec local_author

login authentication local_authen

transport input telnet ssh

transport output telnet ssh

!

scheduler allocate 4000 1000

scheduler interval 500

ntp master

end

Steven Smith Tue, 03/30/2010 - 14:49

Glad a reboot fixed it for you.  I am kind of surprised you had to do that unless it was still running the old IOS.  Let me know if the VPN acts up on you.

rgarcia@satic.eu Tue, 03/30/2010 - 15:41

Hi Steven, the split tunnel config is working as it should. The XA2 IOS image was already running when I followed your CCA instructions. I think it started working for me after the reboot just because I made some ACL (the split tunnel one) modifications via CLI previously, so the UC was under the running-config and not the startup one.

Anyway, the VPN is performing well and the split tunnel ACL is behaving as it should, thanks for your help again.

Scott Pettit Wed, 03/10/2010 - 21:36

Sigh, looks as though this workaround doesn't work because now my "interesting" traffic works but it breaks all other traffic that isn't interesting.  I'm going to attempt reconfiguring as a dynmap instead.

This Discussion

Posted March 8, 2010 at 12:33 AM
Tags: vpn, uc520