UC500 VPN and CCA - Making changes kills VPN configuration


Hi,


I have had this twice now and I'm getting a little PO'd. New client install of a 540 and I VPN in to fix something for them via CCA 2.2.2 and when I make the change it kicks me out and makes the VPN stop working. We have to go to the client site and there is an error in CCA about the VPN profile, once it's cleared it's fine and everything works again.


So I was changing the following: first DNS server presented to the client, changed it; killed the connection and had to do site visit. Next was allow local internet access (checkbox) as soon as I did that same thing, dead VPN.


I know it's not a great practice to VPN in and change VPN settings, but come on these are pretty benign, and we need to be able to support our clients without site visits.

Is this a design issue, bug or have others had similar experiences?


Thanks,


Bob James

Marcos Hernandez Thu, 05/06/2010 - 07:54

Hi Bob,


Remote modification of the VPN configuration is something we categorically discourage because of the problems that you have pointed out.


Marcos

JOHN NIKOLATOS Fri, 05/07/2010 - 19:43

This is another reason why CLI must be used with UC540 and 560 and not just the CCA.  Bob - go into CLI and set up an SSH connection or telnet to the box from the internet...  then use the IP address when you drop...

David Trad Fri, 05/07/2010 - 21:42

Hi Marcos,


"Remote modification of the VPN configuration is something we categorically discourage because of the problems that you have pointed out."


I am getting a little concerned about the mixed signals/messages at times





Or am I reading too much into the comments?



I think this is one of the reasons why I was a strong advocate of CCC, it made sense if you wanted to limit the amount of CLI work being done on the 500 series systems.


If you genuinely and honestly want to venture down the all GUI path and reduce the amount of CLI, then why wouldn't you look at the following?


  • Fully embedded management system of the 500 series appliances inside of the IOS?
  • Upgraded flash card based GUI that is as advanced as CCA if not more advanced (which from using CCC I can see this is possible), and have it talk back to a Cisco centralised server that provides management information such as IOS upgrades, CUE upgrades, phone loads etc...etc.. It will mean that the flash cards will need to be upgraded so that way files can be downloaded to the local device so no upgrades are done over the air, but this is a small consideration.


I am not entirely convinced a Desktop application is the right way to go, there are just far too many variables with computer systems, no two environments are the same, and there are too many scenarios that are popping up that are poking holes in the Desktop over CLI path that really need to be considered and discussed.



Bob,


It is encouraged that you use CLI for remote work, however brush up your skills on making sure they are within OOB specifications so read the guides and make sure you work within their specified parameters.



Marcos, I ask you to consider the whole open discussion, the above two options are highly viable options and could prove to be more fruitful :) it is partly the reason why Asterisk is so highly successful, its ability to be able to use either command line or GUI and they all work within the same format.



Cheers,



David.

Marcos,


Although I can appreciate Cisco's position on this, there are some things that should not kak the configuration, all I was trying to do was add a third DNS entry, why this killed the config is beyond me.


Yes I know I could do this via SSH, heck I could do anything via CLI, but these would not be supported, and cause the GUI to choke.


David, what guides for OOB are you speaking of? If there are definitive guides on what you should or cannot do I would like to see them. As far as the "brush up on my skills" comment I have been working on Cisco gear for over 20 years, I am a CCSP and hope to have my CCIE by the end of the year, so I think my skills are just fine.



Bob

David Trad Sat, 05/08/2010 - 14:21

Hi Bob,




"As far as the 'brush up on my skills' comment I have been working on Cisco gear for over 20 years, I am a CCSP and hope to have my CCIE by the end of the year, so I think my skills are just fine."


Settle down :) I wasn't having a go at you, I was referring to the OOB guides, most CLI workers wouldn't program within those guides, most wouldn't even know about them either...



"David, what guides for OOB are you speaking of?"



There is a link for that guide somewhere on here, the PDF is on my computer at work so I don't have it on hand, but there is a definitive guide.. Well at least that is how it is put forward.


I am sure Marcos or Steve will post the link for it before I get a chance to upload it.



Cheers,



David.
