UC520 - VPN with 871

Unanswered Question
Sep 20th, 2010

I've been trying to connect the cisco 871 to our UC520 for a little while and getting stuck. The scenario I believe is simple. We are setting up a remote office and will have 1-2 computers with 1-2 phones on a cisco 871.

So far I've been able to connect to the VPN through Cisco VPN Client software from various machines but not successfully with the hardware solution (871).

I've done considerable testing and reconfiguration. I am newer to Cisco products and mostly go through CCA but am comfortable in CLI.

Any help appreciated. Iinitially was trying to do this:


Using CCA to connect to the 871, I go to Configure > Security > Remote VPN and a message pops up right away.

"Voice services can not be enabled on the device."

The VPN portion I believe I got to work once but was unable to browse Active Directory network.

Do I need to install CME on the 871? or activate an interface?

I've tried so many different things and followed different guides online my head is dizzy. Even started trying to get a VPN to work with an RV082 in the office but I was thinking the 871 would be the easiest...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jaydien1358 Wed, 08/17/2011 - 07:17

I am experiencing the same exact issue with the same exact equipment. Have you found a resolution?


David Trad Wed, 08/17/2011 - 15:11

Hi Acromedia & Jaydien,

If I am not mistaken CCA creates two types of VPN services:

  • EZ_VPN and

Your Edge type routers would be your run of the mill IPSEC type VPN, and it would be interesting to see a debug on the UC-500 of the 871 trying to connect, I am fairly certain it would be the same as what I have seen on our equipment when I have tried to get it to work.

You could use Cisco Configuration Professional to set this up for you as well, but still I think the UC-500 might require a different VPN setup as opposed to the ones CCA builds. Of course I may actually be wrong and what I have experienced could be totally wrong, but unless I manually do an IPSEC tunnel on the UC none of the edge devices will talk to it properly.

NOTE: If you manually do an IPSEC tunnel on the UC, and you apply the firewall rulings, CCA may no longer wish to play nice for you, in fact I am fairly certain it will give you a hard time and will ask you to delete the VPN service and recreate it, and also the firewall rules.

Just some food for thought...



jaydien1358 Wed, 08/17/2011 - 16:13

I think the problem I'm having is more along the lines of trying to configure the 871 as opposed to the uc500. Because cca isn't allowing me to check the voice services text box in the VPN remote setup, I am unable to create the other end of the tunnel. Without using cca, I do not know how to setup a site to site VPN on the 871 side and allow for voice traffic.

How can I go about doing this? I read a configuration guide where it states that this can be accomplished between a uc500 and an 871.


David Trad Wed, 08/17/2011 - 16:30

Hi Brian,

On the UC side you will need to give access to the remote site to see the VLAN-100 & VLAN-90 (If this is a CCA 3.X configured system) and this needs to be done at an ACL level, so there firewall needs to allow this.

I am happy to give you a copy of a running configuration on an 877 that talks back to a UC-520 if this would help??

Let me know so I can prepare it and remove the sensitive data from it



aapexisinc Wed, 08/17/2011 - 17:43

Hi, Brian,

I did this with an 871 and a 520 three years ago, mostly using CLI at the time (CCA was nowhere near what it is now), so I'm a bit fuzzy on the details.  I've attached what I think are the successfully running configs of the 871 and 520 (note: this equipment is out of service and none of the routable IP addresses or passwords are in use, so I didn't bother to blank anything out).  The only trick I remember having to do outside the Cisco equipment was because the 871 was sitting behind a Comcast router;  I had to forward ports 500, 4500 and 10000 to the 871.

Hope this helps.


George Andres Thu, 08/18/2011 - 09:02

Hi Brian,

My solution was getting cisco to configure a manual IPSEC tunnel. Once this occured what David mentioned:

"NOTE: If you manually do an IPSEC tunnel on the UC, and  you apply the firewall rulings, CCA may no longer wish to play nice for  you, in fact I am fairly certain it will give you a hard time and will  ask you to delete the VPN service and recreate it, and also the firewall  rules."

I already had my EZVPN software setup before Cisco added the manual IPSEC so it still works with the client software as well as the p2p setup.

....is bang on. You won't be able to modify much. I was trying to do this with CCA 2.6, so perhaps CCA 3.0 is better setting up the VPN?

The manual IPSEC works very nice. It has been a solid setup for our company for a while now. Phones work great and VPN is snappy. Look through the Shownrun's aapexisinc has posted. I'll help where I can....I know how frustrating it can be trying to set it up when you're not a Cisco guru 


jaydien1358 Thu, 08/18/2011 - 09:27

Thanks for the example configs and the added support.

My question is, what does CCA add to the client config once you check the "Enable voice services" checkbox?


George Andres Thu, 08/18/2011 - 12:15

If you want to know exactly what CCA is doing, hit F2 when you have CCA open. A console window pops up and allows you to watch the commands being sent to your hardware.