Starting in CUCM 8.0.1 and IP Phone Firmware 9.X, IP Phones are able to connect directly to an ASA using the AnyConnect VPN. This document will help address some common issues encountered during initial configuration.
Before we get into versions and model numbers let's look at how the feature works.
CUCM Places ASA Certificate Hash and VPN URL in Phone Config
The first step after the ASA is fully configured is to take the ASA Certificate and upload it to the CUCM server. This allows the CUCM server to build an IP Phone config file that tells the phone how to get to the ASA.
Here is an example of the IP Phone VPN section of a Phone's config file:
<vpnGroup>
  [Some Lines Omitted]
  <addresses>
    <url1>https://X.X.X.X/PhoneVPN</url1>
  </addresses>
  <credentials>
    <hashAlg>0</hashAlg>
    <certHash1>1eD9l3VEI9DGWQGKlNBGE1bRhUg=</certHash1>
  </credentials>
</vpnGroup>
Note that the URL is printed exactly as entered on the VPN Gateway Configuration page in CUCM. Make sure the IP Phone can resolve this address.
Even more interesting is the Cert Hash. The IP Phone configuration does not contain the entire certificate, merely a SHA1 hash of the certificate (base64-encoded in the config file). Because the phone pins the ASA by this hash, the hash in the phone config must be updated whenever the ASA identity certificate is replaced, or the phone will reject the connection.
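To check which certificate a phone will actually accept, here is an added Python example (not from the original page or from Cisco) that computes the fingerprint in the form the config carries and compares it with certHash1. It assumes hashAlg 0 denotes SHA-1 over the DER-encoded certificate, base64-encoded, and the certificate bytes it uses are constructed stand-ins, not a real ASA certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed <vpnGroup> template mirroring the phone config shown above;
# {h} is filled in with a computed fingerprint, not a value from a real ASA.
CONFIG_TEMPLATE = """<vpnGroup>
  <addresses><url1>https://X.X.X.X/PhoneVPN</url1></addresses>
  <credentials><hashAlg>0</hashAlg><certHash1>{h}</certHash1></credentials>
</vpnGroup>"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor lines and base64-decode the certificate body."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def der_to_pem(der: bytes) -> str:
    """Inverse of pem_to_der, used here only to build test input."""
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


def phone_cert_hash(der: bytes) -> str:
    """Fingerprint as the phone config carries it: base64(SHA-1(DER))."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode("ascii")


def parse_vpn_group(config_xml: str) -> dict:
    """Pull the VPN URL(s) and certificate hashes out of a <vpnGroup> block."""
    root = ET.fromstring(config_xml)
    alg = root.findtext("credentials/hashAlg")
    if alg != "0":  # assumption: 0 = SHA-1; anything else is not handled here
        raise ValueError(f"unsupported hashAlg {alg!r}; only 0 (SHA-1) handled")
    urls = [e.text.strip() for e in root.findall("addresses/*") if e.text]
    hashes = [e.text.strip() for e in root.findall("credentials/*")
              if e.tag.startswith("certHash") and e.text]
    return {"urls": urls, "hashes": hashes}


def cert_matches_config(config_xml: str, asa_cert_pem: str) -> bool:
    """True if the presented ASA certificate hashes to a pinned certHash value."""
    expected = parse_vpn_group(config_xml)["hashes"]
    return phone_cert_hash(pem_to_der(asa_cert_pem)) in expected


if __name__ == "__main__":
    fake_der = b"constructed-asa-certificate-bytes"  # stand-in, not a real cert
    config = CONFIG_TEMPLATE.format(h=phone_cert_hash(fake_der))
    print(parse_vpn_group(config))
    print("accepted:", cert_matches_config(config, der_to_pem(fake_der)))
```

For a real ASA certificate exported in PEM form, the same value can be produced with `openssl x509 -in asa.pem -outform DER | openssl dgst -sha1 -binary | base64` and compared against certHash1 in the SEP<MAC>.cnf.xml file.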
Phone Downloads Configuration
Phone Connects to ASA
Phone Verifies Presented Certificate
Required Software Versions
CUCM >= 188.8.131.52000-4
IP Phone >= 9.0(2)SR1S - SCCP
ASA >= 8.0.4
Anyconnect VPN Pkg >= 2.4.1012
Note: A "Premium" license and an "AnyConnect for Cisco VPN Phone" license are required. The part number for the "AnyConnect for Cisco VPN Phone" license is L-ASA-AC-PH-55XX= where XX = 05, 10, 20, 40, 50, 80.
Required Phone Models
7942 / 7962 / 7945 / 7965 / 7975 / 8961 / 9951 / 9971. For a complete list of supported phones in your CUCM version go to:
https://<CUCM Server IP Address>:8443/cucreports/systemReports.do
1. Unified CM Phone Feature List
2. Generate a new report
3. Feature: Virtual Private Network
Required CUCM Configuration
The following document provides a complete set of configuration tasks required to configure CUCM for this feature:
Note: Please make sure the URL for the VPN Gateway contains the full and correct address to reach the right tunnel-group on the ASA.
Required Phone Configuration
1. Use a supported phone model per the CUCM release notes.
2. Configure the IP Phone with a TFTP server manually.
3. Import the root certificate or identity certificate used by the ASA into the phone via CUCM.
Required ASA Configuration
Configure Anyconnect VPN access on ASA to provide network access.
See http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml for example configuration.
Some additional requirements:
- ASA must have the AnyConnect for Cisco VPN Phone Licensed feature enabled. Licensing info can be found using show version command.
- Group-policy must not be configured with split tunnel or split exclude. Only tunnel all is the supported tunneling policy.
- The tunnel-group used cannot be the DefaultWEBVPNGroup. Create another tunnel-group and use "group-url https://x.x.x.x/phonevpn enable" to map to the correct tunnel-group.
- DTLS must be enabled and negotiated for operation. This requires both tcp/443 and udp/443 to be open and allowed on all devices between the ASA and the phone.
Troubleshooting Steps
- Plug the phone into the same subnet as the inside interface. This will test whether the phone's configuration works prior to adding VPN.
- Connect with AnyConnect on a PC. This will confirm that the ASA is configured correctly for AnyConnect.
- From the connected PC try to ping the TFTP server and CUCM server. This will test basic IP connectivity to the two servers.
- From the PC try to download the TFTP config file for the phone in question: "tftp -i <TFTP Server> GET SEP<Mac Address>.cnf.xml". This will test that the TFTP service is functional and reachable.
- From the PC try to telnet to TCP port 2000 on the CUCM server: "telnet <CUCM IP> 2000". This should immediately come back with a new line and a blank cursor. This will test connectivity to the SCCP service; for SIP registrations use port 5060.
- Test the normal phone registration process.
- One-way or no voice: the phone registers and makes calls but no audio is heard. Confirm routing between the two phone/RTP stream endpoints.
- Auto Network Detect does not reliably work in IP Phone Firmware 9.0(2), but does work as expected in 9.2(1).
- Auto Network Detect allows the phone to detect whether it is inside or outside the network. If outside it will bring up the VPN, if inside, it will connect directly.
- The phone uses a series of pings to the TFTP server to determine whether it is outside the network. If pings to the TFTP server fail, the VPN GUI will be brought up on the phone and the phone will attempt to hit the VPN URL.