Author: shalushar
Introduction

 

This document describes the errors that can prevent IP phones from registering through the phone proxy. The Cisco Phone Proxy on the ASA bridges IP telephony between the corporate IP telephony network and the Internet in a secure manner by forcing traffic from remote phones on an untrusted network to be encrypted.

 

The phone proxy supports a Cisco UCM cluster in mixed mode or nonsecure mode. Regardless of the cluster mode, the remote phones that are capable of encryption are always forced to be in encrypted mode. TLS (signaling) and SRTP (media) are always terminated on the ASA. The ASA can also perform NAT, open pinholes for the media, and apply inspection policies for the SCCP and SIP protocols. In a nonsecure cluster mode or a mixed mode where the phones are configured as nonsecure, the phone proxy behaves in the following ways:

 

The TLS connections from the phones are terminated on the ASA and a TCP connection is initiated to the Cisco UCM.

SRTP sent from external IP phones to the internal network IP phone via the ASA is converted to RTP.

 

In a mixed mode cluster where the internal IP phones are configured as authenticated, the TLS connection is not converted to TCP to the Cisco UCM but the SRTP is converted to RTP.

 

In a mixed mode cluster where the internal IP phone is configured as encrypted, the TLS connection remains a TLS connection to the Cisco UCM and the SRTP from the remote phone remains SRTP to the internal IP phone.

 

Since the main purpose of the phone proxy is to make the phone behave securely while making calls to a nonsecure cluster, the phone proxy performs the following major functions:

 

Creates the certificate trust list (CTL) file, which is used to perform certificate based authentication with remote phones.

 

Modifies the IP phone configuration file when it is requested via TFTP, changes security fields from nonsecure to secure, and signs all files sent to the phone. These modifications secure remote phones by forcing the phones to perform encrypted signaling and media.

 

Terminates TLS signaling from the phone and initiates TCP or TLS to the Cisco UCM.

 

Inserts itself into the media path by modifying the Skinny and SIP signaling messages.

 

Terminates SRTP and initiates RTP/SRTP to the called party.

 

 

Issue 1: TFTP Auth Error displays on IP Phone Console

Resolution

 

The IP phone displays the following Status message: TFTP Auth Error. This Status message can indicate a problem with the IP phone CTL file.

 

 

To correct problems with the IP phone CTL file, perform the following steps:

 

Step 1

 

From the IP phone, select the Settings button > Security Configuration > Trust List. Verify that each entity in the network (Primary Cisco UCM, Secondary Cisco UCM, TFTP server) has its own entry in the trust list and that each entity IP address is reachable by the IP phone.

 

Step 2

 

From the ASA, verify that the CTL file for the phone proxy contains one record entry for each entity in the network—Primary Cisco UCM, Secondary Cisco UCM, TFTP server—by entering the following command:

 

hostname# show running-config all ctl-file [ctl_name]

 

Each of these record entries creates one entry on the IP phone trustlist. The phone proxy creates one entry internally with the function CUCM+TFTP.

 

Step 3

 

In the CTL file, verify that each IP address is the global or mapped IP address of the entity. If the IP phones are on multiple interfaces, additional addressing requirements apply.

 

Issue 2: Configuration File Parsing Error

 

Resolution

 

When the ASA receives the configuration file from the Cisco UCM and tries to parse it, the following error appears in the debug output (debug phone-proxy tftp errors):

 

 

PP: 192.168.10.5/49357 requesting SEP00010002003.cnf.xml.sgn

PP: opened 0x193166

.......

PP: Beginning of element tag is missing, got !

PP: error parsing config file

PP: Error modifying config file, dropping packet

 

Perform the following actions to troubleshoot this problem:

 

 

Step 1

 

Enter the following URL in a web browser to obtain the IP phone configuration file from the Cisco Unified CM Administration console:

 

http://<cucm_ip>:6970/<config_file_name>

 

For example, if the Cisco UCM IP address is 128.106.254.2 and the IP phone configuration file name is SEP000100020003.cnf.xml, enter:

 

http://128.106.254.2:6970/SEP000100020003.cnf.xml

 

 

Step 2

 

Save this file, open a case with TAC and send them this file and the output from running the debug phone-proxy tftp command on the ASA.

 

Issue 3: Configuration File Parsing Error: Unable to Get DNS Response

Resolution

 

When the ASA receives the configuration file from the Cisco UCM and tries to parse it, the following error appears in the debug output (debug phone-proxy tftp errors):

 

 

PP: 192.168.10.5/49357 requesting SEP00010002003.cnf.xml.sgn

PP: opened 0x193166

.......

PP: Callback required for parsing config file

PP: Unable to get dns response for id 7

PP: Callback, error modifying config file

 

 

The error indicates that the Cisco UCM is configured as an FQDN and the phone proxy is trying to do a DNS lookup but failed to get a response.

 

 

Perform the following steps to resolve this issue:

 

 

Step 1 Verify that DNS lookup is configured on the ASA (a dns server-group with at least one name-server, and dns domain-lookup enabled on the interface that reaches the DNS server).

 

 

Step 2 If DNS lookup is configured, determine whether you can ping the FQDN for the Cisco UCM from the ASA.

 

 

Step 3 If ASA cannot ping the Cisco UCM FQDN, check to see if there is a problem with the DNS server.

 

 

Step 4 Additionally, you can use the ASA name command to associate the Cisco UCM FQDN with its IP address locally, so that the phone proxy does not depend on the DNS lookup succeeding.

 

 

 

Issue 4: Non-configuration File Parsing Error

 

Resolution

 

 

The ASA receives a file other than an IP phone configuration file from the Cisco UCM and attempts to parse it. The following error appears in the debug output (debug phone-proxy tftp):

 

 

PP: 192.168.10.5/49357 requesting SK72f64050-7ad5-4b47-9bfa-5e9ad9cd4aa9.xml.sgn

PP: opened 0x193166

.......

PP: Beginning of element tag is missing, got !

PP: error parsing config file

PP: Error modifying config file, dropping packet

 

 

The phone proxy should parse only the IP phone configuration file. When the phone proxy TFTP state machine gets out of sync, the phone proxy cannot detect that it is attempting to parse a file other than the IP phone configuration file (in the output above, an SK...xml.sgn file rather than a SEP...cnf.xml.sgn file), and the error above appears in the output of the debug phone-proxy tftp command on the ASA.

 

 

Perform the following actions to troubleshoot this problem:

 

 

Step 1 Reboot the IP phone.

 

 

Step 2 On the ASA, enter the following command to obtain the error information from the first TFTP request to the point where the first error occurred.

 

 

hostname# debug phone-proxy tftp

 

 

Step 3 Capture the packets from the IP phone to the ASA. Make sure to capture on both the interface facing the IP phone and the interface facing the Cisco UCM. See the Debugging Information from the Security Appliance section of the ASA phone proxy documentation.

 

 

Issue 5: IP Phone Does Not Respond After the Security Appliance Sends TFTP Data

 

Resolution

 

 

When the ASA receives a TFTP request from the IP phone for the CTL file and forwards the data to the IP phone, the phone might not see the data and the TFTP transaction fails.

 

 

The following errors appear in the debug output (debug phone-proxy tftp):

 

 

PP: Client outside:68.207.118.9/33606 retransmitting request for CTL file CTLSEP001DA2B78E91.tlv

PP: opened 0x214b27a

PP: Data Block 1 forwarded from 168.215.146.220/20168 to 68.207.118.9/33606 ingress ifc outside

PP: 68.207.118.9/33606 requesting CTLSEP001DA2B78E91.tlv

PP: Client outside:68.207.118.9/33606 retransmitting request for CTL file CTLSEP001DA2B78E91.tlv

PP: 68.207.118.9/33606 requesting CTLSEP001DA2B78E91.tlv

PP: Client outside:68.207.118.9/33606 retransmitting request for CTL file CTLSEP001DA2B78E91.tlv

 

 

Perform the following actions to determine why the IP phone is not responding and to troubleshoot the problem:

 

 

Step 1

 

Verify that the ASA is forwarding the TFTP request by entering the following command to capture the packets on the interface between the ASA and the IP phone:

 

hostname# capture out interface outside

 

 

Step 2

 

If the IP phone is behind a router, the router might be dropping the data. Make sure UDP port forwarding is enabled on the router.

 

 

Issue 6: IP Phone Requesting Unsigned File Error

 

Resolution

 

 

The IP phone should always request a signed file; therefore the TFTP file being requested always has the .sgn extension. When the IP phone does not request a signed file, the following error appears in the debug output (debug phone-proxy tftp errors):

 

 

Error: phone requesting for unsigned config file

 

 

Most likely, this error occurs because the IP phone has not successfully installed the CTL file from the ASA.

 

Determine whether the IP phone has successfully downloaded and installed the CTL file from the ASA by checking the Status messages on the IP phone.

 

Issue 7: IP Phone Unable to Download CTL File

 

Resolution

 

 

The IP phone Status message indicates that it cannot download its CTL file, and the IP phone cannot be converted to Secure (encrypted) mode. If the IP phone did not have an existing CTL file, check the Status messages by selecting the Settings button > Status > Status Messages.

 

 

This error can appear in the IP phone Status messages when the IP phone already has an existing CTL file.

 

 

Step 1 Check the IP phone to see if a CTL file already exists on it. This can occur if the IP phone previously registered with a mixed mode cluster Cisco UCM. On the IP phone, select the Settings button > Security Configuration > CTL file.

 

 

Step 2 Erase the existing CTL file by selecting the Settings button > Security Configuration > CTL file > Select. Press **# on the keypad and select Erase.

 

 

Problems downloading the CTL file might be caused by issues with media termination. Enter the following command to determine if the media-termination address in the phone proxy configuration is set correctly:

 

 

hostname(config)# show running-config all phone-proxy

!

phone-proxy mypp

media-termination address 10.10.0.25

cipc security-mode authenticated

cluster-mode mixed

disable service-settings

timeout secure-phones 0:05:00

hostname(config)#

 

Make sure that each media-termination instance is created correctly and that the address or addresses are set correctly. The ASA must meet specific criteria for media termination.

 

Issue 8: IP Phone Registration Failure from Signaling Connections

 

Resolution

 

 

The IP phone is unable to complete the TLS handshake with the phone proxy. The handshake is attempted after the phone downloads its files using TFTP (see Step 1), so the phone can pass the TFTP stage and still fail to register.

 

 

Step 1

 

To determine whether the TLS handshake is occurring between the phone proxy and the IP phone, perform the following:

 

 

a.          Enable logging with the following command:

 

hostname(config)# logging buffered debugging

 

 

b.          To check the output from the syslogs captured by the logging buffered command, enter the following command:

 

hostname# show logging

 

 

The syslogs will contain information showing when the IP phone is attempting the TLS handshake, which happens after the IP phone downloads its configuration file.

 

 

Step 2

 

Determine if the TLS proxy is configured correctly for the phone proxy:

 

 

a.          Display all currently running TLS proxy configurations by entering the following command:

 

hostname# show running-config tls-proxy

tls-proxy proxy

server trust-point _internal_PP_<ctl_file_instance_name>

client ldc issuer ldc_signer

client ldc key-pair phone_common

no client cipher-suite

hostname#

 

 

b.          Verify that the output contains the server trust-point command under the tls-proxy command (as shown in substep a.).

 

 

If the server trust-point command is missing, modify the TLS proxy in the phone proxy configuration. A TLS proxy used by the phone proxy with no server trust-point cannot present a server certificate to the phone, so the TLS handshake fails.

 

 

 

Step 3

 

Verify that all required certificates are imported into the ASA so that the TLS handshake will succeed.

 

 

a.          Determine which certificates are installed on the ASA by entering the following command:

 

hostname# show running-config crypto

 

Additionally, determine which certificates are installed on the IP phones. See the Debugging Information from IP Phones section for information about checking whether the IP phone has a Manufacturer Installed Certificate (MIC) on it.

 

 

b.          Verify that the list of installed certificates contains all required certificates for the phone proxy.

 

 

c.          Import any missing certificates onto the ASA. See also Importing Certificates from the Cisco UCM.

 

 

Step 4

 

If the steps above fail to resolve the issue, perform the following actions to obtain additional troubleshooting information for Cisco Support.

 

 

a.          Enter the following commands to capture additional debugging information for the phone proxy:

 

hostname# debug inspect tls-proxy error

hostname# show running-config ssl

hostname# show tls-proxy tls_name session host host_addr detail

 

 

b.          Enable the capture command on the inside and outside interfaces (IP phones and Cisco UCM) to enable packet capture capabilities for packet sniffing and network fault isolation.

 

 

Issue 9: Media Termination Address Errors

 

Resolution

 

Entering the media-termination address command displays the following errors:

 

 

hostname(config-phone-proxy)# media-termination address ip_address

ERROR: Failed to apply IP address to interface Virtual254, as the network overlaps with

interface GigabitEthernet0/0. Two interfaces cannot be in the same subnet.

ERROR: Failed to set IP address for the Virtual interface

ERROR: Could not bring up Phone proxy media termination interface

ERROR: Failed to find the HWIDB for the Virtual interface

 

Enter the following command to determine if the media-termination address in the phone proxy configuration is set correctly:

 

hostname(config)# show running-config all phone-proxy

!

phone-proxy mypp

media-termination address 10.10.0.25

cipc security-mode authenticated

cluster-mode mixed

disable service-settings

timeout secure-phones 0:05:00

hostname(config)#

 

Make sure that each media-termination instance is created correctly and that the address or addresses are set correctly. The ASA must meet specific criteria for media termination. 
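The two configuration checks above (the server trust-point line under tls-proxy in the signaling-failure section, and a media-termination address that overlaps an interface subnet in this section) can be scripted against a saved running-config. The following is an added example written for this document, not Cisco code. It parses a constructed ASA configuration excerpt, using the standard interface / nameif / ip address syntax and the phone-proxy and tls-proxy syntax shown above, and reports a global media-termination address that falls inside any interface's subnet (the condition the ASA rejects when it tries to bring up the Virtual interface for media termination) and any tls-proxy with no server trust-point line. Per-interface media-termination addresses follow different rules and are not checked here; that limitation is an assumption of this example.

```python
"""Lint an ASA phone-proxy configuration excerpt for two failure modes
described in this document: a global media-termination address that
falls inside an ASA interface subnet (the Virtual254 overlap error) and
a tls-proxy with no 'server trust-point' (TLS handshake failure).

Added example, not Cisco code. SAMPLE_CONFIG is constructed for the
demo; interface/nameif/ip-address lines use standard ASA syntax."""
import ipaddress
import re

# Constructed sample: 'outside' is 10.10.0.0/24 and the global
# media-termination address 10.10.0.25 sits inside it, which is the
# condition the ASA rejects with "network overlaps with interface ...".
# The tls-proxy block is deliberately missing 'server trust-point'.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
tls-proxy proxy
 client ldc issuer ldc_signer
 client ldc key-pair phone_common
!
phone-proxy mypp
 media-termination address 10.10.0.25
 cluster-mode mixed
"""


def parse_blocks(config):
    """Split a running-config into (header, [indented sub-lines]) blocks.
    ASA prints each mode's sub-commands indented by one space."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks


def interface_subnets(blocks):
    """Return {nameif: IPv4Network} for every interface that has an address."""
    subnets = {}
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        name, net = None, None
        for line in body:
            m = re.match(r"nameif (\S+)", line)
            if m:
                name = m.group(1)
            m = re.match(r"ip address (\S+) (\S+)", line)
            if m:
                # "addr/dotted-mask" is accepted; strict=False keeps host bits.
                net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if name and net:
            subnets[name] = net
    return subnets


def media_termination_overlaps(config):
    """Return [(address, nameif)] for each global media-termination address
    that lies inside an interface subnet (the ASA refuses to apply these)."""
    blocks = parse_blocks(config)
    subnets = interface_subnets(blocks)
    findings = []
    for header, body in blocks:
        if not header.startswith("phone-proxy "):
            continue
        for line in body:
            # Only the global form (no trailing 'interface' keyword) is
            # checked; per-interface addresses have different rules (assumption).
            m = re.match(r"media-termination address (\S+)$", line)
            if m:
                addr = ipaddress.IPv4Address(m.group(1))
                for nameif, net in subnets.items():
                    if addr in net:
                        findings.append((str(addr), nameif))
    return findings


def tls_proxies_missing_trustpoint(config):
    """Return the names of tls-proxy instances with no 'server trust-point'."""
    missing = []
    for header, body in parse_blocks(config):
        if header.startswith("tls-proxy "):
            if not any(line.startswith("server trust-point ") for line in body):
                missing.append(header.split()[1])
    return missing


if __name__ == "__main__":
    for addr, ifc in media_termination_overlaps(SAMPLE_CONFIG):
        print(f"media-termination address {addr} overlaps interface {ifc}")
    for name in tls_proxies_missing_trustpoint(SAMPLE_CONFIG):
        print(f"tls-proxy {name} has no server trust-point")
```

To use it on a real device, save the output of show running-config to a file and pass its contents in place of SAMPLE_CONFIG. The overlap check only reproduces what the ASA error message itself states, so treat it as a pre-flight check rather than a substitute for the full media termination criteria in the phone proxy documentation.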

 

Issue 10: Audio Problems with IP Phones

Resolution

 

The following audio errors can occur when IP phones connect through the phone proxy.

 

 

Media Failure for a Voice Call

 

 

The call signaling completes but there is one way audio or no audio.

 

•     Problems with one-way or no audio might be caused by issues with media termination. Enter the following command to determine if the media-termination address in the phone proxy configuration is set correctly:

     hostname(config)# show running-config all phone-proxy
     !
     phone-proxy mypp
     media-termination address 10.10.0.25
     cipc security-mode authenticated
     cluster-mode mixed
     disable service-settings
     timeout secure-phones 0:05:00
     hostname(config)#

•     Make sure that each media-termination instance is created correctly and that the address or addresses are set correctly. The ASA must meet specific criteria for media termination.

•     If each media-termination address meets the requirements, determine whether the IP addresses are reachable by all IP phones.

•     If each IP address is set correctly and reachable by all IP phones, check the call statistics on an IP phone and determine if there are Rcvr packets and Sender packets on the IP phone, or if there are any Rcvr Lost or Discarded packets.

 

Issue 11: SSL Handshake Failure

 

Resolution

 

The phone proxy is not functioning. Initial troubleshooting uncovered the following errors in the ASA syslogs:

 

 

%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl handshake failure

%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned

%ASA-6-725006: Device failed SSL handshake with outside client:72.146.123.158/30519

%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 62D06172000000143FCC, subject name:

cn=CP-7962G-SEP002155554502,ou=EVVBU,o=Cisco Systems Inc.

%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.

 

 

Verify that all required certificates are imported into the ASA so that the TLS handshake will succeed.

 

 

Step 1          Determine which certificates are installed on the ASA by entering the following command:

 

 

hostname# show running-config crypto

 

Additionally, determine which certificates are installed on the IP phones. See the Debugging Information from IP Phones section for information about checking whether the IP phone has a Manufacturer Installed Certificate (MIC) on it.

 

 

Step 2          Verify that the list of installed certificates contains all required certificates for the phone proxy.

 

 

See the Certificates Required by the Security Appliance for the Phone Proxy section.



Step 3          Import any missing certificates onto the ASA. See the Importing Certificates from the Cisco UCM section.
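Most of the failures in this document are recognised from a few signature lines in debug phone-proxy tftp output or in the ASA syslogs. The following is an added example, not Cisco tooling, that classifies such lines. Its constructed sample mixes lines of the shapes shown in the configuration-file parsing, DNS response, non-configuration file, TFTP data not answered, unsigned file request and SSL handshake sections above. The classifier attributes each parse error to the most recent TFTP request from the same client, distinguishes SEP...cnf.xml requests from other files, and reports a CTL download as unanswered only after a configurable number of retransmissions. The category names and the retransmit threshold are this example's own choices.

```python
"""Classify ASA phone-proxy debug and syslog lines into the failure
modes described in this document.

Added example, not Cisco tooling. SAMPLE_LOG is constructed from the
line shapes shown above; the category names are this example's own."""
import re
from collections import Counter

# Constructed sample: a console capture with several phones' TFTP
# requests, the matching 'debug phone-proxy tftp' lines, and two syslogs.
SAMPLE_LOG = """\
PP: 192.168.10.5/49357 requesting SEP000100020003.cnf.xml.sgn
PP: opened 0x193166
PP: Beginning of element tag is missing, got !
PP: error parsing config file
PP: Error modifying config file, dropping packet
PP: 192.168.10.6/49401 requesting SEP000100020004.cnf.xml.sgn
PP: Callback required for parsing config file
PP: Unable to get dns response for id 7
PP: Callback, error modifying config file
PP: 192.168.10.7/49510 requesting SK72f64050-7ad5-4b47-9bfa-5e9ad9cd4aa9.xml.sgn
PP: Beginning of element tag is missing, got !
PP: error parsing config file
PP: Client outside:68.207.118.9/33606 retransmitting request for CTL file CTLSEP001DA2B78E91.tlv
PP: 68.207.118.9/33606 requesting CTLSEP001DA2B78E91.tlv
PP: Client outside:68.207.118.9/33606 retransmitting request for CTL file CTLSEP001DA2B78E91.tlv
PP: Client outside:68.207.118.9/33606 retransmitting request for CTL file CTLSEP001DA2B78E91.tlv
Error: phone requesting for unsigned config file
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 62D06172000000143FCC, subject name: cn=CP-7962G-SEP002155554502,ou=EVVBU,o=Cisco Systems Inc.
"""

# "PP: <client-ip>/<port> requesting <file>"
REQUEST_RE = re.compile(r"^PP: (\S+)/(\d+) requesting (\S+)")
# "PP: Client <ifc>:<client-ip>/<port> retransmitting request for CTL file <file>"
RETRANS_RE = re.compile(
    r"^PP: Client \S+?:(\S+)/\d+ retransmitting request for CTL file (\S+)")
# The only file the phone proxy is supposed to parse and rewrite.
CONFIG_FILE_RE = re.compile(r"^SEP[0-9A-F]+\.cnf\.xml(?:\.sgn)?$", re.IGNORECASE)


def triage(log_text, retransmit_threshold=3):
    """Return a list of (category, detail) findings, in log order."""
    findings = []
    last_request = {}      # client ip -> last file it requested
    current_client = None  # client whose request the next PP: lines refer to
    retrans = Counter()    # (client ip, CTL file) -> retransmit count
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current_client = m.group(1)
            last_request[current_client] = m.group(3)
            continue
        m = RETRANS_RE.match(line)
        if m:
            key = (m.group(1), m.group(2))
            retrans[key] += 1
            # Report once, when the phone has clearly stopped seeing our data.
            if retrans[key] == retransmit_threshold:
                findings.append(("ctl-no-response", f"{key[0]} {key[1]}"))
            continue
        fname = last_request.get(current_client, "?")
        if "Beginning of element tag is missing" in line:
            # Same parser error, but the requested file tells the two cases apart.
            kind = ("config-parse-error" if CONFIG_FILE_RE.match(fname)
                    else "non-config-file-parsed")
            findings.append((kind, f"{current_client} {fname}"))
        elif "Unable to get dns response" in line:
            findings.append(("dns-lookup-failed", f"{current_client} {fname}"))
        elif "phone requesting for unsigned config file" in line:
            # This line carries no client identifier in the debug output.
            findings.append(("unsigned-request", "client not logged"))
        elif "%ASA-3-717009" in line:
            m = re.search(r"subject name:\s*(cn=[^,]+)", line)
            findings.append(("tls-cert-validation", m.group(1) if m else line))
        elif "%ASA-7-725014" in line:
            m = re.search(r"Reason: (.+)$", line)
            findings.append(("tls-cert-validation", m.group(1) if m else line))
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24s} {detail}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

Feed it the buffered syslog (show logging) together with the debug output captured from the console; a tls-cert-validation finding points at the certificate steps above, while config-parse-error and non-config-file-parsed are separated only by which file the phone asked for, which is exactly the distinction the two parsing-error sections draw.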

 

 

 

 

 

Reference Links

Configuring Cisco Phone Proxy: https://supportforums.cisco.com/docs/DOC-5704

 

 

 

 

 

 
