IP Phone SSL VPN to ASA using AnyConnect

May 5, 2010 8:06 AM

Purpose

Starting in CUCM 8.0.1 and IP Phone Firmware 9.X, IP Phones are able to connect directly to an ASA using the AnyConnect VPN. This document addresses some common issues encountered during initial configuration and acts as a supplement to the official IP Phone VPN documentation.

Functional Overview

Before we get into versions and model numbers, let's look at how the feature works.

CUCM Places ASA Certificate Hash and VPN URL in Phone Config

Before the phone is ready for VPN, it must first be provisioned using the internal network. This requires direct access to the CUCM TFTP server.

[Figure: IPPhoneVPN-overview-Internal-Network.png]

The first step after the ASA is fully configured is to take the ASA HTTPS Certificate and upload it to the CUCM server. This allows the CUCM server to build an IP phone config file that tells the phone how to get to the ASA. The CUCM requires some additional configuration to associate the uploaded certificate with a VPN Profile that can be assigned to the phone.

Here is an example of the IP Phone VPN section of a phone's config file after performing the required configuration:

jasburns@jasburns-gentoo /home/jasburns $ tftp 14.48.44.80
tftp> get SEP0011215A1AE3.cnf.xml.sgn
Received XXXX bytes in 0.0 seconds
jasburns@jasburns-gentoo /home/jasburns $ cat SEP0011215A1AE3.cnf.xml.sgn
..........
<vpnGroup>
[Some Lines Omitted]
<addresses>
<url1>https://X.X.X.X/PhoneVPN</url1>
</addresses>
<credentials>
<hashAlg>0</hashAlg>
<certHash1>1eD9l3VEI9DGWQGKlNBGE1bRhUg=</certHash1>
</credentials>
</vpnGroup>

Note that the URL is printed exactly as entered on the VPN Gateway Configuration page in CUCM. Make sure the IP Phone can resolve this address.

Even more interesting is the cert hash. The IP phone configuration does not contain the entire certificate, merely a Base64-encoded SHA1 hash of it.

You can compare the certificate hash in the IP phone configuration file to the hash of the actual certificate on the ASA or CUCM by copying it to a computer running OpenSSL (Windows, Linux, or Mac):

$ cat r2800.cisco.com.pem
-----BEGIN CERTIFICATE-----
<Base64 value of the cert omitted>
-----END CERTIFICATE-----
$ openssl x509 -in r2800.cisco.com.pem -noout -fingerprint
SHA1 Fingerprint=D5:E0:FD:97:75:44:23:D0:C6:59:01:8A:94:D0:46:13:56:D1:85:48

This is the SHA1 fingerprint in hexadecimal form. In the configuration file the same value is printed in Base64. I used the following website to convert from hex to Base64:

http://tomeko.net/online_tools/hex_to_base64.php

[Figure: DecToBase64.png]

This method can be used to verify that the certificate loaded onto and presented by the ASA matches the certificate hash loaded into the phone.
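The same comparison can be done without a web converter. The following is an added example (not from the original document and not a Cisco tool): it strips the PEM armor, hashes the DER bytes with SHA1, converts the hex fingerprint to the Base64 form the phone config uses, and checks it against the certHashN values under <credentials>. PAGE_FINGERPRINT_HEX and PAGE_HASH_B64 are the values printed above; FAKE_PEM is a constructed stand-in (fixed bytes in PEM armor, not a real X.509 certificate), which suffices because only the raw DER bytes are hashed. Function names are this example's own.

```python
"""Check a phone's certHash1 against the ASA certificate (added example)."""
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET
from typing import List

# Values printed on the page: hex fingerprint from openssl and the phone-config Base64 form.
PAGE_FINGERPRINT_HEX = "D5:E0:FD:97:75:44:23:D0:C6:59:01:8A:94:D0:46:13:56:D1:85:48"
PAGE_HASH_B64 = "1eD9l3VEI9DGWQGKlNBGE1bRhUg="
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armor and Base64-decode the body to DER bytes."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_fingerprint_hex(der: bytes) -> str:
    """SHA1 over the DER, colon-separated like 'openssl x509 -fingerprint'."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def hex_fingerprint_to_b64(fingerprint: str) -> str:
    """Convert the hex fingerprint to the Base64 form used in <certHash1>."""
    raw = bytes.fromhex(fingerprint.replace(":", "").replace(" ", ""))
    if len(raw) != 20:
        raise ValueError("expected a 20-byte SHA1 fingerprint")
    return base64.b64encode(raw).decode("ascii")


def build_vpn_group(url: str, cert_hash_b64: str) -> str:
    """Constructed <vpnGroup> fragment in the layout the page shows."""
    return (
        "<vpnGroup>\n<addresses>\n<url1>{u}</url1>\n</addresses>\n"
        "<credentials>\n<hashAlg>0</hashAlg>\n<certHash1>{h}</certHash1>\n"
        "</credentials>\n</vpnGroup>\n"
    ).format(u=url, h=cert_hash_b64)


def config_cert_hashes(vpn_group_xml: str) -> List[str]:
    """Return every certHashN value under <credentials>.

    The real SEP<MAC>.cnf.xml.sgn carries a binary signature header before the
    XML (the '.....' in the page's listing); cut that off and pass only the
    <vpnGroup> element, as the page's excerpt does.
    """
    root = ET.fromstring(vpn_group_xml)
    creds = root.find("credentials")
    if creds is None:
        return []
    return [e.text.strip() for e in creds if e.tag.startswith("certHash") and e.text]


def asa_cert_matches_config(pem_text: str, vpn_group_xml: str) -> bool:
    """True when the hash of the PEM cert is one the phone will trust."""
    presented = hex_fingerprint_to_b64(sha1_fingerprint_hex(pem_to_der(pem_text)))
    return presented in config_cert_hashes(vpn_group_xml)


# Constructed stand-in for the ASA's exported certificate (512 fixed bytes, not a real cert).
FAKE_DER = bytes(range(256)) * 2
FAKE_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
    textwrap.wrap(base64.b64encode(FAKE_DER).decode("ascii"), 64)
) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("page fingerprint as Base64:", hex_fingerprint_to_b64(PAGE_FINGERPRINT_HEX))
    good = build_vpn_group("https://X.X.X.X/PhoneVPN",
                           hex_fingerprint_to_b64(sha1_fingerprint_hex(FAKE_DER)))
    stale = build_vpn_group("https://X.X.X.X/PhoneVPN", PAGE_HASH_B64)
    print("config built from this cert matches:", asa_cert_matches_config(FAKE_PEM, good))
    print("config carrying a different hash matches:", asa_cert_matches_config(FAKE_PEM, stale))
```

Run it against the real files by reading the exported PEM and the `<vpnGroup>` element of the phone's config; a `False` from asa_cert_matches_config means the phone will reject the ASA's certificate exactly as the console log below shows when the hash is not in the trust list.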

Phone Downloads Configuration

This part is extremely important. The phone must download the configuration (including the certificate hash in Base64) while it is inside the network and has direct access to the CUCM TFTP server.

The phone has to be provisioned inside the network before it can be moved outside the network and use the VPN feature.

Phone Connects to ASA

After internal provisioning has been completed, the phone can be moved to the external network for VPN access. Here the Corporate Phone has been moved to a Home location.

[Figure: IPPhoneVPN-overview-Whole-Network.png]

Depending on the phone's configuration it will either automatically attempt to connect to the VPN gateway, or will connect once manually initiated. If auto network detect is enabled, the phone will try to ping the TFTP server. If there is no response to this ping request the phone will automatically bring up the VPN process on the phone.

The phone connects to the ASA on TCP port 443 over HTTPS. The ASA responds with the configured certificate, hopefully the same certificate uploaded to CUCM. In addition to TCP 443 (Transport Layer Security, or TLS), the phone will also connect on UDP 443 for DTLS (Datagram Transport Layer Security).

Phone Verifies Presented Certificate

The phone console logs show us the hash of the certificate that the ASA presents in Hex form:

3943: INF 18:10:22.354209 VPNC: vpnc_save_to_file: wrote: </tmp/leaf.crt>, 479 bytes
3944: NOT 18:10:22.355351 VPNC: cert_vfy_cb: peer cert saved: /tmp/leaf.crt
3945: NOT 18:10:22.361892 SECD: Leaf cert hash = D5E0FD97754423D0C659018A94D0461356D18548
3946: NOT 18:10:22.362574 SECD: Hash was found in the trust list
3947: NOT 18:10:22.400294 VPNC: VPN cert chain trusted

These messages show us that the phone was able to validate the certificate that the ASA presented. The cert presented matched the hash in the configuration file.
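When the check fails, the same console log is where the reason shows up. The following is an added example (not from the original document or from Cisco) that parses phone console lines of this format and reduces them to a verdict: it recognizes the successful sequence above, the "hostIDCheck failed" / "unknown CA" sequence posted further down in the comments, and, when given the certHash1 from the config file, flags a presented certificate that does not match it. The sample logs are the lines shown on this page; the line regex, the diagnosis rules and the field names are assumptions of this example.

```python
"""Triage IP phone console log lines for the VPN certificate check (added example)."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Observed phone console format: "<seq>: <LVL> <hh:mm:ss.usec> <SUBSYS>: <message>"
LINE_RE = re.compile(r"^(\d+):\s+(\w{3})\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+(\w+):\s+(.*)$")
LEAF_HASH_RE = re.compile(r"Leaf cert hash = ([0-9A-Fa-f]{40})")


@dataclass
class VpnCertDiagnosis:
    leaf_hash_hex: Optional[str] = None      # SHA1 of the certificate the ASA presented
    hash_in_trust_list: bool = False          # SECD matched it against a certHashN value
    chain_trusted: bool = False
    host_id_check_failed: bool = False        # URL host did not match the certificate subject
    ssl_alerts: List[str] = field(default_factory=list)
    login_failed: bool = False
    matches_config: Optional[bool] = None     # only set when an expected hash is supplied

    def verdict(self) -> str:
        if self.host_id_check_failed:
            return ("HOST ID CHECK FAILED: the VPN URL host does not match the certificate subject; "
                    "use a URL matching the certificate or clear 'Enable Host ID Check' in the CUCM "
                    "VPN profile, then reset the phone on the internal network")
        if self.leaf_hash_hex and not self.hash_in_trust_list:
            return ("UNTRUSTED CERT: presented certificate hash is not in the phone's trust list; "
                    "upload the ASA certificate to CUCM as phone-vpn-trust and re-provision the phone")
        if self.matches_config is False:
            return "MISMATCH: presented certificate differs from the certHash in the config file"
        if self.login_failed:
            return "LOGIN FAILED after certificate validation: check credentials and the ASA logs"
        if self.chain_trusted:
            return "OK: ASA certificate validated against the hash in the phone configuration"
        return "INCONCLUSIVE: no certificate validation messages found"


def parse_line(line: str):
    """Split one console line into (seq, level, timestamp, subsystem, message) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seq, level, ts, subsys, msg = m.groups()
    return int(seq), level, ts, subsys, msg


def diagnose(log_text: str, expected_cert_hash_b64: Optional[str] = None) -> VpnCertDiagnosis:
    d = VpnCertDiagnosis()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _, level, _, subsys, msg = parsed
        if subsys == "SECD":
            m = LEAF_HASH_RE.search(msg)
            if m:
                d.leaf_hash_hex = m.group(1).upper()
            if "Hash was found in the trust list" in msg:
                d.hash_in_trust_list = True
        elif subsys == "VPNC":
            if "cert chain trusted" in msg:
                d.chain_trusted = True
            if "hostIDCheck failed" in msg:
                d.host_id_check_failed = True
            if level == "ERR" and "alert" in msg:
                d.ssl_alerts.append(msg)
            if "LoginFailed" in msg or "(FAILED)" in msg:
                d.login_failed = True
    if expected_cert_hash_b64 is not None and d.leaf_hash_hex:
        # The log prints hex; the config file carries the same SHA1 in Base64.
        presented = base64.b64encode(bytes.fromhex(d.leaf_hash_hex)).decode("ascii")
        d.matches_config = presented == expected_cert_hash_b64
    return d


# Sample input: the successful check from the article and an excerpt of the failing
# sequence from the comments, as printed on this page.
SUCCESS_LOG = """\
3943: INF 18:10:22.354209 VPNC: vpnc_save_to_file: wrote: </tmp/leaf.crt>, 479 bytes
3944: NOT 18:10:22.355351 VPNC: cert_vfy_cb: peer cert saved: /tmp/leaf.crt
3945: NOT 18:10:22.361892 SECD: Leaf cert hash = D5E0FD97754423D0C659018A94D0461356D18548
3946: NOT 18:10:22.362574 SECD: Hash was found in the trust list
3947: NOT 18:10:22.400294 VPNC: VPN cert chain trusted
"""
HOSTID_FAIL_LOG = """\
1087: NOT 13:10:18.180262 VPNC: VPN cert chain trusted
1089: NOT 13:10:18.183502 VPNC: Using URL addr = (https://x.x.x.x/abcd)
1091: NOT 13:10:18.184840 VPNC: Parsing host name from certificate...
1092: NOT 13:10:18.185512 VPNC: hostID not found in subject name
1093: ERR 13:10:18.186303 VPNC: hostIDCheck failed!!!
1094: ERR 13:10:18.188052 VPNC: ssl_state_cb: TLSv1: write: alert: fatal:unknown CA
1095: ERR 13:10:18.188968 VPNC: alert_err: SSL write alert: code 48, unknown CA
1104: NOT 13:10:18.198711 VPNC: set_login_state: LOGIN: 1 (TRYING) --> 3 (FAILED)
"""

if __name__ == "__main__":
    print(diagnose(SUCCESS_LOG, expected_cert_hash_b64="1eD9l3VEI9DGWQGKlNBGE1bRhUg=").verdict())
    print(diagnose(HOSTID_FAIL_LOG).verdict())
```

Feed it the console log from the phone's web page (the comments below describe where to get it) together with the certHash1 value from the phone's config file; the verdict ordering matters, because a failing phone may log "VPN cert chain trusted" and still fail on the host ID check.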

At this point the phone will establish an SSL session with the ASA and continue setting up the VPN tunnel.

All communication will now flow between the phone and the ASA in an encrypted tunnel. Once the traffic reaches the ASA it will be decrypted and forwarded along to any location in the network that the phone would like to connect to.

The beauty of this solution is that the phone obtains an address on the Internal network that is typically not filtered. The phone can connect using SCCP, SIP, HTTP, HTTPS to any server inside the Corporate Network. This allows advanced phone services and features to function that might not work through ASA Phone Proxy.

Software Versions

CUCM >= 8.0.1.100000-4

IP Phone >= 9.0(2)SR1S - SCCP

ASA >= 8.0.4

Anyconnect VPN Pkg >= 2.4.1012

Note: A "Premium" license and an "AnyConnect for Cisco VPN Phone" license are required. The part number for the "AnyConnect for Cisco VPN Phone" is L-ASA-AC-PH-55XX= where XX = 05,10,20,40,50,80.

Phone Models

7942 / 7962 / 7945 / 7965 / 7975 / 8961 / 9951 / 9971. For a complete list of supported phones in your CUCM version go to:

https://<CUCM Server IP Address>:8443/cucreports/systemReports.do

Unified CM Phone Feature List

Generate a new report

Feature: Virtual Private Network

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_5_1/secugd/secuvpn.html

CUCM Configuration

The following document provides a complete set of configuration tasks required to configure CUCM for this feature:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_5_1/secugd/secuvpn.html

Note: Please make sure the URL for the VPN Gateway contains the full and correct address to reach the IP Phone VPN tunnel-group on the ASA.

Phone Configuration

  1. Use a supported phone model per the CUCM Supported Models / Features report.
  2. Register the phone to the CUCM server on the internal network.
  3. Configure the IP phone with a TFTP server manually.
  4. Move the phone to the external network.

ASA Configuration

Configure AnyConnect VPN access on the ASA to provide network access.

See http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml for an example configuration.

The latest CUCM Security Guide also provides a sample ASA configuration.

Additional Requirements:

  1. The ASA must have the AnyConnect for Cisco VPN Phone licensed feature enabled. Licensing info can be found using the show version command.
  2. The group-policy must not be configured with split tunnel or split exclude. Only tunnel all is the supported tunneling policy.
  3. The tunnel-group used cannot be the DefaultWEBVPNGroup. Create another tunnel-group and use "group-url https://x.x.x.x/phonevpn enable" to map to the correct tunnel-group.
  4. DTLS must be enabled and negotiated for operation. This requires both tcp/443 and udp/443 to be open and allowed on all devices between the ASA and the phone.

Troubleshooting Steps

  1. Plug the phone into the internal network. This will test whether the phone's configuration works prior to adding VPN.
  2. Connect with AnyConnect on a PC from the outside to the ASA. This will confirm that the ASA is configured correctly for AnyConnect.
  3. From the connected PC try to ping the TFTP server and CUCM server. This will test basic IP connectivity to the two servers.
  4. From the PC try to download the TFTP config file for the phone in question: "tftp -i <TFTP Server> GET SEP<Mac Address>.cnf.xml". This will test that the TFTP service is reachable and serving files.
  5. From the PC try to telnet to TCP port 2000 on the CUCM server: "telnet <CUCM IP> 2000". This should immediately come back with a new line and a blank cursor. This will test connectivity to the CUCM SCCP port; for SIP registrations use port 5060 instead.
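Steps 4 and 5 can be scripted from the outside host so the checks are repeatable. The following is an added example, not part of the original document and not a Cisco tool: a minimal RFC 1350 octet-mode TFTP reader (the same operation as "tftp -i <server> GET SEP<MAC>.cnf.xml"), a TCP connect check for the SCCP or SIP port, and a constructed loopback TFTP server so the script runs offline. Ping (step 3) is omitted because raw ICMP needs privileges. All names here are this example's own.

```python
"""Outside-in checks: fetch the phone config over TFTP, probe the CUCM port (added example)."""
import socket
import struct
import threading
from typing import Tuple

TFTP_RRQ, TFTP_DATA, TFTP_ACK, TFTP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512


def phone_config_filename(mac: str) -> str:
    """'00:11:21:5a:1a:e3' -> 'SEP0011215A1AE3.cnf.xml' (CUCM device-name convention)."""
    return "SEP" + mac.replace(":", "").replace("-", "").replace(".", "").upper() + ".cnf.xml"


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", TFTP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", TFTP_ACK, block)


def parse_data(packet: bytes) -> Tuple[int, bytes]:
    """Return (block number, payload); raise on a TFTP ERROR packet."""
    opcode, num = struct.unpack("!HH", packet[:4])
    if opcode == TFTP_ERROR:
        text = packet[4:].split(b"\0")[0].decode(errors="replace")
        raise IOError("TFTP error %d: %s" % (num, text))
    if opcode != TFTP_DATA:
        raise IOError("unexpected TFTP opcode %d" % opcode)
    return num, packet[4:]


def tftp_get(host: str, filename: str, port: int = 69, timeout: float = 3.0) -> bytes:
    """Read a whole file in octet mode; a block shorter than 512 bytes ends the transfer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_rrq(filename), (host, port))
        chunks, expected = [], 1
        while True:
            packet, peer = sock.recvfrom(4 + BLOCK_SIZE)  # server answers from its own transfer port
            block, data = parse_data(packet)
            if block == expected - 1:                    # retransmission: ACK again, keep waiting
                sock.sendto(build_ack(block), peer)
                continue
            if block != expected:
                raise IOError("out-of-order block %d (expected %d)" % (block, expected))
            chunks.append(data)
            sock.sendto(build_ack(block), peer)
            expected += 1
            if len(data) < BLOCK_SIZE:
                return b"".join(chunks)
    finally:
        sock.close()


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Step 5: 'telnet <CUCM IP> 2000' reduced to a TCP connect (use 5060 for SIP)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def serve_file_once(filename: str, content: bytes) -> int:
    """Constructed loopback TFTP server: answers one RRQ, then exits. Returns its UDP port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]

    def run() -> None:
        listener.settimeout(5)
        try:
            rrq, client = listener.recvfrom(1024)
            xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # new TID, like a real server
            xfer.settimeout(5)
            if rrq[2:].split(b"\0")[0].decode(errors="replace") != filename:
                xfer.sendto(struct.pack("!HH", TFTP_ERROR, 1) + b"File not found\0", client)
            else:
                blocks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]
                if not blocks or len(blocks[-1]) == BLOCK_SIZE:
                    blocks.append(b"")               # exact multiple of 512 needs an empty last block
                for n, chunk in enumerate(blocks, start=1):
                    xfer.sendto(struct.pack("!HH", TFTP_DATA, n) + chunk, client)
                    xfer.recvfrom(4)                 # wait for the ACK (no retransmit in this toy)
            xfer.close()
        finally:
            listener.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    name = phone_config_filename("00:11:21:5a:1a:e3")
    sample = b"<vpnGroup>...</vpnGroup>\n" * 40        # constructed payload, larger than one block
    port = serve_file_once(name, sample)
    print("fetched", len(tftp_get("127.0.0.1", name, port=port)), "bytes of", name)
    print("TCP 2000 open on loopback:", tcp_port_open("127.0.0.1", 2000))
```

Against a real deployment, call tftp_get with the CUCM TFTP address and the phone's SEP name while connected over the PC AnyConnect session; an IOError carrying the server's "File not found" text separates a reachable TFTP service from a phone that is simply not configured in CUCM.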

Common Issues

  1. One-way or no voice. The phone registers and makes calls but no audio is heard. Confirm routing between the two phone/RTP stream endpoints.
  2. Auto Network Detect does not reliably work in IP Phone Firmware 9.0(2), but does work as expected in 9.2(1).
    1. Auto Network Detect allows the phone to detect whether it is inside or outside the network. If outside, it will bring up the VPN; if inside, it will connect directly.
    2. The phone uses a series of pings to the TFTP server to determine whether it is outside the network. If pings to the TFTP server fail, the VPN GUI will be brought up on the phone and the phone will attempt to access the VPN URL.
  3. Username and password authentication from the phone does NOT support the SPACE character in either the username or the password.

Comments

Haitham Hadad Tue, 01/18/2011 - 07:10

Hi,

Thanks a lot for this detailed mail.

Only I need to confirm something.

With CUCM 8, do I need only the premium license to have the IP phone VPN feature on the ASA, or do I also need this license L-ASA-AC-PH-55XX= besides the premium?

I hear that with CUCM 8 we need only the premium license [AnyConnect includes it], and this license L-ASA-AC-PH-55XX= may be needed only with CUCME 8?

If I'll need this license L-ASA-AC-PH-55XX=,

will I order it per user, per session, or per device?

Thanks a lot and waiting for your reply

Best Regards

Jay Young Tue, 01/18/2011 - 07:21 (reply to Haitham Hadad)

You need both the Premium license and the Phone license applied to the ASA. The Premium license is a number-of-concurrent-sessions license whereas the Phone license is an enable/disable feature license.

You can order the licenses separately but whether or not they are included with the purchase of CUCM 8 I do not know.  Perhaps you can contact your local sales rep to see if they can perform a bundle.

Haitham Hadad Tue, 01/18/2011 - 07:40 (reply to Jay Young)

Dear Jay,

Thank you very much for your concern and fast reply

Only one other question:

Is this required license L-ASA-AC-PH-55XX= not included in this license: ASA-ANYCONN-CSD-K9?

ASA-ANYCONN-CSD-K9 is the AnyConnect client license, and I read that there is a new license for ASA called AnyConnect that includes most of the needed features?

Kindly correct my sentence above, as I'm a voice engineer and have low-level expertise in security, and tell me what the AnyConnect license is exactly.

Thanks for your help and patience

Best Regards

Jay Young Tue, 01/18/2011 - 08:19 (reply to Haitham Hadad)

The ASA-ANYCONN-CSD-K9 only allows AnyConnect and CSD. You will want to order both the Premium license and the L-ASA-AC-PH-55XX=.

calmichael Mon, 01/24/2011 - 19:36 (reply to Haitham Hadad)

Since the application is for a phone versus a workstation, are there any settings that should be tweaked? e.g. keepalive timers, dead peer detection timers, avoiding AES-256 encryption, etc.

Sample:

ssl encryption aes128-sha1
group-policy <phone/UC> attributes
 banner none
 dns-server value <DNS1> <DNS2>
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol svc
 default-domain value <company>.com
 address-pools value <DHCP/RAS POOL>
 webvpn
  svc dtls enable
  svc keep-installer installed
  svc keepalive 120
  svc rekey time 4
  svc rekey method new-tunnel
  svc dpd-interval client none
  svc dpd-interval gateway 300
  svc compression deflate

Thanks

calmichael Wed, 02/09/2011 - 05:54 (reply to calmichael)

Just a follow-up. ASA code 8.2(4) was providing the unexpected result of random mid-call failures using the configuration above. ASA code 8.3(2)4 does seem to have corrected the issue.

sstoitsev Mon, 01/31/2011 - 09:28

Hi,

I have a couple of questions:

If I'm using user and password authentication do I need to get the ASA cert to the phones?

After installing the ASA certificate in CUCM and applying it to the phone will I see it in the phone CTL?

If I am using certificates for authentication which one gets picked - MIC or LSC?

BR,

Stoyan

Joe Martini Mon, 01/31/2011 - 09:57 (reply to sstoitsev)

Even with username and password authentication you do need the ASA certificate uploaded to call manager as a phone-vpn-trust, so that the phone can "get" the certificate from call manager and has it to verify the SSL handshake when connecting to the ASA. There is no way currently to see the certificate on the phone (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk00661) like you can with the CTL. Either the MIC or the LSC when using certificates for authentication too.

calmichael Wed, 02/09/2011 - 05:59 (reply to Joe Martini)

What happens when we need to replace the ASA's certificate? e.g. the certificate on the ASA is revoked or ages out and simply needs to be replaced. If I follow the procedure and "replace" the old certificate, won't my remote phones that were brought up using the legacy certificate no longer be able to VPN in?

Joe Martini Wed, 02/09/2011 - 06:11 (reply to calmichael)

If you have to replace your ASA certificate, if possible put the ASA certificate on call manager before applying it to the ASA, so that CUCM has a new phone-vpn-trust cert; apply that new certificate to the VPN gateway profile and then reset the phone. That way the phone gets the new certificate while still being connected to the VPN. Alternatively, if the ASA cert expires the phone will not be able to connect to the VPN; what must be done in that case is an external TFTP has to be set up that has the phone's new config file with the new certificate, which can be downloaded from call manager, and then the phone has to be pointed to the external TFTP. Otherwise you're correct, the phone would have to be brought back inside the internal network again.

fgasimzade Mon, 02/14/2011 - 23:49

Thank you for this useful topic!

Got one question:

What if I don't have this feature mentioned in my sh run:

AnyConnect for Cisco VPN Phone : Disabled 

Jay Young Tue, 02/15/2011 - 07:37 (reply to fgasimzade)

That feature won't be mentioned if you are running an older version of the ASA code. You will need to upgrade to the minimum version as referenced above.

madan.kumar Mon, 02/21/2011 - 00:54 (reply to Jay Young)

Thank you for the wonderful post.

I have configured the CUCM/ASA as per the guidance given here and provisioned the 7945 phone in the inside network.

Now I am trying to connect the phone from the public network. It prompts me for the VPN username/password; as soon as I give the credentials it gives me "Authentication failed", and there are no logs at the corresponding time in the ASA (it's not hitting the ASA?). I have tested by connecting a PC to the SSL VPN and accessing CUCM; it works fine.

Any suggestions here are very much appreciated.

Thanks in Advance

Joe Martini Mon, 02/21/2011 - 04:58 (reply to madan.kumar)

If it's not hitting the ASA I would look at the phone console logs, which can be accessed by putting the phone's IP address into a browser. Just to check something basic, is the URL configured as a hostname or IP address? If it's a hostname, does the phone have a DNS server that can resolve it?

madan.kumar Mon, 02/21/2011 - 05:25 (reply to Joe Martini)

The VPN GW URL is configured as an IP address. I have checked the phone status messages for that time; it says "All concentrators failed".

I think there is something basic missing; not able to crack it.

Any help here is very much appreciated.

madan.kumar Tue, 02/22/2011 - 05:56 (reply to Joe Martini)

Hi Joe,

Below is the log message from the phone console:

---------------------------------------------------------------------------

1087: NOT 13:10:18.180262 VPNC: VPN cert chain trusted
1088: DBG 13:10:18.181643 VPNU: SM wakeup - chld=0 tmr=0 io=1 res=0
1089: NOT 13:10:18.183502 VPNC: Using URL addr = (https://x.x.x.x/abcd)
1090: NOT 13:10:18.184080 VPNC: Host name = (x.x.x.x)
1091: NOT 13:10:18.184840 VPNC: Parsing host name from certificate...
1092: NOT 13:10:18.185512 VPNC: hostID not found in subject name
1093: ERR 13:10:18.186303 VPNC: hostIDCheck failed!!!
1094: ERR 13:10:18.188052 VPNC: ssl_state_cb: TLSv1: write: alert: fatal:unknown CA
1095: ERR 13:10:18.188968 VPNC: alert_err: SSL write alert: code 48, unknown CA
1096: ERR 13:10:18.189991 VPNC: create_ssl_connection: SSL_connect ret -1 error 1
1097: ERR 13:10:18.191394 VPNC: SSL: SSL_connect: SSL_ERROR_SSL (error 1)
1098: ERR 13:10:18.192406 VPNC: SSL: SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
1099: ERR 13:10:18.193416 VPNC: create_ssl_connection: SSL setup failure
1100: ERR 13:10:18.195227 VPNC: do_login: create_ssl_connection failed
1101: NOT 13:10:18.196442 VPNC: vpn_stop: de-activating vpn
1102: NOT 13:10:18.197296 VPNC: vpn_set_auto: auto -> auto
1103: NOT 13:10:18.197904 VPNC: vpn_set_active: activated -> de-activated
1104: NOT 13:10:18.198711 VPNC: set_login_state: LOGIN: 1 (TRYING) --> 3 (FAILED)
1105: NOT 13:10:18.199577 VPNC: set_login_state: VPNC : 1 (LoggingIn) --> 3 (LoginFailed)
1106: NOT 13:10:18.200518 VPNC: vpnc_send_notify: notify type: 1 [LoginFailed]

It says Host ID check failed. I have tried disabling the Host ID check field in the VPN configuration; still the issue persists.

Any inputs here are very much appreciated.

Thanks in Advance

Joe Martini Tue, 02/22/2011 - 06:11 (reply to madan.kumar)

Looks like the "Enable Host ID Check" checkbox needs to be unchecked under the VPN profile in CUCM, since the URL is configured as an IP address and the certificate likely contains a hostname (so they don't match).

Joe Martini Tue, 02/22/2011 - 06:17 (reply to madan.kumar)

Was the phone internal when this change was made, so that it could download its new configuration file with that change in it?

fgasimzade Tue, 02/22/2011 - 06:28 (reply to madan.kumar)

Each time you make a change in CCM configuration regarding VPN, you have to reset the IP phone to let it download the new config.

Haitham Hadad Mon, 09/12/2011 - 15:18 (reply to fgasimzade)

While the IP phone is outside, it can't take the ring tones as the internal IP phones do.

When putting the TFTP IP address manually to point to the CUCM, it gives VPN authentication fail.

Please help: how to get the ring tones for the outside phones, or what may prevent the phone from getting them?

chrfowle Mon, 02/21/2011 - 10:55

good stuff!! 

Does anyone know if the phone Cert can also be leveraged by the ASA for VPN-Phone-trust?

Or is it just Phone-VPN-trust using the ASA's cert on the phone (via CUCM), and then the ASA trusts the phone just from the username/PW?

Also, has anyone used a CA to issue signed certs to the phones that the ASA could validate via the CA?

thanks for the great dialog!

derveniss Thu, 06/09/2011 - 01:34

Hello,

Do I need to download any certificate from the cucm and upload to the ASA too?

And if so, which one?

yusuf.ujjainwala Sat, 07/30/2011 - 00:29

Jason, I followed the steps you mentioned and it worked very well. I had a question: in the ASA when I look at SSL VPN Client it shows me the MAC address of the phone as the username. Is there any way we can change it to some standard user ID? We are using certificate-only authentication.

pravfern Thu, 08/18/2011 - 22:38

Hi Team... Can anyone help me with a process to prevent lost phones from connecting to the ASA?

Joe Martini Sat, 08/20/2011 - 05:46

If you are using username and password based authentication you can keep the phone from authenticating by deleting the user from the ASA; however, the phone will still connect. If you are using certificate based authentication you could change the certificates used by the ASA and phones so that the lost phone can no longer authenticate; however, it will still try and connect. The only way to prevent the phone from connecting completely would be to change the address (IP address) of your ASA and/or URL. The phone will remember the address for the ASA until it downloads a new configuration file or is cleared (factory reset).

alaaraedissa Wed, 09/14/2011 - 06:20

Hi,

Could you please advise what is the format of the "VPN gateway URL" we should configure on the CUCM? Firstly, should we configure this URL on the ASA? If yes, what are the procedures for doing this?

Thanks in advance

Jay Young Mon, 09/19/2011 - 06:32 (reply to alaaraedissa)

Ala Raed Issa,

As mentioned in the article above you will need to configure a URL on the ASA like the following:

https://x.x.x.x/phonevpn

You will need to do that under the tunnel-group. After that, in the CUCM you put the following in the phone config file:

<vpnGroup>
[Some Lines Omitted]
<addresses>
<url1>https://X.X.X.X/phonevpn</url1>
</addresses>
<credentials>
<hashAlg>0</hashAlg>
<certHash1>1eD9l3VEI9DGWQGKlNBGE1bRhUg=</certHash1>
</credentials>
</vpnGroup>

alaaraedissa Tue, 09/20/2011 - 01:16

Hi Jay,

Really, many thanks for your response.

In addition, could you please provide me with the part number of the required "premium license"?

Really, thanks in advance for your response.

Best Regards,

alaaraedissa Fri, 09/23/2011 - 06:10

Hi Jay and all,

Is there any update regarding the part number of the required "premium license"?

Thanks in advance

Warmest Regards,

Ala'a Issa

Jay Young Fri, 09/23/2011 - 06:57 (reply to alaaraedissa)

Ala'a Issa,

The license FRU number is:  ASA5500-SSL-XXXX

Where XX could be: 10,25,50,100,250,500,750,1000,2500,5000,10K

-Jay

don.click1 Wed, 12/14/2011 - 18:04

We have 2 questions we wanted to ask you guys about this setup.

1. We currently use Cisco NAC and Cisco ISE for remediation control. Do we need to manually exclude the MAC of the phone before sending it to the field, or will NAC/ISE recognize the MAC as a phone?

2. Does the PC port on the phone ALSO get VPN access? Is the only way to "disable" the PC port through UCM, then lock the settings so a user can not "piggy back" into the network through the phone?

Jason Burns Thu, 12/15/2011 - 06:30 (reply to don.click1)

Don,

1. NAC / ISE - I don't know the answer to this question.

2. Does the PC Port on the phone get VPN Access?

No - the PC port does not have access to the VPN. Only the phone has SSL VPN access. The PC port will have access to the local network where the phone is plugged in.

Jay Young Thu, 12/15/2011 - 09:05 (reply to don.click1)

Don,

I don't believe that the phones have a NAC agent installed on them nor CSD. In addition, since the connection is coming over a VPN, the MACs of the phone will not be used when being sent out the inside of the ASA.

As a result:

NAC - don't have an agent so can't validate with the CAS.

ISE - The ASA doesn't have any of the endpoint attributes from the phone since CSD won't run.  As a result we can't make a policy decision on that info.

The solution for you is to set up another tunnel-group and group-policy specifically for the phones. Set up a separate VLAN to have them dumped into, and on the CAS allow that VLAN to pass.

Hope that helps.

Haitham Hadad Tue, 01/03/2012 - 02:09

Hi,

Anyone here tried to restore a call manager backup after sending the phone outside? Will the call manager retain the certificate using the restore, or will the outside phones fail and need to come home again?

Regards

Haitham

Jason Burns Wed, 01/04/2012 - 11:24 (reply to Haitham Hadad)

Haitham,

The CUCM backup and restore should restore the VPN certificate and VPN Gateway and Group configuration as well during a DRS Restore.

Your outside phones wouldn't be affected and should register to the CUCM again once it was restored.

bvanbenschoten Wed, 01/11/2012 - 19:43

Is it possible to use an IOS router at the head end to terminate the phone VPN instead of the ASA?

Say like a 29xx/39xx series ?

wallopez Thu, 01/26/2012 - 08:52

We did a lab recreation here and we confirmed the VPN phone can connect using the AnyConnect Essentials license. This is an option instead of using the Premium license.

gilrandy88 Wed, 02/29/2012 - 20:54

Hi everyone. Does it work on CIUS? I want to connect my CIUS with AnyConnect and register it with my CUCM. I already bought the ASA license to enable AnyConnect for mobile. When I try connecting CIUS to the ASA, there's a message from CIUS: "phone service unavailable" and "telephone service is unavailable". Do I need to buy another license to enable AnyConnect for Cisco VPN Phone?
