We've got a Series 800 SOHO with EzVPN running. It gets connected to our internal network through our ASA 5520 just fine. We have clients on the SOHO side which can ping and RDC to servers inside our network.
The SOHO clients are using MS Lync 2013 (instant messenger) which fails. Packet captures reveal that the external Lync clients are receiving an SSL cert from the firewall when they should be receiving from the internal Lync server. Running a capture against internal clients shows that working inside clients receive our GoDaddy cert and the program works.
The behavior is unexpected. The capture shows client-side sip-tls / Client Hello packets getting all the way to their appropriate internal server destination. The returning Server Hello / Certificate packets (from the appropriate IP address to the appropriate IP address) name a specific CAP-RTP-001 certificate that is part of the 5520 configuration.
The client application throws a certificate error, apparently having received a certificate other than that from the intended server.
The senior guys around here would drag their feet about an entire copy / paste of our FW config. Are there relevant sections you'd like to see which I can snippet into this thread?
This is expected behavior (although it was new to me). We had configured a TLS Proxy so it was handling TLS requests according to our configuration. We have staff who work from home with VOIP phones and need to have the firewall hand out certs to those clients.
We found that we were inspecting SIP in our phone proxy policy map and that was the connection. We modified that map to exclude SIP from inspection and those packets are now getting to their destination and the Lync clients are working.
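To show the kind of change the follow-up describes, here is an added ASA configuration sketch (not the poster's actual firewall config). The weak form applies `inspect sip phone-proxy` to all TCP/5061 traffic, so the TLS proxy terminates every SIP-over-TLS session and hands out the firewall's certificate; the corrected form carves the Lync front end out of that class with a deny line in the classification ACL, so its traffic passes untouched. The phone-proxy name `HOME_PHONES`, the object name `LYNC_FE`, the server address 10.0.0.20 and the ACL/class names are all assumed placeholders.

```text
! --- Weak: every SIP-over-TLS flow is classified into the phone proxy
class-map SIP_TLS_ALL
 match port tcp eq 5061
!
policy-map global_policy
 class SIP_TLS_ALL
  inspect sip phone-proxy HOME_PHONES
!
! --- Corrected: exclude the Lync front end (assumed host 10.0.0.20)
!     A deny entry in a class-map ACL means "do not classify", so
!     Lync traffic is never handed to the TLS proxy; other SIP/TLS
!     flows (the home VoIP phones) still are.
object network LYNC_FE
 host 10.0.0.20
!
access-list SIP_INSPECT_ACL extended deny tcp any object LYNC_FE eq 5061
access-list SIP_INSPECT_ACL extended permit tcp any any eq 5061
!
class-map SIP_TLS_PHONES
 match access-list SIP_INSPECT_ACL
!
policy-map global_policy
 no class SIP_TLS_ALL
 class SIP_TLS_PHONES
  inspect sip phone-proxy HOME_PHONES
```

After applying it, `show service-policy inspect sip` should show the Lync server's flows no longer counted under the phone-proxy class, and a capture of the Server Hello from the outside client should carry the internal server's GoDaddy certificate rather than the CAP-RTP-001 one.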
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: