7975G VPN Phone failed

huntlee
Level 1

Dear NetPro gurus,

One of my customers has purchased a brand new Cisco ASA 5510 firewall.  They have also bought a large number of Cisco 7975G IP Phones.

For some of their 7975G phones, they would like to use it as 'VPN Phones' and remote login from home.

What they found is that on the Cisco 7975G phone, whenever they try to log in to the 5510 ASA with the following address, it fails on the 7975G phone.  But if they try on their PC with exactly the same login details, they can log in perfectly fine from their PC.

https://210.177.249.x/phonevpn

U: phone1

P: 12345678

The home topology is as follows:

Internet  ---- Dlink DIR-300 router ---- 7975G on port1 & Home PC on port2

And the home PC can ping the 7975G perfectly fine.

The ASA 5510 firewall is equipped with the AnyConnect for Cisco VPN Phone license as below:

Serial #:  JMX1135XXXX
Product Authorization Key   : 2851J2XXXXX

Failover                       : Enabled  
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
Security Contexts              : Default  
GTP/GPRS                       : Disabled 
SSL VPN Peers                  : Default  
Total VPN Peers                : Default  
Advanced Endpoint Assessment   : Disabled 
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Enabled  
Shared License                 : Disabled 
UC Phone Proxy Sessions        : Default  
Total UC Proxy Sessions        : Default  
AnyConnect Essentials          : Disabled 
Botnet Traffic Filter          : Disabled 
Intercompany Media Engine      : Disabled

Platform = asa

JMX1135XXXX:   2707cd78 8ca46573 a8e32144 85146848 XXXXXXXX

The 7975G phone keeps saying VPN login failed.  And if I look under the status messages, the log keeps saying 'All concentrator failed'.

Cheers,

Hunt

14 Replies

Joseph Martini
Cisco Employee

Check these (from https://supportforums.cisco.com/docs/DOC-9124):

  1. Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy.
  2. The tunnel-group used cannot be the DefaultWEBVPNGroup.  Create another tunnel-group and use "group-url https://x.x.x.x/phonevpn enable" to map to the correct tunnel-group.
  3. DTLS must be enabled and negotiated for operation.  This requires both tcp/443 and udp/443 to be open and allowed on all devices between the ASA and the phone.

Hello joemar,

I have done exactly those but it is still not working.  Here is an abstract of my Cisco ASA config.

group-policy VPNPHONE_GroupPolicy1 internal
group-policy VPNPHONE_GroupPolicy1 attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelall
webvpn
  svc dtls enable

I have attached the full config as well.

Please help, as I have spent countless days on this but it is still not working; I would appreciate it if anyone can shed some light on this.

Cheers,

Hunt

Hi Hunt,

I don't see any trustpoint created on your ASA.  Try the following procedure for configuring the ASA.


Download the Cisco_Manufacturing_CA and CAPF certs from CUCM.  This is only needed for device level certificate authentication.  If the cluster is in Mixed Mode, you’ll need to add the CallManager cert as well.

Download certificates from CUCM

1. Go to the Cisco UCM Operating System Administration web page.

2. Choose Security > Certificate Management. (This location may change based on the UCM version.)

3. Find the certificates CallManager, Cisco_Manufacturing_CA, and CAPF. Download each .pem file and save it as a .txt file.

Import certificates into the ASA

1. Create the CallManager trustpoint.

hostname(config)# crypto ca trustpoint CallManager

hostname(config-ca-trustpoint)# enrollment terminal

hostname(config)# crypto ca authenticate CallManager

When prompted for the base 64 encoded CA certificate, copy-paste the text in the downloaded CallManager.pem file along with the BEGIN and END lines.

2. Create the Cisco_Manufacturing_CA trustpoint.

hostname(config)# crypto ca trustpoint Cisco_Manufacturing_CA

hostname(config-ca-trustpoint)# enrollment terminal

hostname(config)# crypto ca authenticate Cisco_Manufacturing_CA

When prompted for the base 64 encoded CA certificate, copy-paste the text in the downloaded Cisco_Manufacturing_CA.pem file along with the BEGIN and END lines.

3. Create the CAPF trustpoint.

hostname(config)# crypto ca trustpoint CAPF

hostname(config-ca-trustpoint)# enrollment terminal

hostname(config)# crypto ca authenticate CAPF

When prompted for the base 64 encoded CA certificate, copy-paste the text in the downloaded CAPF.pem file along with the BEGIN and END lines.

Create the VPN trustpoint and generate a self-signed certificate

1. Create the SSL keypair.

hostname(config)# crypto key generate rsa label sslvpnkeypair modulus 1024

2. Create the VPN trustpoint.

hostname(config)# crypto ca trustpoint ASA_VPN

hostname(config-ca-trustpoint)# enrollment self

hostname(config-ca-trustpoint)# keypair sslvpnkeypair

!---For the CallManager certificate to work with host-id check enabled on the VPN profile in CUCM, the following should be added.

hostname(config-ca-trustpoint)# fqdn

hostname(config-ca-trustpoint)# subject-name CN=, CN=

hostname(config)# crypto ca enroll ASA_VPN

3. Assign the trustpoint to the outside interface.

ssl trust-point ASA_VPN outside

Export the VPN certificate and upload it to CUCM

1. Export the VPN certificate.

hostname(config)# crypto ca export ASA_VPN identity-certificate

2. Upload the certificate to CUCM.

Go to the Cisco UCM Operating System Administration web page.

Choose Security > Certificate Management. (This location may change based on the UCM version.)

Click Upload Certificate and select the Phone-VPN-Trust store.

Browse to the exported VPN certificate file and click Upload File.

Once this is complete configure the CUCM side as specified here.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_0_1/secugd/secuvpn.html

After all this, register the phone locally so that it can download the cert associated with the VPN gateway.  Now connect the phone to your outside network and test the VPN.  Let me know if this helps.  If this still fails, attach the new ASA config and console logs from the phone.  To get the console logs, browse to the phone's IP and click the Console Logs link on the left.

John

Hello John,

I managed to get the 7975G phone to connect to the VPN now, and the phone can also get an IP address from the ASA 5510 as well as the default gateway IP.

However, once connected, the phone is still not working and I can't ping it within the network from anywhere... I suspect DTLS is not working.

I have attached the ASA debugs from when the IP phone is connecting, and I have also included the phone's console logs from when it is connecting.

Cheers,

Hunt

Hi John,

The IP address that the phone gets is 172.16.100.102 under the Username phone1.

Cheers,

Hunt

It looks like DTLS is not working properly like you said.

1568: WRN 18:17:01.700186 VPNC: protocol_handler: DTLS dpd response not rcvd, # 2
1569: ERR 18:17:01.700843 VPNC: protocol_handler: DTLS DPD timeout, cleanup

Make sure both TCP and UDP ports 443 are open on the ASA.

Can you attach the updated ASA 'sh run' as well.

John
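As an added example (not from the thread or from any Cisco tool), a small triage script for the phone console-log format shown above; the two DTLS DPD lines are the ones quoted in the post, and the other sample lines are constructed in the same format:

```python
import re

# Constructed phone console-log excerpt: the two DTLS DPD lines are the ones quoted
# in the thread; the remaining lines are made up in the same format for this example.
SAMPLE_LOG = """\
1560: NOT 18:16:20.000000 VPNC: protocol_handler: tunnel established
1565: WRN 18:16:51.000000 VPNC: protocol_handler: DTLS dpd response not rcvd, # 1
1568: WRN 18:17:01.700186 VPNC: protocol_handler: DTLS dpd response not rcvd, # 2
1569: ERR 18:17:01.700843 VPNC: protocol_handler: DTLS DPD timeout, cleanup
"""

# Line shape: "<seq>: <LEVEL> <hh:mm:ss.micro> <COMPONENT>: <message>"
LINE_RE = re.compile(r"^(\d+): (\w+) (\d\d:\d\d:\d\d\.\d+) (\S+): (.*)$")

def parse_log(text):
    """Return a list of (seq, level, timestamp, component, message) tuples."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage_dtls(text):
    """Count missed DTLS DPD replies and spot the teardown that follows them."""
    missed, timeout_at = 0, None
    for _seq, _level, ts, _comp, msg in parse_log(text):
        if "DTLS dpd response not rcvd" in msg:
            missed += 1
        elif "DTLS DPD timeout" in msg:
            timeout_at = ts
    if timeout_at:
        verdict = "dtls_dpd_timeout"   # tunnel came up, but the UDP DPD probes were never answered
    elif missed:
        verdict = "dtls_dpd_flapping"  # some DPD replies lost, no teardown yet
    else:
        verdict = "ok"
    return {"missed_dpd": missed, "timeout_at": timeout_at, "verdict": verdict}

# What to check for each verdict, following the thread's advice on tcp/443 + udp/443.
ADVICE = {
    "dtls_dpd_timeout": "verify udp/443 is open on every device between the phone and the ASA",
    "dtls_dpd_flapping": "DTLS negotiates, but replies are being dropped; check the udp/443 path for loss",
    "ok": "DTLS DPD is healthy",
}
```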

Dear John,

Please find attached the config for the Cisco ASA.

I would appreciate your help.

Cheers,

Hunt

Hi Hunt,

I don't see any trustpoints configured on your ASA.  What certificate did you load in the VPN Gateway config in CUCM?  I would expect to see something like the following in your ASA config.

crypto ca trustpoint phonevpn
enrollment terminal
keypair sslvpnkeypair
crl configure

crypto ca certificate chain phonevpn
certificate 2509c62b000000000021

ssl trust-point phonevpn outside

The phonevpn cert should be exported using the following procedure.

crypto ca export phonevpn identity-certificate

That cert should be uploaded to CUCM and added to the VPN Gateway config in CUCM.  The phone then needs to be registered internally so it can download the cert.

John

Hello John,

Thanks for your reply but I have the following question:-

1) The cert I currently have is a 'self-signed certificate' from the ASA.  It is not one of those 'Verisign' certs, so would those commands allow me to use the 'self-signed cert' for SSLVPN??

crypto ca certificate chain phonevpn
certificate 2509c62b000000000021

2) I also have normal PC users who need a cert to SSLVPN via the ASA.  If I run the commands and set up this cert as suggested, would this create a problem where all my customer's PCs will need to get this new cert from the ASA??  Because they won't be able to connect to the SSLVPN if only one cert is allowed at any one time.

Cheers,

Hunt

Hi Hunt,

You can use a self-signed cert.  Use the following commands to create the trustpoint on the ASA with the self-signed cert.

hostname(config)# crypto key generate rsa label sslvpnkeypair modulus 1024
hostname(config)# crypto ca trustpoint phonevpn
hostname(config-ca-trustpoint)# enrollment self
hostname(config-ca-trustpoint)# keypair sslvpnkeypair

!--this generates the cert

hostname(config)# crypto ca enroll phonevpn

!--assign the trustpoint to the outside interface

hostname(config)# ssl trust-point phonevpn outside

!--use the following to export the cert.  This is what needs to be uploaded to CUCM and assigned to the VPN Gateway.
hostname(config)# crypto ca export phonevpn identity-certificate

This shouldn't cause a problem for users using the client from their PC.  They will just get a warning stating that the cert is from an unknown CA, click Yes to continue.

John
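As an added example, not part of the thread or of any Cisco tool, here is a checker that reads an ASA running-config and verifies the VPN-phone prerequisites Joseph listed earlier (tunnel-all, non-default tunnel-group with a group-url, DTLS enabled) together with the trustpoint binding John describes in this and the earlier procedure post. The sample config, the tunnel-group name PHONEVPN and the address 192.0.2.1 are constructed; plain 'show run' omits defaults, so feed it 'show run all' output if the tunnel policy was never set explicitly.

```python
import re

# Constructed 'show run' excerpt (not the poster's attached config), assembled from the
# fragments quoted in the thread plus a tunnel-group carrying the phone group-url.
SAMPLE_CONFIG = """\
crypto ca trustpoint phonevpn
 enrollment self
ssl trust-point phonevpn outside
group-policy VPNPHONE_GroupPolicy1 attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelall
 webvpn
  svc dtls enable
tunnel-group PHONEVPN general-attributes
 default-group-policy VPNPHONE_GroupPolicy1
tunnel-group PHONEVPN webvpn-attributes
 group-url https://192.0.2.1/phonevpn enable
"""

def parse_blocks(config):
    """Map each top-level config line to its indented child lines (indent stripped)."""
    blocks, parent = {}, None
    for raw in (l for l in config.splitlines() if l.strip()):
        if raw[0].isspace():
            blocks.setdefault(parent, []).append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks

def check_phone_vpn(config, url_path="/phonevpn"):
    """Return name -> bool for the VPN-phone prerequisites discussed in the thread."""
    blocks = parse_blocks(config)
    tg = gp = tp = None
    for parent, children in blocks.items():
        m = re.match(r"tunnel-group (\S+) webvpn-attributes$", parent)
        if m and any(re.match(rf"group-url \S+{re.escape(url_path)} enable$", c)
                     for c in children):
            tg = m.group(1)                       # tunnel-group that owns the phone URL
        m = re.match(r"ssl trust-point (\S+) outside$", parent)
        if m:
            tp = m.group(1)                       # trustpoint bound to the outside interface
    for c in blocks.get(f"tunnel-group {tg} general-attributes", []):
        m = re.match(r"default-group-policy (\S+)$", c)
        if m:
            gp = m.group(1)                       # group-policy that tunnel-group applies
    attrs = blocks.get(f"group-policy {gp} attributes", [])
    return {
        "group_url_on_custom_tunnel_group": tg is not None and tg != "DefaultWEBVPNGroup",
        "tunnel_all": "split-tunnel-policy tunnelall" in attrs,
        "dtls_enabled": "svc dtls enable" in attrs,   # sits under the nested webvpn section
        "ssl_trustpoint_outside": tp is not None and f"crypto ca trustpoint {tp}" in blocks,
    }
```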

Hello John,

Also, where do I find the certificate string 2509c62b000000000021??  Shouldn't it be 69DB0F29FAC8699F062FEC036EFD1680FA9E3EA2??

Cheers,

Hunt

Hi Hunt,

2509c62b000000000021 was just an example from my lab.  The serial number generated for your cert will look much different.

John

Hello John,

I believe I have finally got it to work... I just have to double-confirm tonight.

Is there any way we can make the VPN session for VPN phones infinite so that it will 'never time out'??  The reason is that the VPN phones will be placed in the sitting rooms of the customer's executives' homes, and they will want to be able to make calls whenever they want without having to authenticate into the VPN every now and then.

Cheers,

Hunt

The VPN session will use a keepalive mechanism that will not time out (possibly config dependent), but you can get the AnyConnect client, which is what the phone uses, to never time out the connection.  Also, the best option for you is to use certificate-based authentication so that if the phone is powered off, reset, or loses connection, the phone will automatically connect back to the VPN on its own.  That way the user doesn't have to type in a username or password if the phone is reset or powered off.
