Solved: Cisco IP Communicator issue when using VPN with CUCM 8.0.3

NICNGUYEN · ‎05-29-2012

Hi Team,

I am currently running CUCM 8.0.3 and I tried to run the Cisco IP Communicator (CIPC) 8.6.1.0 using a IP SEC VPN.

As a result : There is no way to register my CIPC 8.6.1.0 to the CUCM 8.0.3 when I use the VPN.

However when I uninstall the CIPC 8.6.1.0 and install CIPC 7.0.6.0 then I try to register the CIPC to the Call Manager through my VPN there is no problem at all !

Moreover I don't have any issue at all with both CIPC release 8.6.1.0 and 7.0.6.0 when I and within my compagny network.

Does anybody know if the CIPC 8.6.1.0 is compatible with CUCM 8.0.3 ? If so, then has anybody experienced a registration issue with CIPC 8.6.1.0 and CCUCM 8.0.3 ?

Thank you and Regards

Nick

guidobrinkmannl · ‎06-25-2012

Hi Nick,

Indeed!

I received a reply from Cisco CUCM Customer Support:

"

Skinny Call Control Protocol (SCCP) version 17 used by CIPC 8.6.1 is not supported by Juniper Firewalls.

You need to disable the SCCP ALG on the firewall by the following command:

unset alg sccp enable

"

After setting this on our ISG2000, it worked!

(

-> unset alg sccp enable

-> get alg

MSRPC ALG : enabled

SUNRPC ALG : enabled

SQL ALG : enabled

SIP ALG : enabled

RTSP ALG : enabled

H323 ALG : enabled

MGCP ALG : enabled

SCCP ALG : disabled

////

)

I think Cisco should answer these posts also, and have a Knowledge Base they would share with us on their site...!

Guido

View solution in original post

NICNGUYEN · ‎05-30-2012

All right Guys, here are some news :

I ran a Wireshark trace to capture the data when the IP communicator starts and register to CUCM using the TFTP server and there is indeed a difference between CIPC 7.0 and 8.6 :

CIPC 7.0.6.0 : The CIPC uses the TFTP protocol on port 69 to communicate with the TFTP server to get it's configuration.

CIPC 8.6.1.0 : The CIPC uses the HTTP protocol and address the web proxy on port 8080, which redirects to the TFTP server using HTTP (e.g. GET http://10.196.19.3:6970/CTLSEP5C260A85B957.tlv HTTP/1.1\r\n)

This is the major difference and as for me, that's why although I was connected with my CIPC 8.6.1.0

to my compagny's office from home using IP SEC VPN, the proxy server didn't redirect the request to the TFTP server

Regards

Nick

guidobrinkmannl · ‎06-20-2012

Hi Nick,

we have the same issue (when using 8.6.2.0 versus 7.x and CUCM 7.1.5) on our Juniper VPN.

In this PDF http://www.cisco.com/en/US/docs/voice_ip_comm/cipc/8_5/english/administration/cag85c.pdf

I found the option to use tftp instead off http. (see below)

but that didn't help:-(

But WTH? I can login with Extension Mobility, altough my phone doesn't register.

Guido

Application is Slow to Register

Problem The application takes a long time to register successfully and your proxy server has been configured in Internet Explorer for HTTP traffic.

Solution Disable HTTP download by changing the system registry setting at: HKEY_LOCAL_MACHINE -> Cisco System, Inc .-> Communicator -> EnableHttpDownload to 0.Application is Slow to Register
Problem The application takes a long time to register successfully and your proxy server has been configured in Internet Explorer for HTTP traffic.
Solution Disable HTTP download by changing the system registry setting at: HKEY_LOCAL_MACHINE -> Cisco System, Inc .-> Communicator -> EnableHttpDownload to 0.

NICNGUYEN · ‎06-20-2012

Hi Guido,

That's interresting. In my case I have a Cisco VPN ASA 5540 (release 8.4.2) IPSec concentrator and a JUNIPER Firewall Netscreen ISG 1000.

There was an issue - CSCtx82637 - described with the ASA release 8.4.2 related to the SCCP Skinny protocol used buy the latest CIPC softphone, however in our lab the issue described by Cisco didn't apply.

Now I am investigating with our network team on the Juniper FW side to find out whether the Netscreen ISG 1000 is having an issue with the latest SCCP Skinny version 19 provided by the CIPC softphone release 8.6(2).

I'll let you know as soon as I get more information

Best Regards

Nick

NICNGUYEN · ‎06-20-2012

Another URL which may be worth looking if your FW is 100% Cisco : https://supportforums.cisco.com/docs/DOC-8131

guidobrinkmannl · ‎06-25-2012

Hi Nick,

Indeed!

I received a reply from Cisco CUCM Customer Support:

"

Skinny Call Control Protocol (SCCP) version 17 used by CIPC 8.6.1 is not supported by Juniper Firewalls.

You need to disable the SCCP ALG on the firewall by the following command:

unset alg sccp enable

"

After setting this on our ISG2000, it worked!

(

-> unset alg sccp enable

-> get alg

MSRPC ALG : enabled

SUNRPC ALG : enabled

SQL ALG : enabled

SIP ALG : enabled

RTSP ALG : enabled

H323 ALG : enabled

MGCP ALG : enabled

SCCP ALG : disabled

////

)

I think Cisco should answer these posts also, and have a Knowledge Base they would share with us on their site...!

Guido

NICNGUYEN · ‎07-11-2012

Hi Guido,

You saved my life, as this is exacly what the issue I had was about !!!

The Juniper firewall didn't support the latest Skinny protocol provided by the Cisco IP Communicator. I fixed the issue on the FW with the command : unset alg sccp enable

Thank you again

Nick