Cisco Support Community
Community Member

Connecting 9971's over a VPN

I am trying to connect a 9971 over a VPN tunnel back to my call manager.  I have a wide open tunnel back to my end.  I have to open up ports on the firewall that is in front of call manager.  I have tftp and sip opened up.  I can see the phone trying to talk to the tftp server on call manager as the firewall rule is incrementing.  The phone isn't registering with call manager.


I can ping the phone from Call manager, so it has no problems in talking to it over the tunnel.


Any tricks to getting the 9971 to work over a VPN tunnel, or any ports beyond SIP/TFTP to have open?



Cisco Employee

Usually you do not have to open ports directly back to your CUCM but it sounds like you are trying to provision and connect the phone without having to bring the phone to the internal network.  Usually the phone is provisioned and registered internally first.  The internal provisioning allows the phone to download its TFTP configuration which contains the VPN URL and the certificates the phone trusts for the VPN connection.


If you look at the phone's Status messages, Settings button > Admin Settings > Status > Status Messages, what do you see there?  Do you see a VPN icon on the applications menu, and if you do, if you select it, is the VPN URL populated properly?  If all of that looks good, the last step is to make sure you do not have "auto network detect" enabled in CUCM for your VPN connection.  The phone will check what it has configured for its alternate TFTP and try to ping it; if the ping works, the phone determines it is internal and will not start the VPN.

Community Member

I am going through a local ASA 5505 where the phone will be located.  So it isn't doing its own VPN connection.  My boss decided that he wanted to use a Remote ASA to do this and then have the phone plug into the ASA.  I then was given the gear to get it working.


You need more than just TFTP & SIP for a phone to work nowadays! Have you looked at the Port Usage guide in the CUCM doc? is for CUCM 8.x (9.x isn't much/any different)


As a starter for 10, you'll need:



- TFTP Locator (port 6969 & 6970)

- Web ports (80, 443, 8080 & 8443)

- Maybe RTP if you've got MTPs configured. (16384 - 32767)



Please rate all helpful posts.
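
Added example, not part of the original thread: a small Python probe, run from a host on the phone's side of the tunnel, that shows which of the ports listed above actually reach CUCM through the firewall. Treating the listed ports as TCP and using 5060/5061 for SIP are assumptions; UDP services (classic TFTP, RTP) cannot be checked this way.

```python
import errno
import socket

# Ports from the reply above; treating them as TCP is an assumption.
# 5060/5061 are the standard SIP ports (the thread only says "sip").
CUCM_TCP_PORTS = {
    5060: "SIP", 5061: "SIP over TLS",
    6969: "TFTP locator", 6970: "TFTP locator",
    80: "web", 443: "web", 8080: "web", 8443: "web",
}


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'error:<errno>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # A reset came back: the path is permitted but nothing listens there
        # (or a device in between rejects with a reset).
        return "refused"
    except (socket.timeout, TimeoutError):
        # No answer at all: typically a firewall silently dropping the SYN.
        return "filtered"
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def check_cucm_ports(host, ports=CUCM_TCP_PORTS, timeout=3.0):
    """Probe every port; return {port: (label, state)} in port order."""
    return {p: (label, probe_tcp(host, p, timeout))
            for p, label in sorted(ports.items())}


def not_open(results):
    """Ports that did not complete a handshake: candidates for a missing rule."""
    return [p for p, (_, state) in results.items() if state != "open"]


if __name__ == "__main__":
    import sys
    cucm = sys.argv[1]  # CUCM address, supplied by the operator
    results = check_cucm_ports(cucm)
    for port, (label, state) in results.items():
        print(f"{port:>5}/tcp  {label:<13} {state}")
    print("check firewall rules for:", not_open(results))
```

A "filtered" result while the firewall hit counter for that port stays flat points at the remote ASA or the tunnel; "filtered" with the counter incrementing points at the return path.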

Hi Ronald, Do you have a point to point VPN between the branch ASA and the headquarters firewall? If you have an IPsec tunnel with a split tunnel with the CUCM added, you could have communication with your CUCM from the branch. You can try registering an IP Communicator first. Regards.