Cisco Support Community
Community Member

Issues with Phone registration at remote site through ipsec tunnel

I'm having a bizarre phone registration issue that TAC is not able to understand , and i'm hoping someone may have ran into the same issue.

I have a Call Manager 7.0.1 server in location A, running in production, with 40 odd phones registered to it fine, everything is working properly.. We have Location B (Remote Site) which we want phones to register on our Call Manager in Location A. Between the sites we have an IPSEC Tunnel running over a netscreen ssg5 and a netscreen 25. I have a separate vlan for voice traffic set at the remote office on the dhcp server, and the phone gets an ip fine, points to the tftp of the call manager here, downloads its' locale and ofhter data,, get's an auto registration DN from our call manager, but then just unregisters itself, with error 'DNS UNKNOWN HOST' . I've confirmed all dns entries for the call managers are correct, and we've even changed the information on the call managers from name to ip ... still no go... i've attached a network diagram(fake ip's) and the console log of the phone and status messages.. hopefully someone can help me out here as i'm at a loss

The problem phone is a 7945, however i've tried with a 7965 at the same location and it has not worked either. IIf, however I install cisco IP communicator on a pc that's on that 3750 switch, it register's fine and functions properly.. (Tried switching the voice vlan of the phones themselves to vlan 1 when noticed the ip communicator worked, however it made no difference)(

The phone registration status on the call manager stays in 'Unknown' status.. And the phone itself has the incorrect time on the display and that's it.. no DN or anything else.

Cisco Employee

Re: Issues with Phone registration at remote site through ipsec


What is the firmware on the phones in the remote location? Is it the same as the one in CUCM? If not, can you confirm that the IP Phones are able to upgrade the firmware.

Also, can you get a sniffer from the switchport span of one of the IP Phone experiencing this issue.

As for DNS, after changing the System>Server entry from hostname to IP address, did you restart the tftp? If not please restart tftp and callmanager service.


Community Member

Re: Issues with Phone registration at remote site through ipsec

I do have a sniffer trace here but am reluctant to post on public forums as ip's are exposed... I will attempt to restart the tftp and call manager service but i'm pretty sure that I restarted the tftp service... If i restart the call manager service as part of a production day what will happen?

Cisco Employee

Re: Issues with Phone registration at remote site through ipsec

Restarting CM will causing your devices to failover and failback. So I would not recommend restarting CUCM during business hours. TFTP restart will not cause any issues.

As for sniffer, I understand your concern. How about this, open the sniffer and filter for the IP of the primary CUCM and the TFTP server. Make sure that tftp download by the phone completes.

Once that is done, you should see a skinny register msg from the phone to the CUCM. plz confirm that the register msg is sent to CUCM and CUCM responds back to it.

So 2 possible issues,

1. TFTP download by the phone is not compeleting and so evetually phone gives up and is attempting to use its old config which causes it to not register.

2. TFTP works but phone registration does not complete, as in either phones does not send register to CUCM or CUCM does not respond back. In which case you will have to look at the CUCM traces.

Also, please ensure that you don't have NAT in this flow. if you do, that could explain some issues as the config file from CUCM will have internal IP which the remote location cannot reach.


Community Member

Re: Issues with Phone registration at remote site through ipsec

Hi Pathispax,

did you solve the issue?

I'have almnost the same problem.



CreatePlease to create content