cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
691
Views
0
Helpful
1
Replies

Phone VPN - Java / XML Services Not Working

Steven Griffin
Level 4
Level 4

Everyone,

I have a CUCM 8.0(3) cluster with PhoneVPN enabled. 

The ASA 5510 hosting the AnyConnect VPN service is running 8.3(2).

The 7975G phone using the VPN client is running 9.0(3) software.

FYI, the 7975G phone connects up just fine to the AnyConnect service on the  ASA and we can call to/from other phones, the PSTN, and access the  Voicemail TUI.

The issue I am having is that the XML and/or Java Midlet services on the  phone are not working outside of the corporate directory. I've configured  Extension Mobility and Visual Voicemail and neither seem to work.  Extension  Mobility says that the logon server is unavailable and Visual Voicemail just  doesn't work at all and the user ends up default dialing into the TUI.  I should  mention at this point that if the phone is brought on-net, Extension Mobilty and  Visual Voicemail work correctly.

What is strange is that the Enterprise services of Corporate Directory and  Regular Voicemail seem to work just fine. It is only the 'subscribed' services  that do not work which may be an important point (or not). In the Security Guide  for CUCM 8.0(2) section for Configuring Virtual Private Networks section says,  "VPN tunnel only applies to voice and IP phone services" so  I must assume it 'should' work.

Has anyone else had this issue?  I cannot find a bugid in the CCO online  database or any other reference to this issue in other forums.

Troubleshooting steps I've tried so far:

  • Was it a DNS issue? Not as far as I can tell. I've tried hard-coding the IP  address instead of the hostname of the CUCM or CUC server and it still gives the  same errors.  FYI, the phone is getting a domain name and corporate DNS servers  in its VPN based DHCP offering from the ASA.

  • Was it a routing issue?  No, I can ping the phone from the CUCM or CUC  server.  The phone can register with CUCM and dial into the TUI of Unity  Connection.

  • Is the CUCM/ASA configured incorrectly?  Not as far as I can tell. I am not  doing split-tunneling (it was explicitly mentioned NOT to do this) nor am I  filtering any traffic. I don't see any NAT issues or other firewall 'deny'  messages in the logs.

I am a bit befuddled, any insights or help would be much appreciated.

-Steven

Please help us make the communities better. Rate helpful posts!
1 Reply 1

Joseph Martini
Cisco Employee
Cisco Employee


What I would do next if I were you would be to take a packet capture from the inside of the ASA and filter on the inside IP address of the phone.  Press the directories button and then press the services button and try and select a service.  It would be interesting to see if the phone is sending out the request over the VPN poreperly.  This might be localized to the phone, but if we can confirm that then we can check into if this is the expected behavior or not.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: