I have a CUCM 8.0(3) cluster with PhoneVPN enabled.
The ASA 5510 hosting the AnyConnect VPN service is running 8.3(2).
The 7975G phone using the VPN client is running 9.0(3) software.
FYI, the 7975G phone connects up just fine to the AnyConnect service on the ASA and we can call to/from other phones, the PSTN, and access the Voicemail TUI.
The issue I am having is that the XML and/or Java Midlet services on the phone are not working outside of the corporate directory. I've configured Extension Mobility and Visual Voicemail and neither seems to work. Extension Mobility says that the logon server is unavailable and Visual Voicemail just doesn't work at all and the user ends up default dialing into the TUI. I should mention at this point that if the phone is brought on-net, Extension Mobility and Visual Voicemail work correctly.
What is strange is that the Enterprise services of Corporate Directory and Regular Voicemail seem to work just fine. It is only the 'subscribed' services that do not work, which may be an important point (or not). The Configuring Virtual Private Networks section of the Security Guide for CUCM 8.0(2) says, "VPN tunnel only applies to voice and IP phone services" so I must assume it 'should' work.
Has anyone else had this issue? I cannot find a bugid in the CCO online database or any other reference to this issue in other forums.
Troubleshooting steps I've tried so far:
Was it a DNS issue? Not as far as I can tell. I've tried hard-coding the IP address instead of the hostname of the CUCM or CUC server and it still gives the same errors. FYI, the phone is getting a domain name and corporate DNS servers in its VPN-based DHCP offering from the ASA.
Was it a routing issue? No, I can ping the phone from the CUCM or CUC server. The phone can register with CUCM and dial into the TUI of Unity Connection.
Is the CUCM/ASA configured incorrectly? Not as far as I can tell. I am not doing split-tunneling (it was explicitly mentioned NOT to do this) nor am I filtering any traffic. I don't see any NAT issues or other firewall 'deny' messages in the logs.
I am a bit befuddled, any insights or help would be much appreciated.
What I would do next if I were you would be to take a packet capture from the inside of the ASA and filter on the inside IP address of the phone. Press the directories button and then press the services button and try to select a service. It would be interesting to see if the phone is sending out the request over the VPN properly. This might be localized to the phone, but if we can confirm that then we can check into whether this is the expected behavior or not.