I currently have an ASA 5510 with remote VPN phones authenticating via certificates. It has been working well, but now I need to change certificate vendors. I have the new certificate loaded in Callmanager, applied to the VPN profile, and installed on the ASA. However, it doesn't look like the current remote phones get the new certificate while connected via VPN. A test phone that I had inside my site and then moved to VPN seems to be working fine with the new certificate.
I installed the new certificate in Callmanager, applied it to the VPN profile, etc., then reset all of the remote phones, thinking that would trigger them to get the new certificate hash. But that doesn't seem to work. After switching the cert on the ASA, those phones can't connect until I switch back to the old cert.
Is there something special I need to do to get the new certificate on the currently connected VPN phones? Do I need to bring them back in house? I can't imagine that being the case but figured I would ask. Some of these phones are hundreds of miles away.
Thanks for the reply. I have all of the certs added properly and MIC imported into ASA. I have several remote phones online now. Will those remote phones NOT pull down new certificates even though they are connected now?
I figured out my own problem. Hopefully it helps someone someday.
My remote phones are not getting a TFTP server in their DHCP request. The ASA is giving them IPs when they connect to the VPN, but the TFTP server is blank. I set the Alternate TFTP server to YES and put in the inside IP address of my Callmanager server. Now I just need to figure out how to add the TFTP on my ASA when it hands out IPs. For some reason, entering it on the command line didn't work. It is giving addresses from the group policy address pools.