01-27-2012 02:24 PM - edited 03-19-2019 04:18 AM
I have a TAC case going, but they have so far been of very little use. We are trying to get an iPhone to connect to CUMA. We have an ASA 8.2, and CUMA 7.1.3. GeoTrust certificate on the outside, self-signed certs configured per the docs. I ran a capture and can see 2-way communications between the phone, ASA, and server on port 5443.
The iPhone gives error 1213 after a delay during verifying. From the iPhone console,
Jan 27 15:59:17 unknown Cisco Mobile[3422] <Warning>: ERROR: Error Domain=UMCOraErrorDomain Code=1213 "Cisco Mobile experienced a problem connecting to server." UserInfo=0x312e40 {NSLocalizedDescription=Cisco Mobile experienced a problem connecting to server.}
A debug of all cry ca shows
CRYPTO_PKI(Cert Lookup) issuer="cn=GeoTrust DV SSL CA,ou=Domain Validated SSL,o=GeoTrust Inc.,c=US" serial number=
CRYPTO_PKI: looking for cert in handle=d75da4a0, digest=
1f 44 3b 81 a0 1e 39 62 44 3d 50 63 59 ce 4a 2c | .D;...9bD=PcY.J,
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_CA: certificate not found
CRYPTO_PKI(Cert Lookup) issuer="cn=GeoTrust DV SSL CA,ou=Domain Validated SSL,o=GeoTrust Inc.,c=US" serial number=03 f0 | ...
I have every root certificate GeoTrust lists in the ASA too.
Is this a cert issue, ASA issue or a server issue?
Does the ASA need to have UC Phone Proxy licenses installed beyond the 2 that it comes with for it to work?
02-09-2012 11:22 AM
Phone Proxy is different. TLS Proxy is used in this case. Maybe the iPhone is not able to resolve the FQDN or CN of the cert installed on the outside interface of the ASA. Please make sure it is resolved. Also the domain name on CUMA has the right domain name from ASA outside.
Extremely useful step-by-step:
https://supportforums.cisco.com/docs/DOC-8402
Official Guide:
02-09-2012 11:29 AM
The certificates are OK, I had TAC look at them and I got them corrected, found a name mismatch on the ASA to CUMA cert. The iPhone is talking to the CUMA server, I can see it in a capture, but it never uses any other port than 5443, and from what I can tell, the server is looking for something from the phone, or vice versa. It looks like one packet gets repeated before the phone times out.
I'm starting to think the problem lies beyond the ASA and is in the CUCM realm that is preventing it from working. I did find out CUMA uses the UC Proxy license, but since there are 2 available for testing, that shouldn't be a factor, that and if it was, there would be an error generated when the licenses are in use.
We did get Jabber working finally, turns out to be a networking problem with the iPhone's VPN, need to tunnel all traffic for it to work correctly.
02-09-2012 11:31 AM
Great to hear all is working now!