Cisco 7945g over site to site vpn not registering

Route->This Member Posts: 32
Not sure which forum to post this in, Security or Voice, but I established a site-to-site VPN between an ASA and an 1841 at the remote site. I am having trouble registering the 7945 located at the remote site to HQ. This phone was originally registered on site with the CME to make sure it worked before it went out to the remote site.

HQ: 10.10.10.0/VOICE, 192.168.2.0/DATA
REMOTE: 192.168.100.0/Data, 192.168.110.0/voice
2911/CME --> ASA(8.4.7) ---> S2S VPN ---> 1841(15.1)
CME ADDRESS 10.10.10.1

The tunnel is established and I can ping internal hosts on both sides. The TFTP request from the phone at the remote site is reaching the CME at HQ, as seen with the debug tftp events command.

This is the output on the HQ CME router when it receives a request from the remote phone for the TFTP files.

ROUTER-2911#
004956: Aug 24 22:22:21.515: TFTP: Looking for CTLSEP00215554FF51.tlv
004957: Aug 24 22:22:21.611: TFTP: Looking for ITLSEP00215554FF51.tlv
004958: Aug 24 22:22:21.711: TFTP: Looking for ITLFile.tlv
004959: Aug 24 22:22:21.967: TFTP: Looking for SEP00215554FF51.cnf.xml
004960: Aug 24 22:22:21.971: TFTP: Opened flash:/its/vrf1/SEP00215554FF51.cnf.xml, fd 4, size 1728 for process 115
004961: Aug 24 22:22:22.071: TFTP: Finished flash:/its/vrf1/SEP00215554FF51.cnf.xml, time 00:00:00 for process 115
ROUTER-2911#
004962: Aug 24 22:22:23.587: TFTP: Looking for English_United_States/be-sccp.jar
004963: Aug 24 22:22:23.911: TFTP: Looking for United_States/g3-tones.xml
ROUTER-2911#

REMOTE1841#SH cdp nei det
Device ID: SEP00215554FF51
Entry address(es):
IP address: 192.168.110.20
Platform: Cisco IP Phone 7945, Capabilities: Host Two-port Mac Relay
Interface: FastEthernet0/0/1, Port ID (outgoing port): Port 1
Holdtime : 176 sec

Version :
SCCP45.9-2-1S

advertisement version: 2
Duplex: full
Power drawn: 12.000 Watts

REMOTE1841#

ROUTER-2911#ping 192.168.110.20 source 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.110.20, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/28 ms
ROUTER-2911#

REMOTE1841#ping 10.10.10.1 source vlan 110
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.110.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/32 ms
REMOTE1841#

It shows that there is connectivity between the CME and phone both ways.

These are the load files under telephony-service on the 2911:
load 7921 CP7921G-1.0.1
load 7945 SCCP45.9-2-1S
load 7965 SCCP45.9-2-1S

tftp-server flash0:/Phone/7945_7965/apps45.9-2-1TH1-13.sbn alias apps45.9-2-1TH1-13.sbn
tftp-server flash0:/Phone/7945_7965/cnu45.9-2-1TH1-13.sbn alias cnu45.9-2-1TH1-13.sbn
tftp-server flash0:/Phone/7945_7965/cvm45sccp.9-2-1TH1-13.sbn alias cvm45sccp.9-2-1TH1-13.sbn
tftp-server flash0:/Phone/7945_7965/dsp45.9-2-1TH1-13.sbn alias dsp45.9-2-1TH1-13.sbn
tftp-server flash0:/Phone/7945_7965/jar45sccp.9-2-1TH1-13.sbn alias jar45sccp.9-2-1TH1-13.sbn
tftp-server flash0:/Phone/7945_7965/SCCP45.9-2-1S.loads alias SCCP45.9-2-1S.loads
tftp-server flash0:/Phone/7945_7965/term45.default.loads alias term45.default.loads
tftp-server flash0:/Phone/7945_7965/term65.default.loads
tftp-server flash0:/Phone/7945_7965/term65.default.loads alias term65.default.loads

I doubt it has anything to do with the load file or tftp-server entry, because this phone registered and worked perfectly fine when it was on site with the CME.

Does anyone have any experience setting up site-to-site VPNs while sending voice/TFTP traffic through?

Comments

  • negru_tudor Member Posts: 473
    What does the phone's display at the remote site look like? How is it behaving?

    Do you have auto registration enabled on the CME router? If not, you might want to double check that you haven't removed the ephone configuration from the CME database/config...phone might be getting denied registration due to its MAC address not being configured under any ephone. Just a thought.

    EDIT: another thing to check is make sure port 2000 (default for SCCP or whatever port you've set under the telephony-service, ip source-address) is allowed across the VPN. If it's not, your skinny phone won't register.
    2017-2018 goals:
    [X] CIPTV2 300-075
    [ ] SIP School SSCA
    [X] CCNP Switch 300-115 [X] CCNP Route 300-101 [X] CCNP Tshoot 300-135
    [ ] LPIC1-101 [ ] LPIC1-102 (wishful thinking)
  • negru_tudor Member Posts: 473
    Route->This: Just curious, did you manage to fix this? What was the problem in the end if so?
  • Route->This Member Posts: 32
    Hey buddy, sorry, I've been a bit too backed up to update this post. When I originally configured that CME router 2 years ago, I set the ip source-address as the loopback interface IP address of 1.x.x.x as per "best practice". The voice VLAN was on 10.10.10.0/network, option 150 10.10.10.1.

    I figured the differing ip source-address wasn't impacting anything because my AnyConnect clients work perfectly registering with that option 150 address. I figured since the VPN only had the ranges of the data 10.x.x.x and 192.x.x.x network allowed, it wasn't sending traffic for the 1.x.x.x source interface. I added the current ip source-address to the interesting traffic for both sides; it still didn't work. I thought, for kicks, to change the ip source-address to 10.10.10.1 and see if anything happens. Sure enough, it registered immediately.
  • negru_tudor Member Posts: 473
    Cool! Good to hear you've solved it!
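A check for the mismatch this thread ends on, as an added example that is not part of any poster's message: the phone downloads its config from the option 150 address but opens SCCP (port 2000 by default) to the telephony-service ip source-address, so both destinations have to match the tunnel's interesting traffic. The crypto ACL below is constructed, and 198.51.100.1 is a placeholder standing in for the loopback address the thread elides.

```python
import ipaddress
import re

# Constructed crypto ACL for the remote router. The ACL number and the
# loopback stand-in 198.51.100.1 are placeholders, not values from the thread.
CRYPTO_ACL = """\
access-list 110 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.110.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
ACE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_crypto_acl(text):
    """Return (source, destination) networks for each 'net wildcard' ACE."""
    acl = []
    for src, src_wc, dst, dst_wc in ACE.findall(text):
        # ipaddress reads a mask starting with 0 as a wildcard (host mask).
        acl.append((ipaddress.ip_network(f"{src}/{src_wc}"),
                    ipaddress.ip_network(f"{dst}/{dst_wc}")))
    return acl


def uncovered_flows(acl, phone_ip, option150, sccp_source):
    """Name the phone-to-CME flows that no ACE sends into the tunnel."""
    flows = [
        ("TFTP udp/69 to option 150", option150),
        ("SCCP tcp/2000 to ip source-address", sccp_source),
    ]
    phone = ipaddress.ip_address(phone_ip)
    missing = []
    for name, dst in flows:
        target = ipaddress.ip_address(dst)
        if not any(phone in s and target in d for s, d in acl):
            missing.append(name)
    return missing


if __name__ == "__main__":
    acl = parse_crypto_acl(CRYPTO_ACL)
    for source in ("198.51.100.1", "10.10.10.1"):
        gaps = uncovered_flows(acl, "192.168.110.20", "10.10.10.1", source)
        print(f"ip source-address {source}: {gaps or 'all flows covered'}")
```

A matching entry is necessary but not sufficient: the other peer needs the mirrored entry and both ends need a route to the address.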