  1. Member
    Join Date
    Nov 2013
    Posts
    32
    #1

    Cisco 7945g over site to site vpn not registering

    Not sure which forum to post this in, Security or Voice. But I established a site to site VPN between an ASA and 1841 at the remote site. I am having trouble registering the 7945 located at the remote site to HQ. This phone was originally registered on site with the CME to make sure it worked before it went out to the remote site.

    HQ                                                          REMOTE
    10.10.10.0/VOICE  2911/CME-->ASA(8.4.7)--->S2S VPN------> 1841(15.1)  192.168.100.0/Data
    192.168.2.0/DATA                                                       192.168.110.0/voice
    CME ADDRESS 10.10.10.1

    The tunnel is established and I can ping internal hosts at both sides. The TFTP request from the phone at the remote site is reaching the CME at HQ, as seen with the debug tftp events command.

    This is the output on the HQ CME router when it receives a request from the remote phone for the TFTP files.

    ROUTER-2911#
    004956: Aug 24 22:22:21.515: TFTP: Looking for CTLSEP00215554FF51.tlv
    004957: Aug 24 22:22:21.611: TFTP: Looking for ITLSEP00215554FF51.tlv
    004958: Aug 24 22:22:21.711: TFTP: Looking for ITLFile.tlv
    004959: Aug 24 22:22:21.967: TFTP: Looking for SEP00215554FF51.cnf.xml
    004960: Aug 24 22:22:21.971: TFTP: Opened flash:/its/vrf1/SEP00215554FF51.cnf.xml, fd 4, size 1728 for process 115
    004961: Aug 24 22:22:22.071: TFTP: Finished flash:/its/vrf1/SEP00215554FF51.cnf.xml, time 00:00:00 for process 115
    ROUTER-2911#
    004962: Aug 24 22:22:23.587: TFTP: Looking for English_United_States/be-sccp.jar
    004963: Aug 24 22:22:23.911: TFTP: Looking for United_States/g3-tones.xml
    ROUTER-2911#

    REMOTE1841#SH cdp nei det
    -------------------------
    Device ID: SEP00215554FF51
    Entry address(es):
    IP address: 192.168.110.20
    Platform: Cisco IP Phone 7945, Capabilities: Host Two-port Mac Relay
    Interface: FastEthernet0/0/1, Port ID (outgoing port): Port 1
    Holdtime : 176 sec

    Version :
    SCCP45.9-2-1S

    advertisement version: 2
    Duplex: full
    Power drawn: 12.000 Watts

    REMOTE1841#

    ROUTER-2911#ping 192.168.110.20 source 10.10.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.110.20, timeout is 2 seconds:
    Packet sent with a source address of 10.10.10.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/28 ms
    ROUTER-2911#

    REMOTE1841#ping 10.10.10.1 source vlan 110
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.110.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/32 ms
    REMOTE1841#

    It shows that there is connectivity between the CME and phone both ways.

    These are the load files under telephony-service in the 2911
    load 7921 CP7921G-1.0.1
    load 7945 SCCP45.9-2-1S
    load 7965 SCCP45.9-2-1S

    tftp-server flash0:/Phone/7945_7965/apps45.9-2-1TH1-13.sbn alias apps45.9-2-1TH1-13.sbn
    tftp-server flash0:/Phone/7945_7965/cnu45.9-2-1TH1-13.sbn alias cnu45.9-2-1TH1-13.sbn
    tftp-server flash0:/Phone/7945_7965/cvm45sccp.9-2-1TH1-13.sbn alias cvm45sccp.9-2-1TH1-13.sbn
    tftp-server flash0:/Phone/7945_7965/dsp45.9-2-1TH1-13.sbn alias dsp45.9-2-1TH1-13.sbn
    tftp-server flash0:/Phone/7945_7965/jar45sccp.9-2-1TH1-13.sbn alias jar45sccp.9-2-1TH1-13.sbn
    tftp-server flash0:/Phone/7945_7965/SCCP45.9-2-1S.loads alias SCCP45.9-2-1S.loads
    tftp-server flash0:/Phone/7945_7965/term45.default.loads alias term45.default.loads
    tftp-server flash0:/Phone/7945_7965/term65.default.loads
    tftp-server flash0:/Phone/7945_7965/term65.default.loads alias term65.default.loads

    I doubt it has to do anything with the load file or tftp-server entry because this phone registered and worked perfectly fine when it was on site with the CME.

    Does anyone have any experience setting up site to site VPNs while sending voice/TFTP traffic through?
    Last edited by Route->This; 08-25-2015 at 02:36 AM.

  3. Senior Member
    Join Date
    Jan 2015
    Location
    Cluj-Napoca, RO
    Posts
    302

    Certifications
    Several (ITIL, Avaya, ShoreTel, Cisco)
    #2
    What does the phone's display at the remote site look like? How is it behaving?

    Do you have auto registration enabled on the CME router? If not, you might want to double check that you haven't removed the ephone configuration from the CME database/config...phone might be getting denied registration due to its MAC address not being configured under any ephone. Just a thought.

    EDIT: another thing to check is make sure port 2000 (default for SCCP or whatever port you've set under the telephony-service, ip source-address) is allowed across the VPN. If it's not, your skinny phone won't register.
    Last edited by negru_tudor; 08-25-2015 at 09:37 AM.

  4. Senior Member
    Join Date
    Jan 2015
    Location
    Cluj-Napoca, RO
    Posts
    302

    Certifications
    Several (ITIL, Avaya, ShoreTel, Cisco)
    #3
    @Route->This: Just curious, did you manage to fix this? What was the problem in the end if so?

  5. Member
    Join Date
    Nov 2013
    Posts
    32
    #4
    Hey buddy, sorry, I've been a bit backed up to update this post. When I originally configured that CME router 2 years ago, I set the ip source address as the loopback interface IP address of 1.x.x.x as per "best practice". The voice VLAN was on 10.10.10.0/network, option 150 10.10.10.1.

    I figured the differing ip source address wasn't impacting anything because my AnyConnect clients work perfectly registering with that option 150 address. I figured since the VPN only had the ranges of the data 10.x.x.x and 192.x.x.x network allowed, it wasn't sending traffic for the 1.x.x.x source interface. I added the current ip source address in the interesting traffic for both sides; still didn't work. I thought for kicks to change the ip source address to 10.10.10.1 and see if anything happens. Surely it registered immediately.
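Added example, not part of the thread or any poster's code: a small check of whether each flow the remote phone needs (TFTP to the option 150 address, SCCP to the call manager address in its config file) falls inside the tunnel's interesting traffic. It assumes the phone registers to the `processNodeName` in its `SEP<MAC>.cnf.xml` and that CME fills that field from `ip source-address`; the XML sample, the /24 masks and the `1.1.1.1` loopback (standing in for the post's elided 1.x.x.x) are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, trimmed SEP<MAC>.cnf.xml; 1.1.1.1 stands in for the elided loopback.
SAMPLE_CNF = """<device><devicePool><callManagerGroup><members>
  <member priority="0"><callManager>
    <ports><ethernetPhonePort>2000</ethernetPhonePort></ports>
    <processNodeName>1.1.1.1</processNodeName>
  </callManager></member>
</members></callManagerGroup></devicePool></device>"""

# Constructed interesting-traffic pairs (remote side, HQ side); /24 masks assumed.
PROTECTED = [
    ("192.168.110.0/24", "10.10.10.0/24"),
    ("192.168.110.0/24", "192.168.2.0/24"),
    ("192.168.100.0/24", "10.10.10.0/24"),
    ("192.168.100.0/24", "192.168.2.0/24"),
]

def signalling_targets(cnf_xml):
    """Return (host, port) for every call manager listed in the phone config."""
    targets = []
    for cm in ET.fromstring(cnf_xml).iter("callManager"):
        host = (cm.findtext("processNodeName") or "").strip()
        port = cm.findtext("ports/ethernetPhonePort")
        if host:
            targets.append((host, int(port) if port else 2000))
    return targets

def covered(src, dst, pairs):
    """True if src->dst matches a protected pair; hostnames count as not covered."""
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in pairs)

def audit(phone_ip, tftp_ip, cnf_xml, pairs):
    """Map each flow the phone needs to whether the tunnel would carry it."""
    flows = {("tftp", tftp_ip, 69): covered(phone_ip, tftp_ip, pairs)}
    for host, port in signalling_targets(cnf_xml):
        flows[("sccp", host, port)] = covered(phone_ip, host, pairs)
    return flows

if __name__ == "__main__":
    for flow, ok in audit("192.168.110.20", "10.10.10.1", SAMPLE_CNF, PROTECTED).items():
        print(flow, "in tunnel" if ok else "NOT in tunnel")
```

With the sample values the TFTP flow is inside the tunnel while the SCCP flow is not, which matches the symptom in the first post: config files are served, but the phone never registers.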

  6. Senior Member
    Join Date
    Jan 2015
    Location
    Cluj-Napoca, RO
    Posts
    302

    Certifications
    Several (ITIL, Avaya, ShoreTel, Cisco)
    #5
    Cool! Good to hear you've solved it!
