Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 48 Configuring the Cisco Phone Proxy

Troubleshooting the Phone Proxy

b. Verify that the list of installed certificates contains all required certificates for the phone proxy. See Table 48-2, Certificates Required by the Security Appliance for the Phone Proxy, for information.

c. Import any missing certificates onto the ASA. See also Importing Certificates from the Cisco UCM, page 48-15.

Step 4

If the steps above fail to resolve the issue, perform the following actions to obtain additional
troubleshooting information for Cisco Support.

a. Enter the following commands to capture additional debugging information for the phone proxy:

hostname# debug inspect tls-proxy error
hostname# show running-config ssl
hostname(config)# show tls-proxy tls_name session host host_addr detail

b. Enable the capture command on the inside and outside interfaces (IP phones and Cisco UCM) to capture packets for packet sniffing and network fault isolation. See the command reference for information.

Problem

The TLS handshake succeeds, but signaling connections are failing.

Solution

Perform the following actions:

Check to see if SIP and Skinny signaling is successful by using the following commands:

debug sip

debug skinny

If the TLS handshake is failing and you receive the following syslog, the SSL encryption method
might not be set correctly:

%ASA-6-725001: Starting SSL handshake with client dmz:171.169.0.2/53097 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725008: SSL client dmz:171.169.0.2/53097 proposes the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-725006: Device failed SSL handshake with dmz client:171.169.0.2/53097

Set the correct ciphers by completing the following procedure:

Step 1

To see the ciphers being used by the phone proxy, enter the following command:

hostname# show run all ssl

Step 2

To add the required ciphers, enter the following command:

hostname(config)# ssl encryption

The default is to have all algorithms available in the following order:

[3des-sha1] [des-sha1] [rc4-md5] [possibly others]

See the command reference for more information about setting ciphers with the ssl encryption
command.
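The cipher mismatch shown in the syslog sequence above can be confirmed from a saved log by comparing the device and client cipher lists. The following is an added example, not part of the Cisco guide; the function name diagnose is hypothetical, and it assumes the messages of one handshake appear contiguously in the log.

```python
import re

# Constructed sample: the syslog sequence quoted in this section.
SAMPLE = """\
%ASA-6-725001: Starting SSL handshake with client dmz:171.169.0.2/53097 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725008: SSL client dmz:171.169.0.2/53097 proposes the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-725006: Device failed SSL handshake with dmz client:171.169.0.2/53097
"""

MSG = re.compile(r"%ASA-\d-(\d{6}): (.*)")
CIPHER = re.compile(r"Cipher\[\d+\] : (\S+)")
PEER = re.compile(r"(\S+:[\d.]+/\d+)")

def diagnose(log_text):
    """Return one finding per handshake that failed with 'no shared cipher'."""
    findings = []
    device, client, current, peer = [], [], None, None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue  # wrapped or unrelated line
        msg_id, body = m.groups()
        if msg_id == "725001":      # handshake start: reset per-session state
            device, client, current = [], [], None
            p = PEER.search(body)
            peer = p.group(1) if p else None
        elif msg_id == "725010":    # device cipher list follows
            current = device
        elif msg_id == "725008":    # client cipher list follows
            current = client
        elif msg_id == "725011" and current is not None:
            c = CIPHER.search(body)
            if c:
                current.append(c.group(1))
        elif msg_id == "725014" and "no shared cipher" in body:
            findings.append({"peer": peer, "device": list(device),
                             "client": list(client),
                             "shared": sorted(set(device) & set(client))})
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f)
```

An empty shared list confirms the mismatch, and the client list shows which ciphers the phone expects the ssl encryption command to allow.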
