Cisco ASA 5505 User Manual

Page 1019

Advertising
background image

48-37

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 48 Configuring the Cisco Phone Proxy

Troubleshooting the Phone Proxy

Make sure that each media-termination instance is created correctly and that the address or addresses are
set correctly. The ASA must meet specific criteria for media termination. See

Media Termination

Instance Prerequisites, page 48-6

for the complete list of prerequisites that you must follow when

creating the media termination instance and configuring the media termination addresses.

IP Phone Registration Failure from Signaling Connections

Problem

The IP phone is unable to complete the TLS handshake with the phone proxy and download its

files using TFTP.

Solution

Step 1

Determine if the TLS handshake is occurring between the phone proxy and the IP phone, perform the
following:

a.

Enable logging with the following command:

hostname(config)# logging buffered debugging

b.

To check the output from the syslogs captured by the logging buffered command, enter the
following command:

hostname# show logging

The syslogs will contain information showing when the IP phone is attempting the TLS handshake,
which happens after the IP phone downloads its configuration file.

Step 2

Determine if the TLS proxy is configured correctly for the phone proxy:

a.

Display all currently running TLS proxy configurations by entering the following command:

hostname# show running-config tls-proxy

tls-proxy proxy

server trust-point _internal_PP_<ctl_file_instance_name>

client ldc issuer ldc_signer

client ldc key-pair phone_common

no client cipher-suite

hostname#

b.

Verify that the output contains the server trust-point command under the tls-proxy command (as
shown in substep

a.

).

If you are missing the server trust-point command, modify the TLS proxy in the phone proxy
configuration.

See Step 3 in the

“Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster”

section on page 48-15

, or Step 3 in the

“Task Flow for Configuring the Phone Proxy in a

Mixed-mode Cisco UCM Cluster” section on page 48-17

.

Having this command missing from the TLS proxy configuration for the phone proxy will cause
TLS handshake failure.

Step 3

Verify that all required certificates are imported into the ASA so that the TLS handshake will succeed.

a.

Determine which certificates are installed on the ASA by entering the following command:

hostname# show running-config crypto

Additionally, determine which certificates are installed on the IP phones. See

Debugging

Information from IP Phones, page 48-31

for information about checking the IP phone to determine

if it has MIC installed on it.

Advertising