This document describes the methodology to troubleshoot IP phone registration to Communications Manager Express (CME) via Secure Sockets Layer (SSL) VPN.
Cisco recommends that you have a basic understanding of security certificates, packet capture tools, and Communications Manager Express.
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
There are two methods to set up SSL VPN between an IP phone on the Internet and CME inside the corporate network.
In both scenarios, establishing SSL VPN between an IP phone on the Internet and the CME consists of similar steps:
In order to verify that the CME has pushed the hash to the IP phone, check the configuration file it generated for the secure phone. In order to simplify this step, you can configure the CME to generate a configuration file per phone and store it in flash:
R009-3945-1(config-telephony)#cnf-file perphone
R009-3945-1(config-telephony)#cnf-file location flash:
To ensure that a new configuration is generated, it is recommended that you recreate the configuration files:
R009-3945-1(config-telephony)#no create cnf-files
CNF files deleted
R009-3945-1(config-telephony)#create cnf-file
Creating CNF files
Open the corresponding configuration file in flash (for an ephone that has a vpn-group configured); near the end of the file content you should see this:
<vpnGroup>
  <enableHostIDCheck>0</enableHostIDCheck>
  <addresses>
    <url1>https://10.201.160.201/SSLVPNphone</url1>
  </addresses>
  <credentials>
    <hashAlg>0</hashAlg>
    <certHash1>fZ2xQHMBcWj/fSoNs5IkPbA2Pt8=</certHash1>
  </credentials>
</vpnGroup>
The certHash1 value is the hash of the VPN headend certificate. When the IP phone receives the certificate from the VPN headend during TLS setup, it expects the hash of that certificate to be the same as the stored hash value. If the IP phone throws a "Bad Certificate" error, a likely cause is that the two hash values do not match.
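As an added illustration that is not part of the original Cisco document, the script below replicates the comparison the phone performs: it reads the vpnGroup section of the CNF file and hashes the DER-encoded headend certificate (for example, the Certificate bytes exported from the capture). It assumes that hashAlg 0 means SHA-1 and that certHash1 is the base64-encoded SHA-1 digest of the DER certificate; the CNF fragment and certificate bytes embedded below are constructed stand-ins, not values from a real phone.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for the <vpnGroup> section of a per-phone CNF file
# (the real file in flash: contains many more elements around it).
SAMPLE_VPN_GROUP = """<vpnGroup>
  <enableHostIDCheck>0</enableHostIDCheck>
  <addresses>
    <url1>https://10.201.160.201/SSLVPNphone</url1>
  </addresses>
  <credentials>
    <hashAlg>0</hashAlg>
    <certHash1>qZk+NkcGgWq6PiVxeFDCbJzQ2J0=</certHash1>
  </credentials>
</vpnGroup>"""

# Constructed stand-in for the DER-encoded headend certificate; with a real
# capture, use the raw Certificate bytes from the TLS handshake instead.
SAMPLE_DER_CERT = b"abc"


def cert_hash_b64(der_cert: bytes) -> str:
    """Assumed phone algorithm for hashAlg 0: SHA-1 over the DER certificate,
    base64 encoded, which is the form certHash1 takes in the CNF file."""
    return base64.b64encode(hashlib.sha1(der_cert).digest()).decode("ascii")


def parse_vpn_group(cnf_xml: str) -> dict:
    """Return the headend URLs, hash algorithm and pushed certificate hashes."""
    root = ET.fromstring(cnf_xml)
    return {
        "urls": [e.text.strip() for e in root.find("addresses") if e.text],
        "hashAlg": root.findtext("credentials/hashAlg", "").strip(),
        "certHashes": [e.text.strip() for e in root.find("credentials")
                       if e.tag.startswith("certHash") and e.text],
    }


def headend_cert_matches(cnf_xml: str, der_cert: bytes) -> bool:
    """Replicate the phone's check: the hash of the presented certificate must
    equal one of the certHashN values that CME pushed to the phone."""
    info = parse_vpn_group(cnf_xml)
    if info["hashAlg"] != "0":
        raise ValueError(f"unsupported hashAlg {info['hashAlg']!r} (assumed 0 = SHA-1)")
    return cert_hash_b64(der_cert) in info["certHashes"]


if __name__ == "__main__":
    print("certificate hash:", cert_hash_b64(SAMPLE_DER_CERT))
    print("matches CNF file:", headend_cert_matches(SAMPLE_VPN_GROUP, SAMPLE_DER_CERT))
```

If the computed hash differs from certHash1, the phone's "Bad Certificate" error is explained by a stale CNF file or a headend certificate that changed after the hash was pushed.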
To verify this, follow these steps to extract the hash value from a packet capture taken between the IP phone and the VPN headend: