Cisco ASA Series Cli Configuration Manual page 1237

Software version 9.0 for the services module

Hide thumbs Also See for ASA Series:

Configuration manual (429 pages)

Getting started (31 pages)

Mount and connect (12 pages)

Table of Contents

Configuring the Cisco Phone Proxy

Verify that the list of installed certificates contains all required certificates for the phone proxy.

information.

Import any missing certificates onto the ASA. See also

If the steps above fail to resolve the issue, perform the following actions to obtain additional

troubleshooting information for Cisco Support.

Enter the following commands to capture additional debugging information for the phone proxy:

hostname# debug inspect tls-proxy error

hostname# show running-config ssl

hostname(config) show tls-proxy tls_name session host host_addr detail

Enable the capture command on the inside and outside interfaces (IP phones and Cisco UCM) to

enable packet capture capabilities for packet sniffing and network fault isolation. See the command

reference for information.

Check to see if SIP and Skinny signaling is successful by using the following commands:

If the TLS handshake is failing and you receive the following syslog, the SSL encryption method

might not be set correctly:

%ASA-6-725001: Starting SSL handshake with client dmz:171.169.0.2/53097 for TLSv1

%ASA-7-725010: Device supports the following 1 cipher(s).

%ASA-7-725011: Cipher[1] : RC4-SHA

%ASA-7-725008: SSL client dmz:171.169.0.2/53097 proposes the following 2 cipher(s).

%ASA-7-725011: Cipher[1] : AES256-SHA

%ASA-7-725011: Cipher[2] : AES128-SHA

%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher

%ASA-6-725006: Device failed SSL handshake with dmz client:171.169.0.2/53097

Set the correct ciphers by completing the following procedure:

To see the ciphers being used by the phone proxy, enter the following command:

hostname# show run all ssl

To add the required ciphers, enter the following command:

hostname(config)# ssl encryption

The default is to have all algorithms available in the following order:

[3des-sha1] [des-sha1] [rc4-md5] [possibly others]

See the command reference for more information about setting ciphers with the ssl encryption

Certificates Required by the Security Appliance for the Phone

The TLS handshake succeeds, but signaling connections are failing.

Perform the following actions:

debug skinny

Troubleshooting the Phone Proxy

Importing Certificates from the Cisco UCM,

Cisco ASA Series CLI Configuration Guide

Show Quick Links

Chapters

Table of Contents

Troubleshooting

Cisco ASA Series Cli Configuration Manual page 1237

Hide quick links:

Chapters

Troubleshooting

Related Manuals for Cisco ASA Series

Related Products for Cisco ASA Series

This manual is also suitable for:

Table of Contents