48-37
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter48 Configuring the Cisco Phone Proxy
Troubleshooting the Phone Proxy
Make sure that each media-termination instance is created correctly and that the address or addresses are
set correctly. The ASA must meet specific criteria for media termination. See Media Termination
Instance Prerequisites, page48-6 for the complete list of prerequisites that you must follow when
creating the media termination instance and configuring the media termination addresses.
IP Phone Registration Failure from Signaling Connections
Problem The IP phone is unable to complete the TLS handshake with the phone proxy and download its
files using TFTP.
Solution
Step1 Determine if the TLS handshake is occurring between the phone proxy and the IP phone, perform the
following:
a. Enable logging with the following command:
hostname(config)# logging buffered debugging
b. To check the output from the syslogs captured by the logging buffered command, enter the
following command:
hostname# show logging
The syslogs will contain information showing when the IP phone is attempting the TLS handshake,
which happens after the IP phone downloads its configuration file.
Step2 Determine if the TLS proxy is configured correctly for the phone proxy:
a. Display all currently running TLS proxy configurations by entering the following command:
hostname# show running-config tls-proxy
tls-proxy proxy
server trust-point _internal_PP_<ctl_file_instance_name>
client ldc issuer ldc_signer
client ldc key-pair phone_common
no client cipher-suite
hostname#
b. Verify that the output contains the server trust-point command under the tls-proxy command (as
shown in substep a.).
If you are missing the server trust-point command, modify the TLS proxy in the phone proxy
configuration.
See Step 3 in the “Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster”
section on page 48-15, or Step3 in the “Task Flow for Configuring the Phone Proxy in a
Mixed-mode Cisco UCM Cluster” section on page48-17.
Having this command missing from the TLS proxy configuration for the phone proxy will cause
TLS handshake failure.
Step3 Verify that all required certificates are imported into the ASA so that the TLS handshake will succeed.
a. Determine which certificates are installed on the ASA by entering the following command:
hostname# show running-config crypto
Additionally, determine which certificates are installed on the IP phones. See Debugging
Information from IP Phones, page48-31 for information about checking the IP phone to determine
if it has MIC installed on it.