48-38
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter48 Configuring the Cisco Phone Proxy
Troubleshooting the Phone Proxy
b. Verify that the list of installed certificates contains all required certificates for the phone proxy.
See Table 4 8-2, Certificates Required by the Security Appliance for the Phone Proxy, for
information.
c. Import any missing certificates onto the ASA. See also Importing Certificates from the Cisco UCM,
page 48-15.
Step4 If the steps above fail to resolve the issue, perform the following actions to obtain additional
troubleshooting information for Cisco Support.
a. Enter the following commands to capture additional debugging information for the phone proxy:
hostname# debug inspect tls-proxy error
hostname# show running-config ssl
hostname(config) show tls-proxy tls_name session host host_addr detail
b. Enable the capture command on the inside and outside interfaces (IP phones and Cisco UCM) to
enable packet capture capabilities for packet sniffing and network fault isolation. See the command
reference for information.
Problem The TLS handshake succeeds, but signaling connections are failing.
Solution Perform the following actions:
Check to see if SIP and Skinny signaling is successful by using the following commands:
debug sip
debug skinny
If the TLS handshake is failing and you receive the following syslog, the SSL encryption method
might not be set correctly:
%ASA-6-725001: Starting SSL handshake with client dmz:171.169.0.2/53097 for TLSv1
session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725008: SSL client dmz:171.169.0.2/53097 proposes the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-725006: Device failed SSL handshake with dmz client:171.169.0.2/53097
Set the correct ciphers by completing the following procedure:
Step1 To see the ciphers being used by the phone proxy, enter the following command:
hostname# show run all ssl
Step2 To add the required ciphers, enter the following command:
hostname(config)# ssl encryption
The default is to have all algorithms available in the following order:
[3des-sha1] [des-sha1] [rc4-md5] [possibly others]
See the command reference for more information about setting ciphers with the ssl encryption
command.