Hello. I have managed to get our 5610 IP phones connected over VPN by way of our Cisco ASA. We have IP Office 500 and the few VPN-enabled 5610's we have had in use for a few years seem to have been doing fine until we added ~10 more 5610's. Now, all the phones are getting "bumped" off VPN frequently. At the same time, Cisco Client VPN users have been experiencing IP address conflict messages when connecting their laptops to the same ASA firewall. When I view my ASA, I see the local IP addresses assigned to the Cisco Clients on the laptops; I see no addresses assigned (or at least reported) for the VPN phones (I can tell they are phones since they are using a differently named but identical profile). All this leads me to believe the 5610's are receiving an IP address but the ASA firewall is not registering/logging the associations. Therefore, the ASA mistakenly redistributes an IP that is already in use by a 5610 and thereby causes it to either not communicate or get bumped off of VPN when someone else receives it.
I have recently created a different pool for the 5610's since they do not disconnect/reconnect as frequently as the laptop clients. This seems to have minimized the "bumping" of the VPN phones. I may even create a separate VPN profile and associated pool on my firewall for each VPN phone: Each phone will be assigned their own personal pool of 2 IP addresses. I am choosing 2 since I have optioned to hold an IP address for 5 minutes before redistributing and, if any problems occur, then at least each phone will have another IP address to pick up rather than wait 5 minutes. However, this method, though assuring of no IP conflicts whatsoever, will add a lot of overhead to my firewall's config, let alone add much to administration.
With all that said, can anyone recommend another, more preferred way of alleviating IP address conflicts with the 5610 VPN phones? Perhaps I missed something in setting up the phones? I think I must have since this seems as if it would be quite a problem across the board with folks.
Your thoughts are much appreciated. Thanks!