Cisco Systems ASA 5555-X Network Router User Manual
16-40
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 16 Configuring the Cisco Phone Proxy
Troubleshooting the Phone Proxy
SSL Handshake Failure
Problem The phone proxy is not functioning. Initial troubleshooting uncovered the following errors in the ASA syslogs:
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl handshake failure
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-6-725006: Device failed SSL handshake with outside client:72.146.123.158/30519
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 62D06172000000143FCC, subject name: cn=CP-7962G-SEP002155554502,ou=EVVBU,o=Cisco Systems Inc.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
Solution Verify that all required certificates are imported into the ASA so that the TLS handshake will succeed.
Step 1 Determine which certificates are installed on the ASA by entering the following command:
hostname# show running-config crypto
Additionally, determine which certificates are installed on the IP phones. See Debugging Information from IP Phones, page 16-32, for information about checking whether an IP phone has a MIC installed.
Step 2 Verify that the list of installed certificates contains all required certificates for the phone proxy.
See Table 16-2, Certificates Required by the Security Appliance for the Phone Proxy, for
information.
Step 3 Import any missing certificates onto the ASA. See also Importing Certificates from the Cisco UCM,
page 16-15.
Problem The phone proxy is not functioning. Initial troubleshooting uncovered the following errors in the ASA syslogs:
%ASA-6-725001: Starting SSL handshake with client dmz:171.169.0.2/53097 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725008: SSL client dmz:171.169.0.2/53097 proposes the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-725006: Device failed SSL handshake with dmz client:171.169.0.2/53097
Solution The SSL encryption method might not be set correctly. Set the correct ciphers by completing the following procedure:
Step 1 To see the ciphers being used by the phone proxy, enter the following command:
hostname# show run all ssl
Step 2 To add the required ciphers, enter the following command:
hostname(config)# ssl encryption
The default is to have all algorithms available in the following order: