I've had a TAC logged since May 2015. I've mentioned it on here. Just had word that the field notice is now raised. I also notice that there is a workaround listed in the FN, which I was not aware of before.
In short, Cisco have made a change to the SSL VPN component in Cisco IOS routers. The change now expects the endpoint to send a DTLS request packet. The Cisco IP phones which have AnyConnect VPN integrated in the phone itself (such as the 8945, 9971, etc.) do not support sending this header type, and so they connect successfully but fall back to VPN over TCP/443 instead of establishing a UDP/443 connection.
Field notice: http://www.cisco.com/c/en/us/support/docs/field-notices/641/fn64138.html
The risk, and hence the TAC case, is that in one of my sites the firewall is also the IOS SSL VPN server. So if I cannot update the IOS to mitigate security vulnerabilities because it breaks the phones, then it leaves my backdoor wide open and fully in the air, waving about, like an invitation of some kind. :barf:
Is this the one where you had to constantly ping the phone for it to work?
Quote from: deanwebb on July 11, 2016, 08:23:49 AM
Is this the one where you had to constantly ping the phone for it to work?
No, that one strangely looks like the issue is my ISP home router and I've been meaning to go buy another home router but not got round to it yet.
This one is where a remote IP phone will stay registered but VoIP quality is dire. The FN lists that the phones do other weird things and are not usable. The reason for this is that the phone has not established a UDP VPN connection. Therefore VoIP runs over TCP.
VoIP over TCP?
Yeeeeuuurrrrrgh
:barf:
Quote from: deanwebb on July 12, 2016, 10:25:16 AM
VoIP over TCP?
Yeeeeuuurrrrrgh
When your call absolutely, positively must go through....