This document explains the procedure to migrate a VPN phone to a different call manager and ASA without taking the phone to the office.
As per the Cisco documents, we cannot make VPN configuration changes to the phone when the phone is outside of the corporate network. But sometimes the user might be in a remote location and cannot connect to the corporate network.
This document will help you solve that problem. This is a tested procedure.
It assumes that a new ASA and a new call manager have been installed with different IP addresses and that the phone needs to connect to these new devices.
Step 1: Export the Certificate from the Old ASA and Import it to the New ASA.
Use the command below on the old ASA. Once it is entered, the ASA will output a key.
crypto ca export <trust-point-name> pkcs12 <passphrase>
Copy the output and save it in a file with the extension .pki.
Copy the BEGIN PKCS12 and END PKCS12 lines to the file as well.
If you don't remember the passphrase of the old ASA, you can use the command below.
crypto ca export <trust-point-name> identity-certificate
The problem with the identity-certificate command is that it does not export the RSA keys, so you have to figure out a way to export the RSA keys as well.
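A check that can be run on the saved .pki file before it is pasted into the new ASA, added here as an example and not part of the original procedure or of Cisco's tooling: it confirms the BEGIN PKCS12 and END PKCS12 lines are present and that no line was lost in the copy. It assumes the text between the markers is base64 of a DER-encoded PKCS12 (PFX) structure; the function names and the sample are constructed for illustration.

```python
import base64
import binascii
import textwrap

BEGIN, END = "-----BEGIN PKCS12-----", "-----END PKCS12-----"

def check_pkcs12_export(text):
    """Return (ok, reason) for text saved from 'crypto ca export ... pkcs12'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        return False, "missing BEGIN PKCS12 line"
    if lines[-1] != END:
        return False, "missing END PKCS12 line"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not clean base64"
    if len(der) < 5 or der[0] != 0x30:
        return False, "not a DER SEQUENCE"
    # Decode the outer DER length (short form, or long form up to 4 bytes).
    if der[1] < 0x80:
        length, hdr = der[1], 2
    else:
        n = der[1] & 0x7F
        if not 1 <= n <= 4 or len(der) < 2 + n:
            return False, "bad DER length field"
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + length != len(der):
        return False, "length mismatch: lines lost or added in copy"
    if der[hdr:hdr + 3] != b"\x02\x01\x03":
        return False, "PFX version is not 3"
    return True, "ok"

def make_sample():
    """Constructed stand-in: valid outer PFX framing, zero filler, no real key."""
    body = b"\x02\x01\x03" + bytes(200)
    der = b"\x30\x81" + bytes([len(body)]) + body
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *textwrap.wrap(b64, 64), END])

if __name__ == "__main__":
    good = make_sample().splitlines()
    print(check_pkcs12_export("\n".join(good)))
    print(check_pkcs12_export("\n".join(good[:2] + good[3:])))  # body line lost
    print(check_pkcs12_export("\n".join(good[:-1])))            # END line cut off
```

The file carries the trustpoint's RSA keys protected only by the passphrase, so run the check on the machine where the file was saved.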
Step 2: Import the CA Certificate to the New ASA.
Enter the command below on the new ASA; it will ask you to enter the certificate. Paste the output from the old ASA into the new ASA (paste the BEGIN PKCS12 and END PKCS12 lines also).
crypto ca import <trust-point-name> pkcs12 <passphrase>
Step 3: Import the CA Certificate to New CUCM.
From Cisco Unified Communications Operating System Administration, choose Security > Certificate Management.
Click Upload Certificate and, from the certificate name pull-down menu, choose Phone-VPN-trust.
Click Browse to choose the file you want to upload.
The remaining configuration (phone and CUCM) can be copied and pasted from the old devices.
Please refer to Cisco's documentation for more details.
Step 4: Configure the VPN Phone Username/Password in the New ASA
Make sure the username and password match the old ASA config.
username vishnu password hRoasdasQoPWF/3 encrypted
Step 5: Configure the Phones in the New CUCM
Configure the VPN phones in the new CUCM and make sure the SSL VPN profile is assigned to them and matches the old CUCM.
Step 6: Change the TFTP Server in the VPN Phone to Point to the New CUCM
Contact the remote user and ask him to change the TFTP server in the VPN phone to point to the new CUCM.
- Click on Settings --> Network Configuration --> IPv4 Configuration --> TFTP Server 1
- Type **# to unlock access to edit the setting
- Click Edit, type <New CUCM IP> and click Validate
- Click on Settings --> Network Configuration --> IPv4 Configuration --> TFTP Server 2
- Type **# to unlock access to edit the setting
- Click Edit, type <New CUCM IP> and click Validate
Step 7: Delete the ITL File from the VPN Phone
Next, delete the ITL file.
- Click on Settings --> Security Configuration --> Trust List --> ITL File
- Type **# to unlock access to edit the setting
- Click More --> Erase
The phone starts upgrading by taking the config from the new CUCM. It takes a minimum of 2 hours to complete the upgrade. The upgrade time depends entirely on the distance between the CUCM and the VPN phone (latency).
Once the upgrade is done, you may need to enable the VPN on the phone again.
At this point it will upgrade all over again, but this takes only 10 minutes.
Step 8: Connects to the New ASA
Once upgraded, the phone prompts for the username/password.
Enter the username/password.
Now it connects to the new ASA, updates its locale and other files, and disconnects from the VPN.
It prompts for the username/password again. Enter the username/password and wait for 10 minutes. The phone connects to the US call manager.
Step 9: Migration Completed.