Cisco CP-6921 handset restrictions

15 September 2011

Cisco have recently marked the CP-7911 handset as end of sale; it is a “work horse” handset for many customer deployments. The 6921, featuring a headset port and full duplex speakerphone which the 7911 didn’t have, seems to be an attractive option; however, there are a few restrictions to be aware of.

1. The 6921, whilst being a two-line phone, does not support two calls per button. The second channel can only be used for transfer or conference. This is unlike the 7911, which provides two calls per button.

2. DND does not work on the handset when mapped to a softkey. This is an issue that is known by Cisco and there is a workaround of setting it to the 2nd button. However, if you want to use the 2nd button as a second line, you can’t use DND. This does not sound great to us.

3. Auto Answer on headsets. Other Cisco handsets that support auto answer on headsets provide the ability to play a “zip” tone on auto answer so that the agent knows a call has just arrived. The 6921 does NOT support this tone and we don’t know why. It can seemingly play the tone for internal calls; however, it does not play it for external calls. Cisco TAC confirm that this is expected behaviour; however, we haven’t been able to find any documentation that reflects this. It also seems like a very strange restriction. Net result, we’d be loath to recommend 6921s with headsets if you want auto answer.

So all in all, be careful how you deploy 6921s. They are not as attractive as they appear at first glance.

Barry Hesk

Cisco IOS AnyConnect SSL VPN Configuration

15 September 2011

Cisco have been pushing the new versions of their AnyConnect client for some time now. They have also announced as End of Sale the traditional IPSEC based client which has been around for a number of years. This means that the IPSEC client will not be available on new OS platforms and is also not supported on 64 bit platforms.

The new client is the AnyConnect Secure Mobility Client which will be the platform to use moving forwards.

At the head end, both Cisco ASA Firewalls, and IOS based routers with the correct software image are supported. Licenses are required on both platforms – which is a change from Cisco as on the ASA platform in particular, the cost of IPSEC VPN was bundled into the unit cost.

Attached is a sample config for an IOS based router. You will need version 15 to get this to work properly.

ip http server
ip http secure-server
ip local pool client-pool
webvpn gateway SSLVPN
 ip address X.X.X.X port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3096684075
webvpn install svc flash:/webvpn/anyconnect-win-3.0.3054-k9.pkg sequence 1
webvpn context SSLVPN
 ssl authenticate verify all
 policy group SSLVPN_Policy
  functions svc-required
  svc address-pool "client-pool"
  svc keep-client-installed
  svc split include
  svc split include
 default-group-policy SSLVPN_Policy
 gateway SSLVPN
 max-users 10

Barry Hesk
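A pre-deployment check for the AnyConnect sample config above, as an added example (not part of the original post and not Cisco tooling): it parses a constructed copy of the config and reports an address pool with no range, a split-include with no network, a gateway or context never put `inservice`, the auto-generated self-signed trustpoint, and the cleartext HTTP server. The function names and finding texts are this example's own.

```python
import re

# Constructed sample: a trimmed copy of the post's config, elided values left elided.
SAMPLE = """\
ip http server
ip local pool client-pool
webvpn gateway SSLVPN
 ip address X.X.X.X port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3096684075
webvpn context SSLVPN
 policy group SSLVPN_Policy
  functions svc-required
  svc address-pool "client-pool"
  svc split include
 gateway SSLVPN
"""

def sections(text):
    """Group indented sub-commands under the top-level command above them."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and IOS '!' comments
        if not line[0].isspace():
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def audit(text):
    """Return human-readable findings for incomplete or weak settings."""
    findings = []
    for head, body in sections(text):
        if re.fullmatch(r"ip local pool \S+", head):
            findings.append(f"{head}: pool has no address range")
        if head == "ip http server":
            findings.append("ip http server: cleartext HTTP server enabled")
        if head.startswith(("webvpn gateway ", "webvpn context ")):
            if "inservice" not in body:
                findings.append(f"{head}: missing 'inservice', so it stays disabled")
            if "svc split include" in body:
                findings.append(f"{head}: split include has no network/mask")
            if any(c.startswith("ssl trustpoint TP-self-signed") for c in body):
                findings.append(f"{head}: self-signed cert, clients cannot verify it")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```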

Cisco ASA 8.3 NAT

Cisco ASA Version 8.3 (and now 8.4) has been out and shipping for quite some time. Based around our own experiences, and some feedback from customers we’ve been researching.

The following link provides a really helpful overview of what has changed in version 8.3 and higher.

It’s fair to say that NAT in 8.3 does cause confusion and is a radical departure from what was in place previously. In our minds, it’s much more aligned to the way that Checkpoint perform NAT on their platforms. It is also worth pointing out that in our experience, migrating from 8.2 to 8.3 does not work smoothly, or in some cases at all, and you will almost definitely need to rebuild your NAT from scratch at version 8.3. If you’re planning an upgrade to 8.3 or 8.4, please bear this in mind, and be aware that you may need to completely rework your NAT. For most people this is not a massive issue, as typically you may have a couple of static NAT entries, some exclusions for VPN traffic, and a dynamic interface based statement to catch everything else. However, if you have anything a little more complex, like policy NAT, make sure you test and test again to ensure it’s all working OK.

Barry Hesk

AIM2-CUE in 2900 Series ISRs

18 April 2011

Another little gotcha for you.

The AIM2-CUE modules do NOT work in the new 2900 series ISR G2 platforms. They’ve been around (and are still shipping) for the 2800 series platforms, however they will neither fit nor work in the 2900 series units.

The replacement part code is ISM-SRE-300-K9 which will need CUE 8.x loading on it.

Also, licensing in CUE 8.x has changed and you now no longer receive any port or user licenses as standard (you used to receive 6 port licenses and 12 mailbox licenses as part of the AIM2-CUE bundle). The part codes that now need to be ordered are:


These are the VM port licenses (in blocks of 2), IVR (including database access, again in blocks of 2) and mailbox licenses (in blocks of 5).

The Version 8.x GUI has now changed radically as well, and you can no longer use it to configure CUCME.