Finally, after 14 months - Cisco Field Notice raised

Started by Dieselboy, July 11, 2016, 03:54:04 AM


Dieselboy

I've had a TAC logged since May 2015. I've mentioned it on here. Just had word that the field notice is now raised. I also notice that there is a workaround listed in the FN, which I was not aware of before.

In short, Cisco have made a change to the SSL VPN component in Cisco IOS routers. The change now expects the endpoint to send a DTLS request packet. The Cisco IP phones which have AnyConnect VPN integrated in the phone itself (such as 8945, 9971, etc.) do not support the sending of this header type and so connect successfully but fall back to VPN over TCP/443 instead of establishing a UDP/443 connection.

Field notice: http://www.cisco.com/c/en/us/support/docs/field-notices/641/fn64138.html

The risk, and hence the TAC case, is that in one of my sites the firewall is also the IOS SSL VPN server. So if I cannot update the IOS to mitigate security vulnerabilities due to breaking phones, then it leaves my backdoor wide open and fully in the air, waving about; like an invitation of some kind.  :barf:
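One way to spot phones stuck on the TCP fallback described in this post, as an added example that is not from the thread or from Cisco: it assumes flow records from the VPN server (constructed here, with the hypothetical field names `src`, `proto`, `dport`, `bytes`) and that the SSL VPN listens on 443 for both the TLS control channel and the DTLS data channel.

```python
from collections import defaultdict

# Constructed flow records (not from the original thread), as a NetFlow or
# firewall log on the IOS SSL VPN server might summarise them.
FLOWS = [
    {"src": "203.0.113.10", "proto": "tcp", "dport": 443, "bytes": 48000},
    {"src": "203.0.113.10", "proto": "udp", "dport": 443, "bytes": 912000},
    {"src": "203.0.113.21", "proto": "tcp", "dport": 443, "bytes": 870000},
    {"src": "203.0.113.33", "proto": "tcp", "dport": 443, "bytes": 4100},
    {"src": "203.0.113.33", "proto": "tcp", "dport": 443, "bytes": 620000},
    {"src": "203.0.113.40", "proto": "tcp", "dport": 80, "bytes": 5000},
    {"src": "203.0.113.50", "proto": "tcp", "dport": 443, "bytes": 2000},
]


def find_tcp_fallback(flows, vpn_port=443, min_tcp_bytes=10000):
    """Return (peer, tcp_bytes) for VPN peers with no DTLS/UDP flow.

    A healthy AnyConnect session has a TLS control channel on TCP/vpn_port
    plus a DTLS data channel on UDP/vpn_port. A peer whose only traffic to
    vpn_port is TCP, and whose TCP volume is larger than a bare control
    channel would need, is carrying its voice/data inside the TCP tunnel,
    which is the symptom the field notice describes for the phones.
    """
    per_peer = defaultdict(lambda: {"tcp": 0, "udp": 0})
    for f in flows:
        if f["dport"] != vpn_port or f["proto"] not in ("tcp", "udp"):
            continue
        per_peer[f["src"]][f["proto"]] += f["bytes"]

    return sorted(
        (peer, counts["tcp"])
        for peer, counts in per_peer.items()
        if counts["udp"] == 0 and counts["tcp"] >= min_tcp_bytes
    )


if __name__ == "__main__":
    for peer, tcp_bytes in find_tcp_fallback(FLOWS):
        print(f"{peer}: {tcp_bytes} bytes over TCP, no DTLS flow seen")
```

Peers whose TCP volume stays under `min_tcp_bytes` are treated as control-channel-only and not reported, so tune that threshold to the sampling window of your flow export.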

deanwebb

Is this the one where you had to constantly ping the phone for it to work?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

Quote from: deanwebb on July 11, 2016, 08:23:49 AM
Is this the one where you had to constantly ping the phone for it to work?

No, that one strangely looks like the issue is my ISP home router and I've been meaning to go buy another home router but not got round to it yet.

This one is where a remote IP phone will stay registered but VoIP quality is dire. The FN lists that the phones do other weird things and are not usable. The reason for this is that the phone has not established a UDP VPN connection. Therefore VoIP runs on TCP packets.

deanwebb


icecream-guy

Quote from: deanwebb on July 12, 2016, 10:25:16 AM
VoIP over TCP?

Yeeeeuuurrrrrgh
when your call absolutely positively must go through....
:professorcat:

My Moral Fibers have been cut.