Chapter 1      Configuring the Cisco Phone Proxy
Troubleshooting the Phone Proxy

SSL Handshake Failure

Problem
The phone proxy is not functioning. Initial troubleshooting uncovered the following errors in the ASA syslogs:

%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl handshake failure
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-6-725006: Device failed SSL handshake with outside client:72.146.123.158/30519
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 62D06172000000143FCC, subject name: cn=CP-7962G-SEP002155554502,ou=EVVBU,o=Cisco Systems Inc.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.

Solution
Verify that all required certificates are imported into the ASA so that the TLS handshake will succeed.

Step 1  Determine which certificates are installed on the ASA by entering the following command:
hostname# show running-config crypto
Additionally, determine which certificates are installed on the IP phones. See Debugging Information from IP Phones, page 1-32, for information about checking the IP phone to determine if it has a MIC installed on it.

Step 2  Verify that the list of installed certificates contains all required certificates for the phone proxy. See Table 1-2, Certificates Required by the Security Appliance for the Phone Proxy, for information.

Step 3  Import any missing certificates onto the ASA. See also Importing Certificates from the Cisco UCM, page 1-15.

Problem
The phone proxy is not functioning. Initial troubleshooting uncovered the following errors in the ASA syslogs:

%ASA-6-725001: Starting SSL handshake with client dmz:171.169.0.2/53097 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725008: SSL client dmz:171.169.0.2/53097 proposes the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-725006: Device failed SSL handshake with dmz client:171.169.0.2/53097

Solution
The SSL encryption method might not be set correctly. Set the correct ciphers by completing the following procedure:

Step 1  To see the ciphers being used by the phone proxy, enter the following command:
hostname# show run all ssl

Step 2  To add the required ciphers, enter the following command:
hostname(config)# ssl encryption
The default is to have all algorithms available in the following order:

Cisco ASA Series CLI Configuration Guide
1-40
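As an added example (not part of the Cisco guide), the following Python triages the two syslog patterns covered in this section: it tells the missing-trustpoint case (%ASA-3-717009) apart from the cipher-mismatch case (%ASA-7-725014 "no shared cipher") and, for the latter, lists what the ASA offered versus what the phone proposed so the empty intersection is visible before touching ssl encryption. The two log excerpts are constructed from the lines shown above; message-ID handling assumes the message formats exactly as printed on this page.

```python
import re
# Constructed sample syslog excerpts reproducing the two failure patterns described above.
CERT_FAILURE_LOG = """\
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_CERTIFICATE Reason: no certificate returned
%ASA-6-725006: Device failed SSL handshake with outside client:72.146.123.158/30519
%ASA-3-717009: Certificate validation failed. No suitable trustpoints found to validate certificate serial number: 62D06172000000143FCC, subject name: cn=CP-7962G-SEP002155554502,ou=EVVBU,o=Cisco Systems Inc.
%ASA-3-717027: Certificate chain failed validation. No suitable trustpoint was found to validate chain.
"""
CIPHER_MISMATCH_LOG = """\
%ASA-6-725001: Starting SSL handshake with client dmz:171.169.0.2/53097 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725008: SSL client dmz:171.169.0.2/53097 proposes the following 2 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725011: Cipher[2] : AES128-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-725006: Device failed SSL handshake with dmz client:171.169.0.2/53097
"""

MSG_RE = re.compile(r"^%ASA-\d-(\d{6}): (.*)$")
CIPHER_RE = re.compile(r"Cipher\[\d+\] : (\S+)")
CERT_RE = re.compile(r"serial number: ([0-9A-Fa-f]+), subject name: (.*)$")

def diagnose(log_text):
    """Classify a failed phone-proxy TLS handshake from ASA syslog lines."""
    r = {"cause": None, "failed_client": None, "device_ciphers": [], "client_ciphers": [],
         "shared_ciphers": [], "cert_serial": None, "cert_subject": None}
    current = None  # which cipher list the following 725011 lines belong to
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        msg_id, body = m.groups()
        if msg_id == "725010":      # "Device supports the following N cipher(s)."
            current = r["device_ciphers"]
        elif msg_id == "725008":    # "SSL client ... proposes the following N cipher(s)."
            current = r["client_ciphers"]
        elif msg_id == "725011" and current is not None:
            current.append(CIPHER_RE.search(body).group(1))
        elif msg_id == "725014" and "no shared cipher" in body:
            r["cause"] = "no shared cipher"          # remedy: adjust 'ssl encryption'
        elif msg_id == "717009":                      # remedy: import the missing CA cert
            r["cause"] = "no suitable trustpoint"
            r["cert_serial"], r["cert_subject"] = CERT_RE.search(body).groups()
        elif msg_id == "725006":
            r["failed_client"] = body.rsplit("client:", 1)[1]
    # An empty intersection confirms the 'no shared cipher' diagnosis.
    r["shared_ciphers"] = [c for c in r["device_ciphers"] if c in r["client_ciphers"]]
    return r
```

Feeding the live output of the ASA syslog server into diagnose() gives the same split the two Problem/Solution pairs above describe, with the phone's certificate subject and the cipher lists extracted for the ticket.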