Cisco 7965 phone connecting via VPN to XG135

I am trying to have Cisco 7965 phones connect via VPN to our XG firewall, to no avail.

Tried every single article I found and no dice.

Anyone tried this or have any suggestions?



  • Hello Kevin,

    Thank you for contacting the Sophos Community.

    What type of VPN are you using? I would think it is IPsec (site-to-site VPN), but please confirm.

    I would first check whether you are seeing traffic from the phones arriving at the XG on port 5060, from the Advanced Shell (5>3):

    # tcpdump -nei ipsec0 port 5060

    # tcpdump -nei ipsec0 host <Cisco IP Phone> and host <XG side IP Phone or VoIP server>

    # conntrack -E -o timestamp | grep <Cisco IP Phone> | grep <XG side IP Phone/VoIP server>

    From the console (5>4), try:

    console> drop-packet-capture 'host <Cisco IP Phone> or host <XG side IP Phone/VoIP server>'

    regards,

  • We have several users working remotely with Cisco 7965 phone stations; they connect using the Cisco VPN client to a Cisco ASA. But these ASAs are EOL and no longer supported by Cisco, and we have migrated all users to Sophos SSL VPN, which works great. Now I want to completely get rid of the ASA and have the Cisco 7965 phones connect via VPN to Sophos. I have tried a few things but I always get "authentication failed".

  • You are going to have to give a lot more info about your setup to get any meaningful suggestions, and even then I suspect there are probably not a lot of people with Cisco voice knowledge on this forum.

    We do have a 7975 (SCCP) working over a site-to-site VPN between Sophos XG (Cisco CME) and a Cisco router (handset). I don't remember any particular issues getting it working. Authentication failures are often because of TFTP issues. However the handset gets its IP, it will need to have option 150 set. I would start with debugging on your Cisco voice solution to try to find what is failing and work from there. If you are using CME you can try "debug ephone detail" and "debug tftp events". You can also try downloading files via TFTP (using PuTTY) from the CME/CUCM at the client end to check that is working.
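Added example (not part of any post in this thread): a Python sketch of the two checks the last reply points at, reading the option 150 TFTP server list out of a DHCP options field and building and interpreting a TFTP read request. The option bytes, the 192.0.2.x addresses and the file name in the usage note are constructed sample values.

```python
import ipaddress
import struct


def option_150_servers(options: bytes) -> list[str]:
    """Walk a DHCP options field (bytes after the magic cookie) and
    return the IPv4 addresses carried in option 150 (TFTP server list)."""
    i, servers = 0, []
    while i < len(options):
        code = options[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == 150:
            if length == 0 or length % 4:
                raise ValueError("option 150 length must be a multiple of 4")
            servers += [str(ipaddress.IPv4Address(value[j:j + 4]))
                        for j in range(0, length, 4)]
        i += 2 + length
    return servers


def build_rrq(filename: str) -> bytes:
    """TFTP read request (opcode 1) in octet mode, per RFC 1350."""
    return struct.pack("!H", 1) + filename.encode("ascii") + b"\0octet\0"


def describe_reply(packet: bytes) -> str:
    """Summarise the first TFTP packet the server sends back."""
    if len(packet) < 4:
        raise ValueError("short TFTP packet")
    opcode, arg = struct.unpack("!HH", packet[:4])
    if opcode == 3:              # DATA: arg is the block number
        return f"DATA block {arg}, {len(packet) - 4} bytes"
    if opcode == 5:              # ERROR: arg is the error code
        msg = packet[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return f"ERROR {arg}: {msg}"
    return f"unexpected opcode {opcode}"


# Constructed sample: message type ACK (53), option 150 with two servers, End.
SAMPLE_OPTIONS = bytes([53, 1, 5, 150, 8, 192, 0, 2, 10, 192, 0, 2, 11, 255])
```

To test from the phone's side of the tunnel, send `build_rrq("<config file name>")` over UDP to port 69 of a server returned by `option_150_servers` and pass the first reply to `describe_reply`; an empty server list or an ERROR reply points at the TFTP problem described above.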
