Wednesday, May 3, 2017

Troubleshooting Proxy Phone on a Cisco ASA Firewall

You can use show version to check whether the ASA has the proper UC Proxy Phone license installed, and show phone-proxy secure-phones to troubleshoot the active proxy phone database. The license is additive in an Active-Standby (or Active-Active) firewall pair. In this case ASA1 (Active) has 50 UC Proxy Phone licenses and ASA2 (Standby) has 2 UC Proxy Phone licenses (50 + 2 = 52).


ciscoasa/pri/act# show version

Cisco Adaptive Security Appliance Software Version 9.1(6)8
Device Manager Version 7.5(1)

Compiled on Tue 04-Aug-15 16:13 by builders
System image file is "disk0:/asa916-8-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 3 days 4 hours
failover cluster up 1 year 111 days

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNlite-MC-SSLm-PLUS-2.08
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.09
                             Number of accelerators: 1

 0: Ext: Ethernet0/0         : address is c47d.4f85.0f56, irq 9
 1: Ext: Ethernet0/1         : address is c47d.4f85.0f57, irq 9
 2: Ext: Ethernet0/2         : address is c47d.4f85.0f58, irq 9
 3: Ext: Ethernet0/3         : address is c47d.4f85.0f59, irq 9
 4: Ext: Management0/0       : address is c47d.4f85.0f55, irq 1             
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 50             perpetual        // ACTIVE (ASA1) UC PHONE PROXY LICENSE
Total UC Proxy Sessions           : 50             perpetual

Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5510 Security Plus license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 4              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 52             perpetual       // +2 UC PHONE PROXY LICENSE FROM STANDBY ASA2
Total UC Proxy Sessions           : 52             perpetual

Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5510 Security Plus license.

Serial Number: JMX1416ABCD
Running Permanent Activation Key: 0x2c1bee62 0x6cbe1d1d 0xe8331d68 0xa19c48a8 0x43391234
Configuration register is 0x1

ciscoasa/pri/act# show phone-proxy ?

  media-sessions      Show phone-proxy media session information
  secure-phones       Show the phone-proxy secure-phone database
  signaling-sessions  Show phone-proxy signaling session information
  |                   Output modifiers
  <cr>

ciscoasa/pri/act# show phone-proxy secure-phones
ASA-phone-proxy: 10 in use, 13 most used

  Interface  IP Address    Port   MAC             Timeout  Idle
  outside    86.25.1.27    5161   0008.308a.a4ab  0:05:00  0:00:02
  outside    18.92.36.29   17409  20bb.c092.38cd  0:05:00  0:00:29
  outside    14.11.26.15   35174  04c5.a44c.75ef  0:05:00  0:00:11
  outside    98.96.24.16   51317  0cd9.9690.0c12  0:05:00  0:00:24
  outside    74.80.1.9     44768  0024.c40c.5c34  0:05:00  0:00:29
  outside    66.5.32.4     56107  7cad.7442.9d56  0:05:00  0:00:04
  outside    98.21.27.9    49278  b862.1f6d.a378  0:05:00  0:00:27
  outside    17.92.54.68   15574  0025.84a2.f29a  0:05:00  0:00:21
  outside    208.11.16.26  0      9410.3eea.dabc  0:05:00  0:01:25     // PORT 0 MEANS THE PROXY PHONE DIDN'T SUCCESSFULLY REGISTER TO CUCM
  outside    179.34.5.21   32945  381c.1abb.3ade  0:05:00  0:00:00


From the output above, you can look up the IP phone's MAC address in the Call Manager (CUCM) for more information. (Proxy phone is supported on legacy CUCM7.)
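The two checks above can be scripted against saved command output. The following is an added example, not part of the original post: it reads the effective UC Phone Proxy session limit from show version, parses show phone-proxy secure-phones, and lists the MAC addresses of entries with Port 0 so they can be looked up in CUCM. The function names and the trimmed sample text are assumptions made for the illustration.

```python
import re

# Constructed sample: trimmed excerpts of the command output shown in the post.
SHOW_VERSION = """\
Licensed features for this platform:
UC Phone Proxy Sessions           : 50             perpetual
Failover cluster licensed features for this platform:
UC Phone Proxy Sessions           : 52             perpetual
"""
SECURE_PHONES = """\
ASA-phone-proxy: 10 in use, 13 most used

  Interface  IP Address    Port   MAC             Timeout  Idle
  outside    86.25.1.27    5161   0008.308a.a4ab  0:05:00  0:00:02
  outside    208.11.16.26  0      9410.3eea.dabc  0:05:00  0:01:25
  outside    179.34.5.21   32945  381c.1abb.3ade  0:05:00  0:00:00
"""

# One table row: interface, IPv4 address, port, dotted MAC, timeout, idle.
ROW = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)

def licensed_sessions(show_version):
    # On a failover pair the cluster section is printed last and holds the
    # combined (additive) count, so the last matching line is the limit.
    found = re.findall(r"^\s*UC Phone Proxy Sessions\s*:\s*(\d+)", show_version, re.M)
    if not found:
        raise ValueError("no 'UC Phone Proxy Sessions' line in show version output")
    return int(found[-1])

def parse_secure_phones(text):
    # Returns (in_use, most_used, rows); header and blank lines do not match ROW.
    m = re.search(r"(\d+) in use, (\d+) most used", text)
    if not m:
        raise ValueError("no 'in use / most used' summary line found")
    phones = []
    for line in text.splitlines():
        r = ROW.match(line)
        if r:
            phones.append({"interface": r.group(1), "ip": r.group(2),
                           "port": int(r.group(3)), "mac": r.group(4).lower()})
    return int(m.group(1)), int(m.group(2)), phones

def report(show_version, secure_phones):
    limit = licensed_sessions(show_version)
    in_use, most_used, phones = parse_secure_phones(secure_phones)
    # Port 0 marks a phone that did not register to CUCM (per the post).
    unregistered = [p["mac"] for p in phones if p["port"] == 0]
    return {"limit": limit, "in_use": in_use, "most_used": most_used,
            "headroom": limit - in_use, "unregistered": unregistered}
```

Calling report() on the full saved output of both commands returns the license headroom and the MAC addresses to search for in CUCM.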