Mitel 5330 TFTP Error 4 at Remote Site over IPSec VPN

Single user at remote site with Cisco ASA 5505 connecting to our corporate ASA 5510 over an IPSec site-to-site tunnel.

This user, about once a week, has the phone reboot and display this error. Today, the phone has not booted all day and continually reboots after this error.

IP is statically assigned, no vlan or PRI options set, and ICP/TFTP address set to the 3300 controller.

I've read about everything I could on this, from inspection maps on the ASA for SIP traffic, to potential packet sizes for the TFTP from the 3300 coming in at 1522 which would fragment on the 1500 MTU ASA.

Any ideas? I'm now exploring setting up the Teleworker portion of the phone, though we don't have the module, as I understand it has longer timeout and "jitter" periods.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

If you have a routed (using NAT0 statements) connection, the you should not need the SIP inspection.

The phone will reboot if it is not able to contact the ICP.

As you have an ASA at the remote site, I would usually configure the phone with DHCP and add the Mitel DHCP options to DHCP.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
If you have an ipsec tunnel then you don't need to use Teleworker.  Your error means that the phone is having trouble locating the MBG server (aka teleworker server).  If you don't have a MBG server then you should be just pointing it to the 3300 ip and NOT using the 7 key to program the phone.  using the 7 key upon boot allows you to program/set the phone in teleworker mode.
TercestisiAuthor Commented:

I only did teleworker as last resort, as I read others used that as a hack of sorts to extend the timeout period for the phone contacting the ICP; the initial problem was before applying teleworker settings.

Anyhow, the phone came up on Saturday, and we've all been away out of state since so I don't have any updates or have tried anything else since.

I will look into using DHCP options instead of a static IP.
TercestisiAuthor Commented:
Didn't find a bonafide answer yet so will keep digging; closing question, and thanks for the responses.
tillie arendCommented:
Fantastic comments ! my colleague recently located <code></code> to share pdf - It's quite convenient to navigate and it's superb . I know they are giving a 30 day trial now
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.