cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1054
Views
0
Helpful
9
Replies
Highlighted

Cannot access to phone services, additionally causing restart Call Manager service

Hi,

We have issues with using secure security profiles on Jabber clients. We have UC infrastructure with CUCMs (10.5.2.10000-5), CUCM IM&P (10.5.2.10000-9) and Expressway-C/E (X8.5), ... . In the our corporate network (LAN or WiFi), all services work normally as expected when we use secure security profiles on Jabber clients. But, for Jabber clients (Windows, Android,...), accessing to phone services via internet (using Expressway) is possible only if Jabber clients have non-secure profile. To be worse, in the time when Jabber clients with secure security profile trying to connect to phone services, Cisco CallManager service on primary CUCM is restarted. 

CUCM cluster is in mixed-mode, all servers use FQDN instead of IP address, all necessary certificates (tomcat and Call Manager on CUCMs, tomcat and cup-xmpp on IM&P, Expressway-C. Expressway-E) are issued by internal CAs, etc. Secure security profiles on particular Jabber clients have names, which we use during generating certificate request on Expressway-C in the field: Unified CM phone security profile names.

Obviously, temporary workaround can be using non-secure security profiles, but ideally for us is to use secure security profiles.

Please help with comments, suggestions, solutions or similar. :)

Regards,

Zlatko

9 REPLIES 9
Highlighted

hi Zlatko, have you manage

hi Zlatko,

 

have you manage this issue?

Highlighted

Ruslan, Yes, this issues were

Ruslan,

 

Yes, this issues were solved. The key problem was with certificates on UC servers, issued only with server authentication. Certificates should be issued by CA with appropriate template including server authentication, client authentication, IP security end system.

Highlighted

thank you for answeryeah it's

thank you for answer

yeah it's common problem with all those certificates for MRA.

in my case I couldn't get it work earlier because of non-mixed mode of my cluster. however I still can't get phone services working on Jabber for iPhone but JfW, for Android is ok.

Highlighted
Beginner

I am having trouble with my

I am having trouble with my secure SIP profiles.  Without TLS phone services register ok, using a secure TLS phone profile the phone service doesn't register.

 

I am using an internal CA server for the certificates, are you using a separate template for each authentication type (server/client/IPSec) or have you made a template that includes all three (server/client/IPSec) ?

Highlighted

hi, I created certificate

hi,

 

I created certificate generation template in Windows Server CA as mentioned in this document - http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-5-1.pdf, in "Appendix 5: Configuring Windows Server Manager with a "client and server" certificate template" and after that signed my CSR from Expressway.

and as I remeber correctly IPsec authentication is included by default, but I may be wrong. try to sign up you certificate and check it after.
don't forget to include subject alternative names for security profiles:

this screenshot from the certificate requirements for Expressway-C. it's from guide mentioned above. you can find there certificate requirements for both - Expressway-C and Expressway-E.
does your UCM cluster is in Mixed Security Mode?

Highlighted
Beginner

that is the steps I am

that is the steps I am following, my UCM is in mixed security mode.  What format are your phone security profile names using?  It mentions in the guide that they need a FQDN format.  I have created mine with:

iPhone = "CDMIphone.lab-cucm01.lab.local"

Android = "cdmAndroid.lab-cucm01.lab.local"

should these have an external address instead?

I have configured them with the following:

Device Security Mode: Encrypted

Authentication Mode: By Authentication String

Key Size: 1024

Sip Phone Port: 5061

 

I have a SIP trunk to the Expressway-C for outbound calls using SIP port 5065. Should these security profiles be using the same SIP port?

 

Highlighted

does your phone security

does your phone security profiles FQDN's refers to your UC deployment FQDN's?
I assume you can find useful next two links:
https://supportforums.cisco.com/discussion/12221716/creating-csr-using-expressway
http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/118696-config-cucm-00.html

no, those security profiles can use usual secure SIP port - 5061.

Highlighted

does your phone security

does your phone security profiles FQDN's refers to your UC deployment FQDN's?
I assume you can find useful next two links:
https://supportforums.cisco.com/discussion/12221716/creating-csr-using-expressway
http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/118696-config-cucm-00.html

no, those security profiles can use usual secure SIP port - 5061.

Highlighted
Beginner

I am having trouble with my

I am having trouble with my secure SIP profiles.  Without TLS phone services register ok, using a secure TLS phone profile the phone service doesn't register.

 

I am using an internal CA server for the certificates, are you using a separate template for each authentication type (server/client/IPSec) or have you made a template that includes all three (server/client/IPSec) ?

CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey