on 04-22-2026 07:21 AM
CUCM Mixed Mode is not a single switch. Enabling it at the cluster level does not automatically secure every layer of the UC stack. This article walks the ten verification points that determine whether Mixed Mode is actually protecting your environment, and shows how to diagnose and fix each one.
Common signs that Mixed Mode is not fully or correctly enabled across the UC stack:
Walk the ten layers in order. Each layer has a specific verification method and a specific finding that points to the fix in the Solution section.
From the publisher CLI:
utils ctl show-clusterReturns "Cluster is in Mixed Mode" or "Cluster is in Non Secure Mode" on 10.0 and newer.
Alternative database query:
run sql select paramvalue from processconfig where paramname='ClusterSecurityMode'0 = Non-Secure, 1 = Mixed Mode.
On every node (publisher and each subscriber):
show ctlshow itl
Confirm the CTL contains CallManager certificates for each node and that ITL hashes match across the cluster.
On affected phones: Settings, Security Configuration, Trust List. Verify CTL and ITL files are present and match cluster hashes.
Cisco Unity Connection Administration, Telephony Integrations, Port Group. Verify Security Mode is Encrypted or Authenticated (not Non-Secure), TLS Transport is enabled, Port is 5061, SRTP is enabled when Security Mode is Encrypted.
Cisco Unified CCX Administration, System, System Parameters. Confirm SRTP Support is Enabled. Verify the UCCX Application User is in Access Control Groups "Standard CTI Allow Reception of SRTP Key Material" and "Standard CTI Secure Connection" on CUCM.
Cisco Unified CM IM and Presence Administration, System, Security, TLS Peer Subjects and TLS Context Configuration. Confirm peer subjects match current CUCM cert identities.
On each active voice dial-peer, confirm session transport tls, tls-profile, srtp-crypto, and srtp are all configured.
show crypto pki trustpointsshow voice class tls-profileshow dial-peer voice summary
8. Emergency Responder JTAPI
Cisco Emergency Responder Administration, System, Cisco Unified CM Cluster Settings. Verify TLS is enabled and the JTAPI user is in the secure Access Control Groups.
Confirm TLS on neighbor zones to CUCM, port 5061, and bidirectional certificate trust.
Cisco Unified CM Administration, System, Security, Phone Security Profile. Confirm each production profile has Device Security Mode set to Encrypted or Authenticated. Then audit phone-to-profile assignment in Device, Phone.
Every secure connection between products requires bidirectional certificate trust. Each cell marked BOTH means the product in that row must trust the product in that column, and the reverse must also be true.
Missing a cert in either direction breaks the secure connection silently. This matrix is the single most useful artifact to audit before and after any certificate regeneration work.
The most commonly missed audit point: cluster Mixed Mode alone does not secure phones. The phone state is determined by the combination of cluster mode and Phone Security Profile.
The highlighted gotcha row is the configuration I see most often in audits: cluster reports Mixed Mode, but phones remain on Non-Secure profiles because nobody updated the profile assignments after enabling Mixed Mode. That combination produces CTL management overhead with zero encryption benefit.
Corrective actions for each finding identified during Diagnosis. Each fix is indexed to the corresponding layer number.
If the CUCM cluster is Non-Secure (Layer 1)
From the publisher CLI:
utils ctl set-cluster mixed-modeRestart Cisco CallManager and Cisco TFTP services on every node. Reset phones to download the new CTL or updated ITL.
If CTL or ITL hashes do not match across nodes (Layer 2)
From the publisher CLI:
utils ctl update CTLFileRestart Cisco CallManager and Cisco TFTP services on all nodes. Verify hashes match after services return.
If phones are stuck on old trust files (Layer 3)
Bulk reset: Cisco Unified CM Administration, Bulk Administration, Phones, Reset Phones.
For individual recalcitrant phones: Settings, Security Configuration, Trust List, Delete CTL or Delete ITL, then reset the phone.
If the Unity Connection Port Group is Non-Secure (Layer 4)
Telephony Integrations, Port Group. Change Security Mode to Encrypted, enable TLS Transport and SRTP, change Port to 5061, Save. Reset the Port Group. Verify bidirectional certificate trust between CUCM and Unity. Restart Cisco Tomcat and Connection Conversation Manager.
If UCCX SRTP is disabled or JTAPI is insecure (Layer 5)
Cisco Unified CCX Administration, System, System Parameters, set SRTP Support to Enabled. Verify the UCCX Application User's Access Control Group memberships in CUCM include the required secure CTI groups. Restart Cisco Unified CCX Engine if RmCm is stuck.
If SRTP was enabled before a CUCM upgrade, disable and re-enable SRTP to refresh the JTAPI secure connection after the upgrade.
If IM and Presence TLS is misconfigured (Layer 6)
Update TLS Peer Subjects and TLS Context Configuration to match current CUCM cert identities. Restart Cisco XCP Router and Cisco Tomcat on IM and Presence.
If voice gateway or CUBE dial-peers are on UDP or TCP (Layer 7)
Update each active dial-peer:
dial-peer voice (tag) voip session transport tls voice-class sip tls-profile (profile ID) voice-class sip srtp-crypto (crypto ID) srtp
Every active voice dial-peer must be secured individually. There is no inheritance.
If CER JTAPI is not secure (Layer 😎
Cisco Emergency Responder Administration, System, Cisco Unified CM Cluster Settings, enable TLS. Exchange certificates bidirectionally with CUCM. Verify JTAPI user is assigned to the secure CTI Access Control Groups.
If Expressway zones are on TCP 5060 (Layer 9)
Change neighbor zone transport to TLS and port to 5061. Verify certificate trust between Expressway C or E and CUCM.
If Phone Security Profiles are Non-Secure (Layer 10)
For each production Phone Security Profile, change Device Security Mode to Encrypted or Authenticated. Save.
For phones still associated with a Non-Secure profile, bulk-reassign to an Encrypted profile via Bulk Administration, Phones, Update Phones. Reset the phones.
After all corrections are applied, place a test call and walk through this checklist before declaring the audit complete:
If any check fails, return to the Diagnosis section for that specific layer and re-verify. Do not declare the audit complete until every checkbox is satisfied.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: