Gurram Srikanth
Level 1

 

When encryption is enabled in CUCM, the VG224 analog ports do not register.

The registration is shown as rejected in CUCM.

The issue is seen only on some gateways; other gateways with a similar configuration register properly.

The configuration is through SCCP and is configured correctly.

When a secured analog profile is selected for the analog phones, the phones do not register.

On some gateways, the phones register without any issue when we select the encryption option in the phone security profile.

The working and non-working VG224s are on the same release.

In the CUCM traces we could see that the registration is rejected because of an invalid certificate name or a configuration issue.

The reason codes are 11 and 3, which are certificate name invalid and DatabaseConfigurationError respectively.

May 12 09:01:55 POZVLNX001 local7 3 : 38266: POZVLNX001: May 12 2014 10:01:55.489 UTC :  %UC_CALLMANAGER-3-DeviceTransientConnection: %[ConnectingPort=2000][DeviceName=ANF70D02F618400][IPAddress=10.32.252.85][DeviceType=30027][Reason=11][Protocol=SCCP][IPAddrAttributes=2][UNKNOWN_PARAMNAME:LastSignalReceived=StationRegister][UNKNOWN_PARAMNAME:StationState=wait_register][AppID=Cisco CallManager][ClusterID=EURO-CUCM][NodeID=POZVLNX001]: A device attempted to register but did not complete registration

3 indicates DatabaseConfigurationError - The device is not configured in the Unified CM Administration database and auto-registration is either not supported for the device type or is not enabled. To correct this problem, configure this device in Unified CM Administration.

11 indicates InvalidX509NameInCertificate - Configured "X.509 Subject Name" doesn't match the information in the certificate from the device. Check the Security profile of the indicated device and verify that the Device Security Mode is set to either Authenticated or Encrypted. Verify that the X.509 Subject Name field has the appropriate content; it should match the Subject Name in the certificate from the peer.

We could see the same from the call manager traces.

Line 15394: 09:03:59.210 |DeviceTransientConnection - A device attempted to register but did not complete registration Connecting Port:2000 Device Name:ANF70D02F618401 Device IP Address:10.32.252.85 Device type:30027 Reason Code:11 Protocol:SCCP IPAddressAttributes:2 UNKNOWN_PARAMNAME:LastSignalReceived:StationRegister UNKNOWN_PARAMNAME:StationState:wait_register App ID:Cisco CallManager Cluster ID:EURO-CUCM Node ID:POZVLNX001|AlarmANF70D02F618401^*^ANF70D02F618401

Line 15401: 09:03:59.210 |StationD:    (0036154) registrationError sent StationOutputRegisterReject|0,0,0,0.0^10.32.252.85^ANF70D02F618401

Line 15402: 09:03:59.210 |StationD:    (0036154) RegisterReject text='Security Error'.|0,0,0,0.0^10.32.252.85^ANF70D02F618401

We have done the following:

1. Stop “Cisco Certificate Change Notification Service” on all the nodes, regenerate the certificate and upload it to the call manager.

2. Restart the call manager service/node and check the issue.

This did not have any impact.

The issue is with the subject name.

 

So, under the “crypto pki trustpoint” configuration of the gateway, we changed the subject-name “CN= F7:0D:02:F6:18” from xx.xx.xx.xx.xx format to xx:xx:xx:xx:xx.

 

After that, the gateway registered.

However, the following point is important and needs to be checked.

The device pool under the VG224 and the analog port should be the same; if not, the ports may or may not register, and even if the ports register, the calls would fail.

Another important point: when configuring PLAR with the VG224 registered to CUCM, it is recommended to use the PLAR configuration on the gateway side rather than the CUCM side.

The impact of this is that when the called party disconnects the call, the analog phone still remains off-hook, which causes the gateway to send the off-hook status to CUCM, resulting in the call being placed again.
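
The two alarm formats quoted above (the syslog line and the CallManager trace line) carry the same fields, so the gateways hit by the certificate-name rejection can be listed straight from the logs. The following Python sketch is an added example, not part of the original post or a Cisco tool: it parses both formats and groups devices rejected with reason code 11 by gateway IP. The function names are hypothetical, and the sample lines are shortened from the ones on this page plus one constructed reason-3 line.

```python
import re
from collections import defaultdict

# Reason codes as explained on this page (only these two are described there).
REASONS = {3: "DatabaseConfigurationError", 11: "InvalidX509NameInCertificate"}

# Syslog form: [DeviceName=...][IPAddress=...][Reason=11]
SYSLOG_KV = re.compile(r"\[(DeviceName|IPAddress|Reason|Protocol)=([^\]]*)\]")
# CallManager trace form: "Device Name:... Device IP Address:... Reason Code:11"
TRACE_KV = re.compile(r"(Device Name|Device IP Address|Reason Code|Protocol):(\S+)")
TRACE_KEYS = {"Device Name": "DeviceName", "Device IP Address": "IPAddress",
              "Reason Code": "Reason", "Protocol": "Protocol"}

def parse_alarm(line):
    """Return a dict for a DeviceTransientConnection line, or None."""
    if "DeviceTransientConnection" not in line:
        return None
    fields = dict(SYSLOG_KV.findall(line))
    if not fields:  # fall back to the trace layout
        fields = {TRACE_KEYS[k]: v for k, v in TRACE_KV.findall(line)}
    if "DeviceName" not in fields or not fields.get("Reason", "").isdigit():
        return None
    code = int(fields["Reason"])
    return {"device": fields["DeviceName"], "ip": fields.get("IPAddress"),
            "protocol": fields.get("Protocol"), "reason": code,
            "meaning": REASONS.get(code, "reason code not described on this page")}

def certificate_name_rejects(lines):
    """Map gateway IP -> sorted device names rejected with reason code 11."""
    by_ip = defaultdict(set)
    for line in lines:
        alarm = parse_alarm(line)
        if alarm and alarm["reason"] == 11:
            by_ip[alarm["ip"]].add(alarm["device"])
    return {ip: sorted(devices) for ip, devices in by_ip.items()}

# Sample input: first two lines shortened from the alarms quoted on this page,
# third line constructed (placeholder device name and documentation IP).
SAMPLE = [
    "%UC_CALLMANAGER-3-DeviceTransientConnection: %[ConnectingPort=2000]"
    "[DeviceName=ANF70D02F618400][IPAddress=10.32.252.85][Reason=11][Protocol=SCCP]",
    "09:03:59.210 |DeviceTransientConnection - Connecting Port:2000 Device Name:ANF70D02F618401 "
    "Device IP Address:10.32.252.85 Device type:30027 Reason Code:11 Protocol:SCCP",
    "%UC_CALLMANAGER-3-DeviceTransientConnection: %[DeviceName=ANEXAMPLE000001]"
    "[IPAddress=192.0.2.10][Reason=3][Protocol=SCCP]",
]

if __name__ == "__main__":
    print(certificate_name_rejects(SAMPLE))
```

Several ports of one gateway showing reason code 11 from the same IP address points at the gateway's certificate subject name rather than at an individual port.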

 

Comments
Mohammed Khan
Cisco Employee

+5

Regards,

Mohammed Noor

Aman Soi
VIP Alumni

[+5]

 

regds,

aman
