Mohit Grover
Level 1
 
# Problem Description #
 
Newly delivered 7962 phones running firmware SIP42.9-3-1SR2-1S are unable to look up the Corporate Directory.
 
o Non-Working Firmware: SIP42.9-3-1SR2-1S 
o CUCM System version: 8.5.1.13900-5
o CUCM Nodes IPs: 12.12.12.12 & 11.11.11.11
 
o Working endpoints request Corporate Directory services from 12.12.12.12:8080 (port 8080)
o Working phones use the old firmware SIP42.8-4-1S

o NON-working endpoints request the directory service on port 8443 (HTTPS)
o NON-working firmware: SIP42.9-3-1SR2-1S
 
!! IP Addresses of the devices !!
CUCM Primary Server == 11.11.11.11
CUCM Secondary Server == 12.12.12.12
NON Working IP Phone: == 95.95.95.95
WORKING IP Phone: == 157.157.157.157
 
NON Working IP Phone: 95.95.95.95
Registered with Cisco Unified Communications Manager 12.12.12.12
Active Load ID: SIP42.9-3-1SR2-1S
Phone Load Name: SIP42.9-3-1SR2-1S
Cisco 7962  
Device Protocol:   SIP  
 
WORKING IP Phone: 157.157.157.157
Registered with Cisco Unified Communications Manager 12.12.12.12
Active Load ID: SIP42.8-4-1S
Phone Load Name: SIP42.8-4-1S
Cisco 7962  
Device Protocol:   SIP
 
!! Enterprise Parameters Dir. URL configuration  !!
 
!! Phone Console Truncated Output !!
 
2010: NOT 13:44:07.102524 SECD: clpClntRd: clnt closed conn to <12.12.12.12> c:-1 s:-1
2011: NOT 13:44:07.103346 SECD: clpClntRd: clnt closed conn to <12.12.12.12> c:-1 s:-1
2012: ERR 13:44:07.117869 SECD: Authentication failed for the HTTPS conn via TVS
2013: NOT 13:44:07.118500 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED ** <12.12.12.12>                                                                     
2014: ERR 13:44:07.119510 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:<12.12.12.12:8443>
2015: ERR 13:44:07.120770 SECD: EROR:clpSetupSsl: ** SSL handshake failed, <12.12.12.12> c:9 s:10                                                            
2016: ERR 13:44:07.121407 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, <12.12.12.12> c:9 s:10                                                            
2017: ERR 13:44:07.122044 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, <12.12.12.12> c:9 s:10
2018: ERR 13:44:07.122609 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr<12.12.12.12>                                                                                   
2019: ERR 13:44:07.123156 SECD: EROR:secErr_errStr:  *** bad err table ***
2020: ERR 13:44:07.123718 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)                                                            
2021: ERR 13:44:07.124272 SECD: EROR:clpSndStatus: ** SEC-ERR: desc <HTTPS cert failed auth via TVS>
2022: WRN 13:44:07.137398 JVM: Startup Module Loader|cip.http.ae:? - listener.httpFailed                                                                
2023: NOT 13:44:07.158300 SECD: clpDelClnt: closing conn to <12.12.12.12>, c:9, s:10
2024: NOT 13:44:07.160077 SECD: clpDelClnt: Adding a one second delay before we close the local socket
 
 
!! We also performed following actions !!
 
o Simultaneous packet captures from the IP phone and from the CUCM server (the server that is first in the phone's CM group, i.e. the one the HTTP(S) request is sent to)
o IP phone console logs
o Cisco TVS logs (detailed)
 
FYI: When you set the TVS logs to detailed, the service needs to be restarted for the trace level changes to take place. 
See Cisco bug ID CSCuq22327 for the enhancement to notify that a service restart is required when log levels are changed.
 
o The phone is unable to contact the TVS server.
           In the PCAPs, verify the communication on port 2445 (Wireshark filter: "tcp.port==2445") (FYI: Wireshark Filters Page)
           Ensure that none of the network devices in the path block this port.
 
o Make sure HTTPS traffic is not blocked/dropped somewhere in the network.
o Get simultaneous PCAPs from the phone and the CUCM server in order to verify the communication.
o Also verify the output of 'show itl' & 'show cert own TVS'
 
 
!! Truncated TVS Logs output !!
 
     14:46:40.795 |-->debug 
     14:46:40.795 |   debug CertificateCTLCache::getCertificateInformation - Looking up the certificate cache using Unique MAP ID : 763555F42ED2834ACN=CRALV1-CM2;OU=SINGAPORE;O=CASINO REGURATORY AUTHORITY OF SINGAPORE;L=SINGAPORE;ST=SINGAPORE;C=SG
     14:46:40.795 |<--debug 
     14:46:40.795 |-->debug 
     14:46:40.795 |   debug ERROR:CertificateCTLCache::getCertificateInformation - Cannot find the certificate in the cache <<<<<<<<<<<<<<<
     14:46:40.795 |<--debug 
     14:46:40.795 |-->debug 
     14:46:40.795 |   debug getCertificateInformation(cert) : certificate not found <<<<<<<<<<<<<<<
     14:46:40.795 |<--debug 
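To make the two traces above easier to correlate in practice, here is an added Python example (not from the original document, and not a Cisco tool) that parses SECD console lines from the phone and CertificateCTLCache lines from the TVS trace, extracts the server, port, SEC-ERR subcode and the certificate subject TVS looked up, and reports whether the failure matches the "certificate not in TVS cache" pattern described here. The sample log lines are constructed from the truncated output above; the certificate subject in the TVS sample is a placeholder, and the regular expressions are assumptions based on the line formats shown on this page.

```python
"""Correlate a phone's SECD console log with the CUCM TVS trace to explain
why an HTTPS (8443) Corporate Directory lookup fails certificate validation."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: abbreviated SECD lines modelled on the document's phone console output.
PHONE_CONSOLE_LOG = """\
2011: NOT 13:44:07.103346 SECD: clpClntRd: clnt closed conn to <12.12.12.12> c:-1 s:-1
2012: ERR 13:44:07.117869 SECD: Authentication failed for the HTTPS conn via TVS
2013: NOT 13:44:07.118500 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED ** <12.12.12.12>
2014: ERR 13:44:07.119510 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:<12.12.12.12:8443>
2020: ERR 13:44:07.123718 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
2021: ERR 13:44:07.124272 SECD: EROR:clpSndStatus: ** SEC-ERR: desc <HTTPS cert failed auth via TVS>
"""

# Constructed sample TVS trace; the MAP ID and certificate subject are placeholders.
TVS_TRACE_LOG = """\
14:46:40.795 |   debug CertificateCTLCache::getCertificateInformation - Looking up the certificate cache using Unique MAP ID : 0A1B2C3D4E5F6A7BCN=CUCM-SUB-EXAMPLE;OU=VOICE;O=EXAMPLE CORP;L=CITY;ST=STATE;C=US
14:46:40.795 |   debug ERROR:CertificateCTLCache::getCertificateInformation - Cannot find the certificate in the cache <<<<<<<<<<<<<<<
14:46:40.795 |   debug getCertificateInformation(cert) : certificate not found <<<<<<<<<<<<<<<
"""

# Patterns are assumptions derived from the line formats quoted in this document.
HANDSHAKE_RE = re.compile(r"handshake failure:<(?P<host>[0-9.]+):(?P<port>\d+)>")
SECERR_RE = re.compile(r"SEC-ERR: code:(?P<code>\d+)\([^)]*\) subcode:(?P<subcode>\d+)\((?P<subname>[^)]*)\)")
DESC_RE = re.compile(r"SEC-ERR: desc <(?P<desc>[^>]+)>")
# The hex MAP ID runs straight into the subject DN, so backtracking splits them at "CN=".
TVS_LOOKUP_RE = re.compile(r"Unique MAP ID : (?P<mapid>[0-9A-F]+)(?P<subject>CN=.*)$")
TVS_MISS_RE = re.compile(r"Cannot find the certificate in the cache")


@dataclass
class DirectoryTlsFinding:
    server: Optional[str] = None        # CUCM node the phone tried to reach
    port: Optional[int] = None          # TCP port of the failed handshake
    sec_err_subcode: Optional[str] = None  # e.g. UNKNOWN_CERT
    phone_desc: Optional[str] = None    # SECD's human-readable description
    tvs_subject: Optional[str] = None   # subject DN TVS looked up in its cache
    tvs_cache_miss: bool = False        # TVS reported the cert missing from its cache

    @property
    def verdict(self) -> str:
        """Map the evidence onto the troubleshooting outcome the document describes."""
        if self.port is None:
            return "no TLS handshake failure recorded on the phone"
        if self.sec_err_subcode == "UNKNOWN_CERT" and self.tvs_cache_miss:
            return ("phone rejected the server certificate because TVS did not find it in its "
                    "certificate cache; check 'show itl' / 'show cert own TVS', then reload the "
                    "cache by restarting the TVS service in a maintenance window")
        if self.sec_err_subcode == "UNKNOWN_CERT":
            return ("phone reports UNKNOWN_CERT via TVS but the TVS trace shows no cache miss; "
                    "confirm the phone can reach TVS on TCP 2445 and review the TVS trace")
        return f"handshake to {self.server}:{self.port} failed with subcode {self.sec_err_subcode}"


def correlate(phone_log: str, tvs_log: str) -> DirectoryTlsFinding:
    """Extract the failure chain from both logs into one finding."""
    finding = DirectoryTlsFinding()
    for line in phone_log.splitlines():
        if m := HANDSHAKE_RE.search(line):
            finding.server, finding.port = m["host"], int(m["port"])
        elif m := SECERR_RE.search(line):
            finding.sec_err_subcode = m["subname"]
        elif m := DESC_RE.search(line):
            finding.phone_desc = m["desc"]
    for line in tvs_log.splitlines():
        if m := TVS_LOOKUP_RE.search(line):
            finding.tvs_subject = m["subject"]
        elif TVS_MISS_RE.search(line):
            finding.tvs_cache_miss = True
    return finding


if __name__ == "__main__":
    result = correlate(PHONE_CONSOLE_LOG, TVS_TRACE_LOG)
    print(f"server={result.server} port={result.port} subcode={result.sec_err_subcode}")
    print(f"tvs_subject={result.tvs_subject} cache_miss={result.tvs_cache_miss}")
    print("verdict:", result.verdict)
```

Run it against your own exported phone console log and TVS trace by passing their contents to `correlate()`; the verdict only points at the TVS cache when both the phone-side UNKNOWN_CERT subcode and the TVS-side cache miss are present, so a port-2445 reachability problem (no TVS trace entry at all) is reported separately.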
o Suggested that the customer restart the TVS service in a maintenance window so that the certificate loads into the cache (which resolved the issue)
# Other related references #
Comments
kkeeton
Cisco Employee

I know this is 8 months old, so I hope you got the help you needed. Normally when you see SSL/TLS errors, it's certificate related.

Is this a secure cluster? If you've regenerated certs lately, update your CTL.

Mohit Grover
Level 1

This document was created to help customers who may be facing the same issue.

In my case, the solution had been provided to the customer then and there.

I assume you didn't check the following section :)
## Solution Provided ##
 
Suggested that the customer restart the TVS service in a maintenance window so that the certificate loads into the cache (which resolved the issue)