7841 Phones Won't Register with subscribers after enabling security

johnny-sheppard
Level 1

I enabled LSCs and CAPF on CUCM 14. I created a secure profile and added it to 7841 phones. The phones complain about opening a TLS connection to both subscribers, but then register successfully with the publisher. 

8672 ERR Oct 21 06:33:34.760327 (352-28244) SECUREAPP-SECERR_DESC: ** SEC-ERR: desc [Connection timed out]
8673 ERR Oct 21 06:33:34.776076 (23368-23659) JAVA-SCS_CONN_F: ** Failed to connect to target **
8674 ERR Oct 21 06:33:34.776289 (23368-23659) JAVA-SCS_SSL_F: ** SSL/TLS failed to [XXX.XXX.XXX.XXX] error 110

Also, the publisher appears to be listening on port 5061, but not the subscribers, which explains why endpoints can't connect to the subscribers on port 5061. 

show open ports regexp "5061"
Executing.. please wait.


show open ports regexp "5061"
Executing.. please wait.
ccm 20806 ccmbase 356u IPv4 431464 0t0 TCP XXX.XXX.XXX.XXX:5061 (LISTEN)


Any thoughts or feedback are appreciated. 
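The thread's diagnosis rests on comparing `show open ports regexp "5061"` output across cluster nodes. The following is an added example (not code from the original post or from Cisco): a small parser that reads that lsof-style output collected from each node and reports which nodes have no TLS listener on 5061. The node names, addresses and sample outputs are constructed for the example, modelled on the lines quoted above.

```python
import re
from typing import Dict, List

# One line of CUCM "show open ports" output (lsof-style), for example:
#   ccm 20806 ccmbase 356u IPv4 431464 0t0 TCP 192.0.2.10:5061 (LISTEN)
# Fields: process, pid, user, fd, family, device, size/offset, protocol,
# address:port, state.
LISTEN_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)


def listeners(output: str, port: int) -> List[str]:
    """Return the process names that are in LISTEN state on `port`.

    Non-matching lines (the echoed command, "Executing.. please wait.",
    blank lines) are ignored, so raw CLI captures can be passed in as-is.
    """
    found = []
    for line in output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m and int(m.group("port")) == port:
            found.append(m.group("proc"))
    return found


def audit_cluster(outputs: Dict[str, str], port: int = 5061) -> Dict[str, bool]:
    """Map each node name to whether any process listens on `port` there."""
    return {node: bool(listeners(text, port)) for node, text in outputs.items()}


def missing_listeners(outputs: Dict[str, str], port: int = 5061) -> List[str]:
    """Sorted list of nodes where nothing listens on `port` (the subs in the thread)."""
    return sorted(node for node, ok in audit_cluster(outputs, port).items() if not ok)


# Constructed sample captures (hypothetical node names and documentation-range
# addresses): the publisher shows a ccm listener, the subscriber shows none.
SAMPLE_OUTPUTS = {
    "cucm-pub": (
        'show open ports regexp "5061"\n'
        "Executing.. please wait.\n"
        "ccm 20806 ccmbase 356u IPv4 431464 0t0 TCP 192.0.2.10:5061 (LISTEN)\n"
    ),
    "cucm-sub1": (
        'show open ports regexp "5061"\n'
        "Executing.. please wait.\n"
    ),
}

if __name__ == "__main__":
    for node in missing_listeners(SAMPLE_OUTPUTS):
        print(f"{node}: no listener on TCP 5061; the CallManager service was "
              "not restarted after the cluster changed to mixed mode")
```

Run it against a capture from every node before touching phone security profiles: a node that is missing from the listener list is a service-restart problem on the server side, not a phone, profile or firewall problem, which is exactly the distinction the rest of this thread turns on.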

4 Replies

BusRentalDubai
Level 1

Make sure your subscribers are configured to listen on port 5061. You might need to adjust the SIP trunk security profile and ensure it's properly applied to your subscribers. Checking firewall rules to ensure they allow traffic on port 5061 could also help resolve the issue.

johnny-sheppard
Level 1

Ugghh....I just realized I didn't restart the ccm.exe service on the subs. I just restarted it on the secondary subscriber where no phones are currently registered and suddenly it's listening on port 5061. Looks like an ID10T error. 

Please Disregard

johnny-sheppard
Level 1

So after putting the cluster into mixed mode with CLI 'utils ctl set-cluster mixed-mode', restart CCM and TFTP services on your subscribers as the documentation clearly states. 

Reminder that LSCs do not renew automatically and the phone will unregister if it expires. Add this to whatever your cert renewal process is. I suggest a BAT job per-Device Pool to initiate bulk renewals.

Unless you specifically need the LSC for 802.1x purposes, you can avoid CAPF in favor of SIP OAuth for current-generation endpoints. The OAuth tokens automatically refresh themselves forever as long as the phone is online.