10-21-2024 06:03 AM
I enabled LSCs and CAPF on CUCM 14. I created a secure profile and added it to 7841 phones. The phones complain about opening a TLS connection to both subscribers, but then register successfully with the publisher.
8672 ERR Oct 21 06:33:34.760327 (352-28244) SECUREAPP-SECERR_DESC: ** SEC-ERR: desc [Connection timed out]
8673 ERR Oct 21 06:33:34.776076 (23368-23659) JAVA-SCS_CONN_F: ** Failed to connect to target **
8674 ERR Oct 21 06:33:34.776289 (23368-23659) JAVA-SCS_SSL_F: ** SSL/TLS failed to [XXX.XXX.XXX.XXX] error 110
Also, the publisher appears to be listening on port 5061, but not the subscribers, which explains why endpoints can't connect to the subscribers on port 5061.
show open ports regexp "5061"
Executing.. please wait.
show open ports regexp "5061"
Executing.. please wait.
ccm 20806 ccmbase 356u IPv4 431464 0t0 TCP XXX.XXX.XXX.XXX:5061 (LISTEN)
Any thoughts or feedback are appreciated.
10-21-2024 06:45 AM
Make sure your subscribers are configured to listen on port 5061. You might need to adjust the SIP trunk security profile and ensure it's properly applied to your subscribers. Checking firewall rules to ensure they allow traffic on port 5061 could also help resolve the issue.
10-21-2024 06:46 AM
Ugghh....I just realized I didn't restart the ccm.exe service on the subs. I just restarted it on the secondary subscriber where no phones are currently registered and suddenly it's listening on port 5061. Looks like an ID10T error.
Please Disregard
10-21-2024 06:51 AM
So after putting the cluster into mixed mode with CLI 'utils ctl set-cluster mixed-mode', restart CCM and TFTP services on your subscribers as the documentation clearly states.
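A quick way to confirm the fix took on every node, instead of checking `show open ports` one server at a time, is to probe TCP/TLS 5061 on each CUCM node from an admin host. The script below is an added example for this thread, not Cisco code or anything from the original posts; the node names are placeholders. It distinguishes the three outcomes that matter here: a completed TCP connect (the service is bound to 5061), a refused connect (the node is up but CCM is not listening there, which is the state the subscribers were in before the restart), and a timeout (consistent with the phone's "error 110", which is ETIMEDOUT on Linux, and usually a firewall or routing problem rather than the service). An optional TLS handshake probe reports the protocol the listener negotiates.

```python
import errno
import socket
import ssl
from dataclasses import dataclass

SIP_TLS_PORT = 5061
PROBE_TIMEOUT = 3.0

# Placeholder node list (assumption for this example): publisher plus two subscribers.
CLUSTER_NODES = ["cucm-pub.example.local", "cucm-sub1.example.local", "cucm-sub2.example.local"]


@dataclass
class ProbeResult:
    host: str
    port: int
    status: str          # "listening", "refused", "timed out" or "unreachable"
    detail: str = ""


def probe_tcp(host: str, port: int = SIP_TLS_PORT, timeout: float = PROBE_TIMEOUT) -> ProbeResult:
    """Plain TCP connect to host:port and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, "listening")
    except socket.timeout:
        # No SYN/ACK within the timeout: the phone log's "error 110" is
        # errno 110 / ETIMEDOUT on Linux, i.e. this case.
        return ProbeResult(host, port, "timed out", f"errno {errno.ETIMEDOUT} (ETIMEDOUT)")
    except ConnectionRefusedError:
        # RST came back: host reachable, nothing bound to the port
        # (a subscriber whose CCM service was not restarted looks like this).
        return ProbeResult(host, port, "refused", "RST received: service not listening")
    except OSError as exc:
        return ProbeResult(host, port, "unreachable", str(exc))


def probe_tls(host: str, port: int = SIP_TLS_PORT, timeout: float = PROBE_TIMEOUT) -> ProbeResult:
    """TCP connect plus TLS handshake; reports the negotiated protocol version.

    Certificate verification is disabled on purpose: this only checks that the
    listener completes a handshake. Validating the CallManager certificate
    against the CTL is the phone's job, not this probe's.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ProbeResult(host, port, "listening", f"TLS handshake ok, {tls.version()}")
    except ssl.SSLError as exc:
        return ProbeResult(host, port, "listening", f"TCP open but TLS handshake failed: {exc}")
    except socket.timeout:
        return ProbeResult(host, port, "timed out", f"errno {errno.ETIMEDOUT} (ETIMEDOUT)")
    except ConnectionRefusedError:
        return ProbeResult(host, port, "refused", "RST received: service not listening")
    except OSError as exc:
        return ProbeResult(host, port, "unreachable", str(exc))


def check_cluster(nodes, port: int = SIP_TLS_PORT, timeout: float = PROBE_TIMEOUT, tls: bool = False):
    """Probe every node; return (results, nodes_not_listening)."""
    probe = probe_tls if tls else probe_tcp
    results = [probe(n, port, timeout) for n in nodes]
    missing = [r.host for r in results if r.status != "listening"]
    return results, missing


if __name__ == "__main__":
    results, missing = check_cluster(CLUSTER_NODES, tls=True)
    for r in results:
        print(f"{r.host}:{r.port}  {r.status:<11} {r.detail}")
    if missing:
        print("\nNot listening on 5061 (restart CCM/TFTP after enabling mixed mode):", ", ".join(missing))
```

Run it before and after the service restart; every node should move to `listening` with a successful handshake. A `refused` result on a subscriber while the publisher is `listening` is exactly the symptom in this thread; a `timed out` result points at the network path rather than the CUCM service.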
10-21-2024 09:31 AM
Reminder that LSCs do not renew automatically and the phone will unregister if it expires. Add this to whatever your cert renewal process is. I suggest a BAT job per-Device Pool to initiate bulk renewals.
Unless you specifically need the LSC for 802.1x purposes, you can avoid CAPF in favor of SIP OAuth for current-generation endpoints. The OAuth tokens automatically refresh themselves forever as long as the phone is online.