cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
542
Views
0
Helpful
3
Replies

7841 register question

dotttts
Level 1
Level 1

My company changed their DHCP server. They didn't configure DHCP options for tftp. I did a packet capture on the port and didn't see the options 66 or150. I took a phone that was registered and rebooted the phone and it came up and registered. The pcap showed it only reached out for a dns request for the url for the cm. I factory reset the phone which deleted the itl file and bricked it/wouldn't register. The phone then had ip address, but no server addresses for tftp/server. The pcap showed DHCP.... But with no 150 or 66 and no dns request for the cm url. So is the phone getting the config file when rebooting by using the itl file or is the phone storing the config file and when you factory reset it it bricks it.

1 Accepted Solution

Accepted Solutions

Cisco phones use option 150, which will be your tftp server ip address. The phone download the configuration files from tftp which contains the server which it can register and also it contains the phone configuration . Based on the configuration files phone register with the mentioned cucm order.

Unless you reset the network settings from phones, Cisco phone hold the ip details and that cause  the phone to register even after the reboot. 
when you deleted the itl file, it also reset the phones which made the phone not to register.

Itl is basically the certificate chain,

ITL File Contents

The ITL file contains the following certificates:

  • The CallManager certificate of the TFTP server—This certificate allows you to authenticate the ITL file signature and the phone configuration file signature.

  • All the TVS certificates available on the cluster—These certificates allow the phone to communicate to TVS securely and to request certificates authentication.

  • The CAPF certificate—These certificates support configuration file encryption. The CAPF certificate isn't required in the ITL File (TVS can authenticate it), however, it simplifies the connection to CAPF.

The ITL file contains a record for each certificate. Each record contains:

  • A certificate

  • Pre-extracted certificate fields for easy lookup by the Cisco IP Phone

  • Certificate role (TFTP, CUCM, TFTP+CCM, CAPF, TVS, SAST)

The TFTP server's CallManager certificate is present in two ITL records with two different roles:

  • TFTP or the TFTP and CCM role—To authenticate configuration file signature.

  • SAST role—To authenticate the ITL file signature.



Response Signature


View solution in original post

3 Replies 3

Cisco phones use option 150, which will be your tftp server ip address. The phone download the configuration files from tftp which contains the server which it can register and also it contains the phone configuration . Based on the configuration files phone register with the mentioned cucm order.

Unless you reset the network settings from phones, Cisco phone hold the ip details and that cause  the phone to register even after the reboot. 
when you deleted the itl file, it also reset the phones which made the phone not to register.

Itl is basically the certificate chain,

ITL File Contents

The ITL file contains the following certificates:

  • The CallManager certificate of the TFTP server—This certificate allows you to authenticate the ITL file signature and the phone configuration file signature.

  • All the TVS certificates available on the cluster—These certificates allow the phone to communicate to TVS securely and to request certificates authentication.

  • The CAPF certificate—These certificates support configuration file encryption. The CAPF certificate isn't required in the ITL File (TVS can authenticate it), however, it simplifies the connection to CAPF.

The ITL file contains a record for each certificate. Each record contains:

  • A certificate

  • Pre-extracted certificate fields for easy lookup by the Cisco IP Phone

  • Certificate role (TFTP, CUCM, TFTP+CCM, CAPF, TVS, SAST)

The TFTP server's CallManager certificate is present in two ITL records with two different roles:

  • TFTP or the TFTP and CCM role—To authenticate configuration file signature.

  • SAST role—To authenticate the ITL file signature.



Response Signature


Thank you for the incredible detailed explanation. Have a good one, thanks.

I rebooted a 7841 and plugged it into a standalone switch with no config. The 7841 didnt retain anything I can see other than the itl file. I was looking thru the menuing on the phone, with the phone buttons.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: