03-05-2023 08:08 AM
My company changed their DHCP server. They didn't configure DHCP options for TFTP. I did a packet capture on the port and didn't see options 66 or 150. I took a phone that was registered and rebooted it, and it came up and registered. The pcap showed it only reached out with a DNS request for the URL for the CM. I factory reset the phone, which deleted the ITL file and bricked it/wouldn't register. The phone then had an IP address, but no server addresses for TFTP/server. The pcap showed DHCP... but with no 150 or 66 and no DNS request for the CM URL. So is the phone getting the config file when rebooting by using the ITL file, or is the phone storing the config file and when you factory reset it, it bricks it?
03-05-2023 08:20 AM
Cisco phones use option 150, which will be your TFTP server IP address. The phone downloads the configuration files from TFTP, which contain the server it can register with and also the phone configuration. Based on the configuration files, the phone registers with the mentioned CUCM order.
Unless you reset the network settings from the phones, Cisco phones hold the IP details, and that causes the phone to register even after the reboot.
When you deleted the ITL file, it also reset the phone, which made the phone not register.
ITL is basically the certificate chain.
The ITL file contains the following certificates:
The CallManager certificate of the TFTP server—This certificate allows you to authenticate the ITL file signature and the phone configuration file signature.
All the TVS certificates available on the cluster—These certificates allow the phone to communicate to TVS securely and to request certificates authentication.
The CAPF certificate—These certificates support configuration file encryption. The CAPF certificate isn't required in the ITL File (TVS can authenticate it), however, it simplifies the connection to CAPF.
The ITL file contains a record for each certificate. Each record contains:
A certificate
Pre-extracted certificate fields for easy lookup by the Cisco IP Phone
Certificate role (TFTP, CUCM, TFTP+CCM, CAPF, TVS, SAST)
The TFTP server's CallManager certificate is present in two ITL records with two different roles:
TFTP or the TFTP and CCM role—To authenticate configuration file signature.
SAST role—To authenticate the ITL file signature.
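Added example, not part of the original posts: a check for the condition described in this thread, whether a DHCP reply carries option 66 or option 150. It parses the options field of a DHCP message (the bytes after the magic cookie); the function names are this example's own and the two sample byte strings are constructed.

```python
import ipaddress

PAD, END = 0, 255
OPT_TFTP_NAME = 66    # RFC 2132: TFTP server name (string)
OPT_TFTP_ADDRS = 150  # RFC 5859: list of TFTP server IPv4 addresses (Cisco)

def parse_dhcp_options(raw):
    """Parse a DHCP options field (code/length/value triplets) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {code} truncated before its length byte")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, {len(value)} present")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeated codes concatenate
        i += 2 + length
    return opts

def tftp_sources(raw):
    """Return what the DHCP reply tells a phone about its TFTP server, if anything."""
    opts = parse_dhcp_options(raw)
    name = opts.get(OPT_TFTP_NAME)
    addrs = opts.get(OPT_TFTP_ADDRS, b"")
    if len(addrs) % 4:
        raise ValueError("option 150 length is not a multiple of 4")
    return {
        "option66": name.rstrip(b"\x00").decode("ascii", "replace") if name else None,
        "option150": [str(ipaddress.IPv4Address(addrs[j:j + 4])) for j in range(0, len(addrs), 4)],
    }

# Constructed samples: a DHCP ACK with only mask/router/DNS, and one with options 150 and 66.
ACK_WITHOUT_TFTP = bytes([53, 1, 5, 1, 4, 255, 255, 255, 0, 3, 4, 10, 0, 0, 1, 6, 4, 10, 0, 0, 53, 255])
ACK_WITH_TFTP = bytes([53, 1, 5, 150, 8, 10, 0, 0, 10, 10, 0, 0, 11, 66, 9]) + b"10.0.0.10" + bytes([255])

if __name__ == "__main__":
    for label, sample in (("without", ACK_WITHOUT_TFTP), ("with", ACK_WITH_TFTP)):
        print(label, tftp_sources(sample))
```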
03-05-2023 10:24 AM
Thank you for the incredibly detailed explanation. Have a good one, thanks.
03-06-2023 06:01 PM
I rebooted a 7841 and plugged it into a standalone switch with no config. The 7841 didn't retain anything I can see other than the ITL file. I was looking through the menuing on the phone, with the phone buttons.