
78xx 7800 7821 "Host not found" Corporate Directory

Hello Community,

Following scenario:

Encrypted SIP phones 7911, 7931, 7962, 7975 on CUCM 8.6.2 have had access to the corporate directory for a long time, and it works fine.

Today I added 7821 SIP phones and they work fine, but there is no access to the corporate directory; the message "host not found" appears. It also does not work with a non-secure SIP profile.

The config is the same as for the other phones, nothing different. They get the same IP address range, same DNS, same TFTP server, etc.

The cluster has 3 servers: PUB1, SUB1 and SUB2. The phones are registered at SUB1. To me it seems there may be a problem with the TVS certification.

But how could I fix this?

Please see the attached trace from the phone.

I hope the community can help me solve the issue.

Many thanks in advance.

HTH, please rate all useful posts and right answers.


Nishant Savalia

Hi Armin,

Please refer to the link below and see if this helps you.

https://supportforums.cisco.com/thread/2158953


Regards, Nishant Savalia

Hi, we already work w/ IP addresses and the TVS entry is also IP based, so from this point of view that should not be the problem. I tried it several times: w/ the 7962 it works fine, but not w/ the 7821. The 7821 and 7962 config files seem 100% identical regarding directory service and TVS.

It seems to me that it has something to do w/ the new device "7821". To handle the 7821 as a device in CUCM I had to install a Device Package.

CUCM does not accept the XML request, w/ this error:

See also the attachment.

8396 NOT 09:22:05.536516 SECUREAPP-No match found in trust list against the item

8397 NOT 09:22:05.536784 SECUREAPP-Using TVS for cert validation

8398 NOT 09:22:05.536973 SECUREAPP-Waiting for TVS response - will retry; retry count: <0>

8399 NOT 09:22:05.669941 SECUREAPP-Attempting connect to TVS server addr [10.199.188.178], mode [IPv4]

8400 NOT 09:22:05.670398 SECUREAPP-TOS set to [96] on sock, [10.199.188.178][10]

8401 NOT 09:22:12.677336 SECUREAPP-[errno=Connection timed out] TCP connect() failed, [10.199.188.178] [10] mode[0] port[2445]

8402 NOT 09:22:12.677808 SECUREAPP-TVS failed connect using [IPv4] mode, will attempt to fail over to [IPv6] mode Addresses if available.

8403 NOT 09:22:12.678106 SECUREAPP-TOS set to [96] on sock, [][10]

8404 NOT 09:22:12.678645 SECUREAPP-[errno=Connection refused] TCP connect() failed, [] [10] mode[1] port[2445]

8405 NOT 09:22:12.678887 SECUREAPP-Invalid BIO object

8406 NOT 09:22:12.679078 SECUREAPP-TVS provider Init - connect returned invalid srvr sock: -1

8407 NOT 09:22:12.679301 SECUREAPP-secStartCustomTVSService stopped - SEC_TVS_REASON_COMMUNICATION_ERROR

8408 NOT 09:22:12.679573 SECUREAPP-secStartCustomTVSService stopped - SEC_TVS_REASON_SUCCESS

8409 NOT 09:22:12.680321 SECUREAPP-TVS Cert Validation - provider returned NULL response

8410 NOT 09:22:12.680430 SECUREAPP-Failed to validate cert using TVS

8411 INF 09:22:12.707173 JAVA: SSL session setup Cert Verification - Certificate validation helper plugin returned.

8412 ERR 09:22:12.707349 JAVA: SSL session setup Cert Verification - Certificate is invalid.

8413 DEB 09:22:12.707403 JAVA: SSL session setup Cert Verification - returning validation result = 0

8414 ERR 09:22:12.707449 JAVA: Sec SSL Connection - Handshake failed.

8415 DEB 09:22:12.707489 JAVA: SSL shutdown.

8416 DEB 09:22:12.707529 JAVA: BIO reset.

8417 DEB 09:22:12.707568 JAVA: SSL free.

8418 DEB 09:22:12.707607 JAVA: Closing socket

But the 7821 has loaded the right CTL and ITL file.

HTH, please rate all useful posts and right answers.


Hi Armin,

The log shows that the connection to TVS timed out for port 2445.

8397 NOT 09:22:05.536784 SECUREAPP-Using TVS for cert validation

8398 NOT 09:22:05.536973 SECUREAPP-Waiting for TVS response - will retry; retry count: <0>

8399 NOT 09:22:05.669941 SECUREAPP-Attempting connect to TVS server addr [10.199.188.178], mode [IPv4]

8400 NOT 09:22:05.670398 SECUREAPP-TOS set to [96] on sock, [10.199.188.178][10]

8401 NOT 09:22:12.677336 SECUREAPP-[errno=Connection timed out] TCP connect() failed, [10.199.188.178] [10] mode[0] port[2445]

8402 NOT 09:22:12.677808 SECUREAPP-TVS failed connect using [IPv4] mode, will attempt to fail over to [IPv6] mode Addresses if available.

What you can do is try to delete the CTL/ITL file or factory reset the phone and capture the logs with Wireshark.

After that you can see from the logs whether the phone has downloaded the CTL/ITL file successfully.

You can also refer to the link below, which will give you an idea about the certificate validation process.

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080c1701f.shtml


Regards, Nishant Savalia

Hi, many thanks for supporting me. I am sure that the CTL/ITL file in the phone loaded correctly, because I have already verified it w/ the CUCM.

HTH, please rate all useful posts and right answers.


Hi Armin,

Installation of a Device Pack requires a cluster reboot. Hope that has been done.

The logs say that there is a timeout connecting to the TVS server.

Next Action Plan:

Restart TFTP and TVS

Next Action Plan:

Perform similar action with working and non-working phone.

E.g. delete 2 phones, one good and one bad. Add the 2 phones to the CUCM and register them. Now check the IP Phone Directory on both phones.

If the issue persists on both phones, then the issue persists for all the phones, not the 7821 only.

What security is involved in the cluster? ITL/CTL/TLS?


Regards, Tirtha

Hi Tirtha, yes --> I restarted the cluster after installing the dev. pack.

I restarted TFTP and TVS several times, but still "host not found". From the 7962 it works fine, but still not from the new 7821.

The phones are encrypted, but it does not depend on encryption. For the traces I changed to non-secure --> the 7962 works and the 7821 does not.

Both phones have the same IP and link for the Corp. Directory.

I will trace the good and the not-good case and come back.

Thanks Armin

HTH, please rate all useful posts and right answers.


...it now also works w/ the 7821. Strange thing! Both phones work at the same CUCM and in the same network. In both traces I saw that the TVS request works w/ port 2445. But for this network TCP 2445 is "deny". I opened TCP 2445 and it also works w/ the 7821.

The main question is: at the time I had deny on 2445, why did it work w/ 7962, 7975, 8831 etc. and not w/ 78XX phones?

Attached are the phone traces, working and non-working.

HTH, please rate all useful posts and right answers.


Great, Armin,

As mentioned earlier, it was finally the issue with TVS port 2445.

Where is this 78XX phone located? Is it located with the existing phones which were working fine, or is it at a different location?

And I think you forgot to attach the logs. Please attach them.


Regards, Nishant Savalia

Hi Nishant, I had already attached the logs from the phones. As I mentioned in my last answer... both phones work at the same CUCM and in the same network!

HTH, please rate all useful posts and right answers.


Hi Armin,

Can you send the successful log of the 7821, i.e. after opening port 2445?


Regards, Nishant Savalia

Hi, sure. But keep in mind, this is a 7821 working case; thank goodness, I still have no non-working case w/ the 7821 :-).

The question is still open: why do the 7962, 7975 etc. work in the same subnet, same Subscriber etc. with deny tcp 2445?

HTH, please rate all useful posts and right answers.


Hi Armin,

I went through all three attached files. Here is what I suspect you have done to deny and allow port 2445, and here is my understanding.

There are 2 TVS servers in the cluster (which I can see in the 7962 logs):

10.199.188.178

10.199.188.177

I suspect you have blocked/denied port 2445 for IP 10.199.188.178 and not for 10.199.188.177.

In the 7962 working logs, the IP phone tries to connect to the first TVS server, .178. It fails, hence the phone retries after 10 seconds with .177 and validates TVS, hence it works.

But on the 7821, the phone seems to have only one TVS and I do not see the second TVS being invoked anywhere in the logs. It has never tried to reach .177, hence it fails.

Now if you block port 2445 for both .177 and .178, you will experience the same scenario for all the phones.


Regards, Tirtha
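The comparison described in the post above (which configured TVS servers a phone actually tried on port 2445) can be scripted over a phone trace. This is an added example, not part of the original thread or any Cisco tool: the function names `tvs_report` and `failover_gap` are hypothetical, the first sample holds lines quoted from the 7821 trace in this thread, and the second sample is constructed from the same message shapes.

```python
import re

# Message shapes as they appear in the phone trace quoted in this thread.
ATTEMPT = re.compile(r"Attempting connect to TVS server addr \[([^\]]*)\]")
FAILED = re.compile(
    r"\[errno=([^\]]+)\] TCP connect\(\) failed, \[([^\]]*)\] \[\d+\] mode\[\d\] port\[(\d+)\]")

# Both TVS entries from the phones' config files, in priority order.
CONFIGURED = ["10.199.188.178", "10.199.188.177"]

# Lines 8399-8404 (subset) of the 7821 trace posted in this thread.
TRACE_7821 = """\
8399 NOT 09:22:05.669941 SECUREAPP-Attempting connect to TVS server addr [10.199.188.178], mode [IPv4]
8401 NOT 09:22:12.677336 SECUREAPP-[errno=Connection timed out] TCP connect() failed, [10.199.188.178] [10] mode[0] port[2445]
8404 NOT 09:22:12.678645 SECUREAPP-[errno=Connection refused] TCP connect() failed, [] [10] mode[1] port[2445]
"""

# Constructed sample (not from the attachments): a phone that moves on to the second server.
TRACE_FAILOVER = """\
1 NOT 10:00:00.000000 SECUREAPP-Attempting connect to TVS server addr [10.199.188.178], mode [IPv4]
2 NOT 10:00:07.000000 SECUREAPP-[errno=Connection timed out] TCP connect() failed, [10.199.188.178] [10] mode[0] port[2445]
3 NOT 10:00:17.000000 SECUREAPP-Attempting connect to TVS server addr [10.199.188.177], mode [IPv4]
"""

def tvs_report(trace, configured):
    """Map each TVS server to 'never attempted', 'attempted' or 'failed: ...'."""
    status = {ip: "never attempted" for ip in configured}
    for line in trace.splitlines():
        attempt = ATTEMPT.search(line)
        failed = FAILED.search(line)
        if attempt and attempt.group(1):
            status[attempt.group(1)] = "attempted"
        elif failed and failed.group(2):  # "[]" is the IPv6 fallback with no address
            status[failed.group(2)] = f"failed: {failed.group(1)} (port {failed.group(3)})"
    return status

def failover_gap(trace, configured):
    """Configured servers never tried although a connect to another one failed."""
    report = tvs_report(trace, configured)
    if not any(s.startswith("failed") for s in report.values()):
        return []
    return [ip for ip in configured if report[ip] == "never attempted"]

if __name__ == "__main__":
    for name, trace in (("7821", TRACE_7821), ("constructed failover", TRACE_FAILOVER)):
        print(name, tvs_report(trace, CONFIGURED), "gap:", failover_gap(trace, CONFIGURED))
```

A non-empty result from `failover_gap` means a firewall rule covering only one TVS server will break certificate validation for that phone, so TCP 2445 should be checked toward every configured TVS address.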

Hi Tirtha, yes, partially right. To one server 2445 was free and to the other server 2445 was denied. That's true.

But both have the same CUCM Group and both have the same two TVS servers in the XML config file, w/ prio 0 and 1. So I expect the 7821 to go the same way as the 7962 to the second server when server 1 is not reachable over port 2445.

Nothing different!!!!!

Please see here:

7821:

2445 10.199.188.178
2445 10.199.188.177

7962:

2445 10.199.188.178
2445 10.199.188.177


Maybe it is a bug that the 7821 does not try to reach the second one.

HTH, please rate all useful posts and right answers.


Hi Armin,

I knew you would come back with this question about TVS being the same for both phones.

To figure out the answers, ssh to the phones and run show tvs to find the TVS servers for verification.


Regards, Tirtha