79xx Series move between 2 secure Clusters

s.lehmann
Level 1

Hi all,

I am trying to move phones from one secure cucm 8.0 cluster to another 8.6 cluster (no upgrade).

I thought I would do these steps:

1. Delete LSCs

2. Set the phones to non-secure

3. Add the ip addresses from the 2 new nodes to the old ctl list

4. Change the dhcp tftp option.

Unfortunately I see an "error updating ctl" and the phone is registering to the "old" cucm.

What is my mistake?

Thanks for any help.

Sent from Cisco Technical Support iPad App

Jaime Valencia
Cisco Employee

So, not sure if I'm following this correctly.

3. Add the ip addresses from the 2 new nodes to the old ctl list

If these are separate clusters you need to be running a separate CTL file for each, not sure what you're doing there.

You delete the certificates from the phone and remove the security settings, then you move them to the other cluster and add the new CTL file from this cluster and re-enable security.

HTH

java

If this helps, please rate

www.cisco.com/go/pdihelpdesk

Hi,

You're right, I'm trying to move between 2 separate clusters.

On the new cluster I have tried with and without security enabled, but I always have to delete the old ctl manually.

That was the reason why I thought I may have to add the 2 new nodes (pub + sub) to the ctl list...

How can I avoid this manual step?

Kind regards

Steffen

Sent from Cisco Technical Support iPad App

The new CTL file would have to be signed by a token included in the "old" CTL file. If you're using new token(s), add them to the old CTL file on the 8.0 cluster and ensure the phones download this before pushing them to the 8.6 cluster.

Hi, Jonathan,

I did this step, but unfortunately it does not make a difference.

I also have set the cluster to mixed mode and back... but no change...

jleehawkins
Level 1

Okay, what you're trying to do is possible but requires a very specific order of events.

Before I get started I want to ensure we are on the same sheet of music.

The certificate trust list (CTL) is, well, a list of trusted servers. You cannot add servers from different clusters to the CTL, so you will have to have different CTL files for each of the clusters. During the phone bootup process, the first file a phone asks for is the CTL file.

So the first thing you will want to do is download the CTL files from each of the clusters to your PC. Make sure you keep track of which CTL file is from which cluster. The file that you want to download is CTLFile.tlv. You can use any TFTP client to download it.

Now you have to be careful here and make sure no phones are restarted or reset that you aren't ready to move.

Take the CTL file from the new cluster and upload it to the old cluster. You can do this from the OS Admin web interface > software upgrades > TFTP file management. The CTLFile.tlv will have to be at the '/' directory and it will overwrite the current CTL file.

Now restart your TFTP service to make the CTL file active. You'll have to go to Serviceability for this.

Now reset a phone. The phone with the old CTL file will trust the old TFTP server, so the phone will download the new CTL file. But after the phone downloads the new CTL file it won't trust the old UCM, so the phone won't register to anything right now.

What you can do is set up a new VLAN and a new DHCP pool that has the new TFTP server in it that the phone now trusts.

Change the voice VLAN on the interface the phone is connected to, to the new VLAN, so the phone will get a new IP and the IP address of the TFTP server that it trusts.

The phone should now register to your new cluster.

If any phones reboot on the old cluster while the new CTL file is in place they won't be able to register to anything until they are told about the new TFTP server, so you have to be careful no one else is working on the system when you are doing this. You can always upload the old CTL file back to the old cluster using the same process. Just make sure you restart the TFTP service anytime you upload anything to the TFTP server.

Let me know how it turns out.
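
An added example, not part of the original replies: a small Python helper for the bookkeeping in the reply above. It downloads CTLFile.tlv over TFTP and reports, by SHA-256, which cluster's CTL file a TFTP server is currently serving, which is worth checking after each upload and TFTP restart and again after a rollback. The function names, labels and sample byte strings are assumptions made for the example, and it does not parse the CTL file or verify its signature.

```python
import hashlib
import socket
import struct

BLOCK = 512  # RFC 1350 data block size when no options are negotiated

def rrq_packet(filename: str) -> bytes:
    """Read request: opcode 1, filename, NUL, transfer mode 'octet', NUL."""
    return struct.pack("!H", 1) + filename.encode("ascii") + b"\0octet\0"

def tftp_get(host: str, filename: str = "CTLFile.tlv", port: int = 69,
             timeout: float = 5.0) -> bytes:
    """Download one file over TFTP; raises socket.timeout if the server stalls."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(rrq_packet(filename), (host, port))
        data, expected = b"", 1
        while True:
            pkt, peer = sock.recvfrom(4 + BLOCK)
            if len(pkt) < 4:
                continue  # too short to be a TFTP packet
            opcode, block = struct.unpack("!HH", pkt[:4])
            if opcode == 5:  # ERROR packet: second field is the error code
                raise OSError(f"TFTP error {block} from {host}")
            if opcode != 3 or block != expected:
                continue  # not the DATA block we are waiting for
            data += pkt[4:]
            sock.sendto(struct.pack("!HH", 4, block), peer)  # ACK this block
            if len(pkt) < 4 + BLOCK:  # a short block ends the transfer
                return data
            expected = (expected + 1) & 0xFFFF

def baseline(blobs: dict) -> dict:
    """Map each cluster label to the SHA-256 of the CTL file saved from it."""
    return {label: hashlib.sha256(b).hexdigest() for label, b in blobs.items()}

def which_ctl(blob: bytes, known: dict) -> str:
    """Name the cluster whose saved CTL file matches blob, or 'UNKNOWN'."""
    digest = hashlib.sha256(blob).hexdigest()
    return next((lbl for lbl, h in known.items() if h == digest), "UNKNOWN")

if __name__ == "__main__":
    # Constructed stand-ins; in use these come from tftp_get("<old-cluster-tftp>")
    # and tftp_get("<new-cluster-tftp>") before anything is uploaded.
    old, new = b"constructed old CTLFile.tlv", b"constructed new CTLFile.tlv"
    known = baseline({"old-cluster": old, "new-cluster": new})
    # After an upload and TFTP restart, re-download and confirm what is served.
    print(which_ctl(new, known))
```

Keep the two baseline downloads on disk as well as their hashes, since the old file is what gets uploaded again for a rollback.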

Hi All,

https://supportforums.cisco.com/docs/DOC-15799.pdf

I have used the "prepare Cluster for Rollback", worked pretty well.

Thanks for your ideas.

Regards

Steffen

Sent from Cisco Technical Support iPad App