08-10-2011 04:45 AM - last edited on 03-25-2019 08:08 PM by ciscomoderator
Hi all,
I am trying to move phones from one secure cucm 8.0 cluster to another 8.6 cluster (no upgrade).
I thought I would do these steps:
1. Delete LSCs
2. Set the phones to non-secure
3. Add the ip addresses from the 2 new nodes to the old ctl list
4. Change the dhcp tftp option.
Unfortunately I see an "error updating ctl" and the phone is registering to the "old" cucm.
What is my mistake?
Thanks for any help.
08-10-2011 07:02 AM
So, not sure if I'm following this correctly.
3. Add the ip addresses from the 2 new nodes to the old ctl list
If these are separate clusters you need to be running a separate CTL file for each, not sure what you're doing there.
You delete the certificates from the phone and remove the security settings, then you move them to the other cluster and add the new CTL file from this cluster and re-enable security.
HTH
java
If this helps, please rate
www.cisco.com/go/pdihelpdesk
08-10-2011 07:21 AM
Hi,
You're right, I'm trying to move between 2 separate clusters.
On the new cluster I have tried with and without security enabled, but I always have to delete the old ctl manually.
That was the reason why I thought I may have to add the 2 new nodes (pub + sub) to the ctl list...
How can I avoid this manual step?
Kind regards
Steffen
08-10-2011 08:13 AM
The new CTL file would have to be signed by a token included in the "old" CTL file. If you're using new token(s), add them to the old CTL file on the 8.0 cluster and ensure the phones download this before pushing them to the 8.6 cluster.
08-10-2011 08:36 AM
Hi, Jonathan,
I did this step, but unfortunately it does not make a difference.
I also have set the cluster to mixed mode and back... but no change...
08-10-2011 09:16 AM
Okay, what you're trying to do is possible but requires a very specific order of events.
Before I get started I want to ensure we are on the same sheet of music.
The certificate trust list (CTL) is, well, a list of trusted servers. You cannot add servers from different clusters to the CTL so you will have to have different CTL files for each of the clusters. During the phone bootup process the first file a phone asks for is the CTL file.
So the first thing you will want to do is download the CTL files from each of the clusters to your PC. Make sure you keep track of which CTL file is from which cluster. The file that you want to download is CTLFile.tlv. You can use any tftp client to download it.
Now you have to be careful here and make sure no phones are restarted or reset that you aren't ready to move.
Take the CTL file from the new cluster and upload it to the old cluster. You can do this from the OS Admin web interface > software upgrades > TFTP file management. The CTLFile.tlv will have to be at the '/' directory and it will overwrite the current CTL file.
Now restart your TFTP service to make the CTL file active. You'll have to go to Serviceability for this.
Now reset a phone. The phone with the old CTL file will trust the old TFTP server so the phone will download the new CTL file. But after the phone downloads the new CTL file it won't trust the old UCM so the phone won't register to anything right now.
What you can do is set up a new VLAN and a new DHCP pool that has the new TFTP server in it that the phone now trusts.
Change the voice vlan on the interface the phone is connected to, to the new VLAN so the phone will get a new ip and the ip address of the tftp server that it trusts.
The phone should now register to your new cluster.
If any phones reboot on the old cluster while the new CTL file is in place they won't be able to register to anything until they are told about the new TFTP server so you have to be careful no one else is working on the system when you are doing this. You can always upload the old CTL file back to the old cluster using the same process. Just make sure you restart the TFTP service anytime you upload anything to the TFTP server.
Let me know how it turns out.
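Added example, not part of the original post: a small shell check for the "keep track of which CTL file is from which cluster" step, confirming which CTLFile.tlv a TFTP server is actually serving before any phone is reset. The host argument, file names and the demo file contents are placeholders constructed for illustration.

```sh
#!/bin/sh
# Identify which cluster's CTLFile.tlv a TFTP server is currently serving.

# Print the SHA-256 digest of a file; fail if it cannot be read.
ctl_digest() {
    [ -r "$1" ] || return 2
    sha256sum "$1" | cut -d' ' -f1
}

# Fetch CTLFile.tlv from a TFTP server (curl supports tftp:// URLs).
fetch_ctl() {   # usage: fetch_ctl <tftp-host> <output-file>
    curl --silent --show-error -o "$2" "tftp://$1/CTLFile.tlv"
}

# Compare a fetched CTL with the labelled reference copies saved earlier.
# Prints "old", "new" or "unknown".
ctl_label() {   # usage: ctl_label <fetched> <old-reference> <new-reference>
    got=$(ctl_digest "$1") || return 2
    if [ "$got" = "$(ctl_digest "$2")" ]; then
        echo old
    elif [ "$got" = "$(ctl_digest "$3")" ]; then
        echo new
    else
        echo unknown
    fi
}

# Succeeds only when the served file matches the CTL you expect,
# e.g. "new" after the upload and TFTP service restart.
safe_to_reset() {   # usage: safe_to_reset <expected> <fetched> <old-ref> <new-ref>
    [ "$(ctl_label "$2" "$3" "$4")" = "$1" ]
}

# Constructed demo: stand-in files, not real CTL contents.
tmp=$(mktemp -d)
printf 'constructed-old-ctl' > "$tmp/old.tlv"
printf 'constructed-new-ctl' > "$tmp/new.tlv"
cp "$tmp/new.tlv" "$tmp/served.tlv"   # stands in for the output of fetch_ctl
echo "TFTP server is serving the $(ctl_label "$tmp/served.tlv" "$tmp/old.tlv" "$tmp/new.tlv") CTL"
rm -rf "$tmp"
```

Running the same check after a rollback upload should report "old" again before phones on the old cluster are allowed to restart.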
08-17-2011 01:37 AM
Hi All,
https://supportforums.cisco.com/docs/DOC-15799.pdf
I have used the "prepare Cluster for Rollback", worked pretty well.
Thanks for your ideas.
Regards
Steffen