Anyone tried "Prepare Cluster for Rollback to Pre-8.0"?

baselzind
Level 6

I'm shifting my phones from CUCM 8.5 to CUCM 12.5. I'm trying to remove the CUCM trust list from the old phones so that they register to the new one without factory resetting them one by one. It is said there is this feature, "Prepare Cluster for Rollback to Pre-8.0", which removes the CUCM trust list, but I'm wondering, has anyone tried it? Do I just set it to true, then restart all my phones, and the trust list would be removed? Then change my option 150 to the new CUCM and the phones will register right away to the new CUCM 12.5?

1 Accepted Solution

Set to true then restart the phones.
Check a random phone if the ITL file has been removed then once confirmed, change option 150 to new Call Manager IP then restart the phones again, it should register to your new Call Manager.


Jaime Valencia
Cisco Employee

There's a lot of material which references the use of that parameter, how to use it and how it works. Which material have you reviewed?

HTH

java

if this helps, please rate

jason-mcgee
Level 3

baselzind,

 

Migrate IP Phones Between Clusters with Cisco Unified Communications Manager and ITL Files

Unified Communications Manager 8.0(1) and later introduced the new Security By Default feature and the use of Initial Trust List (ITL) files. With this new feature, you must be careful when moving phones between different Unified CM clusters and ensure that you follow the proper steps for migration.

Caution

Failure to follow the proper steps may lead to a situation where thousands of phones must manually have their ITL files deleted.


Cisco IP Phones that support the new ITL file must download this special file from their Unified CM TFTP server. Once an ITL file is installed on a phone, all future configuration files and ITL file updates must be signed by one of the following items:

  • The TFTP server certificate that is currently installed on the phone or

  • A TFTP certificate that can be validated by TVS services on one of the clusters. You can find the certificates of TVS services within the cluster listed in the ITL file.

With this new security functionality in mind, three problems can occur when moving a phone from one cluster to another cluster:

  1. The ITL file of the new cluster is not signed by the current ITL file signer, so the phone cannot accept the new ITL file or configuration files.

  2. The TVS servers listed in the existing ITL of the phone may not be reachable when the phones are moved to the new cluster.

  3. Even if the TVS servers are reachable for certificate verification, the old cluster servers may not have the new server certificates.

If one or more of these three problems are encountered, one possible solution is to delete the ITL file manually from all phones being moved between clusters. However, this is not a desirable solution since it requires massive effort as the number of phones increases.

The most preferred option is to make use of the Cisco Unified CM Enterprise Parameter Prepare Cluster for Rollback to pre-8.0. Once this parameter is set to True, the phones download a special ITL file that contains empty TVS and TFTP certificate sections.

When a phone has an empty ITL file, the phone accepts any unsigned configuration file (for migrations to Unified CM pre-8.x clusters), and also accepts any new ITL file (for migrations to different Unified CM 8.x clusters).

The empty ITL file can be verified on the phone by checking Settings > Security > Trust List > ITL. Empty entries appear where the old TVS and TFTP servers used to be.

The phones must have access to the old Unified CM servers only as long as it takes them to download the new empty ITL files.

If you plan to keep the old cluster online, disable the Prepare Cluster for Rollback to pre-8.0 Enterprise Parameter to restore Security By Default.

Flo.Matalis
Level 1
I tried this in my previous projects and noticed that new phones such as the 9971 do not really remove the ITL file. I had to remove it manually one by one.

But the process itself, is it that you just set the option to true then restart the phone? Are there further steps needed?
