Solved: CAPF....The great mystery

shingetter · ‎12-19-2022

I have have two servers in a cluster:

PUB is X.X.24.22

SUB is X.X.24.13

If I go to "services parameters" and select my PUB the CAPF service is not listed in the next drop-down box, but if I go to the SUB it's listed there and it's active. I've verified that X.X.24.22 is my PUB with the "utils service list" command under the cli. Also, if I check the service activation option the CAPF service is only list under 24.22 and not 24.13. How would on go about getting the CAPF services running on the PUB??

Jonathan Schulenberg · ‎12-20-2022

So you have the option to activate & start CAPF on the pub but the service is missing from the Service Parameter page on the pub? Is it missing if you select the pub from the subscriber’s webpage? Either way that’s clearly a bug. TAC case or upgrade.

While on the topic, as of CUCM 14 and current generation 7800/8800 phones you can use OAuth tokens for a secure environment instead. CAPF is relegated to:

802.1x certificates-based authentication
TLS for legacy phones, eg 7900
TLS for TelePresence and Cisco Room/Desk endpoints

View solution in original post

shingetter · ‎12-19-2022

ALSO!!! We did a packet capture on our switch and see devices reaching out to X.X.24.13, but we see out responses back...just a bunch TCP retransmission from the device.

Jonathan Schulenberg · ‎12-20-2022

So you have the option to activate & start CAPF on the pub but the service is missing from the Service Parameter page on the pub? Is it missing if you select the pub from the subscriber’s webpage? Either way that’s clearly a bug. TAC case or upgrade.

While on the topic, as of CUCM 14 and current generation 7800/8800 phones you can use OAuth tokens for a secure environment instead. CAPF is relegated to:

802.1x certificates-based authentication
TLS for legacy phones, eg 7900
TLS for TelePresence and Cisco Room/Desk endpoints

shingetter · ‎12-20-2022

Your statement is correct. I've attached some screenshots.