
Certain phones not registering in Secured cluster.

Hello,

 

I am working on a problem with a 10.5 cluster in Mixed mode using the old type: USB token + CTL client. After an upgrade last year, certain types of phones can't be switched to a Secure profile. All 79XX phones are staying unregistered, while 8821 phones go Rejected. All other types (mostly 88XX) are working just fine. Both problematic types are running the latest firmware. Deleting ITL+CTL doesn't help; even a factory reset on a 7941 didn't help.
I made a packet capture towards the 7941 phone and this is what I see:

cap.jpg

The phone is trying to register with the Subscriber, where all certificates are valid, but I noticed that the CAPF and TVS certs expired long ago on the Publisher, long before the upgrade to 10.5. After that upgrade the problem with 79XX started. The strange thing is that other types, even those that I switched yesterday, are fine.

 

I have several questions here:

1. Is the expired TVS certificate causing the problem?

2. Is it safe to regenerate it and should I do something with the CTL client or just from OS Administration? - I read a lot of articles here and I believe that regenerating only TVS on only one server is safe and I can't lock my phones, but would like to verify.

3. If I regenerate TVS, after restarting TVS and TFTP services clusterwide, should I restart all phones or just the ones that don't want to accept the Security profile?

4. What should I do with the expired CAPF certificate? It has been expired since 2014 and I didn't have any problems until now.

 

Any help would be greatly appreciated!

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Certain phones not registering in Secured cluster.

Focusing on why the phones won’t register first: is the LSC of the phone itself expired? That would definitely cause it and explain why older phone models - which presumably got an LSC years earlier - would have failed first.

Focusing on CAPF next, you will need to regenerate that certificate, validate the new one is added to CAPF-Trust and CallManager-trust, re-run the CTL client to add the new cert to your CTL, restart services, and finally reset phones to pick up the new CTL. After that is done you can renew the LSC on phones and they should register again.

As for TVS, those certificates are included in the ITL but are not used to sign it. You should be able to regenerate the TVS certificate, restart services to get the ITL file updated, and then reset phones to pick up the new ITL.

Read the security guide and this document before proceeding though:
https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html
3 REPLIES 3


Re: Certain phones not registering in Secured cluster.

Thanks a lot Jonathan!
Just one clarification - I should restart all phones after the procedures, right? Or just the ones that currently are not registering?

Re: Certain phones not registering in Secured cluster.

1) As suggested by Jonathan, check the validity of the LSC or MIC of the phones. If you need to check the validity of the certificate, the link below will be helpful:

https://community.cisco.com/t5/collaboration-voice-and-video/how-to-retrieve-certificates-from-cisco-ip-phones/ta-p/3110204

*** Please rate helpful post; Mark "Accept as a Solution" if applicable

Thanks,
Haris
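
The validity check suggested in the replies above can be scripted once a certificate is available as a PEM file (a phone LSC, or the CAPF/TVS certificate). This is an added example, not part of the original thread: the function names, the 30-day warning window and the sample certificates (constructed self-signed stand-ins) are assumptions.

```shell
#!/bin/sh
# cert_status FILE [WARN_DAYS]: prints EXPIRED, EXPIRING, OK or UNREADABLE.
cert_status() {
    file=$1
    warn_days=${2:-30}
    # Anything openssl cannot parse as an X.509 certificate is flagged, not skipped.
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$file" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# report FILE...: one line per certificate with status, notAfter date and subject.
report() {
    for f in "$@"; do
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
        subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
        printf '%-10s %-26s %s (%s)\n' "$(cert_status "$f")" "${end:-n/a}" "$f" "${subj:-n/a}"
    done
}

# make_sample FILE DAYS CN: constructed self-signed certificate used only as test input.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$3" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
    rm -f "$1.key"
}

# Demo on constructed files standing in for exported certificates (names are hypothetical).
tmp=$(mktemp -d)
make_sample "$tmp/CAPF.pem" 3650 constructed-CAPF
make_sample "$tmp/phone-LSC.pem" 1 constructed-phone-LSC
report "$tmp"/*.pem
rm -rf "$tmp"
```

Run `report` over every exported certificate from each node; an EXPIRED or UNREADABLE line is the one to follow up before changing phone security profiles.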