Certain phones not registering in Secured cluster.

givanov
Level 1

Hello,

I am working on a problem with a 10.5 cluster in Mixed mode using the old type: USB token + CTL client. After an upgrade last year certain types of phones can't be switched to the Secure profile. All 79XX phones are staying unregistered, while 8821 phones go Rejected. All other types (mostly 88XX) are working just fine. Both problematic types are running the latest firmware. Deleting ITL+CTL doesn't help; even a factory reset on a 7941 didn't help.
I made a packet capture towards the 7941 phone and this is what I see:

[image: cap.jpg]

The phone is trying to register with the Subscriber, where all certificates are valid, but I noticed that the CAPF and TVS certs expired long ago on the Publisher, long before the upgrade to 10.5. After that upgrade the problem with 79XX started. The strange thing is that other types, even those that I switched yesterday, are fine.

I have several questions here:

1. Is the expired TVS certificate causing the problem?

2. Is it safe to regenerate it, and should I do something with the CTL client or just from OS Administration? - I read a lot of articles here and I believe that regenerating only TVS on only one server is safe and I can't lock my phones, but I would like to verify.

3. If I regenerate TVS and then restart the TVS and TFTP services clusterwide, should I restart all phones or just the ones that don't want to accept the Security profile?

4. What should I do with the expired CAPF certificate? It has been expired since 2014 and I didn't have any problems until now.

 

Any help would be greatly appreciated!

Accepted Solution

Jonathan Schulenberg
Hall of Fame
Focusing on why the phones won’t register first: is the LSC of the phone itself expired? That would definitely cause it and explain why older phone models - which presumably got an LSC years earlier - would have failed first.

Focusing on CAPF next, you will need to regenerate that certificate, validate the new one is added to CAPF-trust and CallManager-trust, re-run the CTL client to add the new cert to your CTL, restart services, and finally reset phones to pick up the new CTL. After that is done you can renew the LSC on phones and they should register again.

As for TVS, those certificates are included in the ITL but are not used to sign it. You should be able to regenerate the TVS certificate, restart services to get the ITL file updated, and then reset phones to pick up the new ITL.

Read the security guide and this document before proceeding though:
https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html

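The LSC question in this answer, written out as an added Go example (not from the thread or from Cisco): it builds constructed CAPF and LSC test certificates, then applies the checks an admin would run on a phone's exported LSC against the cluster's CAPF certificate, including the state every phone is in after CAPF has been regenerated. The names CAPF-old, CAPF-new and SEP0011223344AA are made up, and the ed25519 keys stand in for the RSA keys CUCM and the phones actually use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issueCert builds a constructed test cert: a self-signed CA when parent is nil (standing in for the
// cluster CAPF cert), otherwise a leaf signed by parent (a phone LSC). Real ones come from CUCM/the phone.
func issueCert(cn string, from, to time.Time, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not return errors in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // self-signed, as the CAPF cert normally is
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}
// LSCNeedsRenewal answers "is the LSC of the phone itself expired?" plus two follow-on checks: renewal is also
// needed if the issuing CAPF cert has expired, or if the LSC was not issued by the CAPF cert the cluster now holds.
func LSCNeedsRenewal(lsc, capf *x509.Certificate, now time.Time) (bool, string) {
	if now.After(lsc.NotAfter) {
		return true, "LSC expired " + lsc.NotAfter.Format("2006-01-02")
	}
	if err := lsc.CheckSignatureFrom(capf); err != nil {
		return true, "LSC not issued by current CAPF: " + err.Error()
	}
	if now.After(capf.NotAfter) {
		return true, "issuing CAPF cert expired " + capf.NotAfter.Format("2006-01-02")
	}
	return false, "LSC valid and issued by the current, valid CAPF"
}
func main() {
	now := time.Now()
	// Thread scenario: CAPF expired years ago but had issued this phone a 5-year LSC; CAPF is then regenerated.
	oldCAPF, oldKey := issueCert("CAPF-old", now.AddDate(-7, 0, 0), now.AddDate(-2, 0, 0), nil, nil)
	lsc, _ := issueCert("SEP0011223344AA", now.AddDate(-4, 0, 0), now.AddDate(1, 0, 0), oldCAPF, oldKey)
	newCAPF, _ := issueCert("CAPF-new", now, now.AddDate(5, 0, 0), nil, nil)
	fmt.Println(LSCNeedsRenewal(lsc, oldCAPF, now)) // true: issuing CAPF cert expired
	fmt.Println(LSCNeedsRenewal(lsc, newCAPF, now)) // true: LSC not issued by current CAPF, renew it
}
```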

3 Replies


Thanks a lot Jonathan!
Just one clarification - I should restart all phones after the procedures, right? Or just the ones that currently are not registering?

HARIS_HUSSAIN
VIP Alumni
1) As suggested by Jonathan, check the validity of the LSC or MIC of the phones. If you need to check the validity of the certificate, the following will be helpful:

https://community.cisco.com/t5/collaboration-voice-and-video/how-to-retrieve-certificates-from-cisco-ip-phones/ta-p/3110204

*** Please rate helpful post; Mark "Accept as a Solution" if applicable

Thanks,
Haris