cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1097
Views
0
Helpful
12
Replies

Cisco Communication Manager 8.6 Backups

aquaium79
Level 1
Level 1

We have two Cisco Call Manager appliences, a puplisher and a subscriber. I am trying to carry out a backup but it fails with the message "WARNING: Unable to contact server. Master or Local Agent could be down...". It is successful in backing up the Puplisher but fails when it comes to backing up the Subscriber. The message "Unable to contact server. Master or Local Agent could be down" appears as soon as it comes to backing up the subscriber.

 

I did some research which led me to restarting the Cisco DRF Local service on the Subscriber. However, every time I do this, the service says starting but then returns back to a not running status. Some more research led me to the certificates for IPSEC. Now on my Puplisher I have an IPSEC and an IPSEC-TRUST certificate, both these certificates have the same serial number. On my Subscriber there is only an IPSEC certificate and it has a different serial number to the IPSEC certificate on the Publisher. There is no IPSEC-TRUST certificate on the Subscriber.

 

Is this correct? We've not touched any of this and backups were working fine until recently when we did some network changes and only found out the backups weren't working because the IP address of the backup device had changed.

 

Could someone please point me in the right direction on how to get the backups working successfully, a step-by-step guide would be great. I've read so many conflicting ways the certificates should be set up it's driving me up the wall.

 

Any help would be great and if anyone needs more information from our setup please ask.

 

Thanks in advance.

1 Accepted Solution

Accepted Solutions

Procedure to regenerate ipsec cert in Pub:

Regenerate IPsec
Upon regeneration, the IPsec certificate automatically uploads itself to ipsec-trust.
OS Admin > Security > Certificate Management > Find > Click ipsec certificate > Regenerate

Make sure you are restarting DRF services after regeneration.

View solution in original post

12 Replies 12

Rajan
VIP Alumni
VIP Alumni
Publisher's ipsec certificate should be available in all subscribers as a trust. Since this is missing, you need to do the following:

- Download the publisher ipsec certificate
- Upload it in subscriber as ipsec-trust

Restart DRF master and local services once. This will solve the backup issue.

HTH
Rajan
Pls rate all useful posts by clicking the star below

Hi Rajan,

 

Would restarting the DRF master and local services cause any downtime, would users be affected?

Nope. These services are only used for backup and restore. So it wont affect anything in production.

I tried that but I get the message "Certificate expired on Mon Jul 11 14:20:13 BST 2016" when uploading the ipsec file to the Subscriber. What do I do now?

In that case, you need to regenerate the ipsec cert in Pub first, followed by DRF services restart.
Once regenerated, check the expiry date of ipsec and ipsec-trust cert in Pub. Both should be the same and has a new expiry date.

Then proceed with the above mentioned process of uploading the cert in sub.

HTH
Rajan

Procedure to regenerate ipsec cert in Pub:

Regenerate IPsec
Upon regeneration, the IPsec certificate automatically uploads itself to ipsec-trust.
OS Admin > Security > Certificate Management > Find > Click ipsec certificate > Regenerate

Make sure you are restarting DRF services after regeneration.

Would doing any of this impact the service to our phones? What is IPSEC? What does it actually do? What does regenerating the certificate do and does it have any impact on our current config?

 

Sorry for the million questions, I'm new to all this and just inherited this system.

IPSEC certs in CUCM used for DRF backup and restore. If the certs are self signed certificates, then once it expires, it needs to be regenerated to make it a valid cert.

Regenerating ipsec cert wont affect any current config because as I mentioned this cert and DRF services are used only for backup and restore. So doing all these wont affect anything in production.

HTH
Rajan
Pls rate all useful posts

OK, so I did all that, didn't have to upload the ipsec-trust certificate to the subscriber because it appeared automatically. The problem now is that I can't load anything on the Disaster Recovery System page. I can log in to it fine and the page is displayed but if I select any of the menu options it just hangs and nothing happens. Any ideas?

Have you checked whether the Pub showing the same ipsec cert as ipsec and ipsec-trust ?

Also have you restarted the DRF services on both pub and sub ?

Yes, Publisher has the same ipsec and ipsec-trust certificates. I also restarted the services on both Publisher and Subscriber. Strange thing is I can access the Disaster Recover System via the subscriber and everything works fine, even a manual backup completed successfully. For some reason, it's not working the same on the Publisher. Tried all the menu options and nothing loads.

Looks like the problem resolved itself, restarted the DRF Master and DRF Local service a few more times and it started working again.

 

Thank you Rajan for the help and responding very quickly.