Showing results for 
Search instead for 
Did you mean: 



New cm 8 install and I'm having issues with the 7945 phones not being able to download files (ringlist, phone config file, etc) from TFTP.  I think it is related to ITL and the security by default.  My CM is setup with system>server set as IP address.   My voice vlan dhcp scopes are setup with IP addresses for the option 150 values.  When I look at the phone, under the security section and ITL section I see the TFTP server is referred there as the FQDN.  I think my prob is the dhcp scope is IP and its not matching the ITL value.  I've tried deleting the ITL from the phone and restarting the TVS service but still no luck.   Has anyone dealt with this or understand what is going on?  Justin

4 Replies 4


== Edit:  The problem has resurfaced and I am still working with TAC on this issue. ==

Rob Huffman
Hall of Fame Community Legend Hall of Fame Community Legend
Hall of Fame Community Legend

Hi Justin,

Thanks for posting back with your solution here

+5 for helping others with this solution.




The case has been finally resolved.

The problem was with the OU for the call manager exceeding 64 characters.

when we did a "show ITL" on the SSH session tocall manager it showed a wierd OU which had more than 64 characters. We were not expecting such an issue would cause a problem with TVS which is a newly added feature security feature on call manager 8..

Now we have a defect filed for this problem.

The call manager would accept an OU having more than 64 characters but in this case TVS would never work properly.

Till the time certificate for TVS is not generated properly the initial trust list would just be like a corrupt file causing random issues with config download.

Thanks to Justin for discussing this issue.

If we have issues like this its reccomended we take a an output for "show itl" and "show ctl"

Also make sure that we are able to download SEP.cnf.xml.sgn and make sure that the phone is able to down load the signed file from the call manager as well.

the initial troubleshooting would also include regenerating TVS certificate on the call manager.

This is my understanding from various resources on the ITL files in CUCM v8.x:


In versions prior to 8.x, there was no concept of ITL files for the non-secure clusters. So these fileds (CTL, ITL and TVS) were blank in non 8.x versions. When you upgrade to 8.x, it forces all the ip phones to have ITL files downloaded and phones dont trust any file not signed by these ITL keys then onwards.

So when you try to downgrade from version 8.x to 4.x (say), the phones wont accept the new config XML files and hence they would fail to register because of the ITL file.

But thats not all:


Its seems that above information is NOT all correct and complete. We have upgraded from 4.x-->7.1.3-->8.5.1. Now for all the ip phones, xml/http related services dont work like EM and Corp Directory. Configuration changes does not apply to phones and log shows "CTL update failed" error messages. All the above problem vanishes if we manually delete ITL files from the phones.

Could someone please help me in understanding this behaviour?


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers