Beginner

CME SCCP phone encryption - phones not registering

Hello, I'm trying to configure phone encryption on CME 8.6 but the phones do not get registered.

I've tried the following guides, both without success:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-voice/956-cisco-voice-cme-secure-voip.html

https://www.nsa.gov/ia/_files/voip/cucme_securityguidancedocument.pdf

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeadm/cmeauth.html

On the 7965/7962 phones, under Settings >> Security Configuration >> Trust List, the CTL File is installed (including TFTP Server, Unified CM and CAPF Server certificates), but the ITL File is Not Installed.

The phone remains Registering while debug ephone register shows these errors:

May 1 03:52:14.015: New Skinny socket accepted [2] from 1, sub 1 (1 active)
May 1 03:52:14.015: sin_family 2, sin_port 50484, in_addr 10.0.0.11
May 1 03:52:14.019: add_skinny_secure_socket: pid =394, new_sock=0, ip address = 10.0.0.11
May 1 03:52:14.019: skinny_secure_handshake: pid =394, sock=0, args->pid=394, ip address = 10.0.0.11
May 1 03:52:14.023: Start TLS Handshake 0 10.0.0.11 50484
May 1 03:52:14.027: TLS Handshake retcode OPSSLReadWouldBlockErr
May 1 03:52:15.027: TLS Handshake retcode OPSSLReadWouldBlockErr
May 1 03:52:16.027: TLS Handshake retcode OPSSLReadWouldBlockErr
May 1 03:52:17.035: TLS Handshake error -6992
May 1 03:52:17.035: TLS context configuration FAILED for 0 10.10.10.11 5048
6 REPLIES
Beginner

Hello. Have you found a workaround for this issue?

Thank you.

Beginner

Not yet, still trying to find a solution...

Beginner

Hi, you need the network team to check the ISE configs on the port, or you can do show run interface ....phone port..... to check if it's having dot1x configs.

Else you can contact the security team so that they can add the port into the ISE config.

If the phone port is having dot1x config then remove them, just assign voice and access vlan; once the phones register you can again paste in dot1x configs.

Beginner

If the phone ports are having ISE configs then it can create an issue.

Also you can check the DHCP network mask, if it's correct or not.

And also you need to check the source-address in telephony-service.

Beginner

Hi salmandhunna1, thanks for your reply!

The dhcp network mask and telephony-service ip source-address are correct.

How can I check if the phone port has ISE configs?

Beginner

Hi, you need the network team to check the ISE configs on the port, or you can do show run interface ....phone port..... to check if it's having dot1x configs.

Else you can contact the security team so that they can add the port into the ISE config.

If the phone port is having dot1x config then remove them, just assign voice and access vlan; once the phones register you can again paste in dot1x configs.
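The port check suggested in the replies above can be run offline against a saved running-config. This is an added example, not code from any poster in this thread; the sample config is constructed, and the function names `parse_interfaces` and `dot1x_report` are hypothetical.

```python
import re

# Constructed sample of switch running-config text (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
"""

# Interface-level IOS commands that place a port under 802.1X/MAB control.
# Lines negated with a leading "no " do not match.
DOT1X_LINE = re.compile(r"^(authentication|dot1x|mab|access-session)\b")

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from running-config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def dot1x_report(config):
    """Return {interface: [802.1X-related lines]} for ports with a voice VLAN."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport voice vlan") for l in lines):
            continue  # no voice VLAN, so not treated as a phone port
        report[name] = [l for l in lines if DOT1X_LINE.match(l)]
    return report

if __name__ == "__main__":
    for port, hits in dot1x_report(SAMPLE_CONFIG).items():
        print(port, "->", hits or "no dot1x/authentication lines")
```

An empty list for a port means its stanza carries only VLAN assignment, which is the state the reply describes as the baseline for getting the phones registered.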
