The problem was temporarily fixed by changing the Secured Directory URL to be the same as the URL Directories (http://IP_OF_CUCM1:8080/ccmcip/xmldirectory.jsp).

But now it doesn't work that way either. Any idea how to proceed?

Are you using DNS instead of IP in CUCM?

http://CUCM-IP:80/ccmcip/xmldirectoryinput.jsp

http://CUCM-IP:8080/ccmcip/xmldirectoryinput.jsp

Use only Internet Explorer, the page will be blank, right click and select view source.

If use see the below message: 

<?xml version="1.0"?>
<CiscoIPPhoneInput>
 <Title>Directory Search</Title>
 <Prompt>Enter search criteria</Prompt>
 <URL>http://172.20.20.15:8080/ccmcip/xmldirectorylist.jsp</URL>
  
    <InputItem>
      <DisplayName>First Name</DisplayName>
      <QueryStringParam>f</QueryStringParam>
      <InputFlags>A</InputFlags>
      <DefaultValue></DefaultValue>
    </InputItem>
  
 <InputItem>
  <DisplayName>Last Name</DisplayName>
  <QueryStringParam>l</QueryStringParam>
  <InputFlags>A</InputFlags>
  <DefaultValue></DefaultValue>
 </InputItem>
  
 <InputItem>
  <DisplayName>Number</DisplayName>
  <QueryStringParam>n</QueryStringParam>
  <InputFlags>T</InputFlags>
  <DefaultValue></DefaultValue>
 </InputItem>
 <SoftKeyItem>
  <Position>1</Position>
  <Name>Search</Name>
  <URL>SoftKey:Submit</URL>
 </SoftKeyItem>
 <SoftKeyItem>
  <Position>2</Position>
  <Name>&lt;&lt;</Name>
  <URL>SoftKey:&lt;&lt;</URL>
 </SoftKeyItem>
 <SoftKeyItem>
  <Position>3</Position>
  <Name>Cancel</Name>
  <URL>SoftKey:Cancel</URL>
 </SoftKeyItem>
</CiscoIPPhoneInput>

Go to Enterprise Parameters > Phone URL Parameters

And make sure the Urls are poiting to the IP Address of the CUCM running tftp services.

If you don't receive the above output, restart the tftp service and check again.

I almost forgot, this might be caused by the phone not accepting response from tftp.

Have you added an new server, changed ip address or changed host name in your cluster.

Also post the status messages from ip-phone. 

CSC thread with the same problem.

CSC document with possible solution

Cisco Doc

Rate if helpful.

Hi,

Both url's you mention open xml and seem to be fine.

In the Enterprise Parameters > Phone URL Parameters we setup URL Directories to point to http://THE_IP_ADDRESS_OF_THE_CUCM1:8080/ccmcip/xmldirectory.jsp

and also setup the same for Secured Directory URL but it doesn't work.

Please post the status message from the ip-phone

When trying to access the directory the phone displays "requesting" and then after a while it says "host not found".

Directories or corporate directories?

As for the status messages, you can find them from:

Settings > Status > Status Messages

I'm suspecting that the issue is with the Trust list:

Try deleting the Trust list from the IP-Phone by going to:

Settings (you will see a lock that is locked), unlock it by pressing **#

Once its unlocked proceed:

Security Connfiguration  > Trust List > ITL File 

Once reach this section you will see the ITL File(ITL File, CAPF Server,TVS, TFTP Server)

to verify if its the same files from you tftp servers(login to cucm) and issue the below command

show itl

admin:show itl
Length of ITL file: 5438
The ITL File was last modified on Wed Jul 27 10:16:24 EDT 2011

        Parse ITL File
        ----------------

Version:        1.2
HeaderLength:   296 (BYTES)

BYTEPOS TAG             LENGTH  VALUE
------- ---             ------  -----
3       SIGNERID        2       110
4       SIGNERNAME      76      CN=CUCM8-Publisher.bbbburns.lab;
                                OU=TAC;O=Cisco;L=RTP;ST=North Carolina;C=US
5       SERIALNUMBER    10      21:00:2D:17:00:00:00:00:00:05
6       CANAME          15      CN=JASBURNS-AD
*Signature omitted for brevity*

The next sections each contain their purpose inside of a special Function parameter. The first function is the System Administrator Security Token. This is the signature of the TFTP public key.

        ITL Record #:1
                  ----
BYTEPOS TAG             LENGTH  VALUE
------- ---             ------  -----
1       RECORDLENGTH    2       1972
2       DNSNAME         2
3       SUBJECTNAME     76      CN=CUCM8-Publisher.bbbburns.lab;
                                OU=TAC;O=Cisco;L=RTP;ST=North Carolina;C=US
4       FUNCTION        2       System Administrator Security Token
5       ISSUERNAME      15      CN=JASBURNS-AD
6       SERIALNUMBER    10      21:00:2D:17:00:00:00:00:00:05
7       PUBLICKEY       140
8       SIGNATURE       256
9       CERTIFICATE     1442    0E 1E 28 0E 5B 5D CC 7A 20 29 61 F5 
                                8A DE 30 40 51 5B C4 89 (SHA1 Hash HEX)
This etoken was used to sign the ITL file.

The next function is CCM+TFTP. This is again the TFTP public key that serves to authenticate and decrypt downloaded TFTP configuration files.

        ITL Record #:2
                  ----
BYTEPOS TAG             LENGTH  VALUE
------- ---             ------  -----
1       RECORDLENGTH    2       1972
2       DNSNAME         2
3       SUBJECTNAME     76      CN=CUCM8-Publisher.bbbburns.lab;
                                OU=TAC;O=Cisco;L=RTP;ST=North Carolina;C=US
4       FUNCTION        2       CCM+TFTP
5       ISSUERNAME      15      CN=JASBURNS-AD
6       SERIALNUMBER    10      21:00:2D:17:00:00:00:00:00:05
7       PUBLICKEY       140
8       SIGNATURE       256
9       CERTIFICATE     1442    0E 1E 28 0E 5B 5D CC 7A 20 29 61 F5 
                                8A DE 30 40 51 5B C4 89 (SHA1 Hash HEX)

The next function is TVS. There is an entry for the public key of each TVS server to which the phone connects. This allows the phone to establish a Secure Sockets Layer (SSL) session to the TVS server.

        ITL Record #:3
                  ----
BYTEPOS TAG             LENGTH  VALUE
------- ---             ------  -----
1       RECORDLENGTH    2       743
2       DNSNAME         2
3       SUBJECTNAME     76      CN=CUCM8-Publisher.bbbburns.lab;
                                OU=TAC;O=Cisco;L=RTP;ST=North Carolina;C=US
4       FUNCTION        2       TVS
5       ISSUERNAME      76      CN=CUCM8-Publisher.bbbburns.lab;
                                OU=TAC;O=Cisco;L=RTP;ST=North Carolina;C=US
6       SERIALNUMBER    8       2E:3E:1A:7B:DA:A6:4D:84
7       PUBLICKEY       270
8       SIGNATURE       256
11      CERTHASH        20      C7 E1 D9 7A CC B0 2B C2 A8 B2 90 FB 
                                AA FE 66 5B EC 41 42 5D
12      HASH ALGORITHM  1       SHA-1

        ITL Record #:4
                  ----
BYTEPOS TAG             LENGTH  VALUE
------- ---             ------  -----
1       RECORDLENGTH    2       455
2       DNSNAME         2
3       SUBJECTNAME     61      CN=CAPF-9c4cba7d;
                                OU=TAC;O=Cisco;L=RTP;ST=North Carolina;C=US
4       FUNCTION        2       CAPF
5       ISSUERNAME      61      CN=CAPF-9c4cba7d;
                                OU=TAC;O=Cisco;L=RTP;ST=North Carolina;C=US
6       SERIALNUMBER    8       0A:DC:6E:77:42:91:4A:53
7       PUBLICKEY       140
8       SIGNATURE       128
11      CERTHASH        20      C7 3D EA 77 94 5E 06 14 D2 90 B1 
                                A1 43 7B 69 84 1D 2D 85 2E
12      HASH ALGORITHM  1       SHA-1

If they dont match, go back to the below steps and erase the ITL File

Security Configuration  > Trust List > ITL File 

At this point you will see ITL File, there will be a more button.

press more and click on erase it will says "earsing CTL and ITL Files" and reboot

We had a similar issue on all web services from the phone. We restarted TFTP and the problem has not re occurred since. We are running 10.5.SU1a CUCM

Hi,

Attached are the messages from the phone.

Phone was completely reset and reconnected to CUCM.

Restarting the TFTP service doesn't help.

At the moment there are phones on which it doesn't work and I have some phones which it IS working. If I restart a phone on which it is working, directory will stop working (Both Personal and Corporate dir. are not working). Also if I don't restart it it will work for a while than it will stop working by itself.

Edit:added new messages file.

I think I'm pretty much where you were.. (CUCM 10.5(2), IP Phones 7841 and 8851).

Did you find the root cause or a permanent workaround after all?

Thx,

/David

Hi ,

We actually have the same issue aswell , and restarting the TFTP and TVS don't seem to have an affect.Phones will work one day and not the next.

CUCM 10.5.1(SU1a) - Phone types 8945,79xx,9951,8851 etc

Can't seem to find anything in the bug search tool

I'm replying to my own question but after another look I found this

This part from the messages seems relevant?

9113 NOT 14:16:45.331254 JAVA: before push tos = 0, socket=50
9114 NOT 14:16:45.332062 JAVA: before push tos = 0, socket=50
9115 NOT 14:16:53.619936 SECUREAPP-SSL_READ error 2
9116 NOT 14:16:53.620083 SECUREAPP-TVS process request - secSend() of certificate Authentication request to TVS server returning EAGAIN, will retry
9117 NOT 14:17:03.511258 SECUREAPP-REQ_TO_ABORT: Req timeout, aborting [request type=(34)(null)]
9118 NOT 14:17:03.511671 SECUREAPP-REQ_ABORT_THREAD: Aborting req thread, tid [1095754864], clnt[/tmp/secClnt_pid_31652_518586435]
9119 NOT 14:17:03.511902 SECUREAPP-REQ_REASON_CODE: Reason  code:[1]([INTERNAL]) subcode:[7]([TIMEOUT])
9120 NOT 14:17:03.512075 SECUREAPP-REQ_CANT_CANCEL: Unable to cancel req thread, tid [1095754864]
9121 INF 14:17:03.565004 JAVA: SSL session setup Cert Verification - Certificate validation helper plugin returned.
9122 ERR 14:17:03.565158 JAVA: SSL session setup Cert Verification - Certificate is invalid.
9123 DEB 14:17:03.565212 JAVA: SSL session setup Cert Verification - returning validation result = 0
9124 ERR 14:17:03.565255 JAVA: Sec SSL Connection - Handshake failed.
9125 DEB 14:17:03.565294 JAVA: SSL shutdown.
9126 DEB 14:17:03.565332 JAVA: BIO reset.
9127 DEB 14:17:03.565369 JAVA: SSL free.
9128 DEB 14:17:03.565406 JAVA: Closing socket.
9129 NOT 14:17:03.565445 JAVA: Sec SSL Close Connection successful.
9130 NOT 14:17:03.565484 JAVA: HTTP JNI| Curl_ssl_secd_connect: return from secSSLConnect, rc=-2
9131 NOT 14:17:03.565523 JAVA: HTTP JNI| Curl_ssl_secd_connect: exit
9132 NOT 14:17:03.565563 JAVA: HTTP JNI| Curl_setup_conn: return from Curl_protocol_connect, result=35
9133 ERR 14:17:03.565602 JAVA: Sec SSL session handle Sanity Check Failed
9134 NOT 14:17:03.565640 JAVA: HTTP JNI| Curl_do_perform: connect_host res=35
9135 NOT 14:17:03.565683 JAVA: HTTP JNI| processHttpRequest: return from http response, url: https://10.157.1.250:8443/ccmcip/xmldirectoryinput.jsp?name=SEP84802DD58EC0, [res] = 35
9136 NOT 14:17:03.565726 JAVA: HTTP JNI| processHttpRequest: request aborted, url: https://10.157.1.250:8443/ccmcip/xmldirectoryinput.jsp?name=SEP84802DD58EC0, [res] = 35
9137 NOT 14:17:03.565766 JAVA: HTTP JNI| processHttpRequest: calling user callback
9138 NOT 14:17:03.566277 JAVA: HTTP JNI| processHttpResponseFromJava: req_id=0, status=19, response code=0
9139 NOT 14:17:03.566495 JAVA: HTTP JNI| processHttpResponseFromJava: content-length=0, content-type=0, charset=, www-authenticate=,             location: , refresh: 0, refreshPath: , date: 0, expires: 0, response file: http_resp_0_0.x
9140 INF 14:17:03.585287 JAVA: HttpClientThread|cip.http.HttpClientConnection:? - response status: 19 for https://10.157.1.250:8443/ccmcip/xmldirectoryinput.jsp?name=SEP84802DD58EC0
9141 WRN 14:17:03.586244 JAVA: HttpClientThread|cip.http.HttpClientConnection:? - listener.httpFailed:  https://10.157.1.250:8443/ccmcip/xmldirectoryinput.jsp?name=SEP84802DD58EC0
9142 NOT 14:17:03.595405 JAVA: HTTP JNI| processHttpResponseFromJava: complete sending response to Java
9143 NOT 14:17:03.596030 JAVA: HTTP JNI| processHttpRequest: complete processing connection 0
9144 NOT 14:17:03.596272 JAVA: HTTP JNI| httpClientProcssingFunc: step 3, complete processing request, req_id=0
9145 NOT 14:17:03.596476 JAVA: HTTP JNI| httpClientProcssingFunc: step 4, update request queue index, new_index=1
9146 NOT 14:17:03.596649 JAVA: HTTP JNI| isHttpClientRunning: is_client_running 1
9147 NOT 14:17:03.653547 JAVA: HTTP JNI| isHttpClientRunning: is_client_running 1
9148 ERR 14:17:03.654042 JAVA: HTTP JNI| cancelHttpRequest: cancel req_id=0 failed, incorrect state=5
 

It seems that restarting the "Cisco Trust Verification Service" fixes the problem for a while.

When the problem occurs the service still shows as started but for some reason dicectory search doesnt work. After stoping and starting the service the directory starts working. For some reason after some time the directory search stops working even though the Cisco Trust Verification Service shows as started.