CTL update when replacing a CUCM cluster

dlignier
Level 1

Hi All,

We are planning an upgrade from CUCM 7 on MCS to CUCM 9 on ESXi.
The 2 clusters will be online for 1 or 2 weeks, for tests and training.

The CUCM 9 will be provisioned by a bridge upgrade > DRS backup > fresh install on ESXi > DRS restore.
Then we will change the CUCM 9 IP addresses to bring it online without impacting the CUCM 7.

The cluster is in mixed mode.
I have read that the certificates are part of the DRS backup and restore process.

Before moving the phones from CUCM 7 to 9 (by changing option 150 in DHCP), I'm planning to update the CTL of the phones by adding the CUCM 9 IP addresses. Can I do this? Can the CTL contain the IP addresses of 2 CUCM clusters?

Matthieu



William Bell
VIP Alumni

Matthieu,

I am on a similar upgrade path where I have a CUCM 6.1.3 cluster running in mixed mode and plan to upgrade to 9.1 (using Jump Upgrade Process). I was wondering if you would be willing to share an update on how you moved forward with your upgrade.

-Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla


Dennis Mink
VIP Alumni

Interesting question, more interested in the outcome.

I don't think it is a matter of "can I do this?". It is a matter of having to. Remember, the whole purpose of CTL files is trust, on which encryption and integrity are based. Remember that the phones will only communicate with devices that are in the CTL.

Your problem is essentially that you will need to have two sets of servers in your CTL file: one for v7 and one for v9.

Check this link out. It suggests taking the cluster out of mixed mode, doing your upgrade, and running CTL on your 9 cluster, putting it back into mixed mode. I personally would follow this approach.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_6_1/secugd/secuauth.html#wp1028944

I don't think you can update the CTL file with the new CUCM 9 servers, because you will connect your CTL client to your 7 cluster, and it will have nothing to update, because it is not aware of any CUCM 9 servers.

If you don't do the CTL file update prior to changing option 150, the phones will NOT communicate with your 9 cluster, because it is not trusted according to its CTL, it will not connect to TFTP and will not trust the CAPF.



Yeah. Well, I considered the option of reverting the cluster to non-secure mode. My customer is fine with that idea. The challenge is that, AFAIK, the CTL file is still left on the phones. According to the doc you posted:

Tip

To revert the phone to the default nonsecure mode, you must delete the CTL file from the phone and all Cisco Unified Communications Manager servers.

The only way to delete the CTL from the phones is to manually do it or purchase software that can do it remotely.

I need to see if I can mock this up in the lab.

-Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla


I would concur, and can't find anything out there that would indicate a bulk CTL delete is possible. Now if the deletion of CTL is a manual exercise, that could potentially be a stack load of work, especially if one has a deployment with multiple remote sites.

I wonder therefore if there are any descriptions (if any) of how people have done jump upgrades without re-IPing, which should theoretically be possible.

