CUCM 8.5 Corporate Directory "Host Not Found" after adding domain name

chrishiebert (Level 1)

Hi all,

I have a CUCM 8.5 cluster (2 servers) that was originally set up to be DNS non-reliant. Recently, the customer requested that RTMT email alerting be activated which, according to Cisco documentation, requires that a domain name be enabled in the cluster (CLI commands "set network domain" and "set network dns primary"). I used those commands and now email alerting is working. Hooray!

Unfortunately, ever since then, the corporate directory and ringtones are now unavailable on almost all phones. My CIPC gets the directory okay but all the physical sets (7900 series) give me the "Host Not Found" error. The difference appears to be that the CIPC is accessing the service URLs via HTTP whereas the 7900s are using HTTPS.

I've tried removing the Secure Directory URL statement from Enterprise Services but for some reason it just gets repopulated. If I pull ALL the Secure URLs out, they seem to stay blank, at least until a server restart. While those fields were blank, resetting the phones would make no difference even though I examined the configuration file for a set and saw that the Secure Directory field was indeed blank. After a factory reset of the phone, it seemed to grab its configuration file and was then able to access the corporate directory, but factory resetting 1000+ phones is out of the question. In any case, after a server restart, the Secure URLs in Enterprise Services had repopulated and phone configuration files now contained that information.

I assume this issue is related to certificates and the TVS, as from what I understand, making changes to DNS will affect that. I'm just not sure how to proceed... do I remove the domain configurations (thus stopping email alerts from working), and if I do, will that correct the problem? Or is there a way to force the sets to only use HTTP for accessing services even if Secure URLs are defined? I'd rather not back out of the email alerting configuration, so if there's a way to make the sets speak HTTP, that would be ideal.

10 Replies

Jonathan Schulenberg (Hall of Fame)

Just to ask the basic question: Does the DHCP lease the phones receive in the voice VLAN include DNS servers? CIPC will use your Windows IP configuration, not the voice VLAN.

Assuming you've covered that ground it would be useful to get the console log off of a phone to see whether TVS is the culprit or not. I would expect a slightly different error if the certificate regeneration didn't get compiled into the ITL causing TLS negotiation to fail.

To get a console log:

  1. Browse to http://
  2. Choose Console Logs
  3. Figure out which log.log file the phone is currently on based on the timestamps.
  4. Reproduce the error.
  5. Right-click on that log file (make sure it hasn't rolled into a new one) and click Save As.
  6. Compress it and attach it to this thread for review if the error isn't obvious to you.

Thanks for the reply!

I'll work on getting a log. In the meantime, I just put out some more sets at one of the customer sites and they all can access the corporate directory, even with the Secure Phone URL Parameters populated in Enterprise Services. The sets are indeed using HTTPS.

So far, I know that I can get the directory working again with a factory reset of the phone (or new installation, same thing), but there must be a way to force the sets remotely to reacquire their configs? A simple reset doesn't do what I need it to do. I just can't manually factory reset these phones.

For now, I'll look at a phone log and try a few more experiments to try narrowing down the issue.

I confirmed that a factory reset will solve the problem. So now I guess I'm just looking for a more realistic way to achieve the same result.

Here's a log from a non-working set that attempted to access the corporate directory. I'm seeing SSL handshakes failing, references to bad certificates, cert errors... Pretty clearly pointing to certificate issues, but what is it about a factory reset that fixes this?

|== Syslogd TNP== Thu Dec  1 14:43:07 2011
====================================================
819: NOT 14:43:07.183293 SECD: clpSetupSsl: TCP connected, c:14 s:15
820: NOT 14:43:07.184415 SECD: clpSetupSsl: start SSL/TLS handshake, c:14 s:15
821: NOT 14:43:07.195621 SECD: srvr_cert_vfy: Server Certificate Validation needs to be done
822: NOT 14:43:07.197248 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from CTL file
823: NOT 14:43:07.198131 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from ITL file
824: WRN 14:43:07.198984 SECD: WARN:getSubjectCTLentry: default lookup failed, try lookup using DN
825: NOT 14:43:07.199611 SECD: findByCertAndRoleInTL: Searching TL from CTL file
826: NOT 14:43:07.200764 SECD: findByCertAndRoleInTL: Searching TL from ITL file
827: ERR 14:43:07.202734 SECD: EROR:tvs_cert_vfy: TVS cert not in TL,
828: NOT 14:43:07.203604 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED **
829: ERR 14:43:07.204820 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:
830: ERR 14:43:07.206084 SECD: EROR:clpSetupSsl: ** SSL handshake failed, c:14 s:15
831: ERR 14:43:07.206786 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, c:14 s:15
832: ERR 14:43:07.207659 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, c:14 s:15
833: ERR 14:43:07.208320 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr
834: ERR 14:43:07.209190 SECD: EROR:secErr_errStr:  *** bad err table ***
835: ERR 14:43:07.211769 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
836: ERR 14:43:07.212471 SECD: EROR:clpSndStatus: ** SEC-ERR: desc
837: NOT 14:43:07.213467 SECD: clpTvsInit: select returned the TVS proxy server socket, fd : 13
838: ERR 14:43:07.214452 SECD: EROR:secSock_isConnected: ** ssl conn failed due to cert error
839: ERR 14:43:07.215124 SECD: EROR:secErr_errStr:  *** bad err table ***
840: ERR 14:43:07.215937 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
841: ERR 14:43:07.216591 SECD: EROR:secSock_isConnected: ** SEC-ERR: desc
842: ERR 14:43:07.217481 SECD: EROR:checkTvsSrvrConn: Failed to get TVS TLS session - Bad Certificate
843: NOT 14:43:07.218195 SECD: cleanupTvsSrvrSock: Clearing TVS proxy server socket, fd : 13
844: NOT 14:43:07.219187 SECD: getTvsSrvrSock: Obtained the TVS server ip address : XXX.XXX.XXX.XX1 for index : 1
845: NOT 14:43:07.220249 SECD: secSock_send_clnt_reqs: trying conn to <2445>
846: NOT 14:43:07.222919 SECD: secSock_send_clnt_reqs: SSL/TLS waiting, <2445>, fd 13
847: NOT 14:43:07.223681 SECD: connectToTvsServer: Successfully started a TLS connection establishment to the TVS server: IP:XXX.XXX.XXX.XX1, port:2445(default); Waiting for it to get connected.
848: NOT 14:43:07.224686 SECD: clpTvsInit: Pending client connection at index: 0 - not closing TVS server socket
849: NOT 14:43:07.231865 SECD: clpGetConnParams: IP Mode is 0, addr : XXX.XXX.XXX.XX1

850: NOT 14:43:07.233227 SECD: clpSetupSsl: TVS SSL/TLS req
851: WRN 14:43:07.235253 SECD: WARN:clpSetupSsl: no LSC for TVS, will try MIC, c:16
852: NOT 14:43:07.235942 SECD: clpSetupSsl: TVS, TLSv1, cert MIC, cipher [AES256-SHA:AES128-SHA:DES-CBC3-SHA]
853: NOT 14:43:07.237114 SECD: clpSetupSsl: binding to lport
854: NOT 14:43:07.238025 SECD: clpSetupSsl: binding to , <(null)>:<0>
855: NOT 14:43:07.238753 SECD: clpSetupSsl: Trying to connect to IPV4, IP: XXX.XXX.XXX.XX1, Port : 2445
856: NOT 14:43:07.239915 SECD: clpSetupSsl: TCP connect() waiting, c:16 s:17 port: 2445
857: NOT 14:43:07.241376 SECD: clpSetupSsl: TCP connected, c:16 s:17
858: NOT 14:43:07.242387 SECD: clpSetupSsl: start SSL/TLS handshake, c:16 s:17
859: NOT 14:43:07.253464 SECD: srvr_cert_vfy: Server Certificate Validation needs to be done
860: NOT 14:43:07.255229 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from CTL file
861: NOT 14:43:07.256255 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from ITL file
862: WRN 14:43:07.256929 SECD: WARN:getSubjectCTLentry: default lookup failed, try lookup using DN
863: NOT 14:43:07.257711 SECD: findByCertAndRoleInTL: Searching TL from CTL file
864: NOT 14:43:07.258377 SECD: findByCertAndRoleInTL: Searching TL from ITL file
865: ERR 14:43:07.260726 SECD: EROR:tvs_cert_vfy: TVS cert not in TL,
866: NOT 14:43:07.261412 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED **
867: ERR 14:43:07.262636 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:
868: ERR 14:43:07.263827 SECD: EROR:clpSetupSsl: ** SSL handshake failed, c:16 s:17
869: ERR 14:43:07.264818 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, c:16 s:17
870: ERR 14:43:07.265537 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, c:16 s:17
871: ERR 14:43:07.266345 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr
872: ERR 14:43:07.266963 SECD: EROR:secErr_errStr:  *** bad err table ***
873: ERR 14:43:07.267777 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
874: ERR 14:43:07.268408 SECD: EROR:clpSndStatus: ** SEC-ERR: desc
875: NOT 14:43:07.269539 SECD: clpTvsInit: select returned the TVS proxy server socket, fd : 13
876: ERR 14:43:07.283037 SECD: EROR:secSock_isConnected: ** ssl conn failed due to cert error
877: ERR 14:43:07.283760 SECD: EROR:secErr_errStr:  *** bad err table ***
878: ERR 14:43:07.284630 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
879: ERR 14:43:07.285440 SECD: EROR:secSock_isConnected: ** SEC-ERR: desc
880: ERR 14:43:07.286079 SECD: EROR:checkTvsSrvrConn: Failed to get TVS TLS session - Bad Certificate
881: NOT 14:43:07.286954 SECD: cleanupTvsSrvrSock: Clearing TVS proxy server socket, fd : 13
882: ERR 14:43:07.287745 SECD: EROR:getTvsSrvrSock: secReq_getTvsServer succeeded but got an empty ip address for index : 2
883: NOT 14:43:07.288704 SECD: sendErrRespToClient: Sending the failed response to all TVS client and cleaning up
884: NOT 14:43:07.294843 SECD: sendRespToClient: Sent the response to the TVS client, len : 2056
885: NOT 14:43:07.295859 SECD: clpTvsInit: No pending client connection - closing the TVS server socket : -1
886: NOT 14:43:07.297349 SECD: clpDelClnt: closing conn to , c:14, s:15
887: NOT 14:43:07.299080 SECD: clpDelClnt: Closing the local socket now

888: NOT 14:43:07.303271 SECD: tvsReqAuthenticateCertificate: Received the response from TVS proxy, status: 1
889: ERR 14:43:07.305531 SECD: Authentication failed for the HTTPS conn via TVS
890: NOT 14:43:07.306527 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED **
891: ERR 14:43:07.308073 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:
892: ERR 14:43:07.309145 SECD: EROR:clpSetupSsl: ** SSL handshake failed, c:12 s:9
893: ERR 14:43:07.309834 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, c:12 s:9
894: ERR 14:43:07.310726 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, c:12 s:9
895: ERR 14:43:07.311379 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr
896: ERR 14:43:07.312226 SECD: EROR:secErr_errStr:  *** bad err table ***
897: ERR 14:43:07.312890 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
898: ERR 14:43:07.313795 SECD: EROR:clpSndStatus: ** SEC-ERR: desc
899: NOT 14:43:07.315302 SECD: clpDelClnt: closing conn to , c:16, s:17
900: NOT 14:43:07.316976 SECD: clpDelClnt: Closing the local socket now

901: ERR 14:43:07.321692 JVM: Entering StcpOpenActiveSSL
902: ERR 14:43:07.322642 JVM: Attempting HTTPS connect to XXX.XXX.XXX.XX2
903: ERR 14:43:07.325718 JVM: TLS connect pending
904: ERR 14:43:07.326511 JVM: Leaving StcpOpenActiveSSL
905: NOT 14:43:07.331180 SECD: clpDelClnt: closing conn to , c:12, s:9
906: NOT 14:43:07.333561 SECD: clpDelClnt: Closing the local socket now

907: NOT 14:43:07.336072 SECD: clpGetConnParams: IP Mode is 0, addr : XXX.XXX.XXX.XX2

908: NOT 14:43:07.337482 SECD: clpSetupSsl: HTTPS SSL/TLS req
909: WRN 14:43:07.339556 SECD: WARN:clpSetupSsl: no LSC for HTTPS, will try MIC, c:11
910: NOT 14:43:07.341968 SECD: clpSetupSsl: HTTPS, TLSv1, cert MIC, cipher [AES256-SHA:AES128-SHA:DES-CBC3-SHA]
911: NOT 14:43:07.343203 SECD: clpSetupSsl: binding to lport
912: NOT 14:43:07.343878 SECD: clpSetupSsl: setsockopt SOL_SOCKET set

913: NOT 14:43:07.344670 SECD: clpSetupSsl: Set the TCP keepalive option

914: NOT 14:43:07.345322 SECD: clpSetupSsl: binding to , <(null)>:<0>
915: NOT 14:43:07.346217 SECD: clpSetupSsl: Trying to connect to IPV4, IP: XXX.XXX.XXX.XX2, Port : 8443
916: NOT 14:43:07.347565 SECD: clpSetupSsl: TCP connect() waiting, c:11 s:9 port: 8443
917: NOT 14:43:07.348906 SECD: clpSetupSsl: TCP connected, c:11 s:9
918: NOT 14:43:07.349722 SECD: clpSetupSsl: start SSL/TLS handshake, c:11 s:9
919: NOT 14:43:07.359580 SECD: srvr_cert_vfy: Server Certificate Validation needs to be done
920: NOT 14:43:07.363400 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from CTL file
921: NOT 14:43:07.364393 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from ITL file
922: WRN 14:43:07.365056 SECD: WARN:getSubjectCTLentry: default lookup failed, try lookup using DN
923: NOT 14:43:07.365838 SECD: findByCertAndRoleInTL: Searching TL from CTL file
924: NOT 14:43:07.366472 SECD: findByCertAndRoleInTL: Searching TL from ITL file
925: ERR 14:43:07.367268 SECD: EROR:https_cert_vfy: HTTPS cert not in CTL,
926: NOT 14:43:07.370721 SECD: setupSocketToTvsProxy: TVS client sock fd 12 bound to

927: NOT 14:43:07.372147 SECD: setupSocketToTvsProxy: Connected to TVS proxy server
928: NOT 14:43:07.373517 SECD: clpTvsInit: Client message received on TVS proxy socket
929: NOT 14:43:07.374764 SECD: processTvsClntReq: Success reading the client TVS request, len : 2684
930: NOT 14:43:07.375707 SECD: processTvsClntReq: TVS Certificate Authentication request
931: NOT 14:43:07.376377 SECD: lookupAuthCertTvsCacheEntry: No matching entry found at cache
932: NOT 14:43:07.377268 SECD: processTvsClntReq: No server sock exists, must be created
933: NOT 14:43:07.383510 SECD: getTvsSrvrSock: Obtained the TVS server ip address : XXX.XXX.XXX.XX2 for index : 0
934: NOT 14:43:07.384578 SECD: secSock_send_clnt_reqs: trying conn to <2445>
935: NOT 14:43:07.387153 SECD: secSock_send_clnt_reqs: SSL/TLS waiting, <2445>, fd 13
936: NOT 14:43:07.388150 SECD: connectToTvsServer: Successfully started a TLS connection establishment to the TVS server: IP:XXX.XXX.XXX.XX2, port:2445(default); Waiting for it to get connected.
937: NOT 14:43:07.388902 SECD: tvsReqAuthenticateCertificate: Sent Request to TVS proxy, len: 2684
938: NOT 14:43:07.389817 SECD: tvsReqAuthenticateCertificate: Waiting for response from TVS Proxy
939: NOT 14:43:07.391242 SECD: clpGetConnParams: IP Mode is 0, addr : XXX.XXX.XXX.XX2

940: NOT 14:43:07.392632 SECD: clpSetupSsl: TVS SSL/TLS req
941: WRN 14:43:07.394207 SECD: WARN:clpSetupSsl: no LSC for TVS, will try MIC, c:14
942: NOT 14:43:07.395156 SECD: clpSetupSsl: TVS, TLSv1, cert MIC, cipher [AES256-SHA:AES128-SHA:DES-CBC3-SHA]
943: NOT 14:43:07.396117 SECD: clpSetupSsl: binding to lport
944: NOT 14:43:07.397010 SECD: clpSetupSsl: binding to , <(null)>:<0>
945: NOT 14:43:07.397902 SECD: clpSetupSsl: Trying to connect to IPV4, IP: XXX.XXX.XXX.XX2, Port : 2445
946: NOT 14:43:07.398883 SECD: clpSetupSsl: TCP connect() waiting, c:14 s:15 port: 2445
947: NOT 14:43:07.402057 SECD: clpSetupSsl: TCP connected, c:14 s:15
948: NOT 14:43:07.402964 SECD: clpSetupSsl: start SSL/TLS handshake, c:14 s:15
949: NOT 14:43:07.412580 SECD: srvr_cert_vfy: Server Certificate Validation needs to be done
950: NOT 14:43:07.414222 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from CTL file
951: NOT 14:43:07.415113 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from ITL file
952: WRN 14:43:07.416093 SECD: WARN:getSubjectCTLentry: default lookup failed, try lookup using DN
953: NOT 14:43:07.416779 SECD: findByCertAndRoleInTL: Searching TL from CTL file
954: NOT 14:43:07.417568 SECD: findByCertAndRoleInTL: Searching TL from ITL file
955: ERR 14:43:07.419529 SECD: EROR:tvs_cert_vfy: TVS cert not in TL,
956: NOT 14:43:07.421984 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED **
957: ERR 14:43:07.423274 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:
958: ERR 14:43:07.424523 SECD: EROR:clpSetupSsl: ** SSL handshake failed, c:14 s:15
959: ERR 14:43:07.425266 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, c:14 s:15
960: ERR 14:43:07.426088 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, c:14 s:15
961: ERR 14:43:07.426751 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr
962: ERR 14:43:07.427558 SECD: EROR:secErr_errStr:  *** bad err table ***
963: ERR 14:43:07.428201 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
964: ERR 14:43:07.429074 SECD: EROR:clpSndStatus: ** SEC-ERR: desc
965: NOT 14:43:07.430124 SECD: clpTvsInit: select returned the TVS proxy server socket, fd : 13
966: ERR 14:43:07.430884 SECD: EROR:secSock_isConnected: ** ssl conn failed due to cert error
967: ERR 14:43:07.431710 SECD: EROR:secErr_errStr:  *** bad err table ***
968: ERR 14:43:07.432363 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
969: ERR 14:43:07.433448 SECD: EROR:secSock_isConnected: ** SEC-ERR: desc
970: ERR 14:43:07.434306 SECD: EROR:checkTvsSrvrConn: Failed to get TVS TLS session - Bad Certificate
971: NOT 14:43:07.434977 SECD: cleanupTvsSrvrSock: Clearing TVS proxy server socket, fd : 13
972: NOT 14:43:07.435931 SECD: getTvsSrvrSock: Obtained the TVS server ip address : XXX.XXX.XXX.XX1 for index : 1
973: NOT 14:43:07.436980 SECD: secSock_send_clnt_reqs: trying conn to <2445>
974: NOT 14:43:07.439387 SECD: secSock_send_clnt_reqs: SSL/TLS waiting, <2445>, fd 13
975: NOT 14:43:07.447235 SECD: connectToTvsServer: Successfully started a TLS connection establishment to the TVS server: IP:XXX.XXX.XXX.XX1, port:2445(default); Waiting for it to get connected.
976: NOT 14:43:07.448221 SECD: clpTvsInit: Pending client connection at index: 0 - not closing TVS server socket
977: NOT 14:43:07.449041 SECD: clpGetConnParams: IP Mode is 0, addr : XXX.XXX.XXX.XX1

978: NOT 14:43:07.450531 SECD: clpSetupSsl: TVS SSL/TLS req
979: WRN 14:43:07.452477 SECD: WARN:clpSetupSsl: no LSC for TVS, will try MIC, c:16
980: NOT 14:43:07.453189 SECD: clpSetupSsl: TVS, TLSv1, cert MIC, cipher [AES256-SHA:AES128-SHA:DES-CBC3-SHA]
981: NOT 14:43:07.454311 SECD: clpSetupSsl: binding to lport
982: NOT 14:43:07.455190 SECD: clpSetupSsl: binding to , <(null)>:<0>
983: NOT 14:43:07.455917 SECD: clpSetupSsl: Trying to connect to IPV4, IP: XXX.XXX.XXX.XX1, Port : 2445
984: NOT 14:43:07.457064 SECD: clpSetupSsl: TCP connect() waiting, c:16 s:17 port: 2445
985: NOT 14:43:07.458536 SECD: clpSetupSsl: TCP connected, c:16 s:17
986: NOT 14:43:07.459541 SECD: clpSetupSsl: start SSL/TLS handshake, c:16 s:17
987: NOT 14:43:07.466983 SECD: clpDelClnt: closing conn to , c:14, s:15
988: NOT 14:43:07.468719 SECD: clpDelClnt: Closing the local socket now

989: NOT 14:43:07.475122 SECD: srvr_cert_vfy: Server Certificate Validation needs to be done
990: NOT 14:43:07.477003 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from CTL file
991: NOT 14:43:07.477956 SECD: findByIssuerAndSerialAndRoleInTL: Searching TL from ITL file
992: WRN 14:43:07.478800 SECD: WARN:getSubjectCTLentry: default lookup failed, try lookup using DN
993: NOT 14:43:07.479446 SECD: findByCertAndRoleInTL: Searching TL from CTL file
994: NOT 14:43:07.481992 SECD: findByCertAndRoleInTL: Searching TL from ITL file
995: ERR 14:43:07.483932 SECD: EROR:tvs_cert_vfy: TVS cert not in TL,
996: NOT 14:43:07.484839 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED **
997: ERR 14:43:07.486057 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:
998: ERR 14:43:07.487374 SECD: EROR:clpSetupSsl: ** SSL handshake failed, c:16 s:17
999: ERR 14:43:07.488078 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, c:16 s:17
1000: ERR 14:43:07.488903 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, c:16 s:17
1001: ERR 14:43:07.489565 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr
1002: ERR 14:43:07.490479 SECD: EROR:secErr_errStr:  *** bad err table ***
1003: ERR 14:43:07.491322 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
1004: ERR 14:43:07.491970 SECD: EROR:clpSndStatus: ** SEC-ERR: desc
1005: NOT 14:43:07.492981 SECD: clpTvsInit: select returned the TVS proxy server socket, fd : 13
1006: ERR 14:43:07.493718 SECD: EROR:secSock_isConnected: ** ssl conn failed due to cert error
1007: ERR 14:43:07.494621 SECD: EROR:secErr_errStr:  *** bad err table ***
1008: ERR 14:43:07.495482 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
1009: ERR 14:43:07.496120 SECD: EROR:secSock_isConnected: ** SEC-ERR: desc
1010: ERR 14:43:07.497024 SECD: EROR:checkTvsSrvrConn: Failed to get TVS TLS session - Bad Certificate
1011: NOT 14:43:07.497692 SECD: cleanupTvsSrvrSock: Clearing TVS proxy server socket, fd : 13
1012: ERR 14:43:07.498649 SECD: EROR:getTvsSrvrSock: secReq_getTvsServer succeeded but got an empty ip address for index : 2
1013: NOT 14:43:07.499730 SECD: sendErrRespToClient: Sending the failed response to all TVS client and cleaning up
1014: NOT 14:43:07.502991 SECD: sendRespToClient: Sent the response to the TVS client, len : 2056
1015: NOT 14:43:07.503963 SECD: clpTvsInit: No pending client connection - closing the TVS server socket : -1
1016: NOT 14:43:07.504894 SECD: tvsReqAuthenticateCertificate: Received the response from TVS proxy, status: 1
1017: ERR 14:43:07.507184 SECD: Authentication failed for the HTTPS conn via TVS
1018: NOT 14:43:07.508067 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED **
1019: ERR 14:43:07.509104 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:
1020: ERR 14:43:07.510452 SECD: EROR:clpSetupSsl: ** SSL handshake failed, c:11 s:9
1021: ERR 14:43:07.511333 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, c:11 s:9
1022: ERR 14:43:07.512220 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, c:11 s:9
1023: ERR 14:43:07.512907 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr
1024: ERR 14:43:07.513809 SECD: EROR:secErr_errStr:  *** bad err table ***
1025: ERR 14:43:07.514483 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
1026: ERR 14:43:07.515288 SECD: EROR:clpSndStatus: ** SEC-ERR: desc
1027: WRN 14:43:07.525635 JVM: Startup Module Loader|cip.http.ae:? - listener.httpFailed:  https://XXX.XXX.XXX.XX2:8443/ccmcip/xmldirectoryinput.jsp?name=SEP24B657440BEF
1028: NOT 14:43:07.546077 SECD: clpDelClnt: closing conn to , c:16, s:17
1029: NOT 14:43:07.547898 SECD: clpDelClnt: Closing the local socket now

1030: NOT 14:43:07.550833 SECD: clpDelClnt: closing conn to , c:11, s:9
1031: NOT 14:43:07.553224 SECD: clpDelClnt: Closing the local socket now


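The console-log procedure given earlier in the thread ends with "attach it for review if the error isn't obvious to you". The script below is an added example, not code from the thread or from Cisco, that does the first pass of that review for the SECD/JVM lines shown in the log above: it records which trust-list lookups failed, which server:port pairs the phone tried, which service URL finally failed, and returns a one-line verdict. SAMPLE_LOG is a subset of the lines posted above (addresses masked as in the post); fetch_console_log() assumes the Console Logs page links to the log over plain HTTP with no authentication, as the steps earlier describe.

```python
"""Added example: triage a 7900-series console log for ITL/TVS trust failures."""
import re
import urllib.request
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<level>NOT|WRN|ERR)\s+"
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<task>\w+):\s*(?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"Trying to connect to IPV4, IP: (?P<ip>[^,\s]+), Port : (?P<port>\d+)")
URL_RE = re.compile(r"listener\.httpFailed:\s+(?P<url>\S+)")

# Subset of the console log posted in the thread (the poster masked the addresses).
SAMPLE_LOG = """\
915: NOT 14:43:07.346217 SECD: clpSetupSsl: Trying to connect to IPV4, IP: XXX.XXX.XXX.XX2, Port : 8443
925: ERR 14:43:07.367268 SECD: EROR:https_cert_vfy: HTTPS cert not in CTL,
927: NOT 14:43:07.372147 SECD: setupSocketToTvsProxy: Connected to TVS proxy server
945: NOT 14:43:07.397902 SECD: clpSetupSsl: Trying to connect to IPV4, IP: XXX.XXX.XXX.XX2, Port : 2445
955: ERR 14:43:07.419529 SECD: EROR:tvs_cert_vfy: TVS cert not in TL,
963: ERR 14:43:07.428201 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
983: NOT 14:43:07.455917 SECD: clpSetupSsl: Trying to connect to IPV4, IP: XXX.XXX.XXX.XX1, Port : 2445
995: ERR 14:43:07.483932 SECD: EROR:tvs_cert_vfy: TVS cert not in TL,
1012: ERR 14:43:07.498649 SECD: EROR:getTvsSrvrSock: secReq_getTvsServer succeeded but got an empty ip address for index : 2
1017: ERR 14:43:07.507184 SECD: Authentication failed for the HTTPS conn via TVS
1027: WRN 14:43:07.525635 JVM: Startup Module Loader|cip.http.ae:? - listener.httpFailed:  https://XXX.XXX.XXX.XX2:8443/ccmcip/xmldirectoryinput.jsp?name=SEP24B657440BEF
"""


def parse_lines(text):
    """Yield one dict per well-formed log line; anything else is skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def triage(text):
    """Scan a console log and summarise the certificate-trust path the phone took."""
    f = {
        "https_cert_untrusted": False,  # Tomcat cert is not in the phone's CTL/ITL
        "tvs_cert_untrusted": False,    # the TVS cert itself is not in the ITL
        "tvs_auth_failed": False,       # TVS path did not authenticate the HTTPS cert
        "tvs_exhausted": False,         # phone ran out of TVS servers to try
        "unknown_cert_errors": 0,
        "connections": [],              # (ip, port) in the order attempted
        "failed_urls": [],
        "levels": Counter(),
    }
    for ev in parse_lines(text):
        f["levels"][ev["level"]] += 1
        msg = ev["msg"]
        if "https_cert_vfy: HTTPS cert not in CTL" in msg:
            f["https_cert_untrusted"] = True
        elif "tvs_cert_vfy: TVS cert not in TL" in msg:
            f["tvs_cert_untrusted"] = True
        elif "Authentication failed for the HTTPS conn via TVS" in msg:
            f["tvs_auth_failed"] = True
        elif "got an empty ip address for index" in msg:
            f["tvs_exhausted"] = True
        elif "subcode:9(UNKNOWN_CERT)" in msg:
            f["unknown_cert_errors"] += 1
        m = CONNECT_RE.search(msg)
        if m:
            f["connections"].append((m["ip"], int(m["port"])))
        m = URL_RE.search(msg)
        if m:
            f["failed_urls"].append(m["url"])
    f["verdict"] = verdict(f)
    return f


def verdict(f):
    if f["tvs_cert_untrusted"]:
        return ("stale trust list: the TVS certificate the cluster presents is not in "
                "this phone's ITL, so the phone cannot consult TVS and every HTTPS "
                "service fails; fix the ITL on the phone, not DNS or the URLs")
    if f["https_cert_untrusted"] and f["tvs_auth_failed"]:
        return ("TVS reachable and trusted, but it did not authenticate the Tomcat "
                "certificate; check which node's tomcat.pem the phone is hitting")
    if f["https_cert_untrusted"]:
        return "Tomcat certificate not in the ITL and no TVS failure recorded in this window"
    return "no trust-list failure in this window; look at DNS, the URL and reachability"


def fetch_console_log(url, timeout=10):
    """GET a console log from the phone's web page (assumed plain HTTP, no auth)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted log this reports both TVS servers tried on 2445, the Tomcat cert on 8443 rejected, and "TVS cert not in TL" on both nodes, which is the stale-ITL verdict: the phone has no path to trust anything the cluster now presents, which is consistent with a factory reset (or deleting the ITL) being the only thing that fixed it.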
Deleting ITL file from the sets is the ultimate resolution. Only problem is it has to be done manually. Expensive third party management applications are out of the question for a one-off issue like this so I have some travelling in my future...

Hi Chris

Maybe I can put you something together... I'm working on various bits of code at the moment...

How soon do you need it to work?


Aaron


Hi,

Did anyone find a workaround apart from using an expensive third-party application?

Thanks

We came across this issue when we migrated from our MCS 7835 servers to VMware. We built the new cluster in VMware on an isolated VLAN with the same IP addresses and hostnames, then did a DRS to restore the configuration. When trying to access any of our Directories or Extension Mobility, we would get the "Host Not Found" error.

I opened a TAC case and they immediately identified the catastrophic bug CSCtn50405 (https://tools.cisco.com/bugsearch/bug/CSCtn50405/?reffering_site=dumpcr) that affects our version 8.5.1.11900. The only workaround suggested in the bug report that worked for us was to manually delete the ITL file on each phone, but make sure to try workaround 3B, especially if "show itl" from the CLI displays anything besides "The ITL file was verified successfully." I regenerated the callmanager.pem and TVS.pem on one of our subscribers because the ITL verification failed, then restarted the node, but that did not work for us. I even tried pointing a few phones to one of the nodes where "The ITL file was verified successfully," but that did not work either. Neither did deleting the Secure URLs under Enterprise Parameters. Don't bother messing with DNS either, as this is not the issue. We manually deleted the ITL file on a few phones, restarted TFTP and Trust Verification Service (TVS), then reset the phones, just to make sure this was the root cause of the issue, and it was. Deleting the ITL file is not a viable option for clusters with more than a few phones (which would be just about every cluster out there); the solution TAC gave us was really quite easy to implement, provided the old cluster is still running or can be turned on again and accessed by the phones.

For us this was not an issue because when we migrated from the MCS 7835 servers to VMware, we simply shut down the switchports connected to the Publisher and two Subscribers, then edited the VNIC network adapter network connection to bring it into our Production environment (a word to the wise on doing this: when you change the VNIC settings it changes the License MAC and makes your licenses "invalid", so you must get them rehosted at http://www.cisco.com/go/licensing). All of the phones reset and connected to the new cluster. So in order to move them back to the old cluster we just reversed the steps: change the VNIC network back to the isolated network, then no shut the switchports connected to the Publisher and two Subscribers, and now your phones are back on the old cluster. Now time for the fix.

In order for the phones to accept new ITL file, you must perform the steps 1 through 10 under "Rolling Back the Cluster to a Pre-8.0 Release" found at http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_5_1/secugd/sec-851-cm/secusbd.html#wp1092162

Once those steps have been completed you can move the phones back over to the new cluster which causes them to reset and pull the new ITL file. All of our Directories and Extension Mobility are functioning just as they were prior to the migration.

Hope this helps someone.

Cheers,

David

We just hit this issue for a customer as well.  Is this perhaps fixed in an updated phone firmware?  Going to try upgrading tonight.

Chris, this is definitely a certificate issue. When you changed the domain name, the server certificate will change; however, the phones still have the old cert, hence when they attempt to make an HTTPS connection they won't trust the cert they receive from CUCM because it's different from theirs. Did you restart the TFTP server when you changed the domain name? Did you restart the server as well? Deleting the ITL works because the phones will then contact the TFTP server to download a new ITL file, which will be the correct one. Or plugging in a new phone, because they will download the correct certificates as they don't have the old one.

I suggest you either restart the TFTP server and then reset a few phones, and ensure they download a new ITL file from the TFTP server. If this works then you may need to reset all the phones.


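The reply above turns on one fact: the certificates the cluster presents changed, and the phones still trust the old ones. The script below is an added example, not from the thread or from Cisco, for checking the first half of that directly: it pulls the leaf certificate each node actually serves on the two ports the phone log shows it using (Tomcat on 8443, TVS on 2445) and compares its SHA-1 fingerprint with the one you expect. Node names and expected fingerprints are placeholders; where you read the expected value from (the certificate's details in OS Administration > Security > Certificate Management, or `openssl x509 -noout -fingerprint -sha1` on a downloaded copy of tomcat.pem / TVS.pem) is an assumption about your environment.

```python
"""Added example: compare the certificate each CUCM node presents with the expected fingerprint."""
import hashlib
import socket
import ssl

TOMCAT_PORT = 8443  # phones fetch /ccmcip/... service pages here
TVS_PORT = 2445     # phones ask TVS here about certificates that are not in their ITL


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 fingerprint of a PEM certificate, in OpenSSL's AA:BB:CC form."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'aa:bb', 'AABB' or 'aa bb' (as copied from a GUI) and canonicalise it."""
    hexdigits = "".join(c for c in fp.upper() if c in "0123456789ABCDEF")
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def fetch_server_cert(host: str, port: int, timeout: float = 5.0) -> str:
    """Return the leaf certificate a TLS server presents, as PEM.

    Verification is deliberately off: the point is to see what the node serves,
    whether or not this machine trusts it.  The phone log shows CUCM 8.x
    negotiating TLSv1 with older ciphers, so the context is relaxed to let that
    handshake through on a modern OpenSSL build.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # permit legacy key sizes and cipher suites
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def compare(observed: dict, expected: dict) -> dict:
    """Line up observed and expected fingerprints keyed by (host, port).

    A key that is expected but was never observed (connection failed) is
    reported as a mismatch with observed=None rather than silently skipped.
    """
    report = {}
    for key, exp in expected.items():
        obs = observed.get(key)
        report[key] = {
            "expected": normalize(exp),
            "observed": normalize(obs) if obs else None,
            "match": obs is not None and normalize(obs) == normalize(exp),
        }
    return report


def audit(expected: dict) -> dict:
    """Fetch every (host, port) in expected and compare; keep errors per key so one
    unreachable node does not abort the run."""
    observed, errors = {}, {}
    for host, port in expected:
        try:
            observed[(host, port)] = sha1_fingerprint(fetch_server_cert(host, port))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            errors[(host, port)] = str(exc)
    report = compare(observed, expected)
    for key, err in errors.items():
        report[key]["error"] = err
    return report


if __name__ == "__main__":
    # Placeholder nodes and fingerprints; replace with your own values.
    EXPECTED = {
        ("cucm-pub.example.com", TOMCAT_PORT): "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD",
        ("cucm-pub.example.com", TVS_PORT): "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33",
    }
    for key, row in audit(EXPECTED).items():
        print(key, "OK" if row["match"] else "MISMATCH", row)
```

A mismatch against what OS Administration shows means either the phone is not reaching the node you think (check the Secure URLs and the server list in the phone's config) or the certificate changed again after you recorded it. A match here with phones still failing on "TVS cert not in TL" is the case described in the reply: the cluster side is consistent, and it is the trust list on the phones that is stale.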
My issue was resolved back in December, by deleting the ITL on each phone. The servers (and thus the TFTP services) were restarted a couple of times during the DNS configuration process for various reasons. Restarting the servers and then the phones did not fix the issue. The only way to get the phones to retrieve the new certificate was to manually remove the old one they were using.
