04-30-2013 06:42 AM - edited 03-16-2019 05:04 PM
08-11-2016 06:22 PM
Great, and thank you. Restarting the service resolved the issue.
01-23-2018 06:46 AM
Restarting resolved the issue. Great.
05-01-2013 05:26 AM
Hi Deepesh,
As we can see in the screenshot, you are facing the issue with CUCM Subscriber.
The most probable cause of the issue is that the IPSec-trust doesn’t match with the Publisher and the Subscriber.
To start with, check that the Subscriber is not in read-only mode (this can be verified by accessing the CLI/SSH of the Subscriber; it should not show any Java error as soon as you log in).
Verify that the IPSec.pem and IPSec-trust certificates are valid and not expired on the Publisher and the Subscriber.
If that is fine, verify that the certificate Serial Number matches for the following certs.
* IPSec.pem on the Publisher.
* IPSec-trust on the Publisher.
* IPSec-trust on the Subscriber(s).
NOTE: IPSec.pem on the Sub would have a different serial number but IPSec-trust on the Sub should match with Publisher.
If they do not match, you can download the IPSec.pem from the Publisher and upload it as IPSec-trust on the Subscriber and remove the mismatched IPSec-trust cert.
Steps:
1. Log on to CUCM OS Admin page of affected node.
2. Choose Security > Certificate Management. The Certificate List window displays.
3. You can use the Find controls in order to filter the certificate.
4. Click on ipsec.pem file and download that certificate from the Publisher.
5. Find the existing ipsec-trust with the filename of the hostname of the publisher, click on the file name and Delete.
6. Upload the downloaded ipsec.pem file with the caption ipsec-trust.
7. Restart the DRF Master Agent (MA)/DRF Local Agent (LA).
HTH,
Jagpreet Singh Barmi
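The serial-number and expiry comparison described in the reply above can be scripted once the certificates have been downloaded as PEM files from Certificate Management. This is an added example, not part of the original reply and not Cisco tooling; it assumes `openssl` is installed on the workstation, and the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: compare PEM files downloaded from CUCM Certificate Management.
# Function names and file names are assumptions, not Cisco-provided tooling.

# Print a certificate's serial number (hex, without the "serial=" prefix).
cert_serial() {
    openssl x509 -in "$1" -noout -serial 2>/dev/null | cut -d= -f2
}

# Succeed if the certificate has not passed its notAfter date.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# check_ipsec_trust PUB_IPSEC_PEM TRUST_PEM...
# Returns 0 only if the Publisher's ipsec.pem is unexpired and every
# ipsec-trust copy (Publisher and Subscribers) carries the same serial.
# The Subscriber's own ipsec.pem is expected to differ, so do not pass it.
check_ipsec_trust() {
    pub="$1"; shift
    rc=0
    want=$(cert_serial "$pub")
    if [ -z "$want" ]; then
        echo "UNREADABLE $pub"; return 2
    fi
    cert_valid_now "$pub" || { echo "EXPIRED    $pub"; rc=1; }
    for f in "$@"; do
        got=$(cert_serial "$f")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH   $f (serial ${got:-unreadable}, expected $want)"; rc=1
        elif ! cert_valid_now "$f"; then
            echo "EXPIRED    $f"; rc=1
        else
            echo "OK         $f (serial $got)"
        fi
    done
    return "$rc"
}

# Stand-alone use:
#   sh check.sh pub-ipsec.pem pub-ipsec-trust.pem sub-ipsec-trust.pem
if [ "$#" -ge 2 ]; then
    check_ipsec_trust "$@"
fi
```

A MISMATCH line identifies the ipsec-trust copy that would be replaced in the steps above.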
05-01-2013 05:45 AM
Hi Jagpreet,
I think you are talking about the bug which was found in 8.6.1.
Regards,
aman
05-01-2013 07:22 AM
Hi Aman,
This bug was filed for similar conditions and errors, however, the cause is different and the version as well.
As per the bug, the certs would not be expired and there will be no mismatch. Also, regenerating the certs would not help as the ipsec-trust.keystore exists in the database but with size zero showing. The only way to clear it is through the root access.
I would suggest to start with the verification of the certs expiration date and any mismatch between the certs on the Pub and Sub before we proceed further.
Regards,
Jagpreet Singh Barmi
05-16-2016 06:02 PM
Thanks Jagpreet, this resolved my issue.
Thanks,
Vaijanath
03-08-2018 01:22 PM
Should both the publisher and subscriber have a DRF Master and a DRF Local?
01-22-2018 03:57 AM
Also, please check the ipsec and ipsec-trust certificates and their expiry dates on the Pub and Subs.
09-18-2019 11:28 AM
Thanks; just ran into the same issue with the ipsec cert having expired after five years. Problem solved.