CUCM backup problems

ellenthomson
Level 1

Hello

I have recently noticed that our CUCM servers are not backing up (problem with the backup server). While trying to resolve this I carried out a manual backup but noticed that I am getting the following error from the SUB server:

"unable to contact server. Master or Local agent could be down"

I suspected this was just a problem with the DRF agents so have restarted them on both the PUB and SUB servers then re-ran the manual backup but still got the problem.

I have had a look around this forum and found people reporting similar issues that were caused by corrupted IPsec certificates, so I have had a check on both servers and found a couple of issues that I would like some advice on:

- I have noticed that the ipsec.(IPsec.perm) certificate on the PUB and SUB has an expiry date of a while ago, so this could be one of the issues. However, the expiry date was last year and we have only just had the backup problem.

- I noticed that while there is an IPsec-trust on the PUB server, this is missing on the SUB, so I am guessing this might be the issue.

From the forum post I believe I need to regenerate the IPsec-trust certificate on the PUB server then upload this onto the SUB server but don't really want to break anything so would be grateful for any advice

Regards

Ellen


Mohammed Khan
Cisco Employee

The Pub doesn't need the Sub's IPSEC-Trust, because the SUB DRF local agent is the initiator of the SSL connection with the publisher. Hence that's expected.

Follow my steps on Pub and Sub:

1- Log in to the Cisco Unified Communications Manager OS Administration page. Choose Security > Certificate Management. The Certificate List window displays.

2- Use the Find controls in order to filter the certificate list. Choose the ipsec.pem file, and click Regenerate.

Upon regeneration, the IPsec certificate automatically uploads itself to ipsec-trust.

3- Restart DRF MA and LA on Pub

4- Restart DRF LA on Sub

Hi Mohammed and Manish

Thanks for the super super quick response to my question

I will have a read through the information in the link you provided Manish so I understand the process a bit better then I will carry out the regeneration/upload

One question Mohammed, once the IPsec.perm file has been regenerated and has automatically uploaded itself to the IPsec-trust and the servers restarted, is this pushed out automatically to the sub server? guessing it is from your description but thought I would check

Thanks again for your quick response

Regards

Ellen

Yes, it will be pushed automatically. Cisco Certificate Change Notification will take care of it.

Hi Mohammed

Did not get a chance to do this yesterday afternoon but just have and it seems to have worked.

Did notice that the IPsec.perm file on the SUB server is still the same as it was (only regenerated the IPsec.perm on the PUB server so don't know if I need to regenerate on the SUB also)??

However the manual backup is now working fine so at least the initial problem has been fixed.

Might leave it a bit then try regenerating the IPsec.perm file on the SUB also??

Thanks again for your assistance

Regards

Ellen

If the Sub's IPsec is expired then you should regenerate. I am glad this issue is resolved.

Please rate/mark answer if you find the post helpful.

Manish Gogna
Cisco Employee

Hi Ellen,

As per the DRF admin guide:

The Disaster Recovery System uses an SSL-based communication between the Master Agent and the Local Agent for authentication and encryption of data between the Cisco Unified Communications Manager cluster nodes. DRS makes use of the IPSec certificates for its Public/Private Key encryption. Be aware that if you delete the IPSEC truststore (hostname.pem) file from the Certificate Management pages, then DRS will not work as expected. If you delete the IPSEC-trust file manually, then you must ensure that you upload the IPSEC certificate to the IPSEC-trust.

The procedure of verifying and uploading IPsec certs on Pub and subscribers is detailed here:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118928-configure-cucm-00.html#anc8

Manish
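
The verification discussed in this thread, as an added example that is not part of any post above or of Cisco's tooling: it checks that the PUB's ipsec.pem is still valid and that the SUB's ipsec-trust entry is the same certificate, which is what the SUB's DRF Local Agent needs for its SSL connection to the publisher. It assumes both certificates have been exported as PEM files to a workstation with OpenSSL; the function names and file names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Inputs are PEM files exported from each
# node; the file names used here are hypothetical.

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# drs_trust_check PUB_IPSEC_PEM SUB_TRUST_PEM [MIN_SECONDS_LEFT]
# Prints UNREADABLE, EXPIRING, MISMATCH or OK; exit status is 0 only for OK.
drs_trust_check() {
    pub=$1; trust=$2; min_left=${3:-0}
    for f in "$pub" "$trust"; do
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 2; }
    done
    # -checkend N fails when the certificate expires within N seconds (0 = already expired).
    if ! openssl x509 -in "$pub" -noout -checkend "$min_left" >/dev/null 2>&1; then
        echo EXPIRING; return 1
    fi
    # The SUB must hold exactly the certificate the PUB presents now; a copy of the
    # pre-regeneration certificate has a different fingerprint.
    if [ "$(cert_fp "$pub")" != "$(cert_fp "$trust")" ]; then
        echo MISMATCH; return 1
    fi
    echo OK
}

# Constructed sample input: a throwaway self-signed certificate valid for one day.
make_demo_cert() {  # make_demo_cert CN OUTFILE
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_cert cucm-pub "$d/pub-ipsec.pem"
    make_demo_cert cucm-pub "$d/sub-stale-trust.pem"   # same CN, different key
    drs_trust_check "$d/pub-ipsec.pem" "$d/pub-ipsec.pem"
    drs_trust_check "$d/pub-ipsec.pem" "$d/sub-stale-trust.pem"
    drs_trust_check "$d/pub-ipsec.pem" "$d/pub-ipsec.pem" 2592000   # 30-day window
    rm -rf "$d"
elif [ "$#" -ge 2 ]; then
    drs_trust_check "$@"
fi
```

Run it with the two exported files as arguments, or with `demo` to exercise it on the constructed certificates.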