Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3697
Views
15
Helpful
18
Replies

CUCM Cluster mode change from Mixed to Non secure

Go to solution
fgasimzade
Level 4
Level 4

‎07-30-2014 07:32 AM - edited ‎03-16-2019 11:34 PM

Hello everyone

 

We have a CUCM cluster 6.1.2 and we have lost the tokens we used to create CTL

The problem is that our certificates has expired and there is no way to renew them without the security tokens

 

Moreover, I have manually regenerated CallManager.pem certificate, and apparently it has resigned all configuration files (correct me if I am wrong) and now some of the phones do not accept these configuration files with this error:

877: xxx 17:30:28.895819 SECD: EROR:verifyFile: sgn verify file failed </usr/ram/SEPB4A4E329D635.cnf.xml>, errclass 8, errcode 19 (signer not in CTL)

and register on the subscriber (dont know why).

 

Some of the phones are not able to register (rejected) with Security Mode set to Non secure, and I need to configure them with LCS, but looks like if I hard reset the phone, the CTL file on the phone will change and it will not accept the configuration file

Is there any way to disable this functionality and change the cluster mode from mixed to non-secure or somehow "unsign" the configuration files so the phones could take it?

 

Thank you in advance

1 person had this problem
Labels:
0 Helpful
18 Replies 18

Go to solution
Brian Meade
Level 7
Level 7
In response to fgasimzade

‎08-18-2014 07:09 AM

The config files are generated dynamically each time a phone requests them.  They are not saved on the system.  After the CTL is deleted from a phone and it doesn't get a new CTL from CUCM, it will start requesting unsigned config files (SEP*.cnf.xml).

0 Helpful

Go to solution
fhunter
Level 1
Level 1
In response to Brian Meade

‎10-07-2014 08:03 AM

Hi Brian,

I had the same issue, and had reset the mode back to non-secure, and all worked OK until some phones were factory reset.

Thanks for the CTL delete information.

I have noticed that the phones don't seem to get an ITL.

I am not a fan of ITL infact they have been a pain in the @rse at times, but do you know why an ITL has not been generated / distributed in my security reset cluster.

Thanks

Frank

0 Helpful

Go to solution
Brian Meade
Level 7
Level 7
In response to fhunter

‎10-07-2014 08:33 AM

What CUCM version are you on and what model phone?  Do you see anything running "show itl" on the nodes?

0 Helpful

Go to solution
shawnangelo
Level 1
Level 1
In response to Brian Meade

‎04-07-2015 07:34 PM

Thanks for the sql query bro! Just helped me fix this situation!

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents