06-06-2013 04:06 AM - edited 03-16-2019 05:44 PM
Hi,
We have CUCM ver 8.5 (cluster of 2 servers, publisher & subscriber) registered with multiple 7940, 6941, 6921, 8961 phones along with a few ATA 187 boxes. Everything is working fine, but now the business suddenly wants to enable security by encrypting the data flow from a few of these phones. These include 7940, 6921 and 8961 series phones. For testing purposes we arranged the 2 security dongles needed for certificate generation and followed each step given in the link below.
https://supportforums.cisco.com/docs/DOC-18834
Observation :- Cisco 7940 Phones (SCCP)
The CTL file is successfully downloaded, but when trying to push the LSC from Call Manager through "CAPF information" using "Authentication String", we get "TLS error to x.x.x.x" after the phone power cycles (reset). Also, once the authentication string is entered on "LSC" under the "security settings", we get a "Connection Failed" error.
Due to which we are unable to register the phones using secure profile (LSC not getting downloaded).
Cisco 69xx Phones(SCCP)
No security related settings seen on the phone itself --- do we need a specific firmware load / Call manager version for security to work on these phones (Cisco 69xx phones).
Update - Upgraded Cisco 69xx phones to load version 9.1.1, now able to see the security settings.
But still facing the same issue faced for 7940 phones; also the logs in the .txt file are similar (pasted below).
Also as per cisco document these phones support security, link below...
Didn't try any further with 8961 & 6921 phones as we got stuck with the above 2 phones.
Troubleshooting Done:
Checked & verified the serial number of the certificates on Call Manager (CAPF.pem & CallManager.pem with CTL contents), verified the hash value of the CTL file against the CTL file downloaded on the phone. Everything is perfect and matching, but still the LSCs are not getting downloaded on the phone.
Also there is no cer files generated in the path below except for the .txt file (screenshot below).
"file list activelog /cm/trace/capf/sdi"
The common error seen in the .txt file is as pasted below:
16:20:21.474 | debug ERROR:10.1.200.45: SSL3 alert write fatal handshake failure
16:20:21.474 | debug ERROR:10.1.200.45: capfSSLHandShake Handshake failure
16:20:21.474 | debug ERROR:Failed SSL handshake, calling capfReleaseSession() on deviceId: (null)
16:20:45.549 | debug FD_ISSET i=0, SockServ=15
16:20:45.549 | debug Accepted TCP connection from socket 0x00000015
CUCM ver - 8.5.1.10000-26
7940 Load information - P00308010200
6941 Load information - 8.5.1.66.22
Any help will be highly appreciated.....
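Added example, not part of the original post and not Cisco tooling: a small Python triage script that groups the CAPF trace errors quoted above by phone IP and records which side sent the TLS alert. The `time | debug text` layout is assumed from the five quoted lines, reading `write` as "alert sent by the CAPF side" assumes the OpenSSL-style direction convention, and the function and field names are illustrative.

```python
import re
from collections import defaultdict

# Lines copied from the post above; the "time | debug text" layout is assumed from them.
SAMPLE_TRACE = """\
16:20:21.474 | debug ERROR:10.1.200.45: SSL3 alert write fatal handshake failure
16:20:21.474 | debug ERROR:10.1.200.45: capfSSLHandShake Handshake failure
16:20:21.474 | debug ERROR:Failed SSL handshake, calling capfReleaseSession() on deviceId: (null)
16:20:45.549 | debug FD_ISSET i=0, SockServ=15
16:20:45.549 | debug Accepted TCP connection from socket 0x00000015
"""

LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s*\|\s*debug\s+(.*)$")
PEER_ERROR = re.compile(r"^ERROR:(\d{1,3}(?:\.\d{1,3}){3}):\s*(.*)$")
ALERT = re.compile(r"^SSL3 alert (read|write) (warning|fatal) (.+)$")

def summarize(trace):
    """Return (per-peer error summary, count of sessions released with no device ID)."""
    peers = defaultdict(lambda: {"alerts": [], "handshake_failures": 0, "times": []})
    null_device_releases = 0
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the assumed layout
        ts, msg = m.groups()
        if "capfReleaseSession()" in msg and msg.endswith("deviceId: (null)"):
            null_device_releases += 1  # session dropped with no device ID recorded
            continue
        pe = PEER_ERROR.match(msg)
        if not pe:
            continue  # socket bookkeeping lines carry no peer IP
        ip, detail = pe.groups()
        entry = peers[ip]
        entry["times"].append(ts)
        alert = ALERT.match(detail)
        if alert:
            direction, level, description = alert.groups()
            sender = "capf" if direction == "write" else "phone"  # assumed convention
            entry["alerts"].append((sender, level, description))
        elif "Handshake failure" in detail:
            entry["handshake_failures"] += 1
    return dict(peers), null_device_releases

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```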
11-08-2013 12:53 AM
Hello, did you solve this issue?
We are facing a similar situation, kindly add any solution
Appreciate your reply
Regards,
Mathew