6494 ERR May 28 14:43:28.697857 (344-3946) SECUREAPP-filterOutCiphers:0 ret:1
06-01-2021 08:58 AM - edited 06-01-2021 08:58 AM
Recently upgraded to 12.5.1 and took the opportunity to replace the self-signed certs with CA-signed certs.
For the Call Manager / Tomcat and IPSec certs. Also added the root CA / issuing CA to the trust store of these.
Everything (and Jabber) works perfectly, no cert errors anywhere - wonderfully smooth.
However, an issue has arisen: a percentage of phones, maybe 10%,
- get 'host not found' when you press Services and Extension Mobility.
The fault is the phone doesn't trust the server - probably due to the new cert - see below.
So I'm thinking I have forgotten to add the CA Root / Issuing to a store somewhere.
Question - how do I get the phones to trust the new cert? But also - why are some phones working and some not?
I can't find any common factors between the failing phones - different models / sites; other models configured the same at the same site work perfectly.
Is there a trust store somewhere that the phones import?
Any help appreciated.
James
06-01-2021 09:53 AM
I suggest you start by reading documentation related to ITL/TVS, that has been around since 8.x and anyone who manages a CUCM needs to be familiar with both concepts.
If you were able to upload your CA signed certificates to CUCM, all the necessary certificates are in the -trust stores.
Did you follow the proper documentation while uploading the new certificates and gave enough time in between them?
06-01-2021 12:17 PM
Thanks for the response Jamie
I have replaced all the Tomcat / CUPS certs and rebooted everything. I kind of presumed rebooting all the servers in sequence was the same thing.
Keep in mind - a lot of the phones are working perfectly.
Could it be that some phones may have been powered off and didn't get the new trust list?
Also some phones are failing on UCCX services; their Tomcat is also now signed by the same local CA.
I'll regenerate the TVS cert I think and follow the procedure closely.
Using this guide -
I'll let you know my progress !
Thanks
James
06-02-2021 07:19 AM
Followed the procedure EXACTLY - so TVS cert replaced across the cluster, restarted the services in the right order and waited till everything was done before moving on. Last but not least - rebooted all devices in the cluster (gulp).
Still not working!!
Phone getting error -
8238 ERR Jun 02 15:07:43.483659 (348-15866) SECUREAPP-No match found in trust list against the item
Getting annoying now..
So just to summarise - the phone loads, gets config - everything works perfectly, but when they select the application 'extension mobility' they get 'host not found'.
Service setup - XML Service
with
https://HOSTNAMEGOOD:8443/emapp/EMAppServlet?device=#DEVICENAME#
Thanks
James
06-02-2021 08:28 AM - edited 06-02-2021 08:30 AM
Can you remove the old ITL/CTL by going to the security settings on the phone and see if it resolves your issue? If the phone holds the old one it won't accept the new.
You can find many articles about how to remove the CTL/ITL on Google.
06-01-2021 10:48 AM
You have to Remove the old ITL files from Phones which has issue.
you can try the below tool to do it in bulk.
https://www.unifiedfx.com/products/phoneview-itl-delete
06-01-2021 12:37 PM
Nithin
Sorry - this isn't the correct solution.
But thanks for responding.
06-03-2021 01:01 PM - edited 06-03-2021 01:01 PM
Have you tried this on at least one phone before you wrote it off as not being the solution?
What you describe matches perfectly with phones losing trust with the CM. This is controlled by two certificates, CallManager and TVS. This is the reason why these should never be renewed at the same time. At best there should be a period of a few weeks in between the renewal of these to let the phones get the new certificate.
06-09-2021 01:42 AM
Roger
Deffo not working - tried the security and factory reset
4790 ERR Jun 09 09:36:02.464823 (344-30586) SECUREAPP-Failed to validate cert using TVS
4791 INF Jun 09 09:36:02.466008 (29822-29950) JAVA-SSL session setup Cert Verification - Certificate validation helper plugin returned.
4792 ERR Jun 09 09:36:02.466063 (29822-29950) JAVA-SSL session setup Cert Verification - Certificate is invalid.
4793 DEB Jun 09 09:36:02.466084 (29822-29950) JAVA-SSL session setup Cert Verification - returning validation result = 0
4794 ERR Jun 09 09:36:02.466472 (29822-29950) JAVA-Sec SSL Connection - Handshake failed.
Please note - I only reset the TVS cert after this fault occurred
Thanks
James
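The thread quotes several phone console lines but never shows how to sift them, so here is an added example (mine, not from the thread or from Cisco) that parses the phone log format quoted above and flags the lines where the ITL/CTL lookup or the TVS check rejected the server certificate. The sample lines are constructed from the ones quoted in this thread, and the mapping from message fragment to trust check is my own assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the 8841/7945 console output quoted in this thread.
SAMPLE_LOG = """\
6494 ERR May 28 14:43:28.697857 (344-3946) SECUREAPP-filterOutCiphers:0 ret:1
8238 ERR Jun 02 15:07:43.483659 (348-15866) SECUREAPP-No match found in trust list against the item
4790 ERR Jun 09 09:36:02.464823 (344-30586) SECUREAPP-Failed to validate cert using TVS
4792 ERR Jun 09 09:36:02.466063 (29822-29950) JAVA-SSL session setup Cert Verification - Certificate is invalid.
4794 ERR Jun 09 09:36:02.466472 (29822-29950) JAVA-Sec SSL Connection - Handshake failed.
"""

# Line format: seq level Mon DD HH:MM:SS.micro (pid-tid) COMPONENT-message
LINE_RE = re.compile(
    r"^(?P<seq>\d+) (?P<level>[A-Z]{3}) (?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"\((?P<pid>\d+)-(?P<tid>\d+)\) (?P<component>[A-Za-z]+)-(?P<msg>.*)$"
)

# Message fragments that mean the phone could not establish trust in the server cert,
# mapped to the check that reported it (assumption: fragments taken from this thread only).
TRUST_SIGNATURES = {
    "No match found in trust list": "ITL/CTL lookup",
    "Failed to validate cert using TVS": "TVS verification",
    "Certificate is invalid": "Java SSL cert check",
}

def parse_line(line: str) -> Optional[dict]:
    """Parse one console line into a dict; None if it does not match the phone log format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    failure = next((why for frag, why in TRUST_SIGNATURES.items() if frag in m["msg"]), None)
    return {"seq": int(m["seq"]), "level": m["level"], "ts": m["ts"],
            "component": m["component"], "msg": m["msg"], "failure": failure}

def trust_failures(log: str) -> List[dict]:
    """Entries where the phone rejected the server certificate (ordinary lines are dropped)."""
    parsed = (parse_line(l) for l in log.splitlines() if l.strip())
    return [e for e in parsed if e is not None and e["failure"]]

def failure_summary(log: str) -> Dict[str, int]:
    """Count failures per check; an ITL/CTL miss and a TVS miss together mean neither store knows the cert."""
    counts: Dict[str, int] = {}
    for e in trust_failures(log):
        counts[e["failure"]] = counts.get(e["failure"], 0) + 1
    return counts
```

Feed it the console log of a failing phone; a phone that shows both an ITL/CTL miss and a TVS miss for the same connection is rejecting the cert at both layers, which is why a local reset alone did not help in this thread.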
06-03-2021 06:38 AM
Hi there,
Is EM the only thing which is affected? Have you tried updating the subscriptions under the IP phone service?
Also, not sure if you've seen this thread at all. It's quite a number of years old, but could be still applicable to your issue:
06-09-2021 02:55 AM
All services impacted - set up another service and it's the same.
The old thread isn't relevant.
This is an 8841 on
Active Load ID: sip88xx.12-8-1-0101-482
But thanks
06-17-2021 01:41 AM
Just an update here -
This fault is still happening... it's an odd one.
Basically had a Call Manager certificate update - moved to company-issued certs and loaded the root CAs into the trust stores...
Everything works perfectly... EXCEPT extension mobility - about 10-20% of the handsets have this 'host not found' error.
It's NOT an ITL reset. We have two models showing the error, 8841 and 7945. You can do an ITL reset on the 7945 and 'security settings reset' on an 8841 - both don't fix the issue. Also tried a factory reset.
07-01-2021 03:50 AM
Folks
Appreciate all the feedback - one final cluster reset did the trick here. The issue was that the CUCM publisher / subscribers need to be reloaded to activate the new TVS certificate configuration. Then the phones need to be reset in the enterprise settings to pick up that TVS configuration.
The order of the reset & reboots is important.
Thanks
James