IP Phone won't register with 4.2.3 Publisher after registering with 8.0.3 Publisher

Brian Houston
Level 1

I'm upgrading from CM4.2.3 to UCM8.0.3.

I've installed the new servers with different IP addresses at v7.1.3, imported 4.2.3 DMA data, and upgraded to 8.0.3.

As a test, I've created a test Vlan/subnet and configured DHCP option 150 for the new subnet to point to the new UCM8 Publisher IP address.

I moved a phone into the new Vlan and it correctly upgraded its firmware from the new Publisher and then registered with the new Publisher. All good so far.

When I move the phone back into its original Vlan, it correctly obtains an IP address in the original subnet (from the DHCP server running on the 4.2.3 Publisher). The phone also has the correct default gateway and TFTP server addresses.

The problem is that despite all this, it stays registered with the new UCM8 Publisher. The phone knows that its TFTP server is the 4.2.3 Publisher (whose DHCP option 150 is unchanged and pointing to itself) but seems to ignore this and instead registers with the UCM8 server.

I have to factory reset the phone in order for it to point to the 4.2.3 Publisher and revert back to its original firmware load.

I need to have a clean way of rolling back to 4.2.3 in case of problems when cutting over to UCM8. I thought I had a good method but this problem would mean factory resetting 170 phones - not an option.

Any ideas would be welcome.


Ayodeji Okanlawon
VIP Alumni

What happens when you shut down the 8.0.3 publisher, or make it unreachable?

Please rate all useful posts

In that case the phone just sits there "registering", it only seems to try to register with the UCM Publisher.

I see what you're getting at but I'm not rolling the UCM8 cluster back to an earlier version. I have the UCM8 and CM4.2.1 cluster running in parallel; I want to be able to rehome phones from the UCM8 cluster back to the CM4.2.1 cluster, if need be.

phooghen
Cisco Employee

Please consider changing the following Enterprise parameter on CUCM 8.x before reverting back to CUCM 4.3

This parameter prepares the cluster for rollback to pre 8.0 Cisco Unified Communications Manager release.
This is a required field.
Default: False
Enable this option ONLY if you are preparing to rollback your cluster to a pre 8.0 Cisco Unified Communications Manager release. Phone services (for example, extension mobility) will NOT work when this parameter is set to True, however, users will be able to continue making and receiving basic phone calls. IMPORTANT: You must restart the following services on all nodes, in the order described, immediately after setting this parameter to True: First, restart the Trust Verification Service (TVS) on all nodes; next, restart the TFTP service on all nodes that have TFTP activated; last, return to the Enterprise Parameters Configuration window and click the Reset button to reset all phones. When those three steps are completed and have been performed in the specified order, the cluster will be ready for rollback.

Guru Murthy A
Cisco Employee

By default, 8.x CallManager versions have Initial Trust List (ITL) enabled. After you register the phone to 8.x CUCM, it stops trusting the TFTP of the old CUCM.

Can you check if you find any entries under ITL files, which can be accessed from Security Configuration > Trust List > ITL File?

Erase the ITL file to register the phone back to the old CUCM.

Also check, http://www.cisco.com/en/US/customer/docs/voice_ip_comm/cucmbe/security/8_0_2/secugd/secusbd.html

Hope that helps.

Apologies, but can you clarify where the Security Configuration is to be found? I don't see it anywhere.

Can you tell me what phone models you are using?

On a 7945, I can find it under Settings > Security Config > Trust List > ITL File

Sorry, I had assumed you were referring to configuration settings on UCM itself.

I've checked on a 7961 phone I've been testing. When I select Trust List from the security settings, the phone displays "Trust List" with a ticked checkbox to the left. There is no mention of ITL files.

Is the Settings menu unlocked on the phone? If not, please unlock it (**#) and check if you can erase CTL/ITL files.

I will try to get hold of a 7961 and find out how to manually delete ITL files. Also, do you have any other phone models available to test with?

Guru is right. A phone will download an ITL file from an 8.x version of CallManager, even if the cluster is non-secure. Do the following on the phone:

Settings > Network Configuration > IPv4 Configuration >

- Alternate TFTP - Yes

- TFTP Server 1 - give the IP address of your 4.2.3 TFTP server

(If settings are locked, press **# to unlock them)

The phone will reset and try registering to the 4.2.3 network, but will fail (as per design) due to ITL files it has from the 8.x server.

Settings > Security Configuration > Trust List > ITL File > Select >

- If 'Exit' is the only option displayed, press **#

- You should see options 'Unlock', 'Exit' and 'more'. Select 'more', and then 'Erase'

Phone should reset, contact the 4.2.3 TFTP server, and register to the 4.2.3 CallManager, based on UCM Group.

Let me know if this works.

- Sriram

Please rate helpful posts !

Sriram/Guru

Thanks to both of you for your advice; I re-tested this and you are absolutely correct. When I delete the ITL file that was downloaded from UCM8, the phone resets and re-homes to the 4.2.3 cluster.

It's good to have the answer but I'm still left with a problem for my implementation/rollback plan. If for any reason I have to roll back from the UCM8 cluster to the 4.2.3 cluster (hopefully not, but you never know), I'm going to have this problem on all phones and will have to go to all 170 of them and manually delete the ITL file.

Is there no way of preventing the phones from downloading the ITL file from UCM?

Glad your question was answered today.

If you are going to be registering your phones back to pre 8.x CUCM, you could consider the solution provided by phoogen.

According to this document, http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_0_2/secugd/secusbd.html#wp1092162

If you are going to be doing a planned movement of all your phones from 8.x to 4.2 you could prepare the phones for rollback as described in the document. I believe these steps remove the ITL files from the phones, thus removing the 'Security by Default' feature. Now the phones will be ready to register to any pre 8.x CUCM without any trust issues.

Hope this helps.

Thanks Guru

I've tested again, this time using the steps in the document that you (and phooghen in an earlier post) provided. This works perfectly so I now have the option of rolling back without having to visit each phone and delete the ITL file.

A couple of points to note for future reference:

Following the rollback procedure, the ITL file is not deleted from the phone - I can still see it via the security settings.

It's also worth noting that once a phone has been rolled back once, it can be rolled back again without repeating the procedure. A further test confirmed that the phone registered back on 4.2.3 without me having to carry out the rollback procedure again on 8.0.3.

Thanks to all who responded.

Hi Brian,

First of all, good to know that the steps worked !

AFAIK, there is no way to prevent the phone from downloading an ITL file when it registers to an 8.x CUCM server, even if it is a non-secure cluster. The ITL file contains a bunch of certificates from the 8.x server (namely CAPF, TVS, System Admin Security Token and TFTP). The TVS (Trust Verification Service) certificate lets the phone know which CallManager servers it can trust. The TFTP cert lets the phone know which TFTP server it can trust. You can SSH to your 8.x Pub, and run 'show itl' to see the list of certificates that form the ITL file.

Thanks,
Sriram

Please rate helpful posts !
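
A simplified model of the phone-side trust decision discussed in this thread, added here as an illustration; it is not Cisco code and not from any poster. Assumptions: HMAC-SHA256 stands in for certificate signatures, the legacy 4.2.3 cluster serves unsigned files, and the rollback parameter is modelled as an ITL with an empty TFTP section; all keys and file contents are constructed.

```python
import hashlib
import hmac

def sign(key, data):
    """HMAC-SHA256 stands in for an X.509 signature (model assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def make_itl(signer_key, tftp_keys):
    """Constructed ITL: a signer key, trusted TFTP keys, and a tag over that list."""
    body = b"|".join(tftp_keys)
    return {"signer": signer_key, "tftp": list(tftp_keys),
            "tag": sign(signer_key, body)}

class Phone:
    def __init__(self):
        self.itl = None                  # factory state, or after 'Erase'

    def offer_itl(self, itl):
        """Install blindly on first contact; afterwards only if the signer
        key already pinned on the phone vouches for the new file."""
        body = b"|".join(itl["tftp"])
        if self.itl is not None and not hmac.compare_digest(
                itl["tag"], sign(self.itl["signer"], body)):
            return False
        self.itl = itl
        return True

    def accept_config(self, config, tag=None):
        """Decide whether a config file fetched over TFTP is trusted."""
        if self.itl is None or not self.itl["tftp"]:
            return True                  # nothing pinned: any TFTP server is accepted
        return tag is not None and any(
            hmac.compare_digest(tag, sign(k, config)) for k in self.itl["tftp"])

    def erase_itl(self):
        self.itl = None                  # the manual 'Erase' from the phone menu

def demo():
    k_signer, k_tftp = b"ucm8-signer-key", b"ucm8-tftp-key"   # constructed keys
    cfg8, cfg4 = b"callmanager=ucm8", b"callmanager=cm423"    # constructed files
    phone, out = Phone(), {}
    phone.offer_itl(make_itl(k_signer, [k_tftp]))             # first 8.x registration
    out["ucm8_signed"] = phone.accept_config(cfg8, sign(k_tftp, cfg8))
    out["cm423_with_itl"] = phone.accept_config(cfg4)         # unsigned legacy file
    phone.offer_itl(make_itl(k_signer, []))                   # assumed rollback ITL
    out["cm423_after_rollback"] = phone.accept_config(cfg4)
    out["itl_still_present"] = phone.itl is not None
    return out

if __name__ == "__main__":
    print(demo())
```

In this model the rollback case leaves an ITL on the phone while still letting it accept the legacy server, which matches the observation above that the ITL file remains visible after the rollback procedure.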