02-01-2011 02:53 AM - edited 03-16-2019 03:11 AM
I'm upgrading from CM4.2.3 to UCM8.0.3.
I've installed the new servers with different IP addresses at v7.1.3, imported 4.2.3 DMA data, and upgraded to 8.0.3.
As a test, I've created a test Vlan/subnet and configured DHCP option 150 for the new subnet to point to the new UCM8 Publisher IP address.
I moved a phone into the new Vlan and it correctly upgraded its firmware from the new Publisher and then registered with the new Publisher. All good so far.
When I move the phone back into its original Vlan, it correctly obtains an IP address in the original subnet (from the DHCP server running on the 4.2.3 Publisher). The phone also has the correct default gateway and TFTP server addresses.
The problem is that despite all this, it stays registered with the new UCM8 Publisher. The phone knows that its TFTP server is the 4.2.3 Publisher (whose DHCP option 150 is unchanged and pointing to itself) but seems to ignore this and instead registers with the UCM8 server.
I have to factory reset the phone in order for it to point to the 4.2.3 Publisher and revert back to its original firmware load.
I need to have a clean way of rolling back to 4.2.3 in case of problems when cutting over to UCM8. I thought I had a good method but this problem would mean factory resetting 170 phones - not an option.
Any ideas would be welcome.
02-01-2011 05:28 AM
Guru is right. A phone will download an ITL file from an 8.x version of CallManager, even if the cluster is non-secure. Do the following on the phone:
Settings > Network Configuration > IPv4 Configuration >
- Alternate TFTP - Yes
- TFTP Server 1 - give the IP address of your 4.2.3 TFTP server
(If settings are locked, press **# to unlock them)
The phone will reset and try registering to the 4.2.3 network, but will fail (as per design) due to ITL files it has from the 8.x server.
Settings > Security Configuration > Trust List > ITL File > Select >
- If 'Exit' is the only option displayed, press **#
- You should see the options 'Unlock', 'Exit' and 'more'. Select 'more', and then 'Erase'
Phone should reset, contact the 4.2.3 TFTP server, and register to the 4.2.3 CallManager, based on UCM Group.
Let me know if this works.
- Sriram
Please rate helpful posts !
02-01-2011 06:05 AM
Glad your question was answered today.
If you are going to be registering your phones back to pre 8.x CUCM, you could consider the solution provided by phoogen.
According to this document, http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_0_2/secugd/secusbd.html#wp1092162
If you are going to be doing a planned movement of all your phones from 8.x to 4.2 you could prepare the phones for rollback as described in the document. I believe these steps remove the ITL files from the phones, thus removing the 'Security by Default' feature. Now the phones will be ready to register to any pre 8.x CUCM without any trust issues.
Hope this helps.
02-01-2011 03:05 AM
what happens when you shut down the 8.0.3 publisher? or make it unreachable
02-01-2011 03:08 AM
In that case the phone just sits there "registering", it only seems to try to register with the UCM Publisher.
02-01-2011 03:31 AM
I see what you're getting at but I'm not rolling the UCM8 cluster back to an earlier version. I have the UCM8 and CM4.2.1 cluster running in parallel; I want to be able to rehome phones from the UCM8 cluster back to the CM4.2.1 cluster, if need be.
02-01-2011 03:06 AM
Please consider changing the following Enterprise parameter on CUCM 8.x before reverting back to CUCM 4.3
02-01-2011 03:18 AM
By default 8.x CallManager versions have Initial Trust List (ITL) enabled, after you register the phone to 8.x CUCM, it stops trusting the TFTP of the old CUCM.
Can you check if you find any entries under ITL files, which can be accessed from Security Configuration > Trust List > ITL File.
Erase the ITL file to register the phone back to the old CUCM.
Also check, http://www.cisco.com/en/US/customer/docs/voice_ip_comm/cucmbe/security/8_0_2/secugd/secusbd.html
Hope that helps.
02-01-2011 03:42 AM
Apologies, but can you clarify where the Security Configuration is to be found? I don't see it anywhere.
02-01-2011 03:46 AM
Can you tell me what phone models you are using ?
On a 7945, i can find it under Settings > Security Config > Trust List > ITL File
02-01-2011 03:55 AM
Sorry, I had assumed you were referring to configuration settings on UCM itself.
I've checked on a 7961 phone I've been testing. When I select Trust List from the security settings, the phone displays "Trust List" with a ticked checkbox to the left. There is no mention of ITL files.
02-01-2011 04:45 AM
Is the Settings menu unlocked on the phone? If not, please unlock it (**#) and check if you can erase the CTL/ITL files.
I will try to get hold of a 7961 and find out how to manually delete ITL files. Also, do you have any other phone models available to test with?
02-01-2011 05:50 AM
Sriram/Guru
Thanks to both of you for your advice; I re-tested this and you are absolutely correct. When I delete the ITL file that was downloaded from UCM8, the phone resets and re-homes to the 4.2.3 cluster.
It's good to have the answer but I'm still left with a problem for my implementation/rollback plan. If for any reason I have to roll back from the UCM8 cluster to the 4.2.3 cluster (hopefully not, but you never know), I'm going to have this problem on all phones and will have to go to all 170 of them and manually delete the ITL file.
Is there no way of preventing the phones from downloading the ITL file from UCM?
02-01-2011 08:56 AM
Thanks Guru
I've tested again, this time using the steps in the document that you (and phoogen in an earlier post) provided. This works perfectly so I now have the option of rolling back without having to visit each phone and delete the ITL file.
A couple of points to note for future reference:
Following the rollback procedure, the ITL file is not deleted from the phone - I can still see it via the security settings.
It's also worth noting that once a phone has been rolled back once, it can be rolled back again without repeating the procedure. A further test confirmed that the phone registered back on 4.2.3 without me having to carry out the rollback procedure again on 8.0.3.
Thanks to all who responded.
02-01-2011 06:08 AM
Hi Brian,
First of all, good to know that the steps worked !
AFAIK, there is no way to prevent the phone from downloading an ITL file when it registers to an 8.x CUCM server, even if it is a non-secure cluster. The ITL file contains a bunch of certificates from the 8.x server (namely CAPF, TVS, System Admin Security Token and TFTP). The TVS (Trust Verification Service) certificate lets the phone know which CallManager servers it can trust. The TFTP cert lets the phone know which TFTP server it can trust. You can SSH to your 8.x Pub and run 'show itl' to see the list of certificates that form the ITL file.
Thanks,
Sriram
Please rate helpful posts !