Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
585
Views
0
Helpful
2
Replies

Is regeneration of CAPF after mixed mode needed?

esther.tan
Level 1
Level 1

‎09-29-2019 07:20 PM - edited ‎10-01-2019 08:01 PM

Is regeneration of CAPF and re-sign by CA needed after changing CUCM to mixed mode, if previously LSC is installed during non-secure mode?

 

1. Phones were previously signed with CA signed LSC and had 802.1x enabled for NAC. CUCM v12.5 was in non secured mode.

2. Customer requires encryption on the phones thus we have converted the CUCM v12.5 to mixed mode

3. Phones are not able to register after we applied the secure sip profile. NAC is working as phone is still getting IP but just cannot register to CUCM.  If we delete the LSC from the phone, the phone can register using secure profile.

 

Phone (with LSC) getting the below error.

 

7851 ERR Sep 23 15:01:20.320158 (348:2292) SECUREAPP-Secure Connection Handshake failed.
7852 NOT Sep 23 15:01:20.322478 (348:2292) SECUREAPP-Close and free connection handler at 0x2a1c63b0
7853 NOT Sep 23 15:01:20.323210 (348:2292) SECUREAPP-Sec SSL Close Connection successful.
7854 ERR Sep 23 15:01:20.323699 (348:2292) SECUREAPP-PXY_SSL_CLNT: SSL CLNT ERR, srvr[10.178.23.16]
7855 ERR Sep 23 15:01:20.324523 (348:2292) SECUREAPP-SECERR_DETAIL: ** SEC-ERR: code:[11]([UNKNOWN_ERR]) subcode:[0]([N/A])
7856 ERR Sep 23 15:01:20.325041 (348:2292) SECUREAPP-SECERR_DESC: ** SEC-ERR: desc [ssl setup failed]

 

From CUCM, we are getting this:

07275357.000 |14:58:46.457 |AppInfo  |[3, 100, 247, 138]: HandleSSLError - Certificate verification failed:(Verification error:2)- unable to get issuer certificate for 10.178.99.71:51537

 

ITL and CTL checksum on the phone are the same as the publisher, so no error on that.  This is confirmed by the below phone logs

 

UREAPP-validateSignedCTL: new TL matches old, not updating

 

 

 

 

0 Helpful
2 Replies 2

Rajan
VIP Alumni
VIP Alumni

‎09-30-2019 01:50 AM

Hi Esther,

Was this cluster in mixed mode ever before and had CTL file ? If so, then you need to delete the CTL file before moving to mixed mode again. Please refer the below link for more detailed procedure:

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html#anc5

HTH
Rajan
Please rate all useful posts by clicking the star below and mark solutions as accepted wherever applicable
0 Helpful

esther.tan
Level 1
Level 1
In response to Rajan

‎10-01-2019 08:01 PM

Hi Rajan

 

No. There was no CTL file before we switched to mixed mode.

 

 

Regards

Esther

0 Helpful
Customers Also Viewed These Support Documents