Issue with MRA Cisco IP Phones 7800/8800

Hello all,

I have deployed Expressway C-E (8.9) with CUCM 11.5, and I'm trying to register an 8841 from the Internet using the MRA feature. When I try to log in on the IP phone, it shows:

"Error: Server certificate validation failed. Contact your administrator" and in the Status messages "Invalid server certificate: expe.domain.com"

Trying to find info about this problem I found

"For Mobile and Remote Access through Expressway, the Expressway server must be signed against one of these Certificate Authorities"

in this doc:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/dx/series/ca/CA-Trust-List.docx

I suppose the error appears because our internal CA is not trusted.

Is there any way to register an 8800/7800 phone through the MRA feature without certificates signed by one of these authorities? We usually manage internal CAs.

Thanks so much!
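To make the failure concrete, here is an added shell example (not from the original post, and not Cisco's own tooling) that reproduces the phone's check with openssl: a constructed "Internal Root CA" signs a certificate for expe.domain.com, and openssl verify is run first against a trust list that, like the phone's built-in list, holds only a (constructed) public root, then against the same list with the internal root appended. The CA names, the temporary files and the stand-in public root are all made up for the example; the hostname check mirrors the "Invalid server certificate: expe.domain.com" status message.

```shell
#!/bin/sh
# Added example: reproduce an MRA phone's server-certificate check with openssl.
# Every certificate below is generated here; nothing is fetched from a real
# Expressway-E. CA names are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical internal CA, the kind the poster manages on premises.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Internal Root CA" \
  -keyout "$WORK/internal-ca.key" -out "$WORK/internal-ca.pem" 2>/dev/null

# Stand-in for one of the public roots on the phone's built-in trust list.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Public Root CA" \
  -keyout "$WORK/public-ca.key" -out "$WORK/public-ca.pem" 2>/dev/null

# Expressway-E server certificate (CN and SAN = expe.domain.com), signed by
# the internal CA, i.e. the situation described in the original post.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=expe.domain.com" \
  -keyout "$WORK/expe.key" -out "$WORK/expe.csr" 2>/dev/null
printf 'subjectAltName=DNS:expe.domain.com\n' > "$WORK/san.cnf"
openssl x509 -req -days 365 -in "$WORK/expe.csr" \
  -CA "$WORK/internal-ca.pem" -CAkey "$WORK/internal-ca.key" -CAcreateserial \
  -extfile "$WORK/san.cnf" -out "$WORK/expe.pem" 2>/dev/null

# Phone trust list as shipped: public roots only.
cp "$WORK/public-ca.pem" "$WORK/phone-trust-list.pem"
# The same list with the internal root added (what would be needed for
# an internally signed Expressway-E to be accepted).
cat "$WORK/public-ca.pem" "$WORK/internal-ca.pem" \
  > "$WORK/phone-trust-list-plus-internal.pem"

# phone_trusts_server TRUST_LIST SERVER_CERT HOSTNAME
# Returns 0 only when SERVER_CERT chains to a CA in TRUST_LIST and its
# name matches HOSTNAME, the two conditions behind "Server certificate
# validation failed".
phone_trusts_server() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

if phone_trusts_server "$WORK/phone-trust-list.pem" "$WORK/expe.pem" expe.domain.com; then
  echo "accepted with the public-only trust list (unexpected)"
else
  echo "rejected with the public-only trust list: issuer not in phone trust list"
fi

if phone_trusts_server "$WORK/phone-trust-list-plus-internal.pem" "$WORK/expe.pem" expe.domain.com; then
  echo "accepted once the internal root is in the trust list"
fi
```

To run the same check against a live deployment, capture the chain the Expressway-E actually presents (for instance with `openssl s_client -connect expe.domain.com:8443 -showcerts`, 8443 being the HTTPS port MRA phones typically use towards the Expressway-E) and verify it against the CA list in the document linked above rather than against the workstation's system store; a chain that validates on a laptop trusting the internal CA will still be rejected by a phone whose firmware does not carry that root.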

17 Replies

Chris Deren
Hall of Fame

Jamie is correct: the cert on the Expressway-E needs to be publicly signed, while your Expressway-C, CUCM, IMP and CUC can run internally signed certs.

I have faced this issue as well, where certain 7821 phones are registering fine through the EXP-E and others are not, reporting that they cannot trust the EXP-E certificate. Unfortunately you have to stage all the phones on premises first to avoid this issue, since the Cisco documentation says the following:

"Certificate provisioning to remote endpoints is not supported over MRA. For example, the Certificate Authority Proxy Function (CAPF). If you can do the first-time configuration on premises (inside the firewall) including CAPF enrolment, then these endpoints can use encrypted TFTP configuration files over MRA. But you can't do the CAPF enrolment over MRA, so you must bring the endpoints back on-premises for subsequent certificate operations."

So phones with old firmware will likely not be able to trust the certificate and log in through the EXP-E. That was my case.

That doesn't make a lot of sense, though.

The root CA list may be in the firmware and may be updated; I could see that happening. CAPF doesn't really have anything to do with it, which is what that's referring to.

Granted, if the firmware were out of date and needed updating, and it can't connect to the Expressway to find out what it needs to do, then it won't work.