cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1549
Views
0
Helpful
8
Replies

Registration issues since upgrade to 11.5.1 SU3b

drbabbers
Level 3
Level 3

All,

Have just upgraded a CUCM cluster to 11.5.1 SU3b and since then I am unable to register any phones to the previously used TFTP server.

However if I use the secondary TFTP the phone registers fine. (Phone downloads CTL all OK - Mixed mode cluster, but this is a Non-Secure Profile/Phone..)

On this point also, the TFTP node with the issue has no CTL installed, the working node DOES have a CTL.. This is the only obvious inconsistency I can see.

From the phones perspective I see this:

image.png

Also Event Viewer shows me ReasonforOutOfService=14

The phone console log shows me this with an error about not finding the key for the signer:

image.png

 

'show itl' on this node does look OK and I can see entries within the ITL for CCM/TFTP and no invalid certs etc...

Any ideas? Possibly a bulk ITL reset/recovery?

https://supportforums.cisco.com/t5/collaboration-voice-and-video/unified-communications-manager-itl-enhancements-in-10-0-1/ta-p/3147395#anc2

1 Accepted Solution

Accepted Solutions

drbabbers
Level 3
Level 3
FYI everyone - the fix for this was the Sub 1 was missing the CTL file!
Regenerated the CTL from the Pub and this resolved the issue.

View solution in original post

8 Replies 8

Ratheesh Kumar
VIP Alumni
VIP Alumni

Hi there

 

Does this involved any movement of phones from one cluster to another, or just an upgrade ? You could try the bulk migration method as mentioned in this doc.

https://supportforums.cisco.com/t5/collaboration-voice-and-video/migrating-ip-phones-between-clusters-with-cucm-8-and-itl-files/ta-p/3108501

 

The Bulk Certificate Export method works in the following way from the OS Adminstration > Security > Bulk Certificate page:

  1. Export certificates from new destination cluster (TFTP only) and original cluster to a central SFTP server.
  2. From original cluster, run Consolidate certificates (TFTP only) on the SFTP server using the Bulk Certificate interface.
  3. On the old origination cluster use the Bulk Certificate function to import the TFTP certificates from the central SFTP server.
  4. Restart TVS services on old origination cluster.
  5. Use DHCP option 150, or some other method, to point the phones to the new destination cluster.
  6. Phones will download the new destination cluster ITL file and attempt to verify it against their existing ITL file.
  7. The cert will not be in the existing ITL file so the phone will ask the old TVS server to verify the signature of the new ITL file. The phone sends a TVS query to the old origination cluster on TCP port 2445 to make this request.
  8. If the certificate export/consolidate/import process worked correctly then TVS returns success, and the phone replaces the in memory ITL file with the newly downloaded ITL file.
  9. The phones can now download and verify the signed configuration files from the new cluster.

 

 

Hope this helps!

Cheers
Rath!


***Please rate helpful posts***

Hi Rathessh,

This is a single cluster only. The only relationship with another cluster is for EMCC purposes.

We followed the upgrade guide in Cisco documentation for 11.5.1 SU3b.

Thanks.

R0g22
Cisco Employee
Cisco Employee
Does the phone already have an ITL ? How was the upgrade done or was this is a migration ?
Can you attach the complete phone console log ?

Hi Nipun,

The phone doesn't have an ITL, it is failing to download it on boot.

The process followed was a Standard Upgrade.

I will attempt to get the full log for you.

Thanks.

If the phone does not have a CTL and/or an ITL, it would accept one blindly.
Also, since you upgraded it, the phone should have a trust list already, ITL due to sbd or ctl and itl if mixed mode.

The phone must be verifying the identity of ITL against something. If a CTL is already
there, it would verify ITL against it. If it fails, it will verify it against TVS. Attach the logs. We should be able
to see all this in there.

Also you upgraded from which version to 11.5.1 ?

Hi Nipun,

Just to be clear, the issue is only impacting NEW phones out of the box.

Existing phones are fine.

I will obtain logs..

Thanks.

Hi there

 

What are the models you are trying to register ? whats the Boot load firmware on the phone ? Whats the phone firmware on the CUCM (Device > Device Defaults)

 

 

Hope this helps!

Cheers
Rath!


***Please rate helpful posts***

drbabbers
Level 3
Level 3
FYI everyone - the fix for this was the Sub 1 was missing the CTL file!
Regenerated the CTL from the Pub and this resolved the issue.