Secure SIP integration between CUCM 14SU3 & CUC 14SU3 Brain Check

RAustin70
Level 1

Currently running the connection as non secure but have been tasked to move to Secure SIP Profile on the trunk.

Playing with this guide https://www.cisco.com/c/en/us/support/docs/unified-communications/unity-connection/211622-Configuration-Example-for-Secure-SIP-Int.html  from 2018.

Under "2. Add the TFTP server reference" it states I have to use the FQDN, and it has to match the CN= of the CallManager cert. Well, my CallManager cert is a single multi-SAN cert that covers all 5 nodes in my cluster, and the FQDN does not resolve in DNS, but all the Subject Alt Names in the cert do resolve.

Ideally I would like to put my 2 TFTP server FQDNs in there and have it work like magic, but I have a feeling I may have to reach out to our DNS crew and request something like a CNAME to make the CN= entry resolvable, but then that would limit me to just one IP and if that happens to be down I have no backup to go to.

Has anyone run into this yet? Any recommendations? I am going to try the FQDNs of the TFTP servers tonight in a maint window to see if it goes, but if it doesn't I will need a solid plan B.

4 Replies

Not sure I understand what you mean by “FQDN does not resolve in DNS”, can you please elaborate and clarify? With multi SAN certificate you would have all the nodes in your cluster in the SAN and that would make the certificate check succeed whatever server FQDN you use as long as it’s in the SAN of the multi SAN certificate.


Oh, yes of course. In the CallManager certificate, when I created the CSR back in 2021, Cisco automatically put in:

CN = ULDF-VLSC-UCMP1V-ms."domain snipped"
OU = USAF
OU = PKI
OU = DoD
O = U.S. Government
C = US

Well, that CN is not resolvable because of the -ms at the end of the hostname.

But under Subject Alt Names I have:

DNS Name=ULDF-AS-TFTP1V."domain snipped"
DNS Name=ULDF-AS-TFTP2V."domain snipped"
DNS Name=ULDF-VLSC-UCMP1V."domain snipped"
DNS Name=ULDF-VLSC-UCMS2V."domain snipped"
DNS Name=ULDF-VLSC-UCMS1V."domain snipped"

Which are all resolvable.

Thanks! That is the name of the multi SAN certificate, not a FQDN of anything in your cluster.

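The name check the reply above describes, as an added example that is not part of the thread: a TLS peer validating the multi-SAN CallManager certificate compares the FQDN it was given against the SAN entries, and consults the subject CN only when a certificate has no SAN at all. The certificate dictionary below is constructed for the example (it follows the shape `ssl.SSLSocket.getpeercert()` returns, with `example.test` standing in for the snipped domain).

```python
"""Hostname-to-certificate check of the kind a SIP/TLS peer performs (RFC 6125 style).

Added example, not from the thread. MULTI_SAN_CERT is a constructed stand-in for
the cluster's multi-SAN CallManager certificate: its CN ends in "-ms" and is not
a resolvable host, while the SAN lists the real node and TFTP FQDNs.
"""

# Shape mirrors what Python's ssl.SSLSocket.getpeercert() returns (constructed data).
MULTI_SAN_CERT = {
    "subject": ((("commonName", "ULDF-VLSC-UCMP1V-ms.example.test"),),),
    "subjectAltName": (
        ("DNS", "ULDF-AS-TFTP1V.example.test"),
        ("DNS", "ULDF-AS-TFTP2V.example.test"),
        ("DNS", "ULDF-VLSC-UCMP1V.example.test"),
        ("DNS", "ULDF-VLSC-UCMS1V.example.test"),
        ("DNS", "ULDF-VLSC-UCMS2V.example.test"),
    ),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a wildcard is honoured only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "*.tld", multi-label matches and partial-label wildcards such as "ho*.example.test".
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Return True if hostname is an acceptable identity for cert.

    When the certificate carries DNS SAN entries, only those are consulted and the
    subject CN is ignored; that is why a CN that does not resolve is harmless for a
    multi-SAN certificate. The CN is a fallback only for legacy certificates with
    no SAN extension at all.
    """
    san_dns = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_name_matches(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False
```

Both TFTP FQDNs pass against the SAN list, while the "-ms" CN name is not an accepted identity for this certificate at all, so nothing has to be done in DNS for it.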

And thank YOU as well!! That is what I figured, but any time a Cisco guide states "must match the ..." even though it makes no sense to me, I get tense heh.

All is for naught for tonight anyhow. For some reason my Unity nodes throw an error when I try to get to Cisco Unity Connection Serviceability -> Tools -> Service Management about my account being disabled or expired, even though I use that account daily in RTMT and the Web Admin Recovery URL when my SSO isn't working. Put up a TAC case to have them take a look in root to figure that out.

Regards,

Rob