Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
23342
Views
75
Helpful
14
Replies

Status: Local Agent is not responding. This may be due to Master or Local Agent being down - after upgrade 8 to 11.5

Go to solution
kasper123
Level 4
Level 4

‎07-19-2017 02:00 PM - last edited on ‎03-25-2019 08:43 PM by Community Manager

We just upgraded our cluster running 8.0.3 that was running on MCS servers to CUCM cluster running 11.5 using Prime Collaboration Deployment (PCD).

Everything else seems to be OK but when I go to Disaster recovery / Backup Device it waits for about 20 seconds and then it says:

Status:  Local Agent is not responding. This may be due to Master or Local Agent being down

This is on both servers.

Does anyone know what could have caused this?

Regards and thank you for your time.

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Deepak Rawat
Cisco Employee
Cisco Employee
In response to kasper123

‎07-19-2017 11:42 PM

You must have changed some information related to the certs during this upgrade that had cause the existing certs to expire. In order to get this working again, you will need to regenerate the IPSec and Tomcat certificates and that will take care of the issue. For this particular issue, IPSec certs are the one that you will need to regenerate but since your Tomcat certs had also been expired it would be good to regenerate them as well.

Refer below on how to regenerate various certs within CM:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc12

Regards

Deepak

View solution in original post

Go to solution
Jitender Bhandari
Cisco Employee
Cisco Employee
In response to Deepak Rawat

‎07-19-2017 11:59 PM

Hi

Once you regenerate IPSec cert don't forget to restart DRS services also.

1) Regenerated ipsec.pem certificate on all server.

2) Restarted DRS Master and local on PUB, DRS local on SUB.

JB

View solution in original post

14 Replies 14

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee

‎07-19-2017 03:20 PM

Have you already restarted those services?

HTH

java

if this helps, please rate

Go to solution
kasper123
Level 4
Level 4
In response to Jaime Valencia

‎07-19-2017 11:17 PM

Hi Jaime,

Yes, I restarted the services and also both servers but that didn't help.

I found another thread where certificates are pointed out as a cause for this behaviour.

When I see the certificates I do see that some of them have expired. For instance the ipsec and the tomcat certificates on both the publisher and the subscriber but this worked before the upgrade.

0 Helpful

Go to solution
Deepak Rawat
Cisco Employee
Cisco Employee
In response to kasper123

‎07-19-2017 11:42 PM

You must have changed some information related to the certs during this upgrade that had cause the existing certs to expire. In order to get this working again, you will need to regenerate the IPSec and Tomcat certificates and that will take care of the issue. For this particular issue, IPSec certs are the one that you will need to regenerate but since your Tomcat certs had also been expired it would be good to regenerate them as well.

Refer below on how to regenerate various certs within CM:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html#anc12

Regards

Deepak

Go to solution
Jitender Bhandari
Cisco Employee
Cisco Employee
In response to Deepak Rawat

‎07-19-2017 11:59 PM

Hi

Once you regenerate IPSec cert don't forget to restart DRS services also.

1) Regenerated ipsec.pem certificate on all server.

2) Restarted DRS Master and local on PUB, DRS local on SUB.

JB

Go to solution
kasper123
Level 4
Level 4
In response to Jitender Bhandari

‎07-22-2017 03:50 PM

After regenerating the certs I was able to start the services.

Thank you very much!

0 Helpful

Go to solution
kasper123
Level 4
Level 4
In response to Deepak Rawat

‎07-20-2017 12:07 AM

Thank you Deepak,

The procedure you sent is for changing CallManager, ipsec, tomcat, TVS and CAPF.

I really see all those are expired on our servers.

If I understood correctly this needs to be done on both servers?

-Will this impact the phones?

-Should I upload some certificates from the publisher on the subscriber and the other way arround? I read somewhere that after regenerating some of the certs have to be uploaded on the other servers to establish trust?

0 Helpful

Go to solution
Deepak Rawat
Cisco Employee
Cisco Employee
In response to kasper123

‎07-20-2017 12:43 AM

Yes, you will need to regenerate the certificates on both the servers. The document I shared lists the impact for all those certificates and also mention the order in which you should regenerate them. There is no need of uploading certs from publisher on to subscriber or vice versa.

Regards

Deepak

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee
In response to Deepak Rawat

‎07-20-2017 07:05 AM

Actually, it's more likely that he did NOT change something related to the certificates, that's why those old certificates were in the system, if he had changed something (hostname, domain, etc), that would have triggered an automatic certificate regeneration and some of them would have been regenerated with that new info, and would not be expired.

HTH

java

if this helps, please rate
0 Helpful

Go to solution
dsobrinho
Level 9
Level 9
In response to Jaime Valencia

‎10-10-2018 03:44 PM

Hi Guys,

Is there some step by step of how can we do this? The documentation is not user friendly.

Something like this:

Problems with backups DRS:
- Check the certificate ipsec and tomcat certificates (if expired go to step 2)



step2: regenerated ipsec and tomcat cert in boths servers Pub and Sub.

Regenerate IPsec
Upon regeneration, the IPsec certificate automatically uploads itself to ipsec-trust.
OS Admin > Security > Certificate Management > Find > Click ipsec certificate > Regenerate

Regenerate Tomcat
Upon regeneration, the Tomcat certificate automatically uploads itself to tomcat-trust.
OS Admin > Security > Certificate Management > Find > Click tomcat certificate > Regenerate
Daniel Sobrinho
0 Helpful

Go to solution
ahmed
Level 1
Level 1
In response to Deepak Rawat

‎01-07-2020 02:01 AM

Hi,

i have problem like that, but i only have single PUB (not cluster), when i did backup on CUCM with IM Presence options checked, i got message due to "local agent not responding". but when i unchek the IM presence options, cucm backup 100% succeed.

i've checked cucm certificates expired about months ago.

what i need to do

 

Regards,

ahmed

0 Helpful

Go to solution
Jose Gomez
Level 1
Level 1
In response to ahmed

‎01-28-2020 11:07 AM

Hi,

I already have the same issue, do you have any workaround to fix this?

0 Helpful

Go to solution
j.dewiele
Level 1
Level 1
In response to Deepak Rawat

‎01-02-2021 07:25 AM

 

I had no idea the IPSec cert was used internally .... Most of the cert best practices documents don't talk much about it. I know now not to disrespect the IPSec cert.

 

This was very helpful and fixed my problem.

 

 

Thanks,

 

 

Joey

Go to solution
Roger Kallberg
VIP
VIP
In response to j.dewiele

‎01-02-2021 10:25 AM - edited ‎01-02-2021 10:38 AM

For more information about what a few of the certificates are used for and how to renew each one of them please have a look at this document that I’ve created.

https://community.cisco.com/t5/collaboration-voice-and-video/cisco-uc-certificates-renewal-guide/ta-p/4077131



Response Signature


Go to solution
David Vasquez
Level 1
Level 1
In response to Deepak Rawat

‎12-08-2021 04:46 AM - edited ‎12-08-2021 04:47 AM

DRS quit working on Subscribers after a hard reboot of Publisher.
Once I did the "set cert regen ipsec" from the CLI on the Subscribers and Publisher, then "utils service restart Cisco DRF Master" on Publisher and "utils service restart Cisco DRF Local" on the Subscribers, DRS began to work again. No need to do Tomcat regen unless you are having different issue. BTW, prior to regenerating the IPSEC cert, I attempted to just restart the DRF services and also rebooted the entire cluster one at a time, which did not solve the issue.

Thanks Deepak!

0 Helpful
Customers Also Viewed These Support Documents