TFTP not authorized is showing on the 7921 IP Phone

abeebvm · ‎03-30-2015

Hi,

I have recently migrated a cluster from 6.1 to 10.5.1.10000-7. Old cluster is secure cluster. New cluster is non-secure. Before migrating phones

I have change all the phones to non-secure and registered with old cluster. When I moved to new cluster(10.5) all the phones registered.

When I remove ctl from the all the phones registered except 7921 and 7925 wirless phones.

I tried to delete ctl files from wireless phone, I have given manually ip , I have removed and added the phone, I have changed firmware manually,I tried even factory reset. But no use.

Still I am getting the same error TFTP not authorised and DNS host un known.

Please help me to figure out. Wireless phone are using by very important users. Please find the attached log from the phone

Regards

Habeeb.

Wilson Samuel · ‎03-30-2015

Check the Server .PEM certificates, at times if those certs are expired (common when we do an upgrade), I have seen random issues and totally illogical issues.

HTH

juancastillo · ‎02-10-2016

we have a similar problem...on CUCM 11.0.1

we changed the cluster mode to mixed and then changed it back to unsecure...

now the 7925 won't register...i've done factory reset and deleted the ctl file about a thousand times, and no success. i even deleted the phone form CUCM and recreated it....nothing...same error, TFTP not authorized and DNS host unknown to a CiscoCM1, which i don't know where he got that name from.

phones get IP address, TFTP, DNS all correct...

we don't have any other SCCP phones in the CUCM, so I cannot test if it's a SCCP related issue...SIP phones are totally fine.

i already have a TAC case open, but so far, no solution....

abeebvm · ‎02-10-2016

Hi,

Can you please let me know how many call managers you have. what is the status message on the phone.

juancastillo · ‎02-10-2016

1 CUCM...

messages:

"tftp not authorized"

"cfg file not found"

"ctl update failed"

"dns unknown host"...."CiscoCM1"

"XMLDefault.cnf.xml:TFTP Error"

abeebvm · ‎02-10-2016

What is the firmware on the phone. Can you please try to upgrade phone firmware

sven.stubbe · ‎05-22-2016

Hi juancastillo,

did you solve the problem with Cisco TAC? I have a similar problem. I upgraded CUCM version 9.1(2)SU2a to version 10.5(2)SU3 via PCD Server. During the upgrade, I changed the hostnames and IP addresses from the CUCM servers. The Cluster was configured in nonsecure mode. After the upgrade all 7925 WLAN phones are not able to register to CUCM. I got the following error messageson the phones:

"tftp not authorized"

"XMLDefault.cnf.xml:TFTP Error

The WLAN phones are running on firmware version CP7925G-1.4.5.3. I already tested with latest firmware cmterm-7925-sccp.1-4-8-4.k3. Factory Reset of the WLAN phones did not solve the problem. The WLAN phones do not register to old or to the new CUCM cluster.

In the past, the cluster was configured to secure mode but then it was deactivated.

Thank you.

juancastillo · ‎05-23-2016

Hello Sven,

In our case, the issue was that the CUCM was still sending the CTL file to the wireless phones for some reason, even if you would do factory reset on them.

logs form the phones had something like this:

2016-02-12 16:28:46:0080 CP-7925G user.err secd: EROR:updateCTL: ** CTL tftp FAILED (have old CTL) ** tftp-err 0
2016-02-12 16:28:46:0240 CP-7925G user.err CFGTFTP[22284]: downloading WLANRootCA.cer failed: None of our TFTP servers were found in the CTL list[18]
2016-02-12 16:28:46:0320 CP-7925G user.err CFGTFTP[22284]: downloading WLAN80E01D39B987.xml failed: None of our TFTP servers were found in the CTL list[18]

In the end, we had to delete the CTL file from the CUCM Pub (via CLI)....i think the command was something like this:

file delete tftp CTLFile.tlv

Since the cluster is non-secure CTL files should not be used...

Regards,

sven.stubbe · ‎05-25-2016

Hi Juan,

that worked. Thanks a lot.

For the others, I did the follwing:

- deactivated services "Cisco CTL Provider" and "Cisco Certificate Authority Proxy Function" on CUCM publisher via GUI

- deactivated service "Cisco CTL Provider" on CUCM subscriber via GUI

- deleted CTL file on CUCM publisher and CUCM subscriber via CLI command "file delete tftp CTLFile.tlv

" (you can check if CTL file was found on CUCM via CLI command "show ctl")

- restarted services "Cisco TFTP" and "Cisco CallManager" on CUCM publisher and CUCM subscriber

- deleted CTL files on 7925 WLAN phone

After the last action the WLAN phone was able to register to new cluster. Thanks again!! =)

juancastillo · ‎05-25-2016

you're welcome, glad it worked out!

cheers!

cfursten · ‎01-18-2017

We have seen the same issue. Mixed mode security was turned on for video conferencing project. However, that broke auto register. (We are 10.5.2) so we turned mixed mode security off. The 7925's were the only model affected. We worked with TAC and performed the same steps as above. This corrects the problem.

However, now if a 7925 phone is reset to factory defaults, the CTL file "somehow" comes back. Delete the CTL file and it will register. Is this a remnant that we will be stuck with? Why is the CTL file returning when it is no longer on the Pub or Subs?

Phillip Ratliff · ‎09-06-2017

As several have noted in this thread returning the cluster to non-secure mode doesn't actually delete the CTL file from the Publisher or TFTP server. You must manually delete this file with the command file delete tftp CTLFile.tlv before TFTP will stop handing this file out to endpoints that request it.

This was not covered very well in older versions of the Security Guide.

This document is a good summary of the process.

The reason you saw this particular error with 7925 phones is because that phone model, similar to the 7940/60, validate that the TFTP server the phone is using is actually in the CTL file. This is a security mechanism that was removed from the other phone models because it was too onerous for customers that move phones between clusters. If you were to check your other phones they would also show a CTL file installed, though it will not be used for anything in a non-secure cluster.

If you are seeing this error on a 7925 (or an older 7940/60) do the following:

Check that the phone is using the correct TFTP server
Check to see if your TFTP server is handing out a CTL file when it should not be (file list tftp CTLFile.tlv from the UCM CLI or curl http://tftp.server:6970/CTLFile.tlv from a linux shell).
Delete any CTL file that shouldn't be there on the publisher and all TFTP servers via file delete tftp CTLFile.tlv.
Delete the CTL file on all phones.

As others have observed if you delete the CTL file on the phone without confirming it's not on the server it's just going to come back. All Cisco phones are hard-coded to ask for the CTL file as the first step registration.