Understand or Read live CUCM traces

Syed
Level 3

Dear All,

I would like to collect live CUCM traces while phones or other end points try to register with it, and also help me understand/read the collected traces, because I sometimes find it very difficult when phones do not get registered.

Thank you in advance...

28 Replies

pkinane
Cisco Employee

It would be best to review some things first.

What version of cucm are you using?

How many TFTP servers are in the cluster?

Please attach the CIPC logs.

What version of cucm are you using?

8.5.1.15900-4

How many TFTP servers are in the cluster?

Two

Please find the attached logs

pkinane
Cisco Employee

I am downloading now. Please provide the following:


From the CLI of the publisher:

run sql select paramname,paramvalue from processconfig where paramname='ClusterSecurityMode'


From the CLI of the two TFTP servers:

show myself

show ctl

show itl


Please find the attached show commands output.

I am getting the below output and I am not sure about the parameters, can you help here?

admin:run sql ?
Syntax:
run sql [car | ccm ] sql_statement
[car | ccm ] optional parameters
sql_statement mandatory the sql command to run

pkinane
Cisco Employee

run sql select paramname,paramvalue from processconfig where paramname='ClusterSecurityMode'

The command should go in just like that. Copy it to a notepad and make sure it isn't showing as two lines, then paste it in the CLI of the publisher.

The output from that command should be the last thing I need depending on what I see in the output.

find the output, please

admin:run sql select paramname,paramvalue from processconfig where paramname='Cl usterSecurityMode'
paramname paramvalue
=================== ==========
ClusterSecurityMode 0

pkinane
Cisco Employee

Below is what I saw in the logs. I wanted the output from the SQL query to confirm you were not in mixed mode. You can ignore the message; however, if you were in mixed mode, this would have been a problem even if you weren't using encryption, and even if you didn't have an LSC on the phone.


##### May 02 19:16:43.099  || updateCTL
Mon May 02 19:16:43.099 :   DET : (  9292) cip_sec_NativeSecurity - updateCTL()
Mon May 02 19:16:43.099 :   DET : (  9292) entering SECUpdateCTL()



##### 19:17:02.268  || Failed TFTP download of file <CTLSEP34E6D7768BFB.tlv>, error <9> No Response
Mon May 02 19:17:02.268 : ERROR : (  2748) tftpDownload : Failed TFTP download of file <CTLSEP34E6D7768BFB.tlv>, error <9> No Response
Mon May 02 19:17:02.268 :    EE : (  2748) tftpDownload : return:0 with status=7
Mon May 02 19:17:02.268 :    EE : (  2748) downloadFile : return:0 with status=7
Mon May 02 19:17:02.268 :    EE : (  2748) tftpRead : return: 7



##### 19:17:02.268  || finished CTL update
Mon May 02 19:17:02.268 :   DET : (  2748) finished CTL update
Mon May 02 19:17:02.268 :   DET : (  2748) setting CTLstatus=0



##### 19:17:02.268  || ** had NO CTL and CTL processing FAILED** ctl-err 13 (socket error)  || failed, no CTL
Mon May 02 19:17:02.268 :   DET : (  2748) ** had NO CTL and CTL processing FAILED** ctl-err 13 (socket error)
Mon May 02 19:17:02.268 :   DET : (  2748) exiting SECUpdateCTL() - failed, no CTL, rc=<2>



With this output we can tell you are not in mixed mode (0 means not in mixed mode, which means no CTL).

admin:run sql select paramname,paramvalue from processconfig where paramname='ClusterSecurityMode'
paramname paramvalue
=================== ==========
ClusterSecurityMode 0
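
An added example, not part of the original thread or any poster's own code: the triage reasoning from the reply above, applied in Python to the CIPC log lines and `run sql` output quoted in the thread. The function names, finding labels and verdict strings are assumptions made for this sketch.

```python
import re

# Line shape as seen in the CIPC log excerpt quoted in the thread.
LINE_RE = re.compile(r"^\w{3} (?P<ts>\w{3} \d{2} [\d:.]+) :\s+(?P<level>\w+)\s+: "
                     r"\(\s*(?P<tid>\d+)\) (?P<msg>.*)$")
CTL_TFTP_RE = re.compile(
    r"Failed TFTP download of file <(?P<file>CTL\w+\.tlv)>, error <(?P<err>\d+)>")
NO_CTL_RE = re.compile(r"had NO CTL and CTL processing FAILED")
MODE_RE = re.compile(r"^ClusterSecurityMode\s+(?P<mode>\d+)\s*$", re.M)

# Sample input copied from the thread (log excerpt and publisher CLI output).
SAMPLE_LOG = """\
##### 19:17:02.268  || Failed TFTP download of file <CTLSEP34E6D7768BFB.tlv>, error <9> No Response
Mon May 02 19:17:02.268 : ERROR : (  2748) tftpDownload : Failed TFTP download of file <CTLSEP34E6D7768BFB.tlv>, error <9> No Response
Mon May 02 19:17:02.268 :   DET : (  2748) ** had NO CTL and CTL processing FAILED** ctl-err 13 (socket error)
"""
SAMPLE_SQL = """\
paramname           paramvalue
=================== ==========
ClusterSecurityMode 0
"""

def cluster_security_mode(sql_output):
    """Return the ClusterSecurityMode value (0 = not mixed mode), or None."""
    m = MODE_RE.search(sql_output)
    return int(m.group("mode")) if m else None

def triage_ctl(log_text, sql_output):
    """Collect CTL failures from the phone log and weigh them against cluster mode."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skips blanks and the "#####" annotation lines
        tftp = CTL_TFTP_RE.search(m["msg"])
        if tftp:
            findings.append((m["ts"], "ctl_tftp_failed", tftp["file"], int(tftp["err"])))
        elif NO_CTL_RE.search(m["msg"]):
            findings.append((m["ts"], "no_ctl", None, None))
    mode = cluster_security_mode(sql_output)
    if not findings:
        verdict = "clean: no CTL errors in log"
    elif mode == 0:
        verdict = "ignore: not in mixed mode, so there is no CTL to download"
    elif mode == 1:
        verdict = "investigate: mixed mode, but the phone could not obtain a CTL"
    else:
        verdict = "unknown: ClusterSecurityMode missing from SQL output"
    return mode, findings, verdict
```

Calling `triage_ctl(SAMPLE_LOG, SAMPLE_SQL)` returns the mode, the list of CTL findings and the verdict; the same log with a `ClusterSecurityMode 1` result flips the verdict to "investigate".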

Deepak Mehta
VIP Alumni

I would say there are various easy ways to detect the problem; also, you will need to understand the registration process very well to troubleshoot where the problem lies.

1) Enable web access on the phone and open the phone web page via IP address.

The below screen will give you phone logs and status messages, and you can tell where the issue is.

2) In RTMT - syslogviewer (select the node) - application logs - Ciscosyslog

You can try to search the phone MAC if the phone is getting unregistered. It will give you reason codes. Only if the phone was previously connected to the network will it show the reason for deregistration.

3) You can capture Wireshark for the port where the phone is connected. This is the final step we usually do when we troubleshoot such issues.

Syed
Level 3

Thank you so very much Buddy!

This is a great analysis and I appreciate your time & effort.

You said that you had fixed this; how did you do that? May I know the procedure?

pkinane
Cisco Employee

Syed,

Thank you. Also, I wanted to say I liked working with you on this one. You answered every question, every time, with all the data (including full version of CCM when I asked for the version). It is too bad this is uncommon. Also, thank you for the rating.

Anyway,

In my scenario, I am in mixed mode and I do have a CTL file on my cluster. So all I did was update the CTL. In older versions you would need the security tokens as shown here: https://supportforums.cisco.com/document/73611/ip-phone-security-and-ctl-certificate-trust-list#Obtain_USB_eTokens

In newer versions you can update it from the CLI "utils ctl update CTLFile".

From my lab:

admin:utils ctl update CTLFile
This operation will update the CTLFile. Do you want to continue? (y/n):
This operation will update the CTLFile. Do you want to continue? (y/n):

Updating CTL file
CTL file Updated
Please Restart the TFTP and Cisco CallManager services on all nodes in the cluster that run these services
admin:

Also from my lab:

admin:run sql select paramname,paramvalue from processconfig where paramname='ClusterSecurityMode'
paramname           paramvalue
=================== ==========
ClusterSecurityMode 1

In the logs of my CIPC I was seeing "phone's CTL doesn't seem valid" and this is what prompted me to look into the validity of the CTL.

Bro, 

One last question to you.

What is the difference between non-mixed, secure & mixed modes?

How does it help me in production?

How do I change it?

What is impact if I want to change it now?

Thank you

pkinane
Cisco Employee

I am going to reword one of your questions because it makes things easier:

What is the difference between non-mixed & mixed mode?

The difference is you have the ability to do more security in mixed mode. One of the things is that you will have a CTL file on your cluster in mixed mode. This will allow you to do authentication (secured signalling) or encryption (secure signalling and secure media as SRTP).

Without mixed mode you can still get an LSC on the phone using the ITL and this will allow you to do things like 802.1x, encrypted configuration files, etc...

What are some of the cons of using mixed mode? You will need to update the CTL file manually when it comes time to do so whereas the ITL should update automatically (this is often forgotten and causes problems). You will not be able to do auto registration in mixed mode.

Some things should be changing soon enough in newer versions yet to be released that will be enhancements (i.e. using auto registration while in mixed mode).

How does mixed mode help me in production?

Unless you are looking to do authentication, or encryption, for your calls it doesn't help.

How do I change it?

You are running 8.5.1.15900-4 so you would need to get the USB tokens then download the CTL Client and move your cluster to mixed mode. In newer versions you just execute a CLI command.

For the older versions you can reference this document:

https://supportforums.cisco.com/document/73611/ip-phone-security-and-ctl-certificate-trust-list#Configuration

For newer versions you can reference this document:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118893-technote-cucm-00.html#anc5

What is impact if I want to change it now?

You will need to buy the USB tokens, follow the process to put the cluster in mixed mode, find a foolproof way to not lose the USB tokens, and update the CTL file when necessary.

Once I am in mixed mode do I go directly to using SRTP, do all devices use it?

Once in mixed mode the only things that are a definite change are the addition of a CTL file and the fact you can no longer use auto-registration.

In order to use authentication or encryption for your phone calls you will need to create Phone Security Profiles that are secure, put an LSC on the devices, then add the Phone Security Profile to the phone's Device Security Profile after the LSC is installed. This would be a phone by phone thing. Some of the devices in my lab cluster are able to do SRTP while others are not simply because I only added LSC's and secure Phone Security Profiles to some of my phones rather than all.

Why be particular about when to use the term mixed mode versus the term secure?

Because even when you are in mixed mode, you are not obligated to use secure Phone Security Profiles. Phones with secure Phone Security Profiles are secure while phones that use non-secure Device Security Profile are non-secure. They can both exist on the same cluster that is in mixed mode.

If you have no need to move to mixed mode, I recommend you don't. If you have a need to move to mixed mode, I recommend you upgrade then move to mixed mode so you are not dependent on maintaining the USB tokens.

Excellent...it has been informative to me.

Will get in touch with you going forward

Thank you very much