
Upgrading from CUCM 6.1.3 to 8.5.1 and ITL Security Files

cadams
Level 1

Hello,

Has anyone had any experience with upgrading from 6x to 8.5.x?  We just completed a cluster upgrade from 6 to 8 and had a horrible time with the ITL files.  We ended up having to delete these files on over 600 phones before they would register correctly.  Now that we are moving to the next cluster, for some odd reason the ITL files are not showing up on the phones at all.  I am fine with this, but why?  We have not made any changes in the Enterprise Parameters such as modifying the rollback to pre-8.0.  From what we can tell, there is no reason why the ITL files should not be on the phone.  As it stands now I can register any phone type between this 8.5.1 cluster to 6.1.3 back to 8.5.1 without any issues.  This is because there isn't any ITL file.

Thanks,

Chad

12 Replies

Joseph Martini
Cisco Employee

If the phone firmware didn't upgrade (so it is still pre-9.x), the phone will not request an ITL file.  If the phone is upgraded to 9.x it will request and should get an ITL file with CUCM 8.x.

Joe,

We are running firmware version 9.1.1 on the phones and they are registered to 8.5.1 without any sort of ITL file.  This is what's puzzling.

Any ideas?

Thanks,

Chad

From the pub when doing show itl, the following error pops up:

        ITL Record #:7
                  ----
BYTEPOS TAG             LENGTH  VALUE
------- ---             ------  -----
1       RECORDLENGTH    2       719
2       DNSNAME         2
3       SUBJECTNAME     64      CN=jp01-cucm-01;OU=Synopsys;O=Synopsys;L=Synopsys;ST=Japan;C=JP
4       FUNCTION        2       TVS
5       ISSUERNAME      64      CN=jp01-cucm-01;OU=Synopsys;O=Synopsys;L=Synopsys;ST=Japan;C=JP
6       SERIALNUMBER    8       5B:6D:0C:1E:09:23:E8:95
7       PUBLICKEY       270
8       SIGNATURE       256
11      CERTHASH        20      5D 21 EC EE 21 07 4A 0C DB 4E 0C E9 80 2E 01 D3 88 22 19 F9
12      HASH ALGORITHM  1       SHA-1

Verification of the ITL file failed.
Error parsing the ITL File !!!
admin:
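
Added example, not part of any post in this thread and not Cisco code: a Python parser for saved `show itl` output in the layout quoted above. It rejoins values that the terminal wrapped onto a continuation line and collects the verification-failure messages. The layout is assumed from the single record shown in the thread, and the sample names and hash bytes are constructed placeholders.

```python
import re

# Constructed sample shaped like the thread's record; names and hash are placeholders.
SAMPLE = """\
        ITL Record #:7
                  ----
BYTEPOS TAG             LENGTH  VALUE
------- ---             ------  -----
1       RECORDLENGTH    2       719
2       DNSNAME         2
3       SUBJECTNAME     64      CN=example-cucm-01;OU=Example;O=Example;L=Exampl
                                e;ST=Test;C=XX
4       FUNCTION        2       TVS
5       ISSUERNAME      64      CN=example-cucm-01;OU=Example;O=Example;L=Exampl
                                e;ST=Test;C=XX
11      CERTHASH        20      00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
                                01 02 03 04
12      HASH ALGORITHM  1       SHA-1

Verification of the ITL file failed.
Error parsing the ITL File !!!
"""

REC = re.compile(r"^\s*ITL Record #:\s*(\d+)")
ROW = re.compile(r"^(\d+)\s+([A-Z]+(?: [A-Z]+)*)\s+(\d+)(?:\s+(.*\S))?\s*$")
FAILURES = ("Verification of the ITL file failed", "Error parsing the ITL File")

def parse_show_itl(text):
    records, errors, cur, tag = [], [], None, None
    for line in text.splitlines():
        if m := REC.match(line):
            cur, tag = {"record": int(m.group(1))}, None
            records.append(cur)
        elif any(f in line for f in FAILURES):
            errors.append(line.strip())
        elif cur is not None and (m := ROW.match(line)):
            tag = m.group(2)
            cur[tag] = m.group(4) or ""
        elif tag and line[:1].isspace() and line.strip():
            cur[tag] += line.strip()  # value wrapped by the terminal width
    for rec in records:
        if "CERTHASH" in rec:  # hash bytes print space-separated; normalise to hex
            rec["CERTHASH"] = "".join(rec["CERTHASH"].split()).lower()
        rec["self_signed"] = rec.get("SUBJECTNAME") == rec.get("ISSUERNAME")
    return records, errors

if __name__ == "__main__":
    recs, errs = parse_show_itl(SAMPLE)
    print("FAILED" if errs else "ok", [(r["record"], r.get("FUNCTION")) for r in recs])
```

Running it over output saved from each node makes it easy to see which servers report a failed ITL verification and which certificate records (by function and hash) each one lists.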

Thanks for sharing that.  It looks like the ITL file is corrupt, I haven't seen that before.  Do you have a TAC case open for this by chance?

By sheer coincidence, I'm having a very similar problem. The ITL file on my primary TFTP server is permanently corrupt. (My backup TFTP server on my publisher is fine.)

TAC's initial suggestion was to stop the TFTP process, delete the ITL file, then restart the TFTP process. This worked once, and the ITL file stayed valid for about a week. After that, the ITL file became corrupt and won't get valid again.

TAC are going to WebEx onto my system tomorrow. I'll let you know if they fix it.

BTW - I'm on CUCM 8.6

GTG

Please rate all helpful posts.

Here is the fix:

Regenerate the following under OS and Security:

Call Manager pem/der

TVS pem/der

Tomcat pem/der

Perform a BACKUP!!!!

Restart TVS then TFTP services. Then, you are all set.

Chad

Hmm. With those certificates being regenerated, I'm surprised you don't have to bounce the box !

I'll have a play with that on my test cluster.

Thanks for the suggestion.

GTG

Please rate all helpful posts.

No need to bounce the server. Just restart the Trust Services and TFTP server on the node in which you regenerate the licenses.

Chad

I'd have thought the Tomcat cert would require Tomcat restarting, at least. I haven't a clue what relies on the CallManager cert (such an innocent sounding name for a certificate on a CallManager system...).

GTG

Please rate all helpful posts.

Be careful if these are production systems with regenerating the callmanager certificate.  Doing this changes the TFTP private key used for the ITL, meaning if you regenerate the callmanager certificate, you will have to manually delete the ITL from your phones because they will not trust the new one.  If you have multiple servers (some without corrupt ITL files) you can follow this guide to not have to delete each phone's ITL manually (https://supportforums.cisco.com/docs/DOC-17679#Regenerating_Certificates__Rebuilding_a_Cluster__Certificate_Expiry).

Deleting the ITL file from every phone is not an option for me.

Thanks for the heads-up.

GTG

Please rate all helpful posts.

In my case this is not applicable as I don’t have any ITLs… mine are corrupt.

Chad
