05-02-2017 06:35 AM
Hey guys, hope I can get some help here. I have a situation where I have some Cisco IP Phones, same model but different hardware revisions (7841 v01 and v04). We had ISE 1.2 in place and everything worked great. Phones would authenticate no problem. The ISE was upgraded to 2.1 and now a subset of phones (seem to be the version 04) will not authenticate. If I revert the phones back to use the 1.2 version, they work again. The ISE is saying it is getting an empty TLS packet. Looking at the PCAP coming from the ISE to the phone, we see the ISE send the Server Hello. According to the phone logs we are sending our certificate. Interesting thing, and my question here: both phones are talking to the same ISE 2.1 using the same switch port. (I unplug one phone and plug the other one in.) In the working phone in the PCAP I can see something called a heartbeat extension in the Server Hello frames under TLS. I don't see that in the non-working version, even though both are using the same TLS version according to the PCAP. Is there any configuration in the ISE that would cause the heartbeat extension in one scenario but not another?
Above is the working
05-02-2017 01:25 PM
ISE 2.0 adds support for TLS 1.1 and 1.2. Prior to ISE 2.0, the TLS exchange will be negotiated to TLS 1.0.
Thus, it seems possibly some incompatibility of TLS 1.2 between the IP phone firmware and ISE 2.0+.
If not already done, please open a case with our Cisco TAC so we may gather more data to ensure reproducibility for a bug filing.
05-02-2017 05:48 PM
Thank you for the reply.
I have a TAC case open with the CUCM team for the phones which has the Des engaged. I will get them to open a collaboration with the ISE TAC as well.
Robert
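The side-by-side ServerHello comparison described in this thread can be scripted. The following is an added example, not part of the thread and not Cisco tooling: it parses the raw bytes of a TLS record holding one complete ServerHello and reports the negotiated version, cipher suite and extensions, then diffs two captures. The function names are hypothetical and the two sample records are constructed, not taken from the poster's PCAP.

```python
import struct

# Subset of the IANA TLS ExtensionType registry; 15 is heartbeat (RFC 6520).
EXT_NAMES = {15: "heartbeat", 35: "session_ticket", 65281: "renegotiation_info"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_server_hello(record: bytes) -> dict:
    """Parse a single TLS record carrying one complete ServerHello."""
    if len(record) < 9 or record[0] != 22 or record[5] != 2:
        raise ValueError("not a handshake record starting with ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len or hs_len < 38 or 38 + hello[34] > hs_len:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 34 + 1 + hello[34]          # skip version, random, session_id
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                          # cipher suite + compression method
    exts = []
    if pos + 2 <= hs_len:             # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        if end > hs_len:
            raise ValueError("extensions overrun ServerHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            exts.append(EXT_NAMES.get(etype, f"unknown({etype})"))
            pos += 4 + elen
    return {"version": VERSIONS.get(version, hex(version)),
            "cipher": f"0x{cipher:04x}", "extensions": exts}

def diff_hellos(a: dict, b: dict) -> dict:
    """Fields that differ; extensions as (only in a, only in b)."""
    out = {k: (a[k], b[k]) for k in ("version", "cipher") if a[k] != b[k]}
    ea, eb = set(a["extensions"]), set(b["extensions"])
    if ea != eb:
        out["extensions"] = (sorted(ea - eb), sorted(eb - ea))
    return out

def build_sample(exts: list) -> bytes:
    """Constructed ServerHello (not from the thread's PCAP) for the demo."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f\x00"
             + struct.pack("!H", len(ext_blob)) + ext_blob)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

WORKING = parse_server_hello(build_sample([(65281, b"\x00"), (15, b"\x01")]))
FAILING = parse_server_hello(build_sample([(65281, b"\x00")]))
```

RFC 5246 only allows a server to return an extension that the client offered in its ClientHello, so when `diff_hellos` reports an extension on one side only, the same comparison is worth running on the two phones' ClientHello messages.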