Solved: CMS 1000 SIP trunk to CUCM error SIP Trunk status "down". "Reason Local=2"

amit611988 · ‎05-23-2018

Hello Guys,

As CMS deployment is a little bit new for me, I am facing the issue while configuring the secure SIP trunk from CUCM (Mixed Mode) to CMS 1000. On CUCM I see the SIP Trunk Status as "down" and reason as "local=2".

> I had look on the CMS Event Logs and it states the below message:-

"handshake error 336151576" on incoming connection XXX from <IP address of CUCM:variable port number> to <IP address of CMS 1000:5061>.

"media module status 1"

I think that it is probably due to the certificates. But I don't know what could it be. I have uploaded the CMS certificates and the bundled-root CA certificates on CMS 1000. Also I have uploaded the CMS signed certificates on CUCM Trust-List. Another question would be, as the CUCM has self-signed certificates and no CA signed certificates, do we need to upload any certificates from CUCM into CMS server. I haven't installed certificates from CUCM into CMS as I believe CMS doesn't need any certificate from CUCM.

Current infrastructure:

1. CUCM Pub

1. CMS 1000 server.

Thanks to point me in the right direction.

Kind Regards,

Amit

R0g22 · ‎05-23-2018

I am assuming you would are going to be using escalated ad-hoc calls with the CMS and have the CMS as a CFB on CUCM. The documentation does not specify this correctly but CUCM will need to have the CMS Web admin certs in it's tomcat-trust store and call bridge certs in the callmanager-trust store.
Regarding CMS, CMS will need to trust the CUCM certificate hence it is recommended to have CUCM and CMS certs signed by the same root CA/cert chain.
Also ensure on CUCM sip security profile, you have the CN for the CMS call bridge to the X.509 field.

View solution in original post

R0g22 · ‎05-23-2018

I am assuming you would are going to be using escalated ad-hoc calls with the CMS and have the CMS as a CFB on CUCM. The documentation does not specify this correctly but CUCM will need to have the CMS Web admin certs in it's tomcat-trust store and call bridge certs in the callmanager-trust store.
Regarding CMS, CMS will need to trust the CUCM certificate hence it is recommended to have CUCM and CMS certs signed by the same root CA/cert chain.
Also ensure on CUCM sip security profile, you have the CN for the CMS call bridge to the X.509 field.

amit611988 · ‎05-23-2018

Thanks for your feedback. Indeed it is correct that Cisco documentation doesn't mention this. Even the Cisco PDI member has only mentioned to have the root certificates on both the server's. but this is something new. As I have the same certs installed for both CMS Webadmin and Call bridge. I will try to upload the same cert for Tomcat-trust and Call Manager-trust store. As I am also getting the CUCM and TOMCAT application certificates signed by CA now, I would give it a try for your suggestion after signing the CUCM certificates.

Regards,

Amit

R0g22 · ‎05-23-2018

So irrespective of the fact whether you have a secure or non-secure SIP trunk (secure trunk is mandate for escalated ad-hoc calls) certs are required in the CUCM trust store. The reason is that for ad-hoc calls, CUCM needs to have an API access to CMS. CMS requires an HTTPS connection. Check section 4.2 of CMS-CUCM deployment guide.

amit611988 · ‎05-26-2018

Thanks man.. It worked and now my SIP Trunks and Conference bridge is registered. I will open-up another discussion an I hope to receive some helpful feedback again from you.

Have a Great Day!!

R0g22 · ‎05-26-2018

Good to hear that. Remember, it depends upon scenario. If you are going to use CMS only for scheduled or rendezvous calls with non-secure SIP trunk, there is no need for certificates.

Nikhil Jayan Kandampully · ‎09-20-2020

Hi Nipun,

If CUCM is using self signed certificate, can we trust the same certificate in CMS and make a TLS Trunk between CUCM and CMS..