08-10-2017 12:09 AM - edited 03-18-2019 01:23 PM
Hi Everybody,
I am going to create an adhoc conference with Internal CA
But CUCM still showing the CMS registration "unknown" state
By following the guide (section 4: Setting up escalated ad hoc calls)
https://www.cisco.com/c/dam/en/us/td/docs/conferencing/ciscoMeetingServer/Deployment_Guide/Version-2-2/Cisco-Meeting-Server-2-2-Deployments-with-CUCM.pdf
Version
CUCM 11.5
CMS 2.2.5
SX20 ce 8.3.2
mx800 ce 8.3.2
Cisco TelePresence DX70 ce 8.3.2
acano> webadmin
Enabled : true
TLS listening interface : a
TLS listening port : 443
Key file : webadmin.key
Certificate file : webadmin.crt
CA Bundle file : cacert.pem
HTTP redirect : Enabled
STATUS : webadmin running
acano>
acano>
acano>
acano> callbridge
Listening interfaces : a
Preferred interface : a
Key file : callbridge.key
Certificate file : callbridge.crt
Address : none
CA Bundle file : cacert.pem
acano>
In CUCM,
HTTP inferface info
Override sip trunk destination as http address: <Tried checked and unchecked>
username : <tried the username with admin role and API role>
HTTPS port: 443
Anybody know what's the problem why CMS cannot register to CUCM?
Thanks in advance
Sam
08-10-2017 03:06 AM
Your SIP trunk security profile, do you have the correct FQDN of the CMS server in this field X.509 Subject Name?
08-11-2017 12:40 AM
Don't know is it correct or not ...
but the conference bridge (CMS) cannot register to CUCM
08-10-2017 06:33 AM
I show that configuration here:
https://youtu.be/FFcGHWb718c
08-11-2017 12:44 AM
Thanks for sharing the link
i have followed the instruction, but it seems failed...
and i found some error in CUCM, but no idea how to interrupt
00292605.001 |14:17:46.154 |AppInfo |HttpManager - wait_HttpHandlerInd pkid[85d57a25-90e1-0b3a-040d-ab42fd866a2f], pURI[https://10.10.20.13:443/RPC2/], sURI[], RReqTimer[10000], enableLB[0]
00292605.002 |14:17:46.156 |AppInfo |ConnectionFailureToPDP - A connection request from Unified CM to the policy decision point failed Policy Decision Point:https://10.10.20.13:443/RPC2/ The cause of the connection failure:The Handler profile will be deleted App ID:Cisco CallManager Cluster ID:StandAloneCluster Node ID:CUCMMLM
00292605.003 |14:17:46.156 |AlarmErr |AlarmClass: CallManager, AlarmName: ConnectionFailureToPDP, AlarmSeverity: Error, AlarmMessage: , AlarmDescription: A connection request from Unified CM to the policy decision point failed, AlarmParameters: PolicyDecisionPoint:https://10.10.20.13:443/RPC2/, FailedToConnectReason:The Handler profile will be deleted, AppID:Cisco CallManager, ClusterID:StandAloneCluster, NodeID:CUCMMLM,
00292605.004 |14:17:46.156 |AppInfo |HttpManager - (delete) profile req, route req to the httpHandlerPid=(1,39,11) with appType[2] for ECCProfPkid[85d57a25-90e1-0b3a-040d-ab42fd866a2f], send alarm ConnectionFailureToPDP
00292606.000 |14:17:46.156 |SdlSig |UpdateHandlerReq |wait |HttpHandler(1,100,39,11) |HttpManager(1,100,38,1) |1,100,42,1.51^*^* |[R:N-H:0,N:0,L:0,V:0,Z:0,D:0] eccPkid=85d57a25-90e1-0b3a-040d-ab42fd866a2fpURI=https://10.10.20.13:443/RPC2/sURI=enableLB=FRReqTimer=10000eccBitMask=00292606.001 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath https://10.10.20.13:443/RPC2/
00292606.002 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath token https
00292606.003 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath token https
00292606.004 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath token 10.10.20.13
00292606.005 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath token 443
00292606.006 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath token RPC2
00292606.007 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath hScheme https, and hHost 10.10.20.13 , and value size 4
00292606.008 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): - updateRouteServerInfo - update route server for current total connection count (2): total(2) of route server[0]
00292607.000 |14:17:46.164 |SdlSig |DeviceEventReceiptMonitoringTimer |wait |StationInit(1,100,63,1) |SdlTimerService(1,100,3,1) |1,100,148,1.1^*^* |[R:H-H:1,N:0,L:0,V:0,Z:0,D:0]
00292608.000 |14:17:46.164 |SdlSig |DbObjectCacheTimer |initialized |Db(1,100,211,1) |SdlTimerService(1,100,3,1) |1,100,148,1.1^*^* |[T:H-H:0,N:0,L:0,V:0,Z:0,D:0] AppCorr: 0
00292609.000 |14:17:46.336 |AppInfo |HttpConnection - checkConnQueue found no connData
00292610.000 |14:17:47.035 |AppInfo |HttpConnection - checkConnQueue found no connData
00292611.000 |14:17:47.180 |SdlSig |DbObjectCacheTimer |initialized |Db(1,100,211,1) |SdlTimerService(1,100,3,1) |1,100,148,1.1^*^* |[T:H-H:0,N:0,L:0,V:0,Z:0,D:0] AppCorr: 0
00292612.000 |14:17:47.699 |AppInfo |HttpConnection - checkConnQueue found no connData
00292613.000 |14:17:48.188 |SdlSig |DbObjectCacheTimer |initialized |Db(1,100,211,1) |SdlTimerService(1,100,3,1) |1,100,148,1.1^*^* |[T:H-H:0,N:0,L:0,V:0,Z:0,D:0] AppCorr: 0
00292614.000 |14:17:48.988 |AppInfo |HttpConnection - checkConnQueue found no connData
00292615.000 |14:17:49.196 |SdlSig |DbObjectCacheTimer |initialized |Db(1,100,211,1) |SdlTimerService(1,100,3,1) |1,100,148,1.1^*^* |[T:H-H:0,N:0,L:0,V:0,Z:0,D:0] AppCorr: 0
00292616.000 |14:17:49.673 |SdlSig |ConnStartInd |wait |HttpHandler(1,100,39,11) |HttpHandler(1,100,39,11) |1,100,39,11.1^*^* |[R:N-H:0,N:2,L:0,V:0,Z:0,D:0] host=10.10.20.13
00292617.000 |14:17:49.673 |SdlSig |ConnOosInd |wait |HttpHandler(1,100,39,11) |HttpHandler(1,100,39,11) |1,100,39,11.2^*^* |[R:N-H:0,N:1,L:0,V:0,Z:0,D:0] host=10.10.20.13
00292617.001 |14:17:49.673 |AppInfo |ConnectionFailureToPDP - A connection request from Unified CM to the policy decision point failed Policy Decision Point:https://10.10.20.13:443/RPC2/ The cause of the connection failure:No response from PDP App ID:Cisco CallManager Cluster ID:StandAloneCluster Node ID:CUCMMLM
00292617.002 |14:17:49.673 |AlarmErr |AlarmClass: CallManager, AlarmName: ConnectionFailureToPDP, AlarmSeverity: Error, AlarmMessage: , AlarmDescription: A connection request from Unified CM to the policy decision point failed, AlarmParameters: PolicyDecisionPoint:https://10.10.20.13:443/RPC2/, FailedToConnectReason:No response from PDP, AppID:Cisco CallManager, ClusterID:StandAloneCluster, NodeID:CUCMMLM,
09-27-2017 08:02 AM
09-27-2017 10:40 AM - edited 09-27-2017 10:40 AM
1. Do you have a signed certificate assigned to your CMS webadmin? (i.e. not CMS self-signed)
2. Does your CUCM trust this certificate? (i.e. the issuing CA's root is added as a CallManger-trust certificate to all nodes?)
3. does the certificate have Client and Server authentication Extended Key usage set?
4. is the CB on CUCM configured with port used by the webadmin if not on 443?
5. Does the FQDN in the CB configuration appear as CN or SAN of the webadmin certificate?
10-02-2017 06:44 AM
I'll answer for my case.
1. Do you have a signed certificate assigned to your CMS webadmin? (i.e. not CMS self-signed)
Yes.
2. Does your CUCM trust this certificate? (i.e. the issuing CA's root is added as a CallManger-trust certificate to all nodes?)
Yes, but are you sure that it must be in Callmanager-trust rather than in tomcat-trust?
3. does the certificate have Client and Server authentication Extended Key usage set?
Yes, both enabled:
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)
4. is the CB on CUCM configured with port used by the webadmin if not on 443?
Yes, 445 port is defined.
5. Does the FQDN in the CB configuration appear as CN or SAN of the webadmin certificate?
Yes
10-02-2017 10:49 AM
To answer your question, yes, I am quite certain.
To register CMS as a CFB resource, the CallManager service will be reaching out to the CMS with API commands (reminder, CMS API is run by the webadmin service on CMS). Tomcat does not act as a client here (thus it does not need totrust webadmin's certificate)
to investigate further, you can:
10-03-2017 07:17 AM
Yes, you are right, it must be CallManager-trust, otherwise this trunk will not work.
I've re-uploaded the certificates and Conference Bridge now successfully registers to CMS.
Also note that we must upload Root CA/Intermediate CA certs to the CUCM. If they are missing, CUCM won't be able to trust to the CMS webadmin certificate issuer.
02-21-2018 09:38 AM
Hi ,
I have configured CMS only for ad-hoc conference, i have performed the below steps on CMS and CUCM(nothing more than this)
1. installed CMS 2.3
2. installed License
3. configure webadmin and callbridge (CA signed certs installed)
4. set TLS min version to 1.0 as CUCM is not 11.5 SU3
5. added root and intermediate root in certificate store as callmanage-trust in CUCM
6. create sip trunk with non secure sip security profile
7. configured conf bridge on CUCM
Last point to mention that CMS DNS entry is not added into DNS server yet, and i have created sip trunk with IP of CMS
still my conf bridge is not registering with CMS. did i miss anything?
I need your help, please help on this
02-21-2018 01:08 PM
How did you add the CFbridge to CUCM?
CUCM will have to make a https connection to the webadmin (make sure you are connecting to the correct port) and will be comparing the hostname in the SIP trunk or CFB HTTP Interface destination with the contents of CN or SAN fields of the received certificate.
Since your CMS name is not yet in DNS, CUCM either can't resolve this address, or if you have entered an IP here, it will not be able to find the IP in the certificate of CMS webadmin. So first of all I would fix that problem if i were you.
Other than that it can always be helpful to take a packet capture to see if https traffic is working between CUCM and webadmin (also if TLS handshake is successful or not)
and a look onCMS side logs to see if you get anything from CUCM or not. perhaps the credentials for webadmin are incorrect or do not have API priviledges.
02-21-2018 08:42 PM
Hi,
CFB type is telepresence conductor and now i have added the DNS entry.
when i checked the logs on CMS it is showing that CUCM is accessing it but still not registered.
CMS credentials that i put on CFB has admin role and it supposed to work with this credentials.
02-23-2018 12:04 AM
Hi Zolten,
Issue got fixed and adhoc CFB is now registered after issue commands tls webadmin min-tls-version 1.0 & tls sip min-tls-version 1.0
thank you for your support and quick response
04-27-2018 05:39 AM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide