cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1467
Views
0
Helpful
4
Replies

CUCM Exxpresway-C Trunk TLS connection

macieknowak
Level 1
Level 1

Hello,

I am on customer site. I am configurtin SIP TLS trunk beetwen CUCM 10.5 and Expressway C 8.6. I have problem, because I see on Expressway C TLS negotiation Failed.

I am using this documentaion :
http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-6/Cisco-Expressway-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-10-and-X8-6.pdf

The CUCM in in mixed mode.
I uploded the same CA root certyficate to CUCM and Expresway - C and Expresway E.
I generated servers CSR tomcat, CSRcallmenager,CS Expressway C.
I use CA root certyfocate to sing server certyficate.
I upload the server certyficate to CUCM (tomcat, callmenager) nad Expressway C.

Could you check my configuration ?

2 Accepted Solutions

Accepted Solutions

Jaime Valencia
Cisco Employee
Cisco Employee

Did you create the right SIP trunk security profile for that??

Are you using the right set of ports??

Are you using the right CN or SAN from the certs??

HTH

java

if this helps, please rate

View solution in original post

Yes, that's supposed to be the FQDN, or whatever you have in the CN/SAN of the certificate, of the VCS-C, not the CN from CUCM.

HTH

java

if this helps, please rate

View solution in original post

4 Replies 4

Jaime Valencia
Cisco Employee
Cisco Employee

Did you create the right SIP trunk security profile for that??

Are you using the right set of ports??

Are you using the right CN or SAN from the certs??

HTH

java

if this helps, please rate

Hello,

Thaks for replay.


I have checked all seting twice ( with http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-6/Cisco-Expressway-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-10-and-X8-6.pdf ).

I think I have wrong setting in X.509 Subject name in SIP Profile seting.


What should I write in  "X.509 Subject name" FQDN adress of VCS C ?

I have ddres of cucm now in X.509 Subject name.

 

Yes, that's supposed to be the FQDN, or whatever you have in the CN/SAN of the certificate, of the VCS-C, not the CN from CUCM.

HTH

java

if this helps, please rate

I will check this tommorow I don't have remote addres to client site.
I will check the certyficatesCN/SAN on VCS-C. I shold use the Common Name from cert in my opinion,.

Regarding generaly about CERT on CUCM and VSC.

1.Should I add the CARoot cert to VCS C and the same cert to CUCM in first step ?

2.Generatet the CSR on VCS and CSR callmenager on CUCM.

3.Use the CARoot cert to sing CSR file ( I will have server certyficates).

4.Upload serwer certyficates to CUCM as option callmenager and VCS.

I configured the travelsal zone betwen VCS-C and VCS-E. Trawersal zone working OK.