ā06-24-2018 12:13 PM - edited ā03-18-2019 02:12 PM
Hi;
I created a new zone in my old VCS version 7.2.2 A524 ***** to interconnect it with a new VCS version 8.10.x for H323 it's ok but for sip tls I have this message that s displays "TLS negotiation failure".
I check the server certificate it has expired also I can't registre my endpoints in secure mode
attached some screenshots
please anyone can help me to solve this problem
regards;
Solved! Go to Solution.
ā06-25-2018 11:32 AM
I would suggest the upgrade for sure, there have been many fixes done, also the latest 1gen can support is x8.6.1 I believe (52AX SNs). Nonetheless, an upgrade will definitely save you a lot of compatibility problems in the future.
For the problem at hand, if you want TLS to work you definitely need a valid certificate, I am assuming these are VCS control systems so you should be ok to use an internal CA to sign them if the cost is a concern.
ā06-26-2018 07:46 PM - edited ā06-26-2018 07:54 PM
@@mecharek1 wrote:
I saw that the 1st generation Platforms only supports version 8.8.3 is confirmed.
The older X7 and X8 VCSes can talk fine to other X8 versions regardless of their minor version number. This is mentioned in the release notes: "we do support a traversal zone link from one Cisco VCS system to another that is running the previous major release of Cisco VCS", so any X7.x can talk to any X8.x release, and similar with any X8.x talking to another X8.x. It is however recommended that you run the same version on all of your VCSes if possible.
The older hardware is only not supported if upgraded to the newer software running on the old hardware. Having a neighbour or traversal to a newer version VCS is still supported.
Gen1 hardware appliances with serial numbers 52A0#### will only be supported when running up to version X8.7.n.
Gen1 hardware appliances with a serial number of 52A1#### can run up to version X8.8.3.
There is a table describing this (Table 2) in the Cisco VCS Release Notes for X8.8.3 (Page 5).
Please remember to mark helpful responses and to set your question as answered if appropriate.
ā06-24-2018 10:28 PM - edited ā06-24-2018 10:29 PM
The correct way to fix it would be to update your certificate to one that hasn't expired.
As a temporary fix, you could try changing the Certification revocation checking mode setting in the SIP configuration of the VCS to Off.
Please remember to mark helpful responses and to set your question as answered if appropriate.
ā06-24-2018 10:49 PM
Hi Wayne,
Thanks for the solution, i will try to update the expired certificate and inform you if the problem is resolved but do you think it is recommended to upgrade my old VCS. I saw that the 1st generation Platforms only supports version 8.8.3 is confirmed.
Regards,
ā06-25-2018 11:32 AM
I would suggest the upgrade for sure, there have been many fixes done, also the latest 1gen can support is x8.6.1 I believe (52AX SNs). Nonetheless, an upgrade will definitely save you a lot of compatibility problems in the future.
For the problem at hand, if you want TLS to work you definitely need a valid certificate, I am assuming these are VCS control systems so you should be ok to use an internal CA to sign them if the cost is a concern.
ā06-26-2018 07:46 PM - edited ā06-26-2018 07:54 PM
@@mecharek1 wrote:
I saw that the 1st generation Platforms only supports version 8.8.3 is confirmed.
The older X7 and X8 VCSes can talk fine to other X8 versions regardless of their minor version number. This is mentioned in the release notes: "we do support a traversal zone link from one Cisco VCS system to another that is running the previous major release of Cisco VCS", so any X7.x can talk to any X8.x release, and similar with any X8.x talking to another X8.x. It is however recommended that you run the same version on all of your VCSes if possible.
The older hardware is only not supported if upgraded to the newer software running on the old hardware. Having a neighbour or traversal to a newer version VCS is still supported.
Gen1 hardware appliances with serial numbers 52A0#### will only be supported when running up to version X8.7.n.
Gen1 hardware appliances with a serial number of 52A1#### can run up to version X8.8.3.
There is a table describing this (Table 2) in the Cisco VCS Release Notes for X8.8.3 (Page 5).
Please remember to mark helpful responses and to set your question as answered if appropriate.
ā06-27-2018 06:27 AM
Hi;
For a major upgrade, I think that you must have a release key, but I do not know how to get it.
I used OpenSSL to generate a new certificate for my old VCS as explained in: Cisco_VCS_Certificate_ Creation_and_Use_Deployment_Guide_X7-2
but to have this certificate signed I still have this error message:
PS C: \ OpenSSL-Win32 \ bin> ./openssl ca-outdir. -config openssl_vcs.cfg -cert ca.crt -keyfile ca.key -in certcsr.pem -out server.pem -md sha1
Using configuration from openssl_vcs.cfg
Enter pass sentence for ca.key:
5708: error: 02001003: system library: fopen: No such process: crypto \ bio \ bss_file.c: 74: fopen ('./ demoCA / index.txt', 'r')
5708: error: 2006D080: BIO routines: BIO_new_file: no such file: crypto \ bio \ bss_file.c: 81:
Since the client does not have an alternative to generate a trusted CA I have disabled SIP TLS.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide