Interconnect two VCS system issue - TLS negotiation failure

mecharek1
Level 1

Hi;

I created a new zone on my old VCS, version 7.2.2 A524 *****, to interconnect it with a new VCS, version 8.10.x. For H323 it's OK, but for SIP TLS I have this message displayed: "TLS negotiation failure".

I checked the server certificate and it has expired. Also, I can't register my endpoints in secure mode.

Attached are some screenshots.

Can anyone please help me solve this problem?

Regards,


Wayne DeNardi
VIP Alumni

The correct way to fix it would be to update your certificate to one that hasn't expired.

As a temporary fix, you could try changing the Certification revocation checking mode setting in the SIP configuration of the VCS to Off.

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

Hi Wayne,

 

Thanks for the solution. I will try to update the expired certificate and inform you if the problem is resolved, but do you think it is recommended to upgrade my old VCS? I saw that the 1st generation Platforms only supports version 8.8.3 is confirmed.

 

Regards,

I would suggest the upgrade for sure, there have been many fixes done, also the latest 1gen can support is x8.6.1 I believe (52AX SNs). Nonetheless, an upgrade will definitely save you a lot of compatibility problems in the future.

 

For the problem at hand, if you want TLS to work you definitely need a valid certificate, I am assuming these are VCS control systems so you should be ok to use an internal CA to sign them if the cost is a concern.


@mecharek1 wrote:
I saw that the 1st generation Platforms only supports version 8.8.3 is confirmed.

The older X7 and X8 VCSes can talk fine to other X8 versions regardless of their minor version number.  This is mentioned in the release notes: "we do support a traversal zone link from one Cisco VCS system to another that is running the previous major release of Cisco VCS", so any X7.x can talk to any X8.x release, and similar with any X8.x talking to another X8.x.  It is however recommended that you run the same version on all of your VCSes if possible.

The older hardware is only not supported if upgraded to the newer software running on the old hardware.  Having a neighbour or traversal to a newer version VCS is still supported.

Gen1 hardware appliances with serial numbers 52A0#### will only be supported when running up to version X8.7.n.

Gen1 hardware appliances with a serial number of 52A1#### can run up to version X8.8.3.

There is a table describing this (Table 2) in the Cisco VCS Release Notes for X8.8.3 (Page 5).

Wayne

Please remember to mark helpful responses and to set your question as answered if appropriate.

Hi;

 

For a major upgrade, I think that you must have a release key, but I do not know how to get it.


I used OpenSSL to generate a new certificate for my old VCS as explained in: Cisco_VCS_Certificate_Creation_and_Use_Deployment_Guide_X7-2

but when I try to have this certificate signed I still get this error message:


PS C:\OpenSSL-Win32\bin> ./openssl ca -outdir . -config openssl_vcs.cfg -cert ca.crt -keyfile ca.key -in certcsr.pem -out server.pem -md sha1
Using configuration from openssl_vcs.cfg
Enter pass phrase for ca.key:
5708:error:02001003:system library:fopen:No such process:crypto\bio\bss_file.c:74:fopen('./demoCA/index.txt','r')
5708:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:81:


Since the client does not have an alternative to generate a trusted CA I have disabled SIP TLS.
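
Added example (not part of the thread and not taken from the Cisco deployment guide): the fopen('./demoCA/index.txt','r') failure quoted above means openssl ca could not open its CA database, which has to exist before the first certificate is signed. The script below creates index.txt and serial and then signs a CSR with a throwaway internal CA; ca_demo.cfg, all file names and both subjects are constructed for the demo, and it signs with sha256 where the post used -md sha1.

```shell
#!/bin/sh
# Added example: every file name and subject below is constructed for the demo.
# Builds a throwaway internal CA and signs one CSR with "openssl ca".
sign_with_local_ca() (
    set -e
    cd "$1"
    # Minimal config; the [ CA_default ] paths are the files "openssl ca" opens.
    cat > ca_demo.cfg <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = constructed-placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    # The step missing in the failing run: the CA database must already exist.
    mkdir -p demoCA
    : > demoCA/index.txt          # empty database of issued certificates
    echo 01 > demoCA/serial       # next serial number, in hex
    # Constructed CA key and self-signed CA certificate (lab use, no pass phrase).
    openssl req -x509 -newkey rsa:2048 -nodes -config ca_demo.cfg \
        -extensions v3_ca -subj "/CN=Constructed Lab CA" -days 30 \
        -keyout ca.key -out ca.crt 2>/dev/null
    # Constructed server key and CSR, standing in for the CSR made for the VCS.
    openssl req -new -newkey rsa:2048 -nodes -config ca_demo.cfg \
        -subj "/CN=vcs.example.local" -keyout server.key -out certcsr.pem 2>/dev/null
    # Same shape as the command in the post, with the database now in place.
    openssl ca -batch -notext -outdir . -config ca_demo.cfg -cert ca.crt \
        -keyfile ca.key -in certcsr.pem -out server.pem
    # Confirm the chain, then show the validity window a TLS peer will check.
    openssl verify -CAfile ca.crt server.pem
    openssl x509 -in server.pem -noout -dates
)

workdir=$(mktemp -d) && sign_with_local_ca "$workdir"
```

After a successful run, demoCA/index.txt holds one line starting with V (valid) and demoCA/serial has advanced to 02; ca.crt is the certificate each peer would need in its trusted CA list.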