As CMS deployment is a little bit new for me, I am facing an issue while configuring the secure SIP trunk from CUCM (Mixed Mode) to CMS 1000. On CUCM I see the SIP Trunk Status as "down" and the reason as "local=2".
I had a look at the CMS Event Logs, and they show the messages below:
"handshake error 336151576" on incoming connection XXX from <IP address of CUCM:variable port number> to <IP address of CMS 1000:5061>.
"media module status 1"
I think that it is probably due to the certificates, but I don't know what it could be. I have uploaded the CMS certificates and the bundled root CA certificates on CMS 1000. I have also uploaded the CMS signed certificates to the CUCM Trust-List. Another question: as the CUCM has self-signed certificates and no CA-signed certificates, do we need to upload any certificates from CUCM into the CMS server? I haven't installed certificates from CUCM into CMS, as I believe CMS doesn't need any certificate from CUCM.
1. CUCM Pub
1. CMS 1000 server.
Thanks for pointing me in the right direction.
Thanks for your feedback. Indeed, it is correct that the Cisco documentation doesn't mention this. Even the Cisco PDI member only mentioned having the root certificates on both servers, but this is something new. As I have the same certs installed for both CMS Webadmin and Call Bridge, I will try to upload the same cert to the Tomcat-trust and CallManager-trust stores. As I am also getting the CUCM and Tomcat application certificates signed by a CA now, I will give your suggestion a try after signing the CUCM certificates.
So irrespective of whether you have a secure or non-secure SIP trunk (a secure trunk is mandatory for escalated ad-hoc calls), certs are required in the CUCM trust store. The reason is that for ad-hoc calls, CUCM needs to have API access to CMS. CMS requires an HTTPS connection. Check section 4.2 of the CMS-CUCM deployment guide.
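An added example, not part of the thread or of any Cisco tooling: it assumes the number in the "handshake error 336151576" event is an OpenSSL 1.0/1.1-style packed error code and decodes it to the TLS alert received from the peer. The function names and the sample log lines (with placeholder addresses) are constructed for illustration.

```python
import re

# Assumption: CMS logs OpenSSL 1.0.x/1.1.x packed error codes, laid out as
# 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SSL = 20             # OpenSSL library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reason 1000+N means TLS alert N was received from the peer

# Alert descriptions from RFC 5246 section 7.2 that relate to handshake/cert problems
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 51: "decrypt_error", 70: "protocol_version",
}

LOG_RE = re.compile(r'handshake error (\d+)')

def decode_handshake_error(code):
    """Split a packed error code and name the peer's TLS alert, if it encodes one."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET
    peer_alert = None
    if lib == ERR_LIB_SSL and 0 <= alert <= 255:
        peer_alert = TLS_ALERTS.get(alert, "alert_%d" % alert)
    return {"hex": "%08X" % code, "lib": lib, "func": func,
            "reason": reason, "peer_alert": peer_alert}

def scan_event_log(lines):
    """Return (line, decoded) for every line that carries a handshake error number."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits.append((line, decode_handshake_error(int(m.group(1)))))
    return hits

# Constructed sample lines in the format quoted in the question (addresses are placeholders)
SAMPLE_LOG = [
    '"handshake error 336151576" on incoming connection 12 from 192.0.2.10:41822 to 192.0.2.20:5061',
    '"media module status 1"',
]

if __name__ == "__main__":
    for line, d in scan_event_log(SAMPLE_LOG):
        print("0x%s lib=%d func=%d reason=%d peer_alert=%s"
              % (d["hex"], d["lib"], d["func"], d["reason"], d["peer_alert"]))
```

Under that assumption, 336151576 is 0x14094418: the side that logged it (CMS) received an unknown_ca alert from its peer (CUCM), which points at the CUCM trust store rather than at CMS.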
Thanks man. It worked, and now my SIP Trunks and Conference Bridge are registered. I will open up another discussion, and I hope to receive some helpful feedback from you again.
Have a Great Day!!
If CUCM is using a self-signed certificate, can we trust the same certificate in CMS and make a TLS trunk between CUCM and CMS?