Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6908
Views
58
Helpful
18
Replies

CMS 2.2 ad hoc call not work

samhopealpha
Level 1
Level 1

‎08-10-2017 12:09 AM - edited ‎03-18-2019 01:23 PM

Hi Everybody, 

I am going to create an adhoc conference with Internal CA

But CUCM still showing the CMS registration "unknown" state

By following the guide (section 4: Setting up escalated ad hoc calls)
https://www.cisco.com/c/dam/en/us/td/docs/conferencing/ciscoMeetingServer/Deployment_Guide/Version-2-2/Cisco-Meeting-Server-2-2-Deployments-with-CUCM.pdf


Version
CUCM 11.5
CMS 2.2.5
SX20 ce 8.3.2
mx800 ce 8.3.2
Cisco TelePresence DX70 ce 8.3.2

  • The endpoints are all updated to ce 8.3.2
  • Rendezvous call is tested successfully
  • The SIP trunk is TLS already between CUCM and CMS.

acano> webadmin
Enabled : true
TLS listening interface : a
TLS listening port : 443
Key file : webadmin.key
Certificate file : webadmin.crt
CA Bundle file : cacert.pem
HTTP redirect : Enabled
STATUS : webadmin running
acano> 
acano> 
acano> 
acano> callbridge 
Listening interfaces : a
Preferred interface : a
Key file : callbridge.key
Certificate file : callbridge.crt
Address : none
CA Bundle file : cacert.pem
acano>

In CUCM,

HTTP inferface info
Override sip trunk destination as http address: <Tried checked and unchecked>
username : <tried the username with admin role and API role>
HTTPS port: 443

Anybody know what's the problem why CMS cannot register to CUCM?

Thanks in advance


Sam

3 people had this problem
Labels:
0 Helpful
18 Replies 18

Oleg Serstjuk
Level 1
Level 1

‎08-10-2017 03:06 AM

Your SIP trunk security profile, do you have the correct FQDN of the CMS server in this field X.509 Subject Name?

samhopealpha
Level 1
Level 1
In response to Oleg Serstjuk

‎08-11-2017 12:40 AM

Don't know is it correct or not ... 

  • if Rendezvous call is tested successfully, the SIP trunk and X.509 subject name should be fine

but the conference bridge (CMS) cannot register to CUCM

0 Helpful

Jaime Valencia
Cisco Employee
Cisco Employee

‎08-10-2017 06:33 AM

I show that configuration here:

https://youtu.be/FFcGHWb718c

HTH

java

if this helps, please rate

samhopealpha
Level 1
Level 1
In response to Jaime Valencia

‎08-11-2017 12:44 AM

Thanks for sharing the link

i have followed the instruction, but it seems failed... 

and i found some error  in CUCM, but no idea how to interrupt

00292605.001 |14:17:46.154 |AppInfo |HttpManager - wait_HttpHandlerInd pkid[85d57a25-90e1-0b3a-040d-ab42fd866a2f], pURI[https://10.10.20.13:443/RPC2/], sURI[], RReqTimer[10000], enableLB[0]
00292605.002 |14:17:46.156 |AppInfo |ConnectionFailureToPDP - A connection request from Unified CM to the policy decision point failed Policy Decision Point:https://10.10.20.13:443/RPC2/ The cause of the connection failure:The Handler profile will be deleted App ID:Cisco CallManager Cluster ID:StandAloneCluster Node ID:CUCMMLM
00292605.003 |14:17:46.156 |AlarmErr |AlarmClass: CallManager, AlarmName: ConnectionFailureToPDP, AlarmSeverity: Error, AlarmMessage: , AlarmDescription: A connection request from Unified CM to the policy decision point failed, AlarmParameters: PolicyDecisionPoint:https://10.10.20.13:443/RPC2/, FailedToConnectReason:The Handler profile will be deleted, AppID:Cisco CallManager, ClusterID:StandAloneCluster, NodeID:CUCMMLM,
00292605.004 |14:17:46.156 |AppInfo |HttpManager - (delete) profile req, route req to the httpHandlerPid=(1,39,11) with appType[2] for ECCProfPkid[85d57a25-90e1-0b3a-040d-ab42fd866a2f], send alarm ConnectionFailureToPDP
00292606.000 |14:17:46.156 |SdlSig |UpdateHandlerReq |wait |HttpHandler(1,100,39,11) |HttpManager(1,100,38,1) |1,100,42,1.51^*^* |[R:N-H:0,N:0,L:0,V:0,Z:0,D:0] eccPkid=85d57a25-90e1-0b3a-040d-ab42fd866a2fpURI=https://10.10.20.13:443/RPC2/sURI=enableLB=FRReqTimer=10000eccBitMask=00292606.001 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath https://10.10.20.13:443/RPC2/
00292606.002 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath token https
00292606.003 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath token https
00292606.004 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath token 10.10.20.13
00292606.005 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath token 443
00292606.006 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath token RPC2
00292606.007 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): -setHostPortPath hScheme https, and hHost 10.10.20.13 , and value size 4
00292606.008 |14:17:46.156 |AppInfo |HttpHandler(1,39,11): - updateRouteServerInfo - update route server for current total connection count (2): total(2) of route server[0]
00292607.000 |14:17:46.164 |SdlSig |DeviceEventReceiptMonitoringTimer |wait |StationInit(1,100,63,1) |SdlTimerService(1,100,3,1) |1,100,148,1.1^*^* |[R:H-H:1,N:0,L:0,V:0,Z:0,D:0]
00292608.000 |14:17:46.164 |SdlSig |DbObjectCacheTimer |initialized |Db(1,100,211,1) |SdlTimerService(1,100,3,1) |1,100,148,1.1^*^* |[T:H-H:0,N:0,L:0,V:0,Z:0,D:0] AppCorr: 0
00292609.000 |14:17:46.336 |AppInfo |HttpConnection - checkConnQueue found no connData
00292610.000 |14:17:47.035 |AppInfo |HttpConnection - checkConnQueue found no connData
00292611.000 |14:17:47.180 |SdlSig |DbObjectCacheTimer |initialized |Db(1,100,211,1) |SdlTimerService(1,100,3,1) |1,100,148,1.1^*^* |[T:H-H:0,N:0,L:0,V:0,Z:0,D:0] AppCorr: 0
00292612.000 |14:17:47.699 |AppInfo |HttpConnection - checkConnQueue found no connData
00292613.000 |14:17:48.188 |SdlSig |DbObjectCacheTimer |initialized |Db(1,100,211,1) |SdlTimerService(1,100,3,1) |1,100,148,1.1^*^* |[T:H-H:0,N:0,L:0,V:0,Z:0,D:0] AppCorr: 0
00292614.000 |14:17:48.988 |AppInfo |HttpConnection - checkConnQueue found no connData
00292615.000 |14:17:49.196 |SdlSig |DbObjectCacheTimer |initialized |Db(1,100,211,1) |SdlTimerService(1,100,3,1) |1,100,148,1.1^*^* |[T:H-H:0,N:0,L:0,V:0,Z:0,D:0] AppCorr: 0
00292616.000 |14:17:49.673 |SdlSig |ConnStartInd |wait |HttpHandler(1,100,39,11) |HttpHandler(1,100,39,11) |1,100,39,11.1^*^* |[R:N-H:0,N:2,L:0,V:0,Z:0,D:0] host=10.10.20.13
00292617.000 |14:17:49.673 |SdlSig |ConnOosInd |wait |HttpHandler(1,100,39,11) |HttpHandler(1,100,39,11) |1,100,39,11.2^*^* |[R:N-H:0,N:1,L:0,V:0,Z:0,D:0] host=10.10.20.13
00292617.001 |14:17:49.673 |AppInfo |ConnectionFailureToPDP - A connection request from Unified CM to the policy decision point failed Policy Decision Point:https://10.10.20.13:443/RPC2/ The cause of the connection failure:No response from PDP App ID:Cisco CallManager Cluster ID:StandAloneCluster Node ID:CUCMMLM
00292617.002 |14:17:49.673 |AlarmErr |AlarmClass: CallManager, AlarmName: ConnectionFailureToPDP, AlarmSeverity: Error, AlarmMessage: , AlarmDescription: A connection request from Unified CM to the policy decision point failed, AlarmParameters: PolicyDecisionPoint:https://10.10.20.13:443/RPC2/, FailedToConnectReason:No response from PDP, AppID:Cisco CallManager, ClusterID:StandAloneCluster, NodeID:CUCMMLM,

0 Helpful

msubby
Level 1
Level 1
In response to samhopealpha

‎09-27-2017 08:02 AM

Did you ever get anywhere with this? I am in the exact same point. My SIP Trunk is connected between CUCM and CMS but the Conference Bridge remains in a State of None and it doesn't show the IP address of the CMS in the CUCM, even though the SIP trunk is fully operational.
0 Helpful

Zoltan Kelemen
Cisco Employee
Cisco Employee
In response to msubby

‎09-27-2017 10:40 AM - edited ‎09-27-2017 10:40 AM

1. Do you have a signed certificate assigned to your CMS webadmin? (i.e. not CMS self-signed)
2. Does your CUCM trust this certificate? (i.e. the issuing CA's root is added as a CallManger-trust certificate to all nodes?)

3. does the certificate have Client and Server authentication Extended Key usage set?

4. is the CB on CUCM configured with port used by the webadmin if not on 443?

5. Does the FQDN in the CB configuration appear as CN or SAN of the webadmin certificate?

iamnewborn
Level 1
Level 1
In response to Zoltan Kelemen

‎10-02-2017 06:44 AM

I'll answer for my case.

 

1. Do you have a signed certificate assigned to your CMS webadmin? (i.e. not CMS self-signed)

Yes.

 

2. Does your CUCM trust this certificate? (i.e. the issuing CA's root is added as a CallManger-trust certificate to all nodes?)

Yes, but are you sure that it must be in Callmanager-trust rather than in tomcat-trust?

 

3. does the certificate have Client and Server authentication Extended Key usage set?

Yes, both enabled:

Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)

 

4. is the CB on CUCM configured with port used by the webadmin if not on 443?

Yes, 445 port is defined.

 

5. Does the FQDN in the CB configuration appear as CN or SAN of the webadmin certificate?

Yes

Zoltan Kelemen
Cisco Employee
Cisco Employee
In response to iamnewborn

‎10-02-2017 10:49 AM

To answer your question, yes, I am quite certain.

To register CMS as a CFB resource, the CallManager service will be reaching out to the CMS with API commands (reminder, CMS API is run by the webadmin service on CMS). Tomcat does not act as a client here (thus it does not need totrust webadmin's certificate)

 

to investigate further, you can:

  • try packet capture on the webadmin interface. If it's a TLS issue, you should be able to see it
  • look at CallManager traces while the CFB has been reset
  • enable detailed API logs on CMS and look into the "log" file to see what is coming from CUCM / see if you can spot some errors

iamnewborn
Level 1
Level 1
In response to Zoltan Kelemen

‎10-03-2017 07:17 AM

Yes, you are right, it must be CallManager-trust, otherwise this trunk will not work.

I've re-uploaded the certificates and Conference Bridge now successfully registers to CMS.

 

Also note that we must upload Root CA/Intermediate CA certs to the CUCM. If they are missing, CUCM won't be able to trust to the CMS webadmin certificate issuer.

0 Helpful

Farrukh '
Level 1
Level 1
In response to Zoltan Kelemen

‎02-21-2018 09:38 AM

Hi ,

I have configured CMS only for ad-hoc conference, i have performed the below steps on CMS and CUCM(nothing more than this)

1. installed CMS 2.3
2. installed License
3. configure webadmin and callbridge (CA signed certs installed)
4. set TLS min version to 1.0 as CUCM is not 11.5 SU3
5. added root and intermediate root in certificate store as callmanage-trust in CUCM
6. create sip trunk with non secure sip security profile
7. configured conf bridge on CUCM

Last point to mention that CMS DNS entry is not added into DNS server yet, and i have created sip trunk with IP of CMS

still my conf bridge is not registering with CMS. did i miss anything?
I need your help, please help on this

Zoltan Kelemen
Cisco Employee
Cisco Employee
In response to Farrukh '

‎02-21-2018 01:08 PM

How did you add the CFbridge to CUCM?

CUCM will have to make a https connection to the webadmin (make sure you are connecting to the correct port) and will be comparing the hostname in the SIP trunk or CFB HTTP Interface destination with the contents of CN or SAN fields of the received certificate.

Since your CMS name is not yet in DNS, CUCM either can't resolve this address, or if you have entered an IP here, it will not be able to find the IP in the certificate of CMS webadmin. So first of all I would fix that problem if i were you.

Other than that it can always be helpful to take a packet capture to see if https traffic is working between CUCM and webadmin (also if TLS handshake is successful or not) 
and a look onCMS side logs to see if you get anything from CUCM or not. perhaps the credentials for webadmin are incorrect or do not have API priviledges.

Farrukh '
Level 1
Level 1
In response to Zoltan Kelemen

‎02-21-2018 08:42 PM

Hi,

 

CFB type is telepresence conductor and now i have added the DNS entry.

 

when i checked the logs on CMS it is showing that CUCM is accessing it but still not registered.

 

CMS credentials that i put on CFB has admin role and it supposed to work with this credentials.

0 Helpful

Farrukh '
Level 1
Level 1
In response to Zoltan Kelemen

‎02-23-2018 12:04 AM

Hi Zolten,

 

Issue got fixed and adhoc CFB is now registered after issue commands tls webadmin min-tls-version 1.0 & tls sip min-tls-version 1.0

 

thank you for your support and quick response

Adviser
Level 1
Level 1
In response to Farrukh '

‎04-27-2018 05:39 AM

Absolutely correct answer. Respect you.
0 Helpful
Customers Also Viewed These Support Documents