jbaly
Enthusiast

Expressway not communicating to CUCM

Hi,

I suspect it may be due to a recent CUCM upgrade (11.5.1) but my Expressway C cannot communicate with it:

SIP: Failed to connect to 10.1.16.1:5065 : No response from system

Both systems have been rebooted, but still not working.

Any thoughts?

5 REPLIES

What software version is your Expressway running?

When running CUCM 11.5(1), due to changes in the IM&P Service, you should be running Expressway X8.8 and later, as earlier versions are not compatible. Refer to the Interoperability section of the Expressway X8.8 Release Notes.

Has anything else changed, other than upgrading CUCM?

I think it's down to a certificate issue (when isn't it!). When I change the SIP trunk security profile to TCP from TLS, connectivity is restored. I'll refresh the certs to confirm.

Do certs change when upgrading?

I don't think so, but I'm not sure for CUCM.

Jaime Valencia
Hall of Fame Cisco Employee

No, upgrading does not change anything in the CUCM's certificates.

HTH

java

if this helps, please rate

First things first: are you using a self-signed certificate or a CA-signed one?

CUCM 11.5 brings support for ECDSA certificates.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_5_1/secugd/CUCM_BK_SEE2CFE1_00_cucm-security-guide-1151/CUCM_BK_SEE2CFE1_00_cucm-security-guide-1151_chapter_011.html#CUCM_TP_G6593FBA_00

Is this for MRA, or a normal CUCM neighbour zone on TLS for CUCM B2B calls?

If it's for B2B calls, can you go to the CUCM Enterprise Parameters and then check for "security parameters"? You will see TLS ciphers there. What do you have configured?

By default it's "All Ciphers RSA Preferred". Just make sure you have set that under the enterprise parameters.

Also check the security profile to verify that the correct port is configured (5065, as you mentioned) along with the correct FQDN for the incoming certificate.

If it still fails, then do a tcp dump at both ends and check the certificates, what you are sending and what is being received, and then make sure the certificates are trusted at both ends.

Regards,

Alok
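As an added example that is not part of any post in this thread: a small Python probe that separates the layers discussed above, reporting whether a connection to the TLS port fails at TCP, during the TLS handshake, or at certificate validation. The function name `probe_tls`, the FQDN `cucm.example.test` and the `cafile` argument are assumptions for illustration; the address and port are the ones from the original question.

```python
import socket
import ssl


def probe_tls(host, port, server_name=None, cafile=None, timeout=5.0):
    """Return (stage, detail); stage is 'tcp', 'tls', 'trust' or 'ok'.

    tcp   - nothing accepted the connection (routing, firewall, port closed)
    tls   - TCP connected but the handshake failed or timed out
    trust - handshake reached the certificate and validation rejected it
    ok    - handshake completed; detail holds protocol and cipher suite
    """
    # cafile: PEM bundle with the CA (or self-signed cert) expected to have
    # issued the peer certificate; None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", f"no TCP connection: {exc}")
    try:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            # For TLS 1.2 ECDHE suites the name shows the certificate type,
            # e.g. ECDHE-RSA-... versus ECDHE-ECDSA-...
            return ("ok", f"{tls.version()} {tls.cipher()[0]}")
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate or name mismatch.
        return ("trust", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # Protocol or cipher mismatch, peer reset, or no answer in time.
        return ("tls", f"handshake failed: {exc}")
    finally:
        raw.close()


if __name__ == "__main__":
    # Address and port are from the post; the FQDN is a hypothetical placeholder.
    print(probe_tls("10.1.16.1", 5065, server_name="cucm.example.test"))
```

The probe presents no client certificate and validates only the certificate the far end sends, so it covers one direction of the trust check; the other direction still needs the trust store on the peer reviewed.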
