
CUCM 14(SU2) Host Not Found errors

salvage210
Level 1

Hi all,

I have a lab environment with a cluster of one Pub and two Subs. A couple of 8841 phones and 7975G phones.

The 8841 phones and one 7975G phone can access the Corporate directory and User Preferences such as wallpapers and ringtones. All of the other phones present the Host not Found error and will not display the Corporate Directory or download wallpapers. All phones are registered to the same Subscriber.

  • All phones show the URL for the corporate directory and services when I check their configuration
  • The URL under "Enterprise Parameters" matches what the phones are showing me
  • DNS seems to be working because I can browse to the Call Manager using the URL
  • I tried replacing the URL with the IP address with no change.
  • I refreshed the phones' security certificates
  • I've restarted TVS, TFTP and Tomcat

I'd appreciate your thoughts.

Accepted Solutions

The default setting for TLS is this.

admin:show tls min-version
Configured TLS minimum version: 1.0

This is without a shred of doubt where you started off before you touched the version for TLS and set it to 1.2. Please revert it back to this and then test.




17 Replies

b.winter
VIP

After changing the URLs in the enterprise parameters, have you reset the phones? If not, then they won't take over the new config.
Host not found says that the phones cannot resolve the FQDN in the URLs. Check if the phones have a DNS configured.

This issue has been discussed a hundred times already in the forum. You should check those threads first, before opening the same question again.

Hi B. Winter, 

I have reset the phones multiple times. I'm aware that this has been covered before but the previous discussions are all quite old and do not cover CUCM 14. I wasn't sure if something in the new release could cause this problem. I've tried many of the solutions in the older discussions without success, hence the reason for the new thread.

What do the phone logs say? It's normally easy to find out what the problem is when checking the phone logs.
What about my other point with the DNS server in the phones?
What about standard IP connectivity? Are the phones in different subnets? IP routing, FW, ...

Troubleshooting 101: Starting from Layer 1 up to Layer 7

All phones show the correct IP address for our DNS server.

This is a classified gov't system so I'm unable to post up the phone logs but I'm not seeing any trust or HTML errors or the typical errors associated with the Host Not Found problem as described in the old discussions. I'm going to review them again, in case I missed something.

I should add: these features were working correctly up until recently. I'm not aware of any changes in the lab that may have caused this but I'm asking around with my co-workers.

When pressing the Directory button, then Corporate Directory, the phone presents the following log entries:

SSL/TLS handshake failed

Bad Table

I know that our cluster is running TLS v1.2 when running the command: show tls min-version

Have you checked that the phones that have the issue support TLS 1.2? Most older models, like 79xx, do not support this. What model of phones do you have the issue on?





In addition to @Roger Kallberg's info: Does it work when the phones use unsecure URLs?
If phones of a specific type work and some do not, maybe they have an old ITL/CTL file and they don't trust the CUCM certs.

7975 doesn't support TLS 1.2. Make sure the phones are on the version that supports TLS 1.2.

Erase the security settings and try..

 

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/Compatibility/TLS/TLS1-2-Compatibility-Matrix.html



This all makes sense because my 8841's work correctly and the one 7975G that is working, is using HTTP, not HTTPS.

I'm regressing the lab back to TLS v1.1.

As long as you have older phone models present in your system you cannot use TLS 1.2. It’s not just the directory service that relies on this, for example the phones won’t be able to get the configuration file from the TFTP service if you use a TLS version that they don’t support.





Hi Roger,

Understood. Since this is a lab environment I can safely make changes. I've regressed the cluster back to TLS v1.1 but the older phones are still giving the same SSL/TLS handshake failure and BAD TABLE.  I've deleted the security certificates in the older phones and reset them without success.  Obviously I'm missing some other key step. Do I need to regenerate any certificates?

The nodes reboot when setting the TLS version so that should reset any services?

Maybe the old phones don't support TLS 1.1 either, or TLS at all. Have you checked that before changing the TLS version? You are a technician, so you should check compatibilities before you make any changes, and it's not the task of the forum to search for such info for you. All you need to know is available on the internet. You just have to search for it.

B. Winter,

All of these phones worked perfectly a few weeks ago before I flipped the switch to TLS v1.2. We've had these phones in our lab and our field environments for years. 

Down below you wrote "I'm not aware of any changes in the lab that may have caused this but I'm asking around with my co-workers."
And now you tell us that it doesn't work since you activated TLS 1.2? Why open a forum post then? WTF

I'm out.
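
Added example, not part of any post in this thread: a Python probe that offers a capped TLS version the way an older phone would and reports whether the server answers with a ServerHello or an alert, which checks the cluster's minimum TLS version from the client side. The host and port in the usage comment are placeholders, the sample replies are constructed, and which alert a CUCM node actually returns is not stated in the thread.

```python
import socket
import struct

VERSIONS = {"1.0": 0x0301, "1.1": 0x0302, "1.2": 0x0303}   # TLS wire versions
NAMES = {v: k for k, v in VERSIONS.items()}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}  # RFC 5246, section 7.2

def client_hello(max_version: str) -> bytes:
    """Build a minimal ClientHello whose highest offered version is max_version."""
    suites = struct.pack("!2H", 0x002F, 0x0035)       # RSA AES-CBC suites, valid in TLS 1.0-1.2
    body = (struct.pack("!H", VERSIONS[max_version])  # client_version
            + bytes(32)                               # random (zeros are fine for a probe)
            + b"\x00"                                 # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs   # record type 22 = handshake

def classify(reply: bytes) -> str:
    """Interpret the first TLS record of the server's reply to the probe."""
    if len(reply) < 5:
        return "no TLS reply (connection closed or reset)"
    rtype, _, length = struct.unpack("!BHH", reply[:5])
    payload = reply[5:5 + length]
    if rtype == 21 and len(payload) >= 2:             # alert record: level, description
        return "rejected: alert " + ALERTS.get(payload[1], str(payload[1]))
    if rtype == 22 and len(payload) >= 6 and payload[0] == 2:   # ServerHello
        chosen = struct.unpack("!H", payload[4:6])[0]           # server_version field
        return "accepted: TLS " + NAMES.get(chosen, hex(chosen))
    return "unexpected record type %d" % rtype

def probe(host: str, port: int, max_version: str, timeout: float = 5.0) -> str:
    """Send one ClientHello to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello(max_version))
        try:
            return classify(s.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return classify(b"")

# Constructed sample replies (not captured from a real CUCM node)
ALERT_PROTOCOL_VERSION = bytes.fromhex("15030300020246")            # fatal, description 70
SERVER_HELLO_TLS10 = bytes.fromhex("160301002a02000026 0301") + bytes(36)

# Usage against a lab node (placeholder host and port, both assumptions):
#   for v in ("1.0", "1.1", "1.2"): print(v, probe("cucm.example.test", 8443, v))
```

A handshake_failure alert instead of protocol_version usually means the version was acceptable but none of the two offered cipher suites was, so read the alert name before blaming the minimum version.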