09-24-2020 08:35 AM
Hi everyone,
I have a question for you.
We need to migrate phones (models 6921, 7821, 7942 and 7975) between two clusters while avoiding a manual phone reset.
The source cluster (version 10.5.2.12900-14) is in mixed mode and the destination cluster (version 12.0.1.23900-9) is in non-secure mode.
Both clusters have 3 nodes: one publisher and two subscribers (only the two subscribers have the CallManager service and TFTP service active).
We found the following method (https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/213407-migrate-phones-between-secure-clusters.html).
It works fine but we found a problem.
It leaves the 6921 and 7821 models without an ITL certificate at the end of the migration, that is, at the end of registration on the destination cluster.
What advice can you give us?
Thanks in advance.
10-12-2020 05:44 AM - edited 10-12-2020 05:51 AM
First, check whether the TFTP server on your CUCM has an existing ITL file for those phones.
Go to "http://<cucm>:6970/ITLSEP<phone's mac>.tlv" or "https://<cucm>:6972/ITLSEP<phone's mac>.tlv".
If it exists, you will need to check the phone side to understand why the phone doesn't load this file.
If not,
you can try two things:
1. Remove the phone and create it again. This process should let the CUCM create a unique ITL file for the specific phone.
2. Regenerate the ITL file on the destination cluster to see whether, after this update, the TFTP creates ITL files for those phones.
To do this, you can change the ITL signer from the default signer, which is the TFTP server's callmanager.pem, to the ITLRecovery.pem.
This is done with the command "utils itl reset localkey" on one of the TFTP servers.
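Added example, not part of the reply above: a Python sketch that runs the same ITL file check in bulk, for every migrated phone against each TFTP node, using the URL pattern quoted in the reply. The host names `tftp-a`/`tftp-b` and the MAC addresses are constructed placeholders, and the uppercase 12-digit MAC in the file name is an assumption.

```python
import re
import urllib.error
import urllib.request

def normalize_mac(raw):
    """Accept 00:11:22.., 0011.2233.4455 or SEP-prefixed names; return 12 hex digits."""
    s = re.sub(r"[\s:.\-]", "", raw).upper()
    if s.startswith("SEP"):
        s = s[3:]
    if not re.fullmatch(r"[0-9A-F]{12}", s):
        raise ValueError(f"not a MAC address: {raw!r}")
    return s

def itl_url(server, mac, secure=False):
    """Build the per-phone ITL URL from the reply (6970 for HTTP, 6972 for HTTPS)."""
    scheme, port = ("https", 6972) if secure else ("http", 6970)
    return f"{scheme}://{server}:{port}/ITLSEP{normalize_mac(mac)}.tlv"

def http_probe(url, timeout=5):
    """Return (status, body_length); status is None if the node cannot be reached."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, 0
    except OSError:  # URLError, timeouts and refused connections
        return None, 0

def audit(servers, macs, probe=http_probe):
    """Return {mac: {server: 'present' | 'missing' | 'unreachable'}}."""
    report = {}
    for raw in macs:
        mac = normalize_mac(raw)
        report[mac] = {}
        for server in servers:
            status, size = probe(itl_url(server, mac))
            if status is None:
                report[mac][server] = "unreachable"
            else:
                report[mac][server] = "present" if status == 200 and size else "missing"
    return report

def needs_attention(report):
    """MACs whose ITL file is not confirmed present on every TFTP node."""
    return sorted(m for m, row in report.items() if set(row.values()) != {"present"})

if __name__ == "__main__":
    # Constructed demo: a stub probe stands in for the TFTP nodes so this runs offline.
    stub = lambda url: (404, 0) if "tftp-b" in url and "AABB" in url else (200, 1024)
    result = audit(["tftp-a", "tftp-b"], ["00:11:22:33:44:55", "SEPAABBCCDDEEFF"], stub)
    print(result, needs_attention(result))
```

Drop the `probe` argument to query the real nodes over HTTP on port 6970.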
10-13-2020 09:02 AM
The certificate exists, how can we proceed further?
10-14-2020 06:38 AM
What do you mean by "the certificate exists"?
What exactly did you check, and what was the result?
Just a reminder: the ITL is not a certificate but a file that contains all the relevant trust certificates.
10-14-2020 07:34 AM
I connected to the URL "http://<cucm>:6970/ITLSEP<phone's mac>.tlv" and I downloaded the ".tlv" file related to the phone that does not load the ITL file, thus verifying that it exists.
How can I proceed to verify why the phone in question does not load the ITL file correctly?
10-14-2020 08:54 AM
Have you checked on the phones if you see any messages in the logs that could explain why it doesn’t download the ITL?
10-15-2020 01:42 AM
The log messages of the cisco 6921 phone not obtaining the ITL certificate are as follows:
10-15-2020 01:52 AM
Looks like the phone doesn't trust the CM that it asks the TVS for verification. Have you tried to do a reset of the security settings on a phone to see if it would download the ITL? What I suspect is that these phones had issues with trust before you started all this and now you happen to find out. If that's the case your only option is to clear the current ITL of these phones to make it trust again.