Showing results for 
Search instead for 
Did you mean: 

Prepare Cluster for Rollback to pre 8.0

Level 1
Level 1

Hi Experts,


Current CUCM: Unrestricted

Target CUCM: Unrestricted


I have upgraded our UC servers (currently in an isolated environment) from 9.1.2 to 11.5 and will be migrating the phones to 11.5.


Our CUCM 9.1.2 (which phones are currently registered at) Call Manager, Tomcat, IPSec, CAPF certificates (cluster security mode is set as 0) have already been expired, so on my 11.5 environment, all certificates have already been regenerated.


My question is: If I will swing the phones to 11.5, will I encounter any issues? Or it is safe to enable "Prepare Cluster for Rollback to pre 8.0" as when I checked the servers ITL, they are different since certificates have been regenerated.


Any help will be appreciated. Thanks!





6 Replies 6

Ratheesh Kumar
VIP Alumni
VIP Alumni

Hi there

If the upgrade was done using PCD, then you shouldn't have any issues. If not and you used a manual method, you can merge the ITL files using Bulk Certificate Migration method 


Below is the guide and procedure.


Bulk Certificate Export


The Bulk Certificate Export method will only work if both clusters are online with network connectivity while the phones are being migrated.


Another possible option if both the old and new clusters will be online at the same time is to use the Bulk Certificate migration method.


Remember that the IP Phones verify every downloaded file against either the ITL file, or against a TVS server that exists in the ITL file. If the phone needs to move to a new cluster, the ITL file the new cluster presents must be trusted by the old cluster's TVS certificate store.


The Bulk Certificate Export method works in the following way from the OS Adminstration > Security > Bulk Certificate page:

  1. Export certificates from new destination cluster (TFTP only) and original cluster to a central SFTP server.
  2. From original cluster, run Consolidate certificates (TFTP only) on the SFTP server using the Bulk Certificate interface.
  3. On the old origination cluster use the Bulk Certificate function to import the TFTP certificates from the central SFTP server.
  4. Restart TVS services on old origination cluster.
  5. Use DHCP option 150, or some other method, to point the phones to the new destination cluster.
  6. Phones will download the new destination cluster ITL file and attempt to verify it against their existing ITL file.
  7. The cert will not be in the existing ITL file so the phone will ask the old TVS server to verify the signature of the new ITL file. The phone sends a TVS query to the old origination cluster on TCP port 2445 to make this request.
  8. If the certificate export/consolidate/import process worked correctly then TVS returns success, and the phone replaces the in memory ITL file with the newly downloaded ITL file.
  9. The phones can now download and verify the signed configuration files from the new cluster.



Hope this helps!


***Please rate helpful posts***

Hello Satheesh Kumar,

If I have used PCD for the migration I do not need to do Bulk Certificate Migration, I have used PDC, but the IP and the Hostname have changed in the new cluster.

I hope you can clarify this doubt, I have already read a lot of documentation but it is not clear to me.

Cisco Employee
Cisco Employee
You should be good with using Rollback feature if you are planning to migrate all the phones at the same time. If you are doing this on a per location basis, then this won't be recommended.
During rollback feature, the old servers need to be online only till the time phones download the empty ITL files. Once that happens, the old servers can be powered down.

You would prefer to use bulk tool if both your old and new servers are going to be on the network and online at the same time. From your initial post you mentioned your new servers are on an isolated network.

Hi Nipun,

It is correct is an isolated network, my best option is to use bulk tool.

Thanks for your answer.

Hi Nipun,

Could you please explain what are the risks if the Rollback feature is used on a per location basis?

We are migrating phones from CUCM to Avaya system.




Since your question is quite off topic to the OP it is advisable to create your own post with your question.

Response Signature