Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5452
Views
20
Helpful
6
Replies

Prepare Cluster for Rollback to pre 8.0

Flo.Matalis
Level 1
Level 1

‎06-11-2018 12:09 AM - edited ‎03-19-2019 01:24 PM

Hi Experts,

 

Current CUCM: 9.1.2.11900-12 Unrestricted

Target CUCM: 11.5.1.14900-11 Unrestricted

 

I have upgraded our UC servers (currently in an isolated environment) from 9.1.2 to 11.5 and will be migrating the phones to 11.5.

 

Our CUCM 9.1.2 (which phones are currently registered at) Call Manager, Tomcat, IPSec, CAPF certificates (cluster security mode is set as 0) have already been expired, so on my 11.5 environment, all certificates have already been regenerated.

 

My question is: If I will swing the phones to 11.5, will I encounter any issues? Or it is safe to enable "Prepare Cluster for Rollback to pre 8.0" as when I checked the servers ITL, they are different since certificates have been regenerated.

 

Any help will be appreciated. Thanks!

 

Regards,

Florence

 

0 Helpful
6 Replies 6

Ratheesh Kumar
VIP Alumni
VIP Alumni

‎06-11-2018 05:59 AM

Hi there

If the upgrade was done using PCD, then you shouldn't have any issues. If not and you used a manual method, you can merge the ITL files using Bulk Certificate Migration method 

 

Below is the guide and procedure.

 

https://supportforums.cisco.com/t5/collaboration-voice-and-video/migrating-ip-phones-between-clusters-with-cucm-8-and-itl-files/ta-p/3108501

 

Bulk Certificate Export

Note

The Bulk Certificate Export method will only work if both clusters are online with network connectivity while the phones are being migrated.

 

Another possible option if both the old and new clusters will be online at the same time is to use the Bulk Certificate migration method.

 

Remember that the IP Phones verify every downloaded file against either the ITL file, or against a TVS server that exists in the ITL file. If the phone needs to move to a new cluster, the ITL file the new cluster presents must be trusted by the old cluster's TVS certificate store.

 

The Bulk Certificate Export method works in the following way from the OS Adminstration > Security > Bulk Certificate page:

  1. Export certificates from new destination cluster (TFTP only) and original cluster to a central SFTP server.
  2. From original cluster, run Consolidate certificates (TFTP only) on the SFTP server using the Bulk Certificate interface.
  3. On the old origination cluster use the Bulk Certificate function to import the TFTP certificates from the central SFTP server.
  4. Restart TVS services on old origination cluster.
  5. Use DHCP option 150, or some other method, to point the phones to the new destination cluster.
  6. Phones will download the new destination cluster ITL file and attempt to verify it against their existing ITL file.
  7. The cert will not be in the existing ITL file so the phone will ask the old TVS server to verify the signature of the new ITL file. The phone sends a TVS query to the old origination cluster on TCP port 2445 to make this request.
  8. If the certificate export/consolidate/import process worked correctly then TVS returns success, and the phone replaces the in memory ITL file with the newly downloaded ITL file.
  9. The phones can now download and verify the signed configuration files from the new cluster.

 

 

Hope this helps!

Cheers
Rath!


***Please rate helpful posts***

stobar1101
Level 1
Level 1
In response to Ratheesh Kumar

‎04-07-2019 02:51 PM

Hello Satheesh Kumar,

If I have used PCD for the migration I do not need to do Bulk Certificate Migration, I have used PDC, but the IP and the Hostname have changed in the new cluster.

I hope you can clarify this doubt, I have already read a lot of documentation but it is not clear to me.

0 Helpful

R0g22
Cisco Employee
Cisco Employee

‎06-11-2018 06:14 AM

You should be good with using Rollback feature if you are planning to migrate all the phones at the same time. If you are doing this on a per location basis, then this won't be recommended.
During rollback feature, the old servers need to be online only till the time phones download the empty ITL files. Once that happens, the old servers can be powered down.

You would prefer to use bulk tool if both your old and new servers are going to be on the network and online at the same time. From your initial post you mentioned your new servers are on an isolated network.

stobar1101
Level 1
Level 1
In response to R0g22

‎04-08-2019 05:56 PM

Hi Nipun,

It is correct is an isolated network, my best option is to use bulk tool.

Thanks for your answer.
0 Helpful

impromptu
Level 1
Level 1
In response to R0g22

‎09-02-2022 01:21 AM

Hi Nipun,

Could you please explain what are the risks if the Rollback feature is used on a per location basis?

We are migrating phones from CUCM to Avaya system.

Thanks,

Ana

 

0 Helpful

Roger Kallberg
VIP
VIP
In response to impromptu

‎09-02-2022 04:40 AM

Since your question is quite off topic to the OP it is advisable to create your own post with your question.



Response Signature


0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents