I have a question for you.
We need to migrate phones (models 6921, 7821, 7942 and 7975) between two clusters while avoiding a manual reset of the phones.
The source cluster (version 10.5.2.12900-14) is in mixed mode and the destination cluster (version 22.214.171.12400-9) is in non-secure mode.
Both clusters have 3 nodes: one publisher and two subscribers (only the two subscribers have the CallManager service and TFTP service active).
It works fine but we found a problem.
It leaves the 6921 and 7821 models without an ITL certificate at the end of the migration, that is, at the end of registration on the destination cluster.
What advice can you give us?
Thanks in advance.
First, check whether the TFTP server on your CUCM has an existing ITL file for those phones.
Go to "http://<cucm>:6970/ITLSEP<phone's mac>.tlv" or "https://<cucm>:6972/ITLSEP<phone's mac>.tlv".
If it exists, you will need to check the phone side to understand why the phone doesn't load this file.
You can try two things:
1. Remove the phone and create it again. This process should let the CUCM create a unique ITL file for the specific phone.
2. Regenerate the ITL file on the destination cluster to see whether, after this update, the TFTP creates ITL files for those phones.
To do this, you can change the ITL signer from the default signer, which is the TFTP server's callmanager.pem, to the ITLRecovery.pem.
This process is done with the command "utils itl reset localkey" on one of the TFTP servers.
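Added example (not from the thread's participants or from Cisco): the TFTP check from the reply above run in bulk, recording a SHA-256 of each per-phone ITL file so that a snapshot taken before "utils itl reset localkey" can be compared with one taken after. The node names, the MAC address and the function names are assumptions; a node that returns an HTTP error or cannot be reached is recorded as serving no ITL.

```python
import hashlib
import re
import urllib.error
import urllib.request

def itl_url(node, mac, port=6970):
    """Per-phone ITL URL as given in the reply; MAC normalised to 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"http://{node}:{port}/ITLSEP{digits}.tlv"

def http_fetch(url, timeout=5):
    """Return the file bytes, or None on any HTTP error status or unreachable node."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        return None

def snapshot(nodes, macs, fetch=http_fetch):
    """Map (mac, node) -> SHA-256 of the served ITL file, or None if nothing is served."""
    result = {}
    for mac in macs:
        for node in nodes:
            body = fetch(itl_url(node, mac))
            result[(mac, node)] = hashlib.sha256(body).hexdigest() if body else None
    return result

def compare(before, after):
    """Classify each (mac, node) pair across two snapshots, e.g. around an ITL regeneration."""
    states = {}
    for key, new in after.items():
        old = before.get(key)
        if new is None:
            states[key] = "still missing" if old is None else "disappeared"
        elif old is None:
            states[key] = "created"
        else:
            states[key] = "unchanged" if old == new else "regenerated"
    return states

if __name__ == "__main__":
    # Placeholder node names and MAC (constructed); use the two TFTP subscribers and real phones.
    nodes = ["cucm-sub1.example.com", "cucm-sub2.example.com"]
    for (mac, node), digest in snapshot(nodes, ["00:11:22:33:44:55"]).items():
        print(mac, node, digest or "no ITL served")
```

Pairs reported as "still missing" after the regeneration are the ones to follow up on the server side; for the others, the remaining question is on the phone side.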
What do you mean by "the certificate exists"?
What exactly did you check, and what was the result?
Just to remind you, the ITL is not a certificate but a file that contains all the relevant trust certificates.
I connected to the URL "http://<cucm>:6970/ITLSEP<phone's mac>.tlv" and I downloaded the ".tlv" file related to the phone that does not load the ITL file, thus verifying that it exists.
How can I proceed to verify why the phone in question does not load the ITL file correctly?
The log messages of the Cisco 6921 phone not obtaining the ITL certificate are as follows:
Looks like the phone doesn't trust the CM that it asks the TVS for verification. Have you tried to do a reset of the security settings on a phone to see if it would download the ITL? What I suspect is that these phones had issues with trust before you started all this and now you happen to find out. If that's the case, your only option is to clear the current ITL of these phones to make it trust again.