Showing results for 
Search instead for 
Did you mean: 

Phone migration between clusters from 10.5.2 to 12.0.1

Hi everyone,

i have a question for you.

We need to migrate phones (models 6921, 7821, 7942 and 7975) between two clusters by avoiding phone manual reset.

The source cluster (version is in mixed-mode and destination cluster (version is in non-secure-mode.

Both clusters have 3 nodes: one publisher and two subscribers (only the two subscribers have the call Manager service and tftp service active).

We found the following method (


  1. Manually export the Callmanager.pem and ITLrecovery.pem certificate from the subscriber 1 and the subscriber 2 of the destination cluster.
  2. Upload the CallManager.pem and ITLrecovery certificates to the source publisher.
  3. Restart TVS on all nodes of the source cluster
  4. Set the tftp with the destination TFTP node
  5. reset the phones from the old CUCM.


It works fine but we found a problem.

It leaves 6921 and 7821 models without ITL certificate at the end of the migration, that is at the end of registration on destination cluster.

Which advices can you give us?

Thanks in advance.


first, check if the tftp server on your cucm have an existing ITL file for those phones.

go to "http://<cucm>:6970/ITLSEP<phone's mac>.tlv" or "https://<cucm>:6972/ITLSEP<phone's mac>.tlv"

if it exists, you will need to check the phone side to understand why the phone doesn't load this file

if not,

you can try two thing,

1. remove the phone and create it again, this proccess should let the cucm to create uniquely ITL file to the specific phone.


2. to regenerate the ITL file on the destination cluster to see if after this updating the TFTP created ITL files for those phones.


to do this, you can change the ITL signer from the default signer which is the tftp server's callmanager.pem to the ITLRecovery.pem.

this process done following the command "utils itl reset localkey" on one of the tftp servers



The certificate exists, how can we proceed further?


what do u mean "the certificate exists"?

what exactly you checked and what does the result?


I just remind you, ITL is not a certificate but is a file who contains all relevant trust certificates.


I connected to the URL "http: // <cucm>: 6970 / ITLSEP <phone's mac> .tlv" and I downloaded the ".tlv" file related to the phone that does not load the ITL file, thus verifying that it exists.
How can I proceed to verify why the phone in question does not load the ITL file correctly?


Have you checked on the phones if you see any messages in the logs that could explain why it doesn’t download the ITL?

Please rate all useful posts

The log messages of the cisco 6921 phone not obtaining the ITL certificate are as follows:

  • ITLSEP <phone's mac> .tlv updating
  • ITLSEP <phone's mac> .tlv(HTTP)
  • authenticate fail
  • ITLSEP <phone's mac> .tlv
  • (HTTP)
  • SEP <phone's mac>.cnf.xml.sgn
  • authenticated fail. Reason:12.
  • SEP <phone's mac>.cnf.xml.sgn
  • invalid file

Looks like the phone doesn't trust the CM that it asks the TVS for verification. Have you tried to do a reset of the security settings on a phone to see if it would download the ITL? What I suspect is that these phones had issues with trust prior to you started all this and now you happen to find out. If that's the case your only option is to clear the current ITL of these phones to make it trust again.

Please rate all useful posts
Content for Community-Ad