Phone migration between clusters from 10.5.2 to 12.0.1

Leonardo Cupellaro · ‎09-24-2020

Hi everyone,

i have a question for you.

We need to migrate phones (models 6921, 7821, 7942 and 7975) between two clusters by avoiding phone manual reset.

The source cluster (version 10.5.2.12900-14) is in mixed-mode and destination cluster (version 12.0.1.23900-9) is in non-secure-mode.

Both clusters have 3 nodes: one publisher and two subscribers (only the two subscribers have the call Manager service and tftp service active).

We found the following method (https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/213407-migrate-phones-between-secure-clusters.html).

Manually export the Callmanager.pem and ITLrecovery.pem certificate from the subscriber 1 and the subscriber 2 of the destination cluster.
Upload the CallManager.pem and ITLrecovery certificates to the source publisher.
Restart TVS on all nodes of the source cluster
Set the tftp with the destination TFTP node
reset the phones from the old CUCM.

It works fine but we found a problem.

It leaves 6921 and 7821 models without ITL certificate at the end of the migration, that is at the end of registration on destination cluster.

Which advices can you give us?

Thanks in advance.

lior look · ‎10-12-2020

first, check if the tftp server on your cucm have an existing ITL file for those phones.

go to "http://<cucm>:6970/ITLSEP<phone's mac>.tlv" or "https://<cucm>:6972/ITLSEP<phone's mac>.tlv"

if it exists, you will need to check the phone side to understand why the phone doesn't load this file

if not,

you can try two thing,

1. remove the phone and create it again, this proccess should let the cucm to create uniquely ITL file to the specific phone.

2. to regenerate the ITL file on the destination cluster to see if after this updating the TFTP created ITL files for those phones.

to do this, you can change the ITL signer from the default signer which is the tftp server's callmanager.pem to the ITLRecovery.pem.

this process done following the command "utils itl reset localkey" on one of the tftp servers

Leonardo Cupellaro · ‎10-13-2020

The certificate exists, how can we proceed further?

lior look · ‎10-14-2020

what do u mean "the certificate exists"?

what exactly you checked and what does the result?

I just remind you, ITL is not a certificate but is a file who contains all relevant trust certificates.

Leonardo Cupellaro · ‎10-14-2020

I connected to the URL "http: // <cucm>: 6970 / ITLSEP <phone's mac> .tlv" and I downloaded the ".tlv" file related to the phone that does not load the ITL file, thus verifying that it exists.
How can I proceed to verify why the phone in question does not load the ITL file correctly?

Roger Kallberg · ‎10-14-2020

Have you checked on the phones if you see any messages in the logs that could explain why it doesn’t download the ITL?

Leonardo Cupellaro · ‎10-15-2020

The log messages of the cisco 6921 phone not obtaining the ITL certificate are as follows:

ITLSEP <phone's mac> .tlv updating
ITLSEP <phone's mac> .tlv(HTTP)
authenticate fail
ITLSEP <phone's mac> .tlv
(HTTP)
SEP <phone's mac>.cnf.xml.sgn
authenticated fail. Reason:12.
SEP <phone's mac>.cnf.xml.sgn
invalid file

Roger Kallberg · ‎10-15-2020

Looks like the phone doesn't trust the CM that it asks the TVS for verification. Have you tried to do a reset of the security settings on a phone to see if it would download the ITL? What I suspect is that these phones had issues with trust prior to you started all this and now you happen to find out. If that's the case your only option is to clear the current ITL of these phones to make it trust again.