HTTP provisioning no longer working since upgrading to firmware version 7.5.2b with SPA504G

PippoFanciu
Level 1

Hi,
I have an Asterisk based cloud provisioning server.

With firmware version 7.4.9a provisioning works normally.
Upgrading to 7.5.2 or to latest 7.6.2d the HTTP provisioning is no longer working.

The device requests and finds the template; after that it stops and seems blocked.


This is the error reported from syslog debug:

  <134>SPA504G "MAC_ADDRESS" -- Requesting resync http://"SERVER_IP":80/provisioning/public/Cisco/SPA504G/"MAC_ADDRESS".cfg
  <159>FMM >>>> Requesting profile
  <159>[create_tcp_netstrm1] use async to create tcp connection
  <159>connect timeout
  <134>SPA504G "MAC_ADDRESS" -- Resync failed: http_get failed
  <134>SPA504G "MAC_ADDRESS" -- Resync failed: http_get failed
  <159>FMM >>>> Failed profile


Thanks,

Filippo
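
An added example, not part of the original post: a triage of the syslog excerpt above that decodes each PRI value and records the resync URL scheme, the debug messages seen, and the failure reason. The MAC and server address in the sample are constructed placeholders, and treating "connect timeout" as a failure at the TCP connect stage is an assumption drawn from the preceding debug line.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the log lines from the post, with a placeholder MAC
# and a documentation-range server address substituted for the redactions.
SAMPLE = """\
<134>SPA504G 000000000001 -- Requesting resync http://192.0.2.10:80/provisioning/public/Cisco/SPA504G/000000000001.cfg
<159>FMM >>>> Requesting profile
<159>[create_tcp_netstrm1] use async to create tcp connection
<159>connect timeout
<134>SPA504G 000000000001 -- Resync failed: http_get failed
<134>SPA504G 000000000001 -- Resync failed: http_get failed
<159>FMM >>>> Failed profile
"""

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
LINE_RE = re.compile(r"^\s*<(\d{1,3})>(.*)$")

def decode_pri(pri):
    """Syslog PRI = facility * 8 + severity; return (facility, severity name)."""
    return pri // 8, SEVERITIES[pri % 8]

def triage(log_text):
    """Return one record per resync request found in log_text."""
    attempts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        _, severity = decode_pri(int(match.group(1)))
        message = match.group(2).strip()
        if "Requesting resync " in message:
            url = urlsplit(message.split("Requesting resync ", 1)[1])
            attempts.append({"scheme": url.scheme, "host": url.hostname,
                             "port": url.port, "tls_requested": url.scheme == "https",
                             "debug": [], "failure": None, "stage": "unknown"})
        elif attempts and attempts[-1]["failure"] is None:
            current = attempts[-1]
            if severity == "debug":
                current["debug"].append(message)
            elif "Resync failed: " in message:
                current["failure"] = message.split("Resync failed: ", 1)[1]
                # Assumption: a "connect timeout" debug line means the TCP
                # connect to the provisioning server never completed.
                if "connect timeout" in current["debug"]:
                    current["stage"] = "tcp_connect"
    return attempts

if __name__ == "__main__":
    for attempt in triage(SAMPLE):
        print(attempt)
```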


Dan Lukes
VIP Alumni

I see "connect timeout" in your log - so it seems the SSL connection has not been established at all. Post 7.5.2b firmwares use newer encryption algorithms and 2048b Diffie-Hellman groups (instead of 1024b). DH key exchange is CPU intensive and it takes a very long time to generate one.

You may consider pre-generating DHparams with "openssl dhparam -2 2048" (I assume you have a 2048b private key), output should look like

Such text needs to be appended to the end of file with server's certificate. It may speed up SSL setup enough.

I'm checking with the PBX maintainer whether it is possible to modify the server's certificate. Do you think that's the only way?

I have many devices under provisioning. Would pre-generating DHparams compromise the SSL connection security?

Use tcpdump or similar to capture network communication between the phone and the provisioning server. With the saved dump we can verify the hypothesis first. If we verify the server is not responding in reasonable time, ask the server's administrator for help.

The workaround I described works on Apache HTTP server only. If your PBX uses another server, it will not work. The server administrator should know how to do it with the server in question.

Sujoy Paria
Cisco Employee

Hi Filippo,

It will be better if you can open a service request by contacting our support centre based on your region so that we can gather the additional details required on this case to investigate further.

Contact numbers are available on the following link…

https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Assuming you are an expert on the matter - are you willing to disclose what additional information should be obtained? Thanks.

Hi,

We have some basic template/requirements to work on a specific issue. For this case, a packet capture and the device configuration file will be helpful to proceed further.