03-12-2016 03:14 AM - edited 03-21-2019 08:53 AM
Hi - I spent an entire day trying to get automate the zero touch provisioning of SPA504G phones from the lowest possible F/W 7.3.7 up to the current 7.6.1.
So I am a bit stuck, I need to ensure I can get phones from the lowest possible F/W revision up to 7.6.1.
I know I have to get them to at least 7.5.2b before 7.6.1.
I want the spa504G.cfg file to come via a http server, not TFTP, and I then want to replace the profile_rule with a https:// URL to the proper config file.
The initial spa504G.cfg file needs to get the phone up to F/W 7.5.2b and then I can do the 7.6.1 F/W upgrade via the final xml profile_rule URL.
I found that in the spa504G.cfg file I could put the downgrade revision limit to 7.6.1 ad then the would prevent a 7.6.1 phone being downgraded to 7.5.2b after a factory reset.
I also thought that if the DHCP 66 option could not set the path as well as the IP to the initial .cfg file I may need to set up a virtual host for the URL name and just put it in the root of the virtual server.
Any help would be appreciated but the requirement is simple to get an SPA504G witg F/W 7.3.7 up to 7.6.1 with my current XML config on it.
On a side note, the 7.6.1 SPC tool would not run under Linux - kept giving a 'segmentation fault'.
Solved! Go to Solution.
03-14-2016 01:19 AM
I have just tested DHCP option 159 vs 150 on firmware 7.6.1. I can confirm that I get no HTTP request from the phone to web server if I use DHCP option 150 but I do if I use DHCP option 159 for the php URL.
03-14-2016 01:30 AM
I'm unsure here - 159 with IP or 160 with name may be used on SPA5xx interchangeably. But 159 will not work on some other models (SPA112) - the CN in certificate needs to be the same as name in URL. Thus IP with option 159 can't be used.
Option 160 works with all modes (with the exception of SPA1xx with 1.0.x firmware - it doesn't support such kind of provisioning at all).
03-14-2016 01:22 AM
So sorry - I'm using it for so long time, so I remembered it incorrectly. We use neither option 150 nor 159 but option 160.
I will edit all previous comments to correct it (so futire readers will not be confused).
03-14-2016 01:27 AM
OK great !
03-14-2016 06:07 AM
Out of interest, why do you pass the SW ver back in via the upgrade_rule URL ?
SW='.$_GET["SW"];
if (cmp_ver($_GET["SW"], ">=", "7.5.2b")) {
$upgrade_rule = 'https://$A/Cisco/spa50x-30x-7-5-5.bin?SW='.$_GET["SW"];
} else {
$upgrade_rule = 'https://$(A)/Cisco/spa50x-30x-7-5-2b.bin?SW='.$_GET["SW"];
}
03-14-2016 06:34 AM
Well, I have syslog&debug turned on on all phones connected - and we are collecting all those messages. But it's a lot of data and it's not easy to filter it.
Such option allow me to see what firmware version has been upgrade easilyd in the Apache log.
If you are interested in my upgrade rule, you may be interested in my Profile_rule as well ? ;-) :
'https://$(A)'.$_SERVER['SCRIPT_NAME'].'?MAC=$MA;PSN=$PSN;Product=$PN;Serial=$SN;SW=$SWVER;HW=$HWVER;CERT=$CCERT;IP=$IP;EXTIP=$EXTIP;PRVST=$PRVST;UID1=$UID1;GPP_O=$O;GPP_P=$P'
Note the $EMS and $MUID must not be used here. Moreover, $CERT must not be used in Report_Rule.
03-13-2016 04:53 AM
Dan - You said, "But you can request certificate signed by CA recognized by both 7.3.7 as well as 7.6.1 firmware."
I don't see where the self service portal gives me an option to generate a cert signed by both old and new CA's. I get the option to choose one or the other:
03-13-2016 06:55 AM
You has misunderstood. A firmware may recognize more than one CA as trusted. SO you need no certificate signed by two authorities - you need certificate signed by the authority recognized by both (all) firmwares supported.
For SPA504G use the CA listed on first line (under 'Select product'). It should work for 7.3.7 as well as 7.6.1
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide