Cisco SPA 30x and SPA 50x - Failed - Not Reachable

d.shleg
Level 1

After flashing the 7.6.2f(SR6) firmware, the phones lost registration via TLS transport. I enabled debug and see some messages.

The TLS certificate is valid. Other phones work correctly.

<143>RSE_DEBUG: find a rse that has name [name]and type [type] in rse pool [rp],return address of the found rse  or NULL if not found !!! 
	172.17.4.57	02/03 17:31:51.646	
<143>RSE_DEBUG:rse was found is not NULL and this rse is safe!!! 
	172.17.4.57	02/03 17:31:51.664	
<134>Getting a SIP TCP port for line 0
	172.17.4.57	02/03 17:31:51.683	
<134>Getting a SIP TCP port for line 0
	172.17.4.57	02/03 17:31:51.700	
<134>### Get Sip Tcp Port = 5069
	172.17.4.57	02/03 17:31:51.715	
<134>### Get Sip Tcp Port = 5069
	172.17.4.57	02/03 17:31:51.731	
<134>[0]SIP/TCP:Connecting...(11)
	172.17.4.57	02/03 17:31:51.747	
<134>[0]SIP/TCP:Connecting...(11)
	172.17.4.57	02/03 17:31:51.762	
<134>[0]SIP/TCP:Connect=0, errno=54 
	172.17.4.57	02/03 17:31:57.455	
<134>[0]SIP/TCP:Connect=0, errno=54 
	172.17.4.57	02/03 17:31:57.467	
<134>[0]SIP/TLS:Connecting ...
	172.17.4.57	02/03 17:31:57.472	
<134>[0]SIP/TLS:Connecting ...
	172.17.4.57	02/03 17:31:57.476	
<134>[0]SIP/TLS:Connect Failed -1
	172.17.4.57	02/03 17:31:57.481	
<134>[0]SIP/TLS:Connect Failed -1
	172.17.4.57	02/03 17:31:57.486	

Please help, any ideas???

1 Accepted Solution

d.shleg
Level 1

I found a solution:

All links to the SPA Certificate Authority (CA) List are broken, but I found other information here.

According to the information above, the phones have preloaded root Certificate Authorities embedded in the firmware:

- Cisco Small Business CA Certificate

- CyberTrust CA Certificate

- Verisign CA certificate

- Sipura Root CA Certificate

- Linksys Root CA Certificate

To solve my problem I used the option Custom CA RULE with the value http://myvoipserver.com/ca_certificate.pem

and the phone successfully registered. Thanks, all, for the answers!
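
Why a valid certificate can still be rejected with Unknown CA, as an added example that is not part of the original thread: the script builds two constructed root CAs (one standing in for a firmware-embedded CA, one for the issuer of the server certificate) and verifies the same server certificate against each trust store with `openssl verify`. All names, keys and file names are generated locally and are assumptions, not Cisco's.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name below is generated locally.
set -eu

# make_demo_pki DIR: create two unrelated root CAs and one server certificate.
#   embedded_ca.pem  stands in for a root CA baked into the phone firmware
#   custom_ca.pem    stands in for the CA that issued the SIP server certificate
make_demo_pki() {
  pki_dir="$1"
  for ca_name in embedded_ca custom_ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=demo ${ca_name}" \
      -keyout "$pki_dir/$ca_name.key" -out "$pki_dir/$ca_name.pem" 2>/dev/null
  done
  # Server key and CSR, then a certificate signed by custom_ca only.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
    -keyout "$pki_dir/server.key" -out "$pki_dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$pki_dir/server.csr" -days 2 \
    -CA "$pki_dir/custom_ca.pem" -CAkey "$pki_dir/custom_ca.key" \
    -CAcreateserial -out "$pki_dir/server.pem" 2>/dev/null
}

# trusts STORE CERT: print "trusted" if CERT chains to a root in STORE,
# otherwise "unknown CA" (the condition behind the TLS alert seen in the dump).
trusts() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "trusted"
  else
    echo "unknown CA"
  fi
}

# Stand-alone run: same certificate, two different trust stores.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "embedded store only: $(trusts "$demo_dir/embedded_ca.pem" "$demo_dir/server.pem")"
echo "custom CA loaded:    $(trusts "$demo_dir/custom_ca.pem" "$demo_dir/server.pem")"
rm -rf "$demo_dir"
```

Against a live server, `openssl s_client -connect <host>:<port> -CAfile ca_certificate.pem -verify_return_error` runs the same check on the chain the server actually presents.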

12 Replies

Dan Lukes
VIP Alumni

According to the log you disclosed, the phone is trying to connect, but the connection attempts are refused by the peer. So check the log of the peer; there may be a notice related to the refused connection, including the reason. And/or use a tool to capture packets; it may help to identify the cause of the issue.

I created a dump via Wireshark and see the TLS error Unknown CA, but I use a paid wildcard certificate!

"Paid" doesn't mean "known". Known means known, and known means "found on the list of known CAs".

 

But first we need to distinguish who is refusing the connection to whom. Even the phone contains a certificate and may use it during the handshake if requested by the server. The phone certificate is not the "paid" certificate you are speaking of ...

How do I list the known CAs on the phone?

I will try to find who is refusing the connection and come back again.

Based on the dump I posted, Unknown CA originated from the phone device.

Just for completeness ...

The Custom CA RULE based solution has a major disadvantage: a virgin phone (or one cleared to factory default) has an empty Custom CA Rule, thus it can't download provisioning from the server (because it is considered untrusted). The phone needs to be manually pre-configured. It increases the total cost of ownership.

SPA[35]xx models are ready for secure zero-touch provisioning. They accept an initial provisioning URL supplied by DHCP. The provisioning server needs to have a certificate issued by an embedded trusted CA. Those certificates are issued free of charge by Cisco.

 

Hmm, maybe you know how to obtain free certificates from Cisco?
Yes, if the phones are reset to factory default the custom CA is cleared, but I configured provisioning option 66 on my DHCP server. The phones are configured from a TFTP server.

I can't find valid information about the embedded CA list on SPA devices.

https://community.cisco.com/t5/small-business-support-documents/small-business-ip-phone-documentation/ta-p/3293900

The official link is broken :(

For example, Verisign is now Symantec; if I pay Symantec, will it work for SPA devices?

I need up-to-date information about the embedded CAs.

Found it here: https://web.archive.org/web/20151203011339/https://supportforums.cisco.com/document/96471/spa-certificate-authority-ca-list and converted it to PDF, see the attachment.

What remains is to find out how to make a request for a certificate...

Good job. I failed to find the document in question despite being a co-author of it. I have republished it here.


What remains is to find out how to make a request for a certificate...

It's easy to make a certificate request. I assume you are asking where to submit the CSR to.

A Cisco Sales Representative should issue the certificate for you. Cisco SMB Support should help you to identify a Cisco Sales Representative.

 

If everything else fails, write a private message to me.

 

Wow, thank you for republishing the post!

I do not have a contact at Cisco sales or SMB support, and I emailed ciscosb-certadmin@cisco.com with the question and am waiting for an answer.

If I have problems obtaining the certificate, I will ask you.

 
