cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3975
Views
0
Helpful
5
Replies

CISCO IP Communicator registration rejected: security error

amine..dahel
Level 1
Level 1

Hi,

I'm working on a cluster of CUCM7.1 and using CISCO IP Communicator 7.0.1 

Recently a CUCM sub was and still down, since then all the CISCO IP Comunicators can't register showing the error message: "Registration Rejected: security Error",  I've checked the CMG in the device pool config, I found out that this down server isn't on the list.

The action that I have tried so far:

- Resetting the CIPC

- Reinstall the CIPC

- On the PC, going to start -> Run -> certmgr.msc-> Personal -> Certificates, but I didn't find any certificate

- Deleting the CIPC then add it again

Knowing that:

-Physical Ip phones on site register correctly

- I could ping the TFTP servers on the user's PC

- I get in the status messages: "TFTP timeout SEP..." message on the user's PC

- When I connected to the client's LAN using VPN tunnel I managed to register the same CIPC correctly

Can you, guys, help me?

Any tip to solve this issue will be so much appreciated, guys.

Thanks in advance, guys.

5 Replies 5

Jawad Ahmad
Level 1
Level 1

Check the Directory numbers that are still in the database. Once you delete the DN that was associated with the phone, then reset the phone, it should Auto Register once again. You can find the DNs listed that are configured in the system under Call Routing > Directory Numbers.

Hi Jawad,

thank you for your feedback.

There is no auto-reg, all the IP phones are added manually.

Leszek Wojnarski
Cisco Employee
Cisco Employee

Amine,

Can you share some more information.

How many servers are there in the cluster?

To which of the CIPC should register? 

Since there were some issues with the cluster, then it might be related with replication between the servers? To confirm can try to configure CMG in the way CIPC should try to register to Publisher instead Subscriber servers?

For the CIPC that fails to register, can you collect the output of the following SQL on Pub and on Sub that it tries to register to?

run sql select * from device where name='SEPnameofCIPC'

Leszek

Hi Leszek,

Thanks for your feedback.

To answer your questions

- there are 7 nodes in the cluster: 1 PUB, 2 TFTP, 4 SUB

The CIPC should register with SUB04

The publisher doesn't have the Call Manager service enabled.

I have typed the command, which is a very interesting command by the way, thank you so much for that, i have compared the value on each server, and it's the same.

Now I have a new piece of information, when I used a VPN tunnel to the client's LAN, I managed to register correctly.

But on the client's PC, even though I could ping the TFTP servers and the physical Ip phones register correctly,   I had the on the CIPC status messages "TFTP timeout SEP... "

Any tips how to solve this issue?

Can you try to use Wireshark on customer PC to collect pcap from when the phone tries to register? This should tell from which server Phone is downloading config an to which it's trying to register.

It might be useful to see what's the configuration file on the TFTP for this phone. You can download XML file directly from TFTP bu using any TFTP client or Windows command

> tftp <IP_of_TFTP> GET SEP<MAC>.cnf.xml

I've seen those errors as you see when phone tries to register to CCM server that is not a part of call-manager group for this phone. Thsi would usually happen when the phone has incorrect configuration file (like old configuration file or it cannot get it).

From those 2 things I request pcap would be desired one.

Leszek