Solved: DX70 registration by MRA

luis_Borja · ‎03-31-2016

HI,

I had a DX70 and I tried to register by MRA, when I reset the network configuration and the page of configuration of service domain, user and password appears, I put my domain, user and password a error messages says: "secure connection failed, Please contact customer service”

.load of DX70: 10.2.5

expway E version: X8.7

Is there any Idea what it´s happening???

Rajkumar Yadav · ‎04-01-2016

Hi Luis,

Please see the below lines from release notes.

Mobile and Remote Access through Expressway requires Cisco Expressway 8.6 or later and Cisco Unified Communications Manager 10.5.2 SU2 or Cisco Unified Communications Manager 11.0 or later.

I suggest you have minimum version for CUCM as 10.5.2SU2 and make sure your expressway certificate signed by public CA, as phones may not work with expressway self signed certificate.

____________________________________________________________________________

To establish a TLS session, the device must authenticate an Expressway certificate signed by a public Certificate Authority trusted by the device firmware. It is not possible to install or trust other CA certificates on DX Series devices for authenticating an Expressway certificate. See the Cisco DX Series Administration Guide for the list of trusted CA certificates embedded in the devices.

____________________________________________________________________________

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/dx/series/rel-notes/1024/DX00_BK_RF53F53D_00_release-notes-dx-series-1024.pdf

For Certificate, please refer the below link.

http://www.cisco.com/c/en/us/support/collaboration-endpoints/desktop-collaboration-experience-dx600-series/products-technical-reference-list.html

Procedure:

DX70:
Factory Reset: Apply power and wait for the Mute LED to blink, then hold the volume up till the Mute red LED is lit. Then release volume key and hold the Mute key for 3 seconds.
Alt-boot: Apply power and wait for the Mute LED to blink, then hold the volume down till the Mute red LED is lit. Then release volume key and hold the Mute key for 3 seconds.

Connect to a public internet connection. Wait and verify device has acquired an IP address
On DX device settings, select Settings > More > Reset Network Settings
Note: If the DX firmware is upgrading this option may be greyed out until the upgrade is complete
Uncheck the checkbox Enable automatic local telephony service discovery at the Prompt then select Reset
The device will reboot andDetecting Network message will appear
At the TFTP Server Prompt Screen select Collaboration Edge
Enter the following information:

Expressway login details

Service Name: domain.com
Username: your username
Password: Password

Note: If the details screen disappears while entering, go to Settings > More > select the checkbox next to Service Options > Reset Network Settings to get the prompt to show again

7. If prompted select OK at Multi User Mode
8. The device will then register to the CUCM over Expressway. Successful MRA through Expressway connectivity will show your number in the bottom left hand corner of the screen

Regards,

Raaj

View solution in original post

Jaime Valencia · ‎03-31-2016

Does it work with other clients??

Are you running a CUCM release which supports that??

And was the certs on EXP-E signed by an approved public CA??

Finally, what troubleshooting have you done so far???

HTH

java

if this helps, please rate

Rajkumar Yadav · ‎04-01-2016

Hi Luis,

Please see the below lines from release notes.

Mobile and Remote Access through Expressway requires Cisco Expressway 8.6 or later and Cisco Unified Communications Manager 10.5.2 SU2 or Cisco Unified Communications Manager 11.0 or later.

I suggest you have minimum version for CUCM as 10.5.2SU2 and make sure your expressway certificate signed by public CA, as phones may not work with expressway self signed certificate.

____________________________________________________________________________

To establish a TLS session, the device must authenticate an Expressway certificate signed by a public Certificate Authority trusted by the device firmware. It is not possible to install or trust other CA certificates on DX Series devices for authenticating an Expressway certificate. See the Cisco DX Series Administration Guide for the list of trusted CA certificates embedded in the devices.

____________________________________________________________________________

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/dx/series/rel-notes/1024/DX00_BK_RF53F53D_00_release-notes-dx-series-1024.pdf

For Certificate, please refer the below link.

http://www.cisco.com/c/en/us/support/collaboration-endpoints/desktop-collaboration-experience-dx600-series/products-technical-reference-list.html

Procedure:

DX70:
Factory Reset: Apply power and wait for the Mute LED to blink, then hold the volume up till the Mute red LED is lit. Then release volume key and hold the Mute key for 3 seconds.
Alt-boot: Apply power and wait for the Mute LED to blink, then hold the volume down till the Mute red LED is lit. Then release volume key and hold the Mute key for 3 seconds.

Connect to a public internet connection. Wait and verify device has acquired an IP address
On DX device settings, select Settings > More > Reset Network Settings
Note: If the DX firmware is upgrading this option may be greyed out until the upgrade is complete
Uncheck the checkbox Enable automatic local telephony service discovery at the Prompt then select Reset
The device will reboot andDetecting Network message will appear
At the TFTP Server Prompt Screen select Collaboration Edge
Enter the following information:

Expressway login details

Service Name: domain.com
Username: your username
Password: Password

Note: If the details screen disappears while entering, go to Settings > More > select the checkbox next to Service Options > Reset Network Settings to get the prompt to show again

7. If prompted select OK at Multi User Mode
8. The device will then register to the CUCM over Expressway. Successful MRA through Expressway connectivity will show your number in the bottom left hand corner of the screen

Regards,

Raaj

luis_Borja · ‎04-07-2016

Hi Jaime, the certs on EXP-E & C has make in open SSL, so these certs have to be signed by any approved public CA fo the lonk bellow??

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/dx/series/admin/1024/DX00_BK_C12F3FF5_00_cisco-dx-series-ag1024/DX00_BK_C12F3FF5_00_cisco-dx-series-ag1024_appendix_01111.html

thanks.

Rajkumar Yadav · ‎04-07-2016

Hi Luis,

Public CA is prerequsite, since DX phones have root certificate for valid public CA provider's.

Self signed and open SSL will never work.

"make sure your expressway certificate signed by public CA, as phones may not work with expressway self signed certificate"

Regards,

Raaj

Jaime Valencia · ‎04-07-2016

Yes, the root CAs that the phone has, is limited to the ones outlined in the link, it HAS to be a public CA who signs the EXP-E certificate, you can make it work for Jabber (assuming you're willing to take on the huge overhead it would require, but we definitely advise against it), but for endpoints, there's no way around this.

HTH

java

if this helps, please rate

gken2015moncada · ‎04-12-2016

Hi Jaime .

Iam working with Luis Borja
about the Phone security Profile, is necessary to include it in CSR ??

the csr shoud be generated in expressway core and edge ??

which are the parameters required to generate the CRS for DX device ??

The jabber is working fine .
the new certificate, authenticated for public CA, replace

the old certificates ??

Jaime Valencia · ‎04-12-2016

The phone security profile is only if you are using mixed mode

You need to have a signed cert on BOTH servers, EXP-C can be a local/internal CA, the EXP-E has to be a public CA if you want hard endpoints to use MRA.

You don't generate a CSR for endpoints...

Yes, you can only have one server certificate.

I STRONGLY suggest you watch the video on certificates management I have here in the update

http://docwiki.cisco.com/wiki/Certificates_FAQ

HTH

java

if this helps, please rate

servicios_ciscon2 · ‎11-24-2021

Hi Jaime

Is there a way to see the league you sent?

I am in the same situation trying to sign a DX80 through the Expressway (MRA) and I would like to know the procedure and I have read several documents and I understand that it is necessary to load the Public CA certificate that contains the host name of the Expressway E, correct ?

luis_Borja · ‎04-04-2016

no, it doesn´t working in another devices.

CUCM: ver 11

the certs on expway, works, in jaber´s client since out of network register fine on CUCM.

when I try register DX a messages appears: secure failed.