[cisco-voip] 79xx and Firmware 9-2-1
Jason Aarons (AM)
jason.aarons at dimensiondata.com
Thu Jan 5 21:31:07 EST 2012
I can vouch for the product! It has saved some large enterprises from huge headaches when they've lost the security USB token! The touchscreen phone feature really saved the customer from having someone visit each phone to delete the trust.
From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Stephen Welsh
Sent: Thursday, January 05, 2012 8:33 AM
To: Mike King
Cc: Cisco VoIPoE List
Subject: Re: [cisco-voip] 79xx and Firmware 9-2-1
Mike,
Sorry to jump on your email thread, but the problem of managing ITL Files on phones has become a real pain for some people, and something we have considerable experience with, so it's worth some clarification on our software (PhoneView from Unified FX - http://www.unifiedfx.com)
Pricing:
We have a FREE ITL Edition of PhoneView, yes free as in beer, if you email itl at unifiedfx.com we can provide you with details to obtain a license, we will release a demo video soon showing how simple it now is to manage ITL files, not just erase them.
We have several different Editions and licensing models of software from $0, $299 and upwards that include unlimited installations, so always best to qualify any requirements first. Almost all of our products have full functionality, no need to buy multiple separate products. The pricing typically varies on the number of phones in the estate, number of installations and if bulk actions are required, if you try to do a like for like comparison we will always be more cost effective as you get more bang for your buck.
Beta:
PhoneView Version 2 came out of beta in December, a number of companies were claiming remote key press macro capabilities to delete ITL files, but our product was the only true solution as it can use CTI to control the phone avoiding some really painful scenarios when the Authentication URL on the phone no longer works. This scenario caused all other remote control based products to fail when deleting ITL files, so we have been able to assist several organisations and save them having to physically attend 10,000's of phones to delete ITL files manually.
We are constantly adding new features, at the moment we are about to start another beta for the next set of enhancements, as always with some very unique capabilities that others will try to copy ;)
* Phone model independent macros (i.e. Set the IP Phone Switch Port to Auto on all phones of any model in a single mouse click)
* Extract ITL Status from all phones (saves hours when trying to find the phones with the ITL problem)
* Remote Audio (receive a copy of the audio from a remote IP Phone to your PC, the ultimate remote phone experience)
If anyone is interested in joining the next beta drop an email to beta at unifiedfx.com
Final thought:
With the release of UCM v8 ITL files are here to stay, Cisco are very aware of the problems caused by Security by Default (SBD) and I'm certain over time they will improve the upgrade experience to hopefully avoid the need to delete ITL files. However in the meantime whenever you have an upgrade to UCM v8, or even between UCM8 versions be very mindful of the impact of SBD, we have seen people upgrade to UCS on UCM 8.6 and hit ITL problems due to the capitalisation of the server name being different than it was before. I recommend reading the short document "Security by Default and Managing ITL Files" (https://supportforums.cisco.com/docs/DOC-18964) to get a quick heads-up on the impact of ITL files and what to watch out for.
From our point of view the introduction of ITL files adds to the "Phone Local" configuration (i.e. the configuration details on the phone and not in UCM), this would normally be something that would need a visit to the IP Phone to manage, however our software is designed to do almost anything remotely with one, many or all phones, so you never need to go to site(s) again ;)
Thanks
Stephen
On 5 Jan 2012, at 03:41, Matthew Berry wrote:
Cool! They finally released that version out of beta.
Have you tried to use the free lab edition? Their website doesn't designate if that feature is limited to their more expensive versions ($3499 - ouch!) or not.
Thanks,
Matthew Berry, CCIE #26721 (Voice)
Sr. Unified Communications Engineer, CDW
+1.763.592.5987 | protocol.by/matthewberry
From: Dennis Heim <Dennis.Heim at cdw.com>
Date: Wed, 4 Jan 2012 21:36:30 -0600
To: Matthew Berry <matthew.berry at cdw.com>, Mike King <me at mpking.com>, Cisco VoIPoE List <cisco-voip at puck.nether.net>
Subject: RE: [cisco-voip] 79xx and Firmware 9-2-1
Unified FX makes a product that can remotely wipe ITL's.
Dennis Heim
Senior Engineer (Unified Communications)
CDW Advanced Technology Services
10610 9th Place
Bellevue, WA 98004
425.310.5299 Single Number Reach (WA)
317.569.4255 Single Number Reach (IN)
317.569.4201 Fax
dennis.heim at cdw.com
http://www.cdw.com/content/solutions/unified-communications/
From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Matthew Berry
Sent: Wednesday, January 04, 2012 7:29 PM
To: Mike King; Cisco VoIPoE List
Subject: Re: [cisco-voip] 79xx and Firmware 9-2-1
Aside from a factory reset, you could try deleting the ITL file off the phone. Yes, it is still a manual process, but it isn't as time consuming as a factory reset (process below).
I spoke with a TAC engineer last month about this. It has been identified as a bug and will be resolved in a future release. Unfortunately, I can't locate the bug ID for it. I will email him and see if I can get a response.
Steps to delete ITL file:
1. Select Settings
2. Select Security Configuration (4)
3. Select Trust List (5)
4. Press * * # (Padlock in upper righthand corner will unlock)
5. Select ITL File (2)
6. Select More
7. Select Erase
8. Phone will display "Erasing CTL and ITL files" and reset
9. Phone will optionally upgrade firmware
Thanks,
Matthew Berry, CCIE #26721 (Voice)
Sr. Unified Communications Engineer, CDW
+1.763.592.5987 | protocol.by/matthewberry
From: Mike King <me at mpking.com>
Date: Wed, 4 Jan 2012 22:06:24 -0500
To: Cisco VoIPoE List <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] 79xx and Firmware 9-2-1
Ok.
Any ideas on how this happened? I'm very interested in not repeating this experience.
We added the latest devicepack, the Cius 9-2-3.cop file, and then rebooted all servers in our cluster.
Since the latest devicepack included 9-2-1 for our phones, all our phones updated. At this point, I have no idea how many phones are affected, but I have reports from nearly all of my sites, so it must be a significant number.
No settings were changed on the PUB/SUB's other than the addition of the two .cop files. I find it very disheartening/disturbing that such a minor *normal* maintenance item is going to cost me the amount of hours it's going to take to fix this.
Other than buying 3rd party software (Thanks Steve!), Cisco needs to put some serious thought in a way to fix this. I'm not the first sad story involving this *Feature*. I know I won't be the last. Touching every single phone in my environment (Because how else can you verify if it's failing or not) is not really a solution. We have sites in other states, and most of our operation is remote support.
Is factory default the only Cisco answer?
On Wed, Jan 4, 2012 at 6:24 PM, Mike King <me at mpking.com> wrote:
I have one of those sinking feelings in my stomach...........
(Clip of the phone web interface)
1856: NOT 18:01:32.717962 SECD: tvsReqAuthenticateCertificate: Received the response from TVS proxy, status: 1
1857: ERR 18:01:32.719531 SECD: Authentication failed for the HTTPS conn via TVS
1858: NOT 18:01:32.720438 SECD: srvr_cert_vfy: ** srvr cert verify FAILED ** <10.1.1.1>
1859: ERR 18:01:32.721527 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:<10.1.1.1>
1860: ERR 18:01:32.722625 SECD: EROR:clpSetupSsl: ** SSL handshake failed, <10.1.1.1> c:9 s:11
1861: ERR 18:01:32.723402 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, <10.1.1.1> c:9 s:11
1862: ERR 18:01:32.724086 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, <10.1.1.1> c:9 s:11
1863: ERR 18:01:32.724720 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr<10.1.1.1>
1864: ERR 18:01:32.725353 SECD: EROR:secErr_errStr: *** bad err table ***
1865: ERR 18:01:32.726020 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
1866: ERR 18:01:32.726704 SECD: EROR:clpSndStatus: ** SEC-ERR: desc <HTTPS cert failed auth via TVS>
1867: ERR 18:01:32.727436 SECD: EROR:clpWriteToClntSock: write() err, clnt closed ?!, errno 32, <10.1.1.1> c:9 s:11
1868: ERR 18:01:32.728124 SECD: EROR:clpSndStatus: failed to send SSL/TLS conn status, <10.1.1.1> c:9 s:11
1869: NOT 18:01:32.730813 SECD: clpDelClnt: closing conn to <10.201.27.5>, c:14, s:-1
1870: NOT 18:01:32.731684 SECD: clpDelClnt: Closing the local socket now
1871: NOT 18:01:32.740853 SECD: clpDelClnt: closing conn to <10.1.1.1>, c:9, s:11
1872: NOT 18:01:32.742630 SECD: clpDelClnt: Closing the local socket now
On Wed, Jan 4, 2012 at 6:17 PM, Mike King <me at mpking.com> wrote:
I've seen mention of TVS failure on the logs. What impact would that be?
On Jan 4, 2012 6:08 PM, "Dennis Heim" <Dennis.Heim at cdw.com> wrote:
I know I have seen that where there were issues with SBD/TVS certificate issues in the past.
Dennis Heim
Senior Engineer (Unified Communications)
CDW Advanced Technology Services
10610 9th Place
Bellevue, WA 98004
425.310.5299 Single Number Reach (WA)
317.569.4255 Single Number Reach (IN)
317.569.4201 Fax
dennis.heim at cdw.com
http://www.cdw.com/content/solutions/unified-communications/
From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Mike King
Sent: Wednesday, January 04, 2012 3:04 PM
To: Cisco VoIPoE List
Subject: [cisco-voip] 79xx and Firmware 9-2-1
I'm having a weird problem with our 7900's (7941/7945 7961/7965)
The Corporate Directory won't work on some of the phones. (We've eliminated everything but the phones themselves, I actually have two phones, on the same subnet, one exhibits behavior, one doesn't)
It says "requesting...." then eventually says Host does not respond.
We finally decided to try downgrading the phone back to 9.1.1 SR1s.
The phones that don't display the corporate directory, they also don't downgrade.
I've Reset/Restarted from CM
I've done the **#** from the keypad
I've unplugged the phone, and plugged it back in.
I've unplugged the phone, waited 5 minutes, and plugged it back in. Doesn't downgrade.
I tried a factory reset, (# key, then 123456789*0#) and the phone will then download the correct version. (I guess it has to at this point)
(And the corporate directory started working again.)
Ideas besides visiting every phone?
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
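Added example, not part of the thread or of any poster's or vendor's tooling: a Python triage script that scans saved phone console logs for the SECD signature quoted in the excerpt above (server certificate verification failing together with the HTTPS certificate failing authentication via TVS) and lists the phones that show it. It assumes each phone's log text has already been saved by some means; the phone names and the `analyze`/`triage` helpers are hypothetical.

```python
import re
from collections import defaultdict

# One console-log line as quoted in the thread:
#   "<seq>: <NOT|ERR> <hh:mm:ss.ffffff> SECD: <message>"
LINE_RE = re.compile(r"^\d+: [A-Z]{3} \d\d:\d\d:\d\d\.\d+ SECD: (?P<msg>.*)$")
PEER_RE = re.compile(r"<(\d{1,3}(?:\.\d{1,3}){3})>")
SUBCODE_RE = re.compile(r"SEC-ERR: code:\d+\([^)]*\) subcode:\d+\((\w+)\)")
# Message fragments copied verbatim from the excerpt in the thread.
MARKERS = {
    "tvs_auth_failed": "Authentication failed for the HTTPS conn via TVS",
    "cert_verify_failed": "srvr cert verify FAILED",
    "handshake_failed": "SSL/TLS handshake failed",
    "tvs_cert_rejected": "HTTPS cert failed auth via TVS",
}

def analyze(log_text):
    """Summarise one phone's SECD log: failing peers, SEC-ERR subcodes, verdict."""
    flags, subcodes, peers = set(), set(), defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate blank, wrapped or non-SECD lines
        msg = m["msg"]
        hits = {name for name, frag in MARKERS.items() if frag in msg}
        flags |= hits
        peer = PEER_RE.search(msg)
        if peer and hits:
            peers[peer.group(1)] |= hits
        sc = SUBCODE_RE.search(msg)
        if sc:
            subcodes.add(sc.group(1))
    failed = sorted(p for p, h in peers.items() if "cert_verify_failed" in h)
    via_tvs = bool(flags & {"tvs_auth_failed", "tvs_cert_rejected"})
    return {"tvs_trust_failure": via_tvs and bool(failed),
            "failed_peers": failed, "subcodes": sorted(subcodes)}

def triage(logs_by_phone):
    """Return the names of phones whose log shows the failure signature."""
    return sorted(n for n, t in logs_by_phone.items() if analyze(t)["tvs_trust_failure"])

# Constructed samples built from lines of the excerpt; phone names are placeholders.
AFFECTED = """\
1857: ERR 18:01:32.719531 SECD: Authentication failed for the HTTPS conn via TVS
1858: NOT 18:01:32.720438 SECD: srvr_cert_vfy: ** srvr cert verify FAILED ** <10.1.1.1>
1861: ERR 18:01:32.723402 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, <10.1.1.1> c:9 s:11
1865: ERR 18:01:32.726020 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
1866: ERR 18:01:32.726704 SECD: EROR:clpSndStatus: ** SEC-ERR: desc <HTTPS cert failed auth via TVS>"""
HEALTHY = """\
1869: NOT 18:01:32.730813 SECD: clpDelClnt: closing conn to <10.201.27.5>, c:14, s:-1
1870: NOT 18:01:32.731684 SECD: clpDelClnt: Closing the local socket now"""

if __name__ == "__main__":
    print(triage({"PHONE-PLACEHOLDER-A": AFFECTED, "PHONE-PLACEHOLDER-B": HEALTHY}))
```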