[cisco-voip] TLS Error on Phone after reset

Reto Gassmann voip at mrga.ch
Fri Feb 15 02:06:03 EST 2013


Hello

I opened a TAC for this issue.
We had to renew all certificates on the phones.
(Install/Update CAPF on Device with BAT and restart all phones to get new
certificate)

TAC also told me that the LSC is valid for five years. After five years
you have to renew the certificate even if you upgraded the CUCM in the
meantime.

Regards and thanks for your input.
Reto


2013/2/8 Jason Burns <burns.jason at gmail.com>

> Give this a read through and see if any of the troubleshooting steps help
> you out. It has a "Step by Step" of every item in the process that you need
> to check. If you walk through those and things are still broken then I
> would say you need a TAC case and to dig into some advanced logs.
> https://supportforums.cisco.com/docs/DOC-18834
>
> I would compare the CallManager.pem certificates in OS Administration to
> the certificates inside of "show ctl", then go through the rest as well.
>
> Also, Chris did have some good questions about the model, firmware
> version, and extent of the problem.
>
>
> On Thu, Feb 7, 2013 at 11:06 AM, Reto Gassmann <voip at mrga.ch> wrote:
>
>> Hi Jason
>>
>> thanks for your input. I have set an email address to get a notification
>> if a certificate expires.
>> I have also checked all the certificates and they are valid at least
>> until 2015. (CAPF.pem is valid until May 5 22:00:41 2015 GMT)
>>
>> Any other ideas?
>>
>> Thanks
>> Reto
>>
>>
>> 2013/2/7 Jason Burns <burns.jason at gmail.com>
>>
>>> Reto and Chris,
>>>
>>> I wonder how long this cluster has been installed and using security.
>>> The CAPF certificates and LSC Certificates have a lifetime of 5 years from
>>> the date of generation. It could be possible that these certificates
>>> (Either CAPF or the individual LSC certificates) have expired.
>>>
>>> I would check the OS Administration page under Security > Certificates
>>> and view the validity period of the CAPF.pem certificate. Also, now would
>>> be a good time to go into OS Admin > Security > Certificate Monitor and
>>> configure a valid email address so you can be emailed for future
>>> certificate expiration. Keep in mind that this means you'll need to enter a
>>> valid SMTP server under OS Admin > Settings > SMTP.
>>>
>>> Even if I'm wrong hopefully you got some good info ;)
>>>
>>> -Jason
>>>
>>>
>>> On Thu, Feb 7, 2013 at 9:53 AM, Chris Ward (chrward) <chrward at cisco.com> wrote:
>>>
>>>> What is the model and firmware version of the phones facing this
>>>> issue? Is it all phones or just a subset?
>>>>
>>>> +Chris
>>>>
>>>> Unity Connection TME
>>>>
>>>> *From:* cisco-voip-bounces at puck.nether.net [mailto:
>>>> cisco-voip-bounces at puck.nether.net] *On Behalf Of *Reto Gassmann
>>>> *Sent:* Thursday, February 07, 2013 9:45 AM
>>>> *To:* cisco-voip at puck.nether.net
>>>> *Subject:* [cisco-voip] TLS Error on Phone after reset
>>>>
>>>> Hello group
>>>>
>>>> we have a problem with our phones that started this afternoon. If a
>>>> phone restarts for any reason (reset or network unplugged) it shows a TLS
>>>> Error (TLS Error: [CUCM IP]).
>>>>
>>>> We can fix the problem when we go to the device in the CUCM
>>>> Administration and choose Install/Upgrade in the CAPF Information section.
>>>> After resetting the Device the IPPhone starts and updates the
>>>> certificate.
>>>>
>>>> What could cause such a behaviour and how could we fix it?
>>>>
>>>> We have a CUCM 7.1(3a) and have the phones authenticated.
>>>>
>>>> Thanks Reto
>>>>
>>>
>>
>
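
Added example, not part of the original thread: a small expiry triage over certificate notAfter dates, illustrating the situation in this thread where CAPF.pem was still valid while LSCs on the phones needed renewal. Only the CAPF.pem date comes from the thread; the LSC device names, their dates, the reference time and the 90-day warning window are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory of (name, notAfter) pairs. Only the CAPF.pem date is
# taken from the thread; the LSC device names and dates are made up.
SAMPLE = [
    ("CAPF.pem", "May 5 22:00:41 2015 GMT"),
    ("LSC SEP000000000001", "notAfter=Feb  7 09:30:00 2013 GMT"),
    ("LSC SEP000000000002", "Mar 20 12:00:00 2013 GMT"),
    ("LSC SEP000000000003", "unknown"),
]

# Constructed reference time (the day the problem was first reported).
REFERENCE_NOW = datetime(2013, 2, 7, 14, 45, tzinfo=timezone.utc)


def triage(certs, now, warn_days=90):
    """Return [(name, status, days_left)], most urgent entries first."""
    rows = []
    for name, not_after in certs:
        # Accept both the bare date and openssl's "notAfter=<date>" form.
        value = not_after.split("=", 1)[-1].strip()
        try:
            expires = ssl.cert_time_to_seconds(value)
        except ValueError:
            # A date we cannot read needs a manual look, so list it first.
            rows.append((name, "UNPARSEABLE", None))
            continue
        days_left = int((expires - now.timestamp()) // 86400)
        if expires <= now.timestamp():
            status = "EXPIRED"
        elif days_left < warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        rows.append((name, status, days_left))
    rows.sort(key=lambda r: (r[2] is not None, r[2] or 0))
    return rows


if __name__ == "__main__":
    for name, status, days_left in triage(SAMPLE, REFERENCE_NOW):
        print(f"{status:<12} {name:<22} days_left={days_left}")
```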