[cisco-voip] unexpected behaviour with "Prepare Cluster for Rollback" and migrating phones between v9 and v7 cluster

Brian Meade (brmeade) brmeade at cisco.com
Thu Feb 20 11:21:03 EST 2014


Lelio,

The trust list definitely contains the certificates.  The actual ITL will be signed by the CallManager.pem certificate of the TFTP node the phone downloaded it from.  It will also have a TFTP entry for that node with the same CallManager.pem certificate.  The ITL should then have a bunch of TVS certificates for all of your nodes in order to be used for authenticating any unknown certificates.

So you said the old cluster it was registering to was 7.x, right?

If so, the phones with a valid ITL should be requesting signed config files which the 7.x should be responding to with File Not Found errors.

If the phones used their cached config files, they would probably be able to register to the old cluster since the IP addresses are the same and there’s nothing preventing the phone from sending SCCP register messages to the old cluster.  Things like line changes are done via SCCP so adding a second DN would probably work but any changes on the device itself would probably fail such as enabling or disabling web access since that is set in the actual config file.

Thanks,
Brian Meade
From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Thursday, February 20, 2014 10:50 AM
To: cisco-voip voyp list
Subject: Re: [cisco-voip] unexpected behaviour with "Prepare Cluster for Rollback" and migrating phones between v9 and v7 cluster


As a follow up to this, I'm still a little confused.

I have confirmed

  *   that the phone that I removed after setting the "Prepare Cluster for Rollback" to True, had an empty trust list
  *   that the phone that I removed after setting the "Prepare Cluster for Rollback" to False, had an non-empty trust list

     *   TFTP: fqdn of TFTP server
     *   TVS: fqdn of PUB
     *   TVS: fqdn of SUB1

  *   this was with only changing the parameter and resetting phones, no restarts of TFTP or TVS services.

I was also able to confirm that:

  *   both the phone with an empty trust list AND non-empty trust list were able to register to the old cluster
  *   I was able to change the configuration (adding a secondary DN) to both phones and they both accepted them

Is the trust list simply a _list_ of acceptable hosts? And because the (fqdn) hostnames and IP addresses are the same on both clusters the phones are still able to register and accept changes?



If not simply a list, and it uses the host certificates, i.e. it uses host certificates to either build the list hash or push the certificates down to the phones, is what I am seeing the same certificate being generated on each host? I mean, I'm using all the same information, could that be possible? I don't know which certificates to compare, or I would have provided the results of that test.



Thoughts?



Lelio











---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519‐824‐4120 Ext 56354
lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>
www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs>
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1

________________________________
From: "Lelio Fulgenzi" <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>>
To: "cisco-voip voyp list" <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Sent: Wednesday, February 19, 2014 4:37:35 PM
Subject: unexpected behaviour with "Prepare Cluster for Rollback" and migrating phones between v9 and v7 cluster

OK, now I am officially confused. ;)

I was under the impression that once a phone has registered to a v9 cluster, it downloads an ITL trust list/file which prevents it from registering to a v7 cluster. To help with this, the "Prepare Cluster for Rollback" enterprise parameter was introduced.

Here's what I did:

  *   upgraded offline cluster (all servers had same hostname and IP address)
  *   set the "Prepare Cluster for Rollback" parameter to True and clicked Save (because there were no phones registered, I did not "Apply Changes")
  *   plugged phones into the offline network
  *   phones registered to the new offline v9 cluster
  *   checked phone security pages - they showed ITL files listed (that long string of numbers)
  *   thinking it was the "Apply Changes" that missed something, I clicked that
  *   phones restarted, but still showed an ITL file
  *   brought a phone back to the live network, phone registered to the v7 cluster (still has an ITL file listed)
  *   on offline cluster, change the "Prepare Cluster for Rollback" to False, clicked Save, clicked Apply Changes (phones restarted, and showed an ITL file)
  *   I picked up one of the phones from the offline network (now in rollback=false mode) and brought it to the live network. It registered to the v7 cluster.

So what I see are a few things confusing me:

  *   Why do phones still have ITL files if the cluster is in rollback mode. This is not a big deal, but I'd like to be able to tell from the phone when it's registered with the "Prepare Cluster for Rollback" set to TRUE.
  *   Why does a phone that registers to a v7 cluster still have it's ITL file set?
  *   Why (and this is the one that gets me) does a phone that was on v9 with "Prepare Cluster for Rollback" set to FALSE successfully register to the v7 cluster?

Is the ITL trust list a simple hash of the IP addresses and host names of the cluster members? If I don't change anything, things will continue to work?



Is something wrong with my logic and steps? I was testing with a 7942 and a 7962.



Lelio


---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519‐824‐4120 Ext 56354
lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>
www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs>
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20140220/ce233b7a/attachment.html>


More information about the cisco-voip mailing list