[cisco-voip] CTL question

Thu Jan 23 12:45:47 EST 2014

You may want to grab a packet capture and see what these files look like.  I did find a similar case where the TFTP server lost connection to the other nodes causing some TFTPEngine::"stopAsyncIO" error messages and they had to restart the TFTP service on the TFTP server to resolve.

From: Ed Leatherman [mailto:ealeatherman at gmail.com]
Sent: Thursday, January 23, 2014 12:37 PM
To: Brian Meade (brmeade)
Cc: Cisco VOIP
Subject: Re: [cisco-voip] CTL question

Only thing that changed has been publisher node. Subs are unchanged also.

Interestingly enough, I pulled a brand new 8945 out of box, changed the config on one of the sets that wouldn't register on site, and plugged it in here at my desk, and it loads up just fine. Waiting for them to get back with one of the ones that wouldn't load up.

Here's the console log from one of the sets:
17:29:37, 06/07/2012 : CTLSEP20BBC0DFE737.tlv updating

17:29:37, 06/07/2012 : CTLSEP20BBC0DFE737.tlv updated successfully

17:29:37, 06/07/2012 : ITLSEP20BBC0DFE737.tlv updating

17:29:38, 06/07/2012 : ITLSEP20BBC0DFE737.tlv updated successfully

17:29:38, 06/07/2012 : CTL and ITL installed

ERROR: Authenticating configuration file SEP20BBC0DFE737.cnf.xml.sgn
17:29:38, 06/07/2012 : invalid file SEP20BBC0DFE737.cnf.xml.sgn, authenticated fail. Reas
n:14.

--> dot1x_activate(468) :

On Thu, Jan 23, 2014 at 12:32 PM, Brian Meade (brmeade) <brmeade at cisco.com<mailto:brmeade at cisco.com>> wrote:
Would probably want to look at the console logs on one of those 8945s with the authentication errors.  First verify they are getting the CTL okay.  Possible the TFTP address on the phones isn’t pointed to the TFTP server?

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net<mailto:cisco-voip-bounces at puck.nether.net>] On Behalf Of Ed Leatherman
Sent: Thursday, January 23, 2014 12:01 PM

To: Cisco VOIP
Subject: [cisco-voip] CTL question

Hi folks,

I have a cluster in mixed mode, last weekend we were scheduled to replace the publisher and TFTP server hardware (migrate to VMWare), cm 8.6. No version upgrade just a re-install onto VMWare.

We ran out of maintenance window waiting for publisher to restore and db replication, so I left the TFTP server alone for another weekend. Also since pub is not registering phones or running TFTP, I did not resign the CTL file to avoid any more cluster wide phone reboots. I plan on resigning it after I migrate TFTP this weekend.

Up until now i haven't had any issues with leaving the CTL file alone; however this morning we tried deploying some brand new 8945's and they are coming up with authentication error on their config files, which I can't figure out why at this point. I can't reproduce the issue on my office phone (also a 8945), it happily downloads the current config files without complaint, even if I delete CTL/ITL.

Am I barking up the wrong tree here with this? shouldn't the phones just be checking the TFTP server's signature, which didnt change, against the CTL or ITL?

I asked the technician to delete the security files on the 8900s in case for some reason they had a CTL or ITL from the factory, said it didnt help. I'm having him bring a couple phones back to troubleshoot with and verify though.

We are only doing signed configs right now, not encrypted files or control/media.

--
Ed Leatherman

--
Ed Leatherman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20140123/7f369bad/attachment.html>