[cisco-voip] cisco phone-vpn cert expiration

Erick Wellnitz ewellnitzvoip at gmail.com
Fri Jan 31 11:27:38 EST 2014


Something to try on the next cluster.




On Thu, Jan 30, 2014 at 4:45 PM, Justin Steinberg <jsteinberg at gmail.com>wrote:

> This can also happen if you used a wildcard cert.
>
> The workaround is to upload the new wildcard cert to a sub's osadmin page.
> Then on ccmadmin, both the old and new are available.
> On Jan 30, 2014 4:15 PM, "Erick Wellnitz" <ewellnitzvoip at gmail.com> wrote:
>
>> We aren't terribly worried because there are only about 7 of these phones
>> out there.  We'll let them have their temper tantrum and then they'll bring
>> their phones back.
>>
>> We've had really bad luck with these phone vpn setups.
>>
>>
>> On Thu, Jan 30, 2014 at 3:07 PM, Brian Meade (brmeade) <brmeade at cisco.com> wrote:
>>
>>>  What you could do to resolve the phones without bringing them in would
>>> be to temporarily set up a NAT with a static IP for one of your TFTP
>>> servers just for TFTP traffic and use the Alternate TFTP settings on the
>>> phones so they can pull the new config files with the new certificate in
>>> them.  But it may be a little risky opening up the TFTP service on one node
>>> to the outside world temporarily.
>>>
>>>
>>>
>>> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
>>> *Sent:* Thursday, January 30, 2014 3:51 PM
>>> *To:* Brian Meade (brmeade)
>>> *Cc:* cisco-voip
>>> *Subject:* Re: [cisco-voip] cisco phone-vpn cert expiration
>>>
>>>
>>>
>>> The old one was expired.  That might make the difference.
>>>
>>> On Thu, Jan 30, 2014 at 2:40 PM, Brian Meade (brmeade) <
>>> brmeade at cisco.com> wrote:
>>>
>>> Erick,
>>>
>>>
>>>
>>> It shouldn't have replaced the other VPN-trust in certificate
>>> management. I've done this scenario successfully with many customers.
>>> I'll try this in the lab. It may be due to the same Common Name on the
>>> certificate, but usually it will just rename the new one to something like
>>> commonname-1.pem.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Brian
>>>
>>>
>>>
>>> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
>>> *Sent:* Thursday, January 30, 2014 3:24 PM
>>> *To:* Brian Meade (brmeade)
>>> *Cc:* cisco-voip
>>> *Subject:* Re: [cisco-voip] cisco phone-vpn cert expiration
>>>
>>>
>>>
>>> This did not work as described.
>>>
>>>
>>>
>>> The new cert took the place of the old one in certificate management. Now
>>> if a VPN phone reboots for any reason it cannot reconnect.
>>>
>>>
>>>
>>> On Tue, Jan 28, 2014 at 9:27 AM, Brian Meade (brmeade) <
>>> brmeade at cisco.com> wrote:
>>>
>>> Erick,
>>>
>>>
>>>
>>> You can add a 2nd cert to the VPN Gateway configuration after you add
>>> it as a VPN-Trust.
>>>
>>>
>>>
>>> So what you want to do is create a new trustpoint on the ASA with the
>>> new certificate, upload that to CUCM as a phone-vpn-trust, and then add it
>>> as a 2nd cert to the VPN Gateway.
>>>
>>>
>>>
>>> You'll then want to make sure all the VPN phones get reset so they get
>>> the new certificate as well.
>>>
>>>
>>>
>>> After all the VPN phones have both certificates, you can then change SSL
>>> on the ASA to bind to the other trustpoint and start using the new
>>> certificate.
>>>
>>>
>>>
>>> If you follow that method, you won't have to bring any of the VPN phones
>>> back in as long as they're connected.  The main problem with this method is
>>> that some people have VPN phones they rarely connect, so you'll need to make
>>> sure everyone connects their phones to get the new certificate before you
>>> make the change on the ASA.
>>>
>>>
>>>
>>> Brian
>>>
>>>
>>>
>>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On
>>> Behalf Of *Erick Wellnitz
>>> *Sent:* Tuesday, January 28, 2014 10:20 AM
>>> *To:* cisco-voip
>>> *Subject:* [cisco-voip] cisco phone-vpn cert expiration
>>>
>>>
>>>
>>> I have a situation I'm sure isn't unique.
>>>
>>>
>>>
>>> What happens when I upload a new phone-vpn cert to the CUCM to replace
>>> an expired/expiring one?
>>>
>>>
>>>
>>> Are vpn phones going to freak out and stop authenticating to the VPN or
>>> should everything be smooth sailing?
>>>
>>>
>>
>>
>>
>>
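The staged swap Brian describes above (new cert uploaded as a phone-vpn-trust, phones reset, then the ASA re-pointed at the new trustpoint) fails exactly when the ASA starts serving a cert the phones have not yet trusted, or when the old cert runs out before everyone has reconnected. The following pre-cutover check is an added example, not code from the thread or from Cisco: it assumes openssl is on PATH and that the phone-vpn-trust certificates have been exported from CUCM as PEM files into one directory.

```shell
#!/bin/sh
# Pre-cutover check for the phone-VPN certificate swap (added example).
# Assumes: openssl on PATH; CUCM phone-vpn-trust certs exported as PEM files.

# SHA-1 fingerprint of a PEM certificate, as shown in CUCM Certificate Management.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2; }

# Succeeds (0) if the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds if the new identity cert ($1) is already among the trusted PEMs in $2.
new_cert_is_trusted() {
  new_fp=$(cert_fp "$1")
  for t in "$2"/*.pem; do
    [ -f "$t" ] || continue
    [ "$(cert_fp "$t")" = "$new_fp" ] && return 0
  done
  return 1
}

# cutover_ok CURRENT.pem NEW.pem TRUSTDIR GRACE_DAYS
# Safe (0) only when phones already trust the new cert AND the cert the ASA
# serves today outlives the window you give rarely-connected phones to reset.
cutover_ok() {
  new_cert_is_trusted "$2" "$3" || { echo "new cert is not a phone-vpn-trust yet"; return 1; }
  cert_valid_for_days "$1" "$4" || { echo "current cert expires within $4 days"; return 2; }
  return 0
}

# Constructed sample data: two self-signed certs standing in for the ASA
# identity certs (same CN, as in the thread); phones currently trust only the old one.
make_samples() {   # make_samples DIR -> DIR/old.pem DIR/new.pem DIR/trust/*.pem
  mkdir -p "$1/trust"
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=vpn.example.com -days 5 \
    -keyout "$1/old.key" -out "$1/old.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=vpn.example.com -days 365 \
    -keyout "$1/new.key" -out "$1/new.pem" 2>/dev/null
  cp "$1/old.pem" "$1/trust/vpn.example.com.pem"
}
```

Run `cutover_ok` against the cert currently bound with `ssl trust-point` and the new one before changing that binding; a non-zero result means a rebooting phone would be stranded.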