Justin,<br><br>I worked with your TAC engineer on this service request and just wanted to bring this conversation back full circle.<br><br>I took a closer look at this problem and noticed the Certificate being used for TVS:<br>
<br>"show itl" from the SSH Admin CLI of the CUCM Server<br><br>was invalid. The OU was longer than 64 characters.<br><br>I've filed this defect:<br><br>CSCtl45017 CUCM should validate length of X.500 O, OU, Locale, and State strings<br>
<br>to address the problem.<br><br>You correct the issue by running <br><br>"set web-security" again with and specifying shorter values in the fields.<br><br>So just a heads up to anyone on the list, if you enter too many characters in your certificate (>64 for the O, or OU.... >128 for Locality and State) you may experience odd behavior with TVS and other security operations. This should be corrected moving forward (the command will disallow entry of extra characters past the X.500 specification).<br>
<br>-Jason<br><br><br><div class="gmail_quote">On Tue, Dec 14, 2010 at 4:12 AM, Ahmed Elnagar <span dir="ltr"><<a href="mailto:ahmed_elnagar@rayacorp.com">ahmed_elnagar@rayacorp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">What CUCM version exactly are you facing the below problem with?</span></p><p class="MsoNormal">
<span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p><p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">Best Regards,</span></p><p class="MsoNormal" style="background: none repeat scroll 0% 0% white;">
<span style="font-size: 11pt; color: rgb(31, 73, 125);">Ahmed Elnagar | CCIE#24697 Voice</span><span style="font-size: 11pt; color: rgb(31, 73, 125);"></span></p><p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> <a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a> [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>] <b>On Behalf Of </b>Justin Steinberg<br>
<b>Sent:</b> Tuesday, December 14, 2010 2:13 AM<br><b>To:</b> Jason Burns<br><b>Cc:</b> cisco voip<br><b>Subject:</b> Re: [cisco-voip] CM 8 ITL and TFTP problems</span></p><div><div></div><div class="h5"><p class="MsoNormal">
</p><div><p class="MsoNormal">What firmware are your phones running ?</p></div><div><p class="MsoNormal"> </p></div><p class="MsoNormal">I have a TAC case open on this. It is definitely a problem with the Trust Verification Services (TVS) and Initial Trust List (ITL) setup.</p>
<div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">A new out of the box phone connects to CM TFTP, downloads the proper firmware (CM 8.0.3a and 7945 SCCP 9.0.3). Then the phone registers. Immediately after that, the phone updates the ITL file. Then the phone begins to reject the configuration file (phone doesn't get proper time zone among other things). The ringlist.xml.sgn, background images, corporate directory (https i guess), personal directory (https?) also don't work. </p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">TAC has tried a few things but still having the problem and we will look into it more tomorrow.</p></div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">
I did upload 8.5.2sr1 firmware to CM TFTP including term45.defaults. I then factory reset a 7945 phone having the ITL problem with firmware 9.0.3 and when the phone resets and applys 8.5.2sr1 everything works fine. </p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Documentation on exactly how ITL works and what it is verifying is not good. In my case, the phone is definitely getting an ITL file, but for whatever reason the subsequent files it receives from the same CM server are being rejected by the ITL verification.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">This is a new install of 8.0.3a precutover. This makes me nervous about any existing deployments upgrading to a CM8 version with ITL - especially since I don't really understand the ITL process and can't find much doc on it. Having to manually go around and delete ITL files off of phones would be a pain. I'm not sure if that will be required in my case, but I'll update the list as I learn more.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal"> </p><div><p class="MsoNormal">On Sun, Dec 12, 2010 at 9:34 PM, Jason Burns <<a href="mailto:burns.jason@gmail.com" target="_blank">burns.jason@gmail.com</a>> wrote:</p>
<p class="MsoNormal">Justin,</p><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Option 150 is usually an array of IPv4 addresses. This is how I have it setup with my CUCM 8 cluster and my phones are downloading their configuration files successfully. Your config as you've described it should be fine.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">I'd be curious to see if the phone is downloading the config file and then rejecting it, or if the phone isn't able to contact the TFTP server.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">One great way to check is to go to the webserver on the IP Phone (if it's in a state where the web server is active) and download the console log files.</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">The phone is going to try downloading the config file, and then compare the signature in the file with the ITL file contents. Post back the contents of the console logs, or let us know if you see any errors there. A good first troubleshooting step is to restart the TFTP service on CUCM and then delete the ITL from the phone. This will make sure the phone and the server have the same copy of the ITL file. (The phone will download the new ITL as soon as you delete it.)</p>
</div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">-Jason</p></div><div><p class="MsoNormal"> </p><div><div><div><p class="MsoNormal">On Thu, Dec 9, 2010 at 10:34 PM, Justin Steinberg <<a href="mailto:jsteinberg@gmail.com" target="_blank">jsteinberg@gmail.com</a>> wrote:</p>
</div></div><blockquote style="border-width: medium medium medium 1pt; border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;">
<div><div><p class="MsoNormal">New cm 8 install and I'm having issues with the 7945 phones not being<br>able to download files (ringlist, phone config file, etc) from TFTP.<br><br>I think it is related to ITL and the security by default.<br>
<br>My CM is setup User system>server as IP address. My voice vlan dhcp<br>scopes are setup with IP addresses for the option 150 values.<br><br>When I look at the phone, under the security section and ITL section I<br>
see the TFTP server is referred there as the FQDN.<br><br>I think my prob is the dhcp scope is IP and do it's not matching the ITL value.<br><br>Has anyone dealt with this or understand what is going on?<br><br>Justin</p>
</div></div><p class="MsoNormal">_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a></p>
</blockquote></div><p class="MsoNormal"> </p></div></div><p class="MsoNormal"> </p></div></div></div></div><div> </div>Disclaimer: NOTICE The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. Raya will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any malicious code or virus being passed on. Views expressed in this communication are not necessarily those of Raya.If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return and/or destroy the original message. </div>
</blockquote></div><br>