<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In summary sounds like this thread from couple weeks ago? Or is it a different issue?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="http://www.gossamer-threads.com/lists/cisco/voip/151203?search_string=itl;#151203">http://www.gossamer-threads.com/lists/cisco/voip/151203?search_string=itl;#151203</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#660066'>CSCtr27100 TVS inaccurately reports New </span><b><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:black;background:#FFFF80'>ITL</span></b><span style='font-size:10.0pt;font-family:"Verdana","sans-serif";color:#660066'> File has been generated</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Jason Aarons<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Consultant<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Dimension Data<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>904-338-3245 mobile</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] <b>On Behalf Of </b>Nathan Reeves<br><b>Sent:</b> Wednesday, August 17, 2011 10:47 AM<br><b>To:</b> cisco-voip@puck.nether.net<br><b>Subject:</b> [cisco-voip] Issues with certificate security following upgrade to 8.6<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><br><br>Upgraded our cluster from 8.0.3 to 8.6.1 last weekend. Upgrade<br>completed successfully (took a while but given it was a major jump I<br>expected that). Everything appeared to be working fine but come<br>Monday I started getting calls from users who couldn't use the<br>corporate directory on their phones. When they attempted to access<br>it, a 'host not found' error occurred. Ended up tracing this back to<br>the phones being unable to access https based links due to a tvs /<br>certain issue.<br><br>At this point, the manual deletion of the phones security tlv file<br>fixes the issue. I think i've got about 100 phones affected, so the<br>process isn't too bad to get done, just going to be time consuming.<br><br>What I want to try and work out is what I've done wrong in the upgrade<br>process which has caused this issue. Basic overview of the steps<br>taken is as follows:<br>- upgraded pub to 8.6.1. Booted back into 8.0.3 following upgrade.<br>- upgraded sub to 8.6.1. For some reason, even though I marked not<br>to boot to the upgraded partition, it booted into 8.6.1.<br>- booted pub into 8.6.1.<br>- waited for phones to settle down. Eg from switchback to sub and<br>firmware upgrades etc.<br>- updated servers to use dns (previously dns was not set).<br>- checked that db replication was successful (saw some issues which a<br>reboot and updating reverse dns entries appeared to fix.)<br>- 48 hours later installed new tomcat certs which had been signed by<br>our windows domain CA.<br><br>In troubleshooting the cert issue on the phones, I can see it heads to<br>the tvs to do a cert verify when it tries to access ssl links and<br>secured tftp. On the phones I can see it send a request to the tvs<br>and it lists a certificate serial which I'm assuming it is trying to<br>verify. The request then fails and the phone fails to load the<br>cnf.XML etc. If I check the two servers, both have a certificate<br>which matches the serial listed on the phone when it is requesting the<br>tvs to check the cert.<br><br>I saw the previus issue with 8.5.1 and the tftp tlv file failing to be<br>written but it's a different issue to that. In looking at the tvs<br>logs, I do see a file failed to be written but with an error -2. The<br>file was ctlfile.tlv.<br><br>Have I caused this issue with the update of the dns settings on the<br>servers and a possible regeneration of the certifates at this point.<br>Was there a process I should have followed.<br><br>I'm considering contacting tac in the morning to see if theres<br>anything obvious I've done wrong and if there's a way to resolve the<br>issue without touching phones manually, but if it's obvious to someone<br>here what I've screwed up it would be great to hear it.<br><br>Thanks<br><br>Nathan<br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a> <br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a> <br><br><br><span style='color:white'>itevomcid</span> <o:p></o:p></p></div></body></html>