Hello Ryan<div><br></div><div>Thanks for the information. Here are my replies, and sorry for the delay:</div><div>- Customer not available for manual TFTP download test. Will update ASAP.</div><div>- Dedicated TFTP.</div><div>
- replication status is at 2. I do however see a high number of replicates that are queued in the replication queue. I also saw that the publisher has lost synchronization with the NTP server. Could this cause the issue?</div>
<div>- I tried to do the modification directly on the TFTP server so it knew about the device</div><div><br></div><div>Ovidiu</div><div><br></div><div><br><div class="gmail_quote">On Tue, May 22, 2012 at 3:43 AM, Ryan Ratliff <span dir="ltr"><<a href="mailto:rratliff@cisco.com" target="_blank">rratliff@cisco.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div>For starters Ed's original response is correct. If a phone has an ITL or CTL it will always request a signed config file. </div>
<div><br></div>To your issue: first of all, can you even do a manual TFTP download of the phone's config file? Unless there are some serious cert issues and TFTP just isn't able to sign a config file, the file not being present is unlikely to be a security issue.<div>
Is the TFTP server the publisher or a sub? If it's a sub, then what does your database replication look like? TFTP can only build config files for phones it knows about via the local database. If you can't save a device from CCMAdmin, then you've got some database issues that could be impacting TFTP as well.<span class="HOEnZb"><font color="#888888"><div>
<br></div></font></span><div><span class="HOEnZb"><font color="#888888"><div>
<span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><div>
-Ryan</div></span>
</div></font></span><div><div class="h5">
<br><div><div>On May 21, 2012, at 5:53 PM, Ovidiu Popa wrote:</div><br>
<div bgcolor="#FFFFFF" text="#000000">
It appears that I was focused in the wrong direction. The problem is
not the fact that the phones request a signed configuration file;
it's the fact that the TFTP answers with "File not found". <br>
<br>
The test cluster is based on a restore from a production backup and
the same phone works correctly with the production cluster.<br>
If I try to generate the signed configuration file nothing seems to
work (restarted tftp, deleted itl, rebooted the phone several times,
deleted phone security and network settings, apply config
button)... If I try to modify and save the configuration the
operation is rejected with the following message " Update failed.
Could not insert new row - duplicate value in a UNIQUE INDEX column
(Unique Index:x_device_name)". <br>
<br>
This is weird since I'm not trying to add a new phone, I'm only
modifying the existing phone.<br>
<br>
<br>
<br>
On 21/May/12 10:40 PM, Jason Aarons (AM) wrote:
<blockquote type="cite">
<div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">There
is the Pre-8.0 Rollback Service Parameter that disables ITL
but you need it set before phones see the upgraded
CallManager. So any upgrade you need to shut down phones
first I suspect.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>
[<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">mailto:cisco-voip-bounces@puck.nether.net</a>] <b>On
Behalf Of </b>Ed Leatherman<br>
<b>Sent:</b> Monday, May 21, 2012 4:35 PM<br>
<b>To:</b> Ovidiu Popa<br>
<b>Cc:</b> cisco-voip<br>
<b>Subject:</b> Re: [cisco-voip] cnf.xml.sgn for
non-secure cluster?<u></u><u></u></span></p>
</div>
</div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><br>
<br>
Per my understanding, being on CUCM 8+ implies
security-by-default is in use and your phone is going to get
an ITL file and thus request signed config files:<u></u><u></u></p>
<div><p class="MsoNormal"><u></u> <u></u></p>
</div>
<div><p class="MsoNormal"><a href="https://supportforums.cisco.com/docs/DOC-17679" target="_blank">https://supportforums.cisco.com/docs/DOC-17679</a><u></u><u></u></p>
<div><p>Security By Default provides these three functions for
supported IP Phones:<u></u><u></u></p>
<ol start="1" type="1">
<li class="MsoNormal">Default authentication of TFTP downloaded
files (configuration, locale, ringlist, etc) using a
signing key. <u></u><u></u></li>
<li class="MsoNormal">Optional encryption of TFTP configuration
files using a signing key. <u></u><u></u></li>
<li class="MsoNormal">Certificate verification for phone
initiated HTTPS connections using a remote certificate
trust store on Communications Manager (Trust
Verification Service).<u></u><u></u></li>
</ol>
<div><p class="MsoNormal"><u></u> <u></u></p>
</div>
<div><p class="MsoNormal">On Mon, May 21, 2012 at 4:28 PM,
Ovidiu Popa <<a href="mailto:ovi.popa@gmail.com" target="_blank">ovi.popa@gmail.com</a>>
wrote:<u></u><u></u></p>
<div><p class="MsoNormal">My understanding is that ITL is
required for several reasons:<br>
- used to store the trusted certificates required for
the TLS session to the TVS web service (not related to
cluster mixed mode as https web services can be
activated even if the cluster is unsecure)<br>
- used to validate file signatures (only if the
cluster is in mixed mode)<br>
<br>
If this is correct I think it is normal that I have an
ITL file, but my question still stands: how come the
phone requests a signed file if the cluster is not secure?<br>
<br>
Thanks,<br>
Ovidiu<u></u><u></u></p>
<div>
<div><p class="MsoNormal"><br>
<br>
<br>
<br>
On 21/May/12 8:03 PM, Ed Leatherman wrote: <u></u><u></u></p><p class="MsoNormal">Hello, <u></u><u></u></p>
<div><p class="MsoNormal"><u></u> <u></u></p>
</div>
<div><p class="MsoNormal">My understanding is that the
phone requests a CTL or ITL file when it boots.
If it ever actually gets a CTL or ITL file, from
that point on it will always request a signed
configuration file, unless the CTL or ITL files
are manually deleted from the phone. If I'm
incorrect hopefully someone will chime in :)<u></u><u></u></p>
</div>
<div><p class="MsoNormal"><u></u> <u></u></p>
</div>
<div><p class="MsoNormal" style="margin-bottom:12.0pt">Ed<u></u><u></u></p>
<div><p class="MsoNormal">On Mon, May 21, 2012 at
1:12 PM, Ovidiu Popa <<a href="mailto:ovi.popa@gmail.com" target="_blank">ovi.popa@gmail.com</a>>
wrote:<u></u><u></u></p>
<div><p class="MsoNormal">Hello everyone <u></u><u></u></p>
</div>
<div><p class="MsoNormal"><u></u> <u></u></p>
</div>
<div><p class="MsoNormal">Anyone know how a phone
detects if it needs to download a signed or
unsigned configuration file? <u></u><u></u></p>
</div>
<div><p class="MsoNormal"><u></u> <u></u></p>
</div>
<div><p class="MsoNormal">I have a few phones that
keep requesting signed file even though the
cluster is not in mixed mode and I cannot
identify why they behave this way. Does the
ITL file contain information about the
cluster security mode? <u></u><u></u></p>
</div>
<div><p class="MsoNormal"><u></u> <u></u></p>
</div>
<div><p class="MsoNormal">The phone logs say that
the TFTP server is secure and keep trying
for the cnf.xml.sgn files. Where does it get
this information?<u></u><u></u></p>
</div>
<div><p class="MsoNormal"><u></u> <u></u></p>
</div>
<div><p class="MsoNormal">Thanks for any input.<u></u><u></u></p>
</div>
<div><p class="MsoNormal"><u></u> <u></u></p>
</div>
<div><p class="MsoNormal">Regards.<u></u><u></u></p>
</div>
<div><p class="MsoNormal"><span style="color:#888888">Ovidiu<u></u><u></u></span></p>
</div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><u></u><u></u></p>
</div><p class="MsoNormal"><br>
<br clear="all">
<u></u><u></u></p>
<div><p class="MsoNormal"><u></u> <u></u></p>
</div><p class="MsoNormal" style="margin-bottom:12.0pt">--
<br>
Ed Leatherman<u></u><u></u></p>
</div><p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</div><p class="MsoNormal"><br>
<br clear="all">
<u></u><u></u></p>
<div><p class="MsoNormal"><u></u> <u></u></p>
</div><p class="MsoNormal" style="margin-bottom:12.0pt">-- <br>
Ed Leatherman<u></u><u></u></p>
</div>
</div><p class="MsoNormal"><br>
<br>
<u></u><u></u></p>
</div>
</blockquote>
<br>
</div>
</div><br></div></div></div></div></div></blockquote></div><br></div>
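Ryan's first suggestion in the thread is to confirm with a manual TFTP download whether the server will hand out the phone's config file at all, since a "File not found" answer points at the TFTP server not knowing the device (a database/replication problem) rather than at signing or security mode. The probe below is an added example written for this page, not code from Cisco, from CUCM, or from any of the posters. It speaks plain RFC 1350 TFTP (read request, then either a DATA block or an ERROR packet), asks for both the signed and the unsigned config name of one device, and reports which answer came back. The server address and the device name are command-line placeholders; the `SEP<MAC>.cnf.xml(.sgn)` file naming and the use of error code 1 for "File not found" are assumptions stated in the comments.

```python
"""Minimal TFTP read probe: does the CUCM TFTP server serve a phone's config file?

Added example for this thread, not code from Cisco or from the list posters.
It only implements the RFC 1350 RRQ / DATA / ERROR exchange needed to learn
whether the first block of a file is served or a "File not found" comes back.
Assumptions: config files are named <DeviceName>.cnf.xml and
<DeviceName>.cnf.xml.sgn; RFC 1350 error code 1 means "File not found".
"""
import socket
import struct
import sys

OP_RRQ = 1      # read request
OP_DATA = 3     # data block
OP_ERROR = 5    # error packet
ERR_FILE_NOT_FOUND = 1  # RFC 1350 error code for "File not found"
TFTP_PORT = 69


def build_rrq(filename, mode="octet"):
    """Encode a read request: opcode, filename, NUL, transfer mode, NUL."""
    return (struct.pack("!H", OP_RRQ)
            + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def parse_reply(packet):
    """Decode the first server reply.

    DATA  -> ("data", block_number, payload_bytes)
    ERROR -> ("error", error_code, message_text)
    """
    if len(packet) < 4:
        raise ValueError("truncated TFTP packet")
    opcode, field = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        return ("data", field, packet[4:])
    if opcode == OP_ERROR:
        message = packet[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return ("error", field, message)
    raise ValueError("unexpected TFTP opcode %d" % opcode)


def interpret(reply):
    """Turn a parsed reply into the conclusion the troubleshooting needs."""
    kind, code, payload = reply
    if kind == "data":
        return "served (first block is %d bytes)" % len(payload)
    if kind == "error" and code == ERR_FILE_NOT_FOUND:
        return "file not found (TFTP has no config built for this device)"
    if kind == "error":
        return "TFTP error %d: %s" % (code, payload)
    return "no reply (timeout)"


def tftp_first_block(server, filename, timeout=3.0):
    """Send one RRQ and return the parsed first reply.

    After receiving block 1 the transfer is aborted with an ERROR packet
    (RFC 1350 section 2), so the probe never pulls the whole file.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_rrq(filename), (server, TFTP_PORT))
        packet, peer = sock.recvfrom(4 + 512)   # largest DATA packet
        reply = parse_reply(packet)
        if reply[0] == "data":
            sock.sendto(struct.pack("!HH", OP_ERROR, 0) + b"probe done\0", peer)
        return reply
    except socket.timeout:
        return ("timeout", None, None)
    finally:
        sock.close()


def probe_device(server, device_name, timeout=3.0):
    """Check both the signed and the unsigned config name for one phone."""
    names = [device_name + ".cnf.xml.sgn", device_name + ".cnf.xml"]
    return {n: interpret(tftp_first_block(server, n, timeout)) for n in names}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: tftp_probe.py <tftp-server> <SEP-device-name>")
    for name, verdict in probe_device(sys.argv[1], sys.argv[2]).items():
        print("%-40s %s" % (name, verdict))
```

Run it from a host that can reach the TFTP server on UDP/69 (the reply arrives from an ephemeral port, so any stateful firewall in between must allow it). If both names come back "file not found" the server simply has no config built for that device, which matches the thread's database/replication lead; if the `.sgn` name is served, signing is working and the phone-side ITL question is moot.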