<div dir="ltr"><div>Hello</div><div> </div><div>I opened a TAC for this issue.</div><div>We had to renew all certificates on the phones.</div><div>(Install/Update CAPF on Device with BAT and restart all phones to get new certificate)</div>
<div> </div><div>TAC also told me that the LSC is valid for five years. After five years you have to renew the certificate even if you upgraded the CUCM in the meantime.</div><div> </div><div>Regards and thanks for your input.</div>
<div>Reto</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/2/8 Jason Burns <span dir="ltr"><<a href="mailto:burns.jason@gmail.com" target="_blank">burns.jason@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Give this a read through and see if any of the troubleshooting steps help you out. It has a "Step by Step" of every item in the process that you need to check. If you walk through those and things are still broken then I would say you need a TAC case and to dig into some advanced logs.<div>
<a href="https://supportforums.cisco.com/docs/DOC-18834" target="_blank">https://supportforums.cisco.com/docs/DOC-18834</a><br></div><div><br></div><div>I would compare the CallManager.pem certificates in OS Administration to the certificates inside of "show ctl", then go through the rest as well.</div>
<div><br></div><div>Also, Chris did have some good questions about the model, firmware version, and extent of the problem.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 7, 2013 at 11:06 AM, Reto Gassmann <span dir="ltr"><<a href="mailto:voip@mrga.ch" target="_blank">voip@mrga.ch</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr"><div>Hi Jason</div><div> </div><div>Thanks for your input. I have set an email address to get a notification if a certificate expires.</div>
<div>I have also checked all the certificates and they are valid at least until 2015. (<span>CAPF</span>.<span>pem</span> <span>is</span> valid until May 5 22:00:41 2015 GMT)</div>
<div> </div><div>Any other ideas?</div><div> </div><div>Thanks</div><span><font color="#888888"><div><span>Reto</span></div></font></span></div><div><div><div class="gmail_extra">
<br><br><div class="gmail_quote">2013/2/7 Jason Burns <span dir="ltr"><<a href="mailto:burns.jason@gmail.com" target="_blank">burns.jason@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr"><div><div><div>Reto and Chris,<br><br></div>
I wonder how long this cluster has been installed and using security. The CAPF certificates and LSC Certificates have a lifetime of 5 years from the date of generation. It could be possible that these certificates (Either CAPF or the individual LSC certificates) have expired.<br>
<br></div>I would check the OS Administration page under Security > Certificates and view the validity period of the CAPF.pem certificate. Also, now would be a good time to go into OS Admin > Security > Certificate Monitor and configure a valid email address so you can be emailed for future certificate expiration. Keep in mind that this means you'll need to enter a valid SMTP server under OS Admin > Settings > SMTP<br>
<br></div><div>Even if I'm wrong hopefully you got some good info ;)<br></div><div><br></div>-Jason<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Feb 7, 2013 at 9:53 AM, Chris Ward (chrward) <span dir="ltr"><<a href="mailto:chrward@cisco.com" target="_blank">chrward@cisco.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="color:rgb(31,73,125);font-family:"Calibri","sans-serif";font-size:11pt">What is the model and firmware version of the phones facing this issue? Is it all phones or just a subset?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125);font-family:"Calibri","sans-serif";font-size:11pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125);font-family:"Calibri","sans-serif";font-size:11pt">+Chris<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125);font-family:"Calibri","sans-serif";font-size:11pt">Unity Connection TME<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125);font-family:"Calibri","sans-serif";font-size:11pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-family:"Tahoma","sans-serif";font-size:10pt">From:</span></b><span style="font-family:"Tahoma","sans-serif";font-size:10pt"> <a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a> [mailto:<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Reto Gassmann<br>
<b>Sent:</b> Thursday, February 07, 2013 9:45 AM<br>
<b>To:</b> <a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> [cisco-voip] TLS Error on Phone after reset<u></u><u></u></span></p><div><div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Hello group<br>
<br>
We have a problem with our phones that started this afternoon. If a phone restarts for any reason (reset or network unplugged) it shows a TLS Error (TLS Error: [CUCM IP]).<u></u><u></u></p>
</div>
<p class="MsoNormal">We can fix the problem when we go to the device in the CUCM Administration and choose Install/Upgrade in the CAPF Information section.<br>
After resetting the Device the IPPhone starts and updates the certificate. <u></u>
<u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12pt"><br>
What could cause such a behaviour and how could we fix it?<u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12pt">We have a CUCM 7.1(3a) and have the phones authenticated.<u></u><u></u></p>
</div>
<p class="MsoNormal">Thanks Reto<u></u><u></u></p>
</div>
</div></div></div>
</div>
<br>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</blockquote></div><br></div>
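<div>Added example, not part of the thread and not Cisco code: the thread's outcome was that CAPF.pem was valid until 2015 while the phones' LSCs had reached their own five-year limit, so expiry has to be checked per certificate. The sketch below triages a list of notAfter values in the text form that <code>openssl x509 -noout -enddate</code> prints; it assumes those values have already been collected, and every phone name and LSC date in the sample is constructed (only the CAPF.pem date comes from the thread).</div>

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: one "name<TAB>notAfter=..." line per certificate.
# Only the CAPF.pem date is taken from the thread; the rest is made up.
SAMPLE = """\
CAPF.pem\tnotAfter=May  5 22:00:41 2015 GMT
LSC SEP001122334455\tnotAfter=Feb  7 12:30:00 2013 GMT
LSC SEP00AABBCCDDEE\tnotAfter=Mar 20 08:00:00 2013 GMT
LSC SEP00DEADBEEF01\tnotAfter=Nov  2 09:15:00 2016 GMT
"""


def parse_not_after(text):
    """Parse an OpenSSL-style end date into an aware UTC datetime."""
    value = text.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def triage(inventory, now, warn_days=60):
    """Return (name, status, days_left) tuples, most urgent first."""
    rows = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, _, end = line.partition("\t")
        not_after = parse_not_after(end)
        # Whole days remaining, rounded down (negative once expired).
        days_left = (not_after - now) // timedelta(days=1)
        if now >= not_after:
            status = "EXPIRED"
        elif not_after - now > timedelta(days=warn_days):
            status = "OK"
        else:
            status = "EXPIRING"
        rows.append((name, status, days_left))
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    # Constructed evaluation time on the day the TLS errors were reported.
    now = datetime(2013, 2, 7, 14, 45, tzinfo=timezone.utc)
    for name, status, days_left in triage(SAMPLE, now):
        print(f"{status:9} {days_left:6d}d  {name}")
```

<div>With the sample data, CAPF.pem is reported as OK while one LSC is already expired and another falls inside the 60-day warning window.</div>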