CUCM 7.1(3) TFTP Auth Fail

Answered Question
Oct 5th, 2009

Since upgrading to CUCM any new phone plugged into the system gets an "auth fail" from the TFTP server when attempting to upgrade the firmware to the version that comes with 7.1(3). Phones that were registered prior to the upgrade work just fine. I am seeing the same behanviour on our non-production environment which is also at 7.1.3-10000-11.

Phone Firmware for 7.1(3) on 7961G set is SCCP41.8-5-2SR1S

Has anyone sle seen this behaviour anyone else running 7.1(3) yet?

I have this problem too.
0 votes
Correct Answer by mwuest about 7 years 1 week ago

Hi Everybody

My Issue was taht the Phone Firmware first must be 8.5.2 and after taht the phone can go to 8.5.3. This is written in the Relase Notes


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (6 ratings)
mwuest Tue, 10/06/2009 - 03:42


I have the same Problem with this Version

Do you have a workaround?

kelvin.blair Tue, 10/06/2009 - 05:09

I've seen this before where a CTL file was being used? Are you using any type of CTL File?

mwuest Tue, 10/06/2009 - 05:13

No I don't use any type of CTL files. I don't use secutrity.


mohammed.naviwala Sun, 04/25/2010 - 07:54


did u get answer to this?

my problem is that I can use the IP Communicator to make calls but the same settings with the same DN on the ip phone does not work and i get the auth-fail message as well. i used the ctl but revreted the mode to the non-secure mode. still the  same.

rutibuni Mon, 04/26/2010 - 07:42

Hi all,

This thread has split into two different paths.  The original purpose of the thread was to discuss why a two-step firmware upgrade was required and this has been answered.  For the other issue, where it looks like a call is failing, it is probably best to start a new discussion and get a TAC case opened.



mohammed.naviwala Mon, 04/26/2010 - 04:57

Hi kelvin,

Any updates on this? i am facing the same problems. I upgraded the firmware to 8.5.2SR1 but still the calls fail. I did use the CTL Client and updated the ctl file. strangely i can use the IP Communicator but not the IP Phones.

Any help will be appreciated

rob.huffman Tue, 10/06/2009 - 07:31

Hi Keith/Guys,

It sounds very much like this bug. I would try a TAC case and load a newer or older firmware for the devices and then change the info in the Device Defaults;

CSCsu73815 Bug Details

7945/7965 cannot recover from file Auth Failure during upgrade/downgrade


If all image files do not pass file authentication during phone load upgrades form 8.4(1)IV6.29 to a new version, phone can not come up using the previously installed image.


Test environment:

phone load : 8-4-1IV6-29S

Call Manager:, mixed mode

Reproduce steps:

1. Setup 7945 or 7965 phone with 8-4-1IV6-29S active load. Register it to the CCM.

2. Sign a different phone load on the phone configuration page, for example 8-4-1IV6-26S.

3. Modify one of the new image files on TFTP server, for example, modify 1-2 bytes in apps45.8-4-1IV6-26.sbn.

4. Reset the phone.

5. Phone resets and requests the new image. When downloading the modified image file finished, 'Auth Fail' is shown on the screen.



Further Problem Description:





3 - moderate

Last Modified

In Last Year


Cisco Unified IP Phones 7900 Series


1st Found-In





Hope this helps!


keithknowles Tue, 10/06/2009 - 07:54

I suspect it to be a firmware issue as well, but why would it only affect new phones added to the system and not the ones that were registered prior to the upgrade? I have verified that phones that were registered prior to the upgrade were able to obtain the firmware from the server without issue.

rob.huffman Tue, 10/06/2009 - 08:17

Hey Keith,

I hear you :) It's quite possible that the new phones have the factory firmware (referenced in the bug)

phone load : 8-4-1IV6-29S

(or something very similar) where your existing phones had 8-4-3x;

Just a guess here.



keithknowles Tue, 10/06/2009 - 08:19

OK, that kinda makes much as bugs generally do. :) I will give it a shot and post the result. As always, thanks for your help Rob.

keithknowles Tue, 10/06/2009 - 09:51

I hate to ask, but what is the best way of accomplishing the downgrade and then the upgrade?

fjrubiobarcena Tue, 10/06/2009 - 23:39

Hello, I have installed in a callmanager 5.1 the latest device package and I am having the same issue. What do tou think it can be the solution?

unninstall the latest device package and install an older one?

Jonathan Schulenberg Tue, 10/13/2009 - 06:21

It appears you must downgrade the firmware to 8.5(2) - NOT 8.5(2)SR1 - as mentioned in the release notes. Once the phones are at that version, you can upgrade from there.

Wilson Samuel Tue, 10/13/2009 - 06:31

I hate to ask such a simple question:

Wont a Factory Reset solve the issue?

I mean, it will rewrite practically everything on the ph.

Just a wild guess as I never had this issue till now.


keithknowles Tue, 10/13/2009 - 11:44

Depends on what the factory firmware is that your phone is running. The firmware that ships with 7 requires you to be at a certain version before it can be upgraded...if your factory version isn't at least that then the upgrade wont work.

alijames Thu, 10/22/2009 - 04:32


If you do, and a suitable rev of firmware is not able to load, the phone tries to update the firmware, fails and then just sits there displaying the Cisco Logo screen, but with a circle bottom left, instead of the usual square with a tick in it. Then after a short time, it reboots, and cycles through the above again.

I first had it with 7942 phones, but this was cured by installing 8.5.2S & 8.5.2SR1 variants.

However, I still have the same problem with brand new 7906/7911 phones, even though the above firmwares are also installed.



keithknowles Thu, 10/22/2009 - 12:15

This is very true. The fix for this, should it occur, is to change the DHCP TFTP address to a TFTP server that has an appropriate mid-level of firmware (one that is compatible to be upgraded from what your phone was running), and then let the phone upgrade. If you are fortunate, the mid-level firmware will also be compatible to upgrade to your production formware on the Communications Manager. If this is the case, simply point the DHCP TFTP server back to the CUCM. If not you will have tp upgarde your phone, yet again, to a version that is compatible before going to the CUCM firmware.

aech Fri, 10/23/2009 - 00:52

This is a big pain!

Especially when one is installing maybe 30 phones per week.

I wonder how many phones actually have left the factory with this renegade sw release and if they are now flushed through the system. How quickly did you realise the problem Cisco? Are we to be plagued by this for the next six months? Looks like we may have to setup all new phones on our development system first. Bah Humbug!!



keithknowles Fri, 10/23/2009 - 18:42

I feel your pain. Especially since everytime we get phones with this wacky firmware I have to roll my development system back to the old release just to update phones and the return it to the production release. Just think though it could be worse...not everyone has development systems with which to use. :)

Telcocapital Tue, 10/27/2009 - 00:02

I'm getting the auth fail also. After running the tftp debug, I get the following. Looks like the problem could have something to do with the following missing files:

Oct 14 08:01:28.140: TFTP: Looking for CTLSEP002584A383C1.tlv

Oct 14 08:01:52.180: TFTP: Looking for SEP002584A383C1.cnf.xml

Oct 14 08:01:53.068: TFTP: Looking for English_United_States/td-sccp.jar

Oct 14 08:01:53.224: TFTP: Looking for United_States/g3-tones.xml

As search for these on gave the following:



Here is the tftp debug info:

WFSBI#debug tftp events

TFTP Event debugging is on


Oct 14 08:01:28.140: TFTP: Looking for CTLSEP002584A383C1.tlv

Oct 14 08:01:28.216: TFTP: Looking for SEP002584A383C1.cnf.xml

Oct 14 08:01:28.216: TFTP: Opened system:/its/vrf1/XMLDefault7975.cnf.xml, fd 9,

size 1190 for process 332

Oct 14 08:01:28.216: TFTP: Finished system:/its/vrf1/XMLDefault7975.cnf.xml, tim

e 00:00:00 for process 332

Oct 14 08:01:34.968: TFTP: Looking for SCCP75.8-5-3S.loads

Oct 14 08:01:34.968: TFTP: Opened flash:/SCCP75.8-5-3S.loads, fd 9, size 650 for

process 332

Oct 14 08:01:34.972: TFTP: Finished flash:/SCCP75.8-5-3S.loads, time 00:00:00 fo

r process 332

Oct 14 08:01:52.084: TFTP: Looking for CTLSEP002584A383C1.tlv

Oct 14 08:01:52.180: TFTP: Looking for SEP002584A383C1.cnf.xml

Oct 14 08:01:52.180: TFTP: Opened system:/its/vrf1/XMLDefault7975.cnf.xml, fd 9,

size 1190 for process 332

Oct 14 08:01:52.184: TFTP: Finished system:/its/vrf1/XMLDefault7975.cnf.xml, tim

e 00:00:00 for process 332

Oct 14 08:01:53.068: TFTP: Looking for English_United_States/td-sccp.jar

Oct 14 08:01:53.224: TFTP: Looking for United_States/g3-tones.xml

Oct 14 08:01:53.632: %IPPHONE-6-REG_ALARM: 25: Name=SEP002584A383C1 Load= SCCP75

.8-3-2S Last=Initialized

Oct 14 08:01:53.668: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-92:SEP002584A383C1 I

P: Socket:2 DeviceType:Phone has unregistered abnormally.

Oct 14 08:01:53.668: %IPPHONE-6-REGISTER: ephone-92:SEP002584A383C1 IP:10.100.1.

21 Socket:3 DeviceType:Phone has registered.



Oct 14 09:42:31.051: TFTP: Looking for CTLSEP002584166896.tlv

Oct 14 09:38:55.843: TFTP: Looking for SEP002584166896.cnf.xml

Oct 14 09:38:55.843: TFTP: Opened system:/its/vrf1/XMLDefault7941.cnf.xml, fd 9,

size 1192 for process 332

Oct 14 09:38:55.847: TFTP: Finished system:/its/vrf1/XMLDefault7941.cnf.xml, tim

e 00:00:00 for process 332

Oct 14 09:38:59.739: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-91:SEP002584166896 I

P: Socket:1 DeviceType:Phone has unregistered abnormally.

Oct 14 09:39:03.071: TFTP: Looking for SIP41.8-5-2SR1S.loads

Oct 14 09:39:03.071: TFTP: Opened flash:/SIP41.8-5-2SR1S.loads, fd 9, size 654 f

or process 332

Oct 14 09:39:03.075: TFTP: Finished flash:/SIP41.8-5-2SR1S.loads, time 00:00:00

for process 332

Oct 14 09:39:28.959: TFTP: Looking for CTLSEP002584166896.tlv

Oct 14 09:39:29.047: TFTP: Looking for SEP002584166896.cnf.xml

Oct 14 09:39:29.047: TFTP: Opened system:/its/vrf1/XMLDefault7941.cnf.xml, fd 9,

size 1192 for process 332

Oct 14 09:39:29.051: TFTP: Finished system:/its/vrf1/XMLDefault7941.cnf.xml, tim

e 00:00:00 for process 332

Oct 14 09:39:30.467: TFTP: Looking for English_United_States/mk-sccp.jar

Oct 14 09:39:30.663: TFTP: Looking for United_States/g3-tones.xml

Oct 14 09:39:31.271: %IPPHONE-6-REG_ALARM: 25: Name=SEP002584166896 Load= SCCP41

.8-3-1S Last=Initialized

Oct 14 09:39:31.323: %IPPHONE-6-REGISTER: ephone-91:SEP002584166896 IP:10.100.1.

22 Socket:1 DeviceType:Phone has registered.

jgentsch Tue, 10/27/2009 - 14:09

Ok, a little annoyed as I read this post. I just installed CCM7.1(3). It came on the server pre-loaded from the factory. I plugged a brand new 7945 in and got the auth fail error. The firmware loaded on CUCMBE is 8.5.2SR1S. Anyone have a verified TAC fix for this yet?

coleman.noc Mon, 11/02/2009 - 11:26

I noticed the same issue with one of our customers. After hours of tinkering the fix seemed to be to put 8.5.2 on the affected phones, reset them, and then use SR1. Will be attempting an upgrade to FW 8.5.3 to see if this fixes it

jgentsch Mon, 11/02/2009 - 11:28

I installed 8-5-2 and 8-5-3 on my production environment, set the device default for my new phones to 8-5-2. Once those phones upgraded, I changed the device default to 8-5-3...all was well. This seemed to be the simplest solution.

zzbronski Mon, 11/02/2009 - 08:21

I agree with the previous statement about it being a major pain in the tucuss. I just made the jump from 6.1(2) to 7.1(3). I knew of this problem before the jump and pro-actively upgraded all the phones in production to baseline version 8.5.2. However, every time I add a new phone to the system it is running an old firmware version from the factory (SCCP45.8-3-2S). The minimum is 8.3.3 in order to get the 8.5.2sr1 and higher. You must first go to baseline 8.5.2 first.

I would like to know how I could setup a default in the system so that when the new phone auto registers that is will get the baseline first and then go to the new version that comes with 7.1(3).

aamercado Wed, 11/04/2009 - 12:43

Since this thread helped me...I wanted to share my story.

Here's my workaround on 7945 phones with "auth fail" It always failed on term45.default.loads so...

I only had 853 which wasn't working so I download 3 separate 7945 zip loads (832, 833, 852,), put it in tftp folder and via trial and error found the “right” “term45.default” load to use which was 852. I had to restart pub tftp service on each trial/error during testing.

Anyways, I was able to get all phones to 853 using the “term45.default” that came with 852. It was kinda weird as it load 852 first, reboot and load 853 next since my Device Defaults were 853. I would have thought it go straight to 853 and skip 852.

alijames Fri, 11/06/2009 - 02:01


Good stuff! However the above is only a partial workaround, in that it allows a new phone to be upgraded, but you have to initiate a 'Factory Reset' of the handset to start the process.

It works for all the 79xx models I have tried so far.

No response from Cisco on a fix yet via our support provider...



sebastien_michelet Fri, 11/06/2009 - 13:26

This firmware upgrade issue first appears in 8.5(2)SR1 as acknowledged in the release notes:

but nobody bothered fixing it in 8.5(3) and it is still in the release notes as noted in previous post.

It would be nice to have somebody from Cisco telling us if they think the 2-step upgrade is an acceptable workaround (until all factory phones are shipped with 8.3.3 or later) or if we can expect a fix in the next firmware release.

rutibuni Mon, 11/16/2009 - 13:04

Hi all,

My name is Rudy Tibuni and I am a product manager in IPCBU for Cisco Unified IP Phones. First, let me apologize for the issue this has created for recently purchased IP Phones. This is not something we typically do obviously, but in this case it was necessary.

First, to summarize:

The phones are currenlty shipping with 8.3(2) but must be upgraded to a firmware load greater than or equal to 8.3(3) up to a load less than or equal to 8.5(2) prior to upgrading to 8.5(3).  We realize this is an issue for new phones mostly so we are changing the default manufacturing load to be 8.3(3). The process for doing so involves testing in manufacturing as well as a control run test build.  This is being done as we speak.  The change should be in production in 2-3 weeks. For recently shipped phones, the process specified in the 8.5(3) release notes is the correct process to follow.

Why did this happen? As most of you know, Cisco firmware is signed to ensure that only Cisco-certified firmware may be loaded on our phones. It was necessary to upgrade the servers that do the signing and the loads that understand both signing keys are, not surprisingly 8.3(3) though 8.5(2). The old servers were decommissioned and no longer available so 8.5(3) only understands the new server signing keys, hence the need to upgrade first to a load that understands both keys.

skravens0929 Tue, 03/09/2010 - 08:24

I also reverted all of my default loads to the olders version I previously ran on my 4.1.3 cluster. I did this to be sure that all of my phones came back working after the upgrade. I will upgrade at a later date.

We went from 4.1.3 to 7.1.3b

bmcghee Mon, 03/15/2010 - 13:57

Hi Rudy,

     Do you know if Cisco has a fix for this available yet?  I'm running into the same issue at a customer site and they're loking for a fix.

Thank you..

nuttawut44010162 Wed, 01/27/2010 - 03:35

I installed on cucm7.1.3 and got same issue with 945G

Now, I can resolve this issue.

Here are my step.

1. i download firmware 8.4(4) in ZIP format from  (
2. extract a zip file to tftp server on my laptop. i use 3CDaemon for tftp server.
3. change the dhcp value for option 150 to tftp's ip .
4. reset the ip phone to factory default by pressing hold# and then 123456789*0# (
5. ip phone will retrieve firmware v.8.4(4) from my laptop.
6. when downloading the modified image file finished, change the dhcp value for option 150 to cucm's ip.
7. i try to register 7945G with cucm and "Auth Fail" does not appear.

Hope this help.


Aaron Harrison Tue, 03/09/2010 - 09:22


A quick(er) way to do this is just load the interim firmware (e.g. the contents of onto your CCM TFTP server.

When you are deploying handsets, put the firmware file name (minus the .loads extension) into the Phone Load field.

Phones will boot and upgrade to 8-4-4.

Once you have deployed all the phone you can run a BAT job to clear the Phone Load field and reset, and the phones will then upgrade to the correct release of code.



Please rate helpful posts...

brendand05 Thu, 08/25/2011 - 16:56

CallManager Build

7965G IP Phone 'Auth Fail'

I have a 7965G phone that was displaying 'Auth Fail' when booting up and wouldnt update the firmware.

It would then boot up and the phone would work but it just wouldnt update the firmware to the CallManager version.

A suggestion on the Cisco Support Forums was to reset the phone by pressing '0123456789*0#'

I have done this but now the phone is not booting at all. It just cycles through the boot process below

The phone now reboots to 'Upgrading'

Then displays 'term65.defaults'....'Auth Fail'

Then displays 'term65.defaults'....'Auth Fail' (does this twice

Then displays a Cisco logo for 1-2 minutes then reboots and goes through the same cycle.

keanej Tue, 11/29/2011 - 02:34

More than likely you have a phone shipped with a firmware cert issue - or else the default path points to something that doesnt exist.

You need to load two firmwares onto call manager.

One is called -  cmterm-7945_7965-sccp.8-5-2

This contains the following files - you need to upload them onto the tftp server (probably your publisher)







Please do NOT upload these files !!



The other is called  - cmterm-7945_7965-sccp.9-2-1

Its contains -







Please do NOT upload these files !!



Now goto

CMADMIN - Device / Device Settings / Device Defaults

Change your Cisco 7965 to be

SCCP45.8-5-2S  (it would have been term65.default.loads)

Now finally goto serviceability

Tools / Control Center - Features Services / Select your TFTP server and GO / Check Cisco Tftp / Press restart on top.

Now you have uploaded the TFTP files and restarted the TFTP service.

reboot the phone .. it will rebuild

Now you need to upgrade the handset to the latest and greatest.

CMADMIN - Device / Device Settings / Device Defaults

Change your Cisco 7965 to be

SCCP45.9-2-1SR2S  (it would have been SCCP45.8-5-2S)

And reboot your phone.

Your 7965 should be at 9-2-1 now.


This Discussion