registration: security error

Unanswered Question
Apr 1st, 2010

Hi,

I am experiencing an issue when auto registering a 7911G phone in that I am getting the message 'registration: security error', however, the phone is downloading firmware upgrades as normal. The 7911G phones will register if pre-built on call manager & I have restarted TFTP services on all servers but this has not rectified the problem.

Just to confirm:

We are not running security authentication certificates

CUCM Ver is 7.1.2.31900

7911 firmware is SCCP11.8.5.2S (MD5 checksum checked)

All other phone models are successfully auto registering.

Any help would be appreciated.

Thanks

Norrie.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.5 (2 ratings)
Loading.
Aaron Harrison Thu, 04/01/2010 - 04:20

Hi

What do you mean by 'The 7911G phones will register if pre-built on call manager '?

Are you saying that auto-registration is failed (i.e. you don't normally add the MAC address to CCM manually, but let it auto-reg and then reconfigure the auto registered phone)?

Aaron

norrie108 Thu, 04/01/2010 - 04:55

Hi Aaron,

Yes, I mean that auto registering is failing , as far as how we roll out the phones is concerned we use both practices ie pre-building via mac-address & auto registering, it really depends on the preference of the engineer.

Thanks

Norrie.

William Bell Thu, 04/01/2010 - 06:16

Norrie,

Are you having these issues whether you add the phone manually and attempt to use auto-register?  Or does one method work, while the other one does not?  You say that the phones are upgrading their firmware as expected, could you identify the firmware you are upgrading these phones to?  Can you also identify the firmware loaded on one of the phones giving you the error.

Can you use a TFTP client to download the phones configuration file from one of your TFTP servers?  If so, can you download a config file for the phone giving you an issue post that here.

I have only seen the message you are experiencing when a phone was misconfigured to use a "secure" profile and the phone didn't have the cert loaded.  I have also seen "security" related messages (using terms like Auth Failed, etc.) when the firmware file was either corrupt or the phone's base firmware was not able to be upgraded directly to the target firmware.

HTH.


Regards,
Bill

Please remember to rate helpful posts.

norrie108 Thu, 04/01/2010 - 06:57

Hi William,

Thanks for reply,

No, if I add a phone manually I have no problem I only have an issue with auto registration.

The firmware I am using is SCCP11.8.5.2S.

I should have said that we upgraded our cluster from CUCM Ver 7.0.1 to Ver 7.1.2  two weeks ago, as such, all telephone firmware was upgraded to recommended versions before upgrading to Ver 7.1.2

Thanks

Norrie.

William Bell Thu, 04/01/2010 - 07:10

Norrie,

I am not able to mock this up at the present moment but out of curiosity, did you check to make sure that the DN range you have reserved for auto-registered devices isn't saturated?

Regards,

Bill

norrie108 Thu, 04/01/2010 - 07:25

William,

No, that's not the problem as I mention in my initial post I have no problem auto registering any other model of phone.

Norrie.

William Bell Thu, 04/01/2010 - 07:45

Norrie,

You are correct, sorry for the erroneous reply.  Again, the only time I have seen this error is when something was fouled up with the certificates.  Even in a non-secure setup I have seen something similar when a customer was trying to deploy refurbished phones.  So, I have a few questions:

1. You say that you are going to 8.5.2 and you upgraded firmware on phones prior to upgrading to 7.1.2.  But, these phones you are trying to auto-register are "new" to your CUCM system.  So, what firmware is loaded on these phones before you attach them to the network?  A far shot, but an easy question to answer.

2. More pertinent:  Where are these 7911 phones coming from?  Are they new from Cisco?  Are they refurbished?  Were they on a lab system or other production cluster?

3. Can you check your CUCM syslog to see what message is generated by the CUCM when an auto-registration fails.  Please post.

4. Can you enable Detail tracing on CUCM, execute an auto-registration test, and post the CUCM traces?  I recommend doing this after hours if possible and in either case, post the following info when you upload the trace files:

- The IP address of the suspect phone

- The mac address of the suspect phone

- The exact time stamp for when you physically connected the phone to the nework

- The exact time stamp when you saw the error pop up on the phone

Outside of that, I am wondering if you have tried a factor reset on any of these devices to see if that resolves the issue.

Factory reset sequence:

  1. unplug it
  2. plug it in
  3. hold down #
  4. enter  123456789*0#

HTH.


Regards,
Bill

norrie108 Thu, 04/01/2010 - 08:25

William,

There is a lot to get back to you there but just to pick up on the easy ones:

1-SCCP11.8.4.4S

2-The phones are new from a Cisco supplier

3-Get back to you.

4- I tried the reset (one of the first thing I tried),however, no joy.

I am actually going off on annual leave & will return on 12th April so I will pick this up then, however, if you (or anyone else) thinks of anything please post.

Thanks

Norrie.

Actions

This Discussion