78xx 7800 7821 " Host not found " Corporate Directory

Unanswered Question
Feb 4th, 2014

Hello Community,


Following scenario:

Encrypted SIP phones (7911, 7931, 7962, 7975) on CUCM 8.6.2 have had access to the corporate directory for a long time and it works fine.

Today I added 7821 SIP phones and they work fine, but they have no access to the corporate directory; the message "host not found" appears. It also does not work with a non-secure SIP profile.

The config is the same as for the other phones, nothing different. They get the same IP address range, same DNS, same TFTP server, etc.

The cluster has 3 servers: first PUB1, then SUB1 and SUB2. The phones are registered at SUB1. To me it seems there may be a problem with the TVS certification.


But how could I fix this?


Please see the attached trace from the phone.

I hope the community can help me solve the issue.

Many thanks in advance.




HTH, please rate all useful posts and right answers.

armin.wagenfueh... Wed, 02/05/2014 - 03:17

Hi, we already work w/ IP addresses and the TVS entry is also IP based. So from this point of view that should not be the problem. I tried it several times: w/ the 7962 it works fine, but not w/ the 7821. The 7821 and 7962 config files seem 100% identical regarding directory service and TVS.

It seems to me that it has something to do w/ the new "device 7821". To handle the 7821 as a device in CUCM I had to install a Device Package.

CUCM does not accept the XML request, w/ this error:

See also attachment


8396 NOT 09:22:05.536516 SECUREAPP-No match found in trust list against the item
8397 NOT 09:22:05.536784 SECUREAPP-Using TVS for cert validation
8398 NOT 09:22:05.536973 SECUREAPP-Waiting for TVS response - will retry; retry count: <0>
8399 NOT 09:22:05.669941 SECUREAPP-Attempting connect to TVS server addr [10.199.188.178], mode [IPv4]
8400 NOT 09:22:05.670398 SECUREAPP-TOS set to [96] on sock, [10.199.188.178][10]
8401 NOT 09:22:12.677336 SECUREAPP-[errno=Connection timed out] TCP connect() failed, [10.199.188.178] [10] mode[0] port[2445]
8402 NOT 09:22:12.677808 SECUREAPP-TVS failed connect using [IPv4] mode, will attempt to fail over to [IPv6] mode Addresses if available.
8403 NOT 09:22:12.678106 SECUREAPP-TOS set to [96] on sock, [][10]
8404 NOT 09:22:12.678645 SECUREAPP-[errno=Connection refused] TCP connect() failed, [] [10] mode[1] port[2445]
8405 NOT 09:22:12.678887 SECUREAPP-Invalid BIO object
8406 NOT 09:22:12.679078 SECUREAPP-TVS provider Init - connect returned invalid srvr sock: -1
8407 NOT 09:22:12.679301 SECUREAPP-secStartCustomTVSService stopped - SEC_TVS_REASON_COMMUNICATION_ERROR
8408 NOT 09:22:12.679573 SECUREAPP-secStartCustomTVSService stopped - SEC_TVS_REASON_SUCCESS
8409 NOT 09:22:12.680321 SECUREAPP-TVS Cert Validation - provider returned NULL response
8410 NOT 09:22:12.680430 SECUREAPP-Failed to validate cert using TVS
8411 INF 09:22:12.707173 JAVA: SSL session setup Cert Verification - Certificate validation helper plugin returned.
8412 ERR 09:22:12.707349 JAVA: SSL session setup Cert Verification - Certificate is invalid.
8413 DEB 09:22:12.707403 JAVA: SSL session setup Cert Verification - returning validation result = 0
8414 ERR 09:22:12.707449 JAVA: Sec SSL Connection - Handshake failed.
8415 DEB 09:22:12.707489 JAVA: SSL shutdown.
8416 DEB 09:22:12.707529 JAVA: BIO reset.
8417 DEB 09:22:12.707568 JAVA: SSL free.
8418 DEB 09:22:12.707607 JAVA: Closing socket


But the 7821 has loaded the right CTL and ITL file.



HTH, please rate all useful posts and right answers.

Nishant Savalia Wed, 02/05/2014 - 05:10
User Badges:
  • Silver, 250 points or more

Hi armin,

The log shows that the connection to TVS timed out on port 2445.

8397 NOT 09:22:05.536784 SECUREAPP-Using TVS for cert validation
8398 NOT 09:22:05.536973 SECUREAPP-Waiting for TVS response - will retry; retry count: <0>
8399 NOT 09:22:05.669941 SECUREAPP-Attempting connect to TVS server addr [10.199.188.178], mode [IPv4]
8400 NOT 09:22:05.670398 SECUREAPP-TOS set to [96] on sock, [10.199.188.178][10]
8401 NOT 09:22:12.677336 SECUREAPP-[errno=Connection timed out] TCP connect() failed, [10.199.188.178] [10] mode[0] port[2445]
8402 NOT 09:22:12.677808 SECUREAPP-TVS failed connect using [IPv4] mode, will attempt to fail over to [IPv6] mode Addresses if available.

What you can do is try to delete the CTL/ITL file or factory reset the phone and capture the logs with Wireshark.

After that you can see from the logs whether the phone has downloaded the CTL/ITL file successfully.

You can also refer to the link below, which will give you an idea of the certificate validation process.

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080c1701f.shtml



Regards,

Nishant Savalia

armin.wagenfueh... Wed, 02/05/2014 - 07:45

Hi, many thanks for supporting me. I am sure that the CTL/ITL file is loaded correctly on the phone, because I have already verified it w/ the CUCM.



HTH, please rate all useful posts and right answers.

Tirtha Tripathy Wed, 02/05/2014 - 11:07
User Badges:
  • Cisco Employee,

Hi Armin,

Installation of a Device Pack requires a cluster reboot. I hope that has been done.

The logs say that there is a timeout connecting to the TVS server.

Next Action Plan:

Restart TFTP and TVS

Next Action Plan:

Perform a similar action with a working and a non-working phone.

E.g. delete 2 phones, one good and one bad. Add the 2 phones to the CUCM and register them. Now check the IP Phone Directory on both phones.

If the issue persists on both phones, then the issue exists for all the phones, not only the 7821.

What security is involved in the cluster? ITL/CTL/TLS?


Regards,

Tirtha

armin.wagenfueh... Thu, 02/06/2014 - 01:02

Hi Tirtha, yes, the cluster was restarted after installing the dev. pack.

I restarted TFTP and TVS several times, but still host not found. From the 7962 it works fine, but still not from the new 7821.

The phones are encrypted, but it does not depend on encryption. For the traces I changed to non-secure: the 7962 works and the 7821 does not.

Both phones have the same IP and link for the Corp. Directory.

I will trace the good and the bad case and come back.

Thanks Armin

HTH, please rate all useful posts and right answers.

armin.wagenfueh... Thu, 02/06/2014 - 04:22

......it now works w/ the 7821 too. Strange thing!!!! Both phones work at the same CUCM and in the same network. In both traces I saw that the TVS request uses port 2445. But for this network TCP 2445 was set to "deny". I opened TCP 2445 and now it also works w/ the 7821.

The main question is: while 2445 was denied, why did it work w/ the 7962, 7975, 8831 etc. and not w/ the 78XX phones?

Attached are the phone traces, working and non-working.


HTH, please rate all useful posts and right answers.

Nishant Savalia Thu, 02/06/2014 - 04:29
User Badges:
  • Silver, 250 points or more

Great armin,

As mentioned earlier, it was finally the issue with TVS port 2445.

Where is this 78XX phone located? Is it located with the existing phones which were working fine, or is it at a different location?

And I think you missed attaching the logs. Please attach them.



Regards,
Nishant Savalia

armin.wagenfueh... Thu, 02/06/2014 - 05:07

Hi Nishant, I have already attached the logs from the phones. As I mentioned in my last answer: both phones work at the same CUCM and in the same network!


HTH, please rate all useful posts and right answers.

Nishant Savalia Thu, 02/06/2014 - 05:34
User Badges:
  • Silver, 250 points or more

Hi armin,

Can you send the successful log of the 7821, i.e. after opening port 2445?



Regards,
Nishant Savalia

armin.wagenfueh... Thu, 02/06/2014 - 05:59

Hi, sure. But keep in mind, this is a 7821 working case; thank goodness, I still have no non-working case w/ the 7821 :-).

The question is still open: why do the 7962, 7975 etc. work in the same subnet, w/ the same subscriber etc., with deny tcp 2445???


HTH, please rate all useful posts and right answers.

Tirtha Tripathy Thu, 02/06/2014 - 07:05
User Badges:
  • Cisco Employee,

Hi Armin,


I went through all three attached files. Here is what I suspect you have done to deny and allow port 2445, and here is my understanding.

There are 2 TVS servers in the cluster (which I can see in the 7962 logs):

10.199.188.178

10.199.188.177

I suspect you have blocked/denied port 2445 for IP 10.199.188.178 and not for 10.199.188.177.

From the 7962 working logs, the IP phone tries to connect to the first TVS server, .178. It fails, so the phone retries after 10 seconds to .177 and validates with TVS, hence it works.

But on the 7821, the phone seems to have only one TVS; I do not see the second TVS being invoked anywhere in the logs, and it has never tried to reach .177, hence it fails.

Now if you block port 2445 on both .177 and .178, you will experience the same scenario for all the phones.


Regards,

Tirtha
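
Added example, not part of the thread and not a Cisco tool: a small parser for phone console traces like the one posted above, reporting which configured TVS servers the phone actually attempted, the comparison made by hand in the post above. The function name, the configured-server list and the second trace are constructed for illustration; the first trace reuses lines from the 7821 log in this thread.

```python
import re

ATTEMPT = re.compile(r"SECUREAPP-Attempting connect to TVS server addr \[([^\]]*)\]")
FAILED = re.compile(
    r"SECUREAPP-\[errno=([^\]]+)\] TCP connect\(\) failed, \[([^\]]*)\].*port\[(\d+)\]")
GAVE_UP = "SECUREAPP-Failed to validate cert using TVS"

# Lines copied from the 7821 trace posted in this thread.
TRACE_7821 = """\
8397 NOT 09:22:05.536784 SECUREAPP-Using TVS for cert validation
8399 NOT 09:22:05.669941 SECUREAPP-Attempting connect to TVS server addr [10.199.188.178], mode [IPv4]
8401 NOT 09:22:12.677336 SECUREAPP-[errno=Connection timed out] TCP connect() failed, [10.199.188.178] [10] mode[0] port[2445]
8404 NOT 09:22:12.678645 SECUREAPP-[errno=Connection refused] TCP connect() failed, [] [10] mode[1] port[2445]
8410 NOT 09:22:12.680430 SECUREAPP-Failed to validate cert using TVS
"""

# Constructed trace (sequence numbers and timestamps invented) that reuses only
# message formats seen in the thread: a phone that moves on to the second server.
TRACE_FAILOVER = """\
0101 NOT 10:00:00.000000 SECUREAPP-Attempting connect to TVS server addr [10.199.188.178], mode [IPv4]
0102 NOT 10:00:07.000000 SECUREAPP-[errno=Connection timed out] TCP connect() failed, [10.199.188.178] [10] mode[0] port[2445]
0103 NOT 10:00:17.000000 SECUREAPP-Attempting connect to TVS server addr [10.199.188.177], mode [IPv4]
"""

def summarize_tvs(trace, configured):
    """Report which configured TVS servers a phone tried and how each attempt ended."""
    attempted, failures = [], {}
    lines = trace.splitlines()
    for line in lines:
        m = ATTEMPT.search(line)
        if m:
            if m.group(1) and m.group(1) not in attempted:
                attempted.append(m.group(1))
            continue
        m = FAILED.search(line)
        if m and m.group(2):  # an empty [] is the IPv6 fallback with no address
            failures[m.group(2)] = (m.group(1), int(m.group(3)))
    return {
        "attempted": attempted,
        "failures": failures,
        "never_tried": [s for s in configured if s not in attempted],
        "validation_failed": any(GAVE_UP in line for line in lines),
    }

if __name__ == "__main__":
    servers = ["10.199.188.178", "10.199.188.177"]  # TVS servers named in the thread
    for name, trace in (("7821", TRACE_7821), ("failover", TRACE_FAILOVER)):
        print(name, summarize_tvs(trace, servers))
```

A non-empty `never_tried` together with `validation_failed` is the pattern described for the 7821: the first TVS server is unreachable on port 2445 and the second is never contacted.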

armin.wagenfueh... Thu, 02/06/2014 - 08:32

Hi Tirtha, yes, partially right. To one server 2445 was open and to the other server 2445 was denied. That's true.

But both have the same CUCM Group and both have the same two TVS servers w/ prio 0 and 1 in the XML config file. So I expect the 7821 to go the same way as the 7962, to the second server, when server 1 is not reachable over port 2445.

Nothing different!!!!!

Please see here:

7821:

2445
10.199.188.178

2445
10.199.188.177

7962:

2445
10.199.188.178

2445
10.199.188.177

Maybe it is a bug that the 7821 does not try to reach the second one.

HTH, please rate all useful posts and right answers.

Tirtha Tripathy Thu, 02/06/2014 - 08:55
User Badges:
  • Cisco Employee,

Hi Armin,


I knew you would come back with this question about TVS being the same for both phones.

To figure out the answer, ssh to the phones and run show tvs to find the TVS servers for verification.


Regards,
Tirtha

armin.wagenfueh... Thu, 02/06/2014 - 22:59

Hi Tirtha, the show output is identical.

7821:

802.1X:
        Device Authentication: Disabled
        Transaction Status: Disabled
        Protocol: NONE
        Device ID: CP-7821-SEPXXXXXXXX
        EAP-MD5:
                Shared Secret: Password Not Set
                Realm: Network
TVS Servers:
        Priority : 0
                TVS IPv4 Address : 10.111.188.31
                TVS IPv6 Address :
                TVS Port : 2445
        Priority : 1
                TVS IPv4 Address : 10.111.189.31
                TVS IPv6 Address :
                TVS Port : 2445
        Priority : 2
                TVS IPv4 Address :
                TVS IPv6 Address :
                TVS Port : 0

7962:

================================
          show tvs
=================================
Priority : 0
TVS IPv4 Address : 10.111.188.31
TVS IPv6 Address :
TVS Port : 2445
IP Mode : 0
IP Pref : 0
DSCP value : 96
Priority : 1
TVS IPv4 Address : 10.111.189.31
TVS IPv6 Address :
TVS Port : 2445
IP Mode : 0
IP Pref : 0
DSCP value : 96
Priority : 2
TVS IPv4 Address :
TVS IPv6 Address :
TVS Port : 0
IP Mode : 0
IP Pref : 0
DSCP value : 96

armin.wagenfueh... Fri, 02/07/2014 - 00:02

Next strange thing. I figured out what is going on.

- 7821 and 7962 in operation. XML works for both.
- I deny 2445 to the first SUB again.
- Still works well for the 7821 and 7962 for a long time. The fault does not appear.
- Restart both phones. 2445 still denied.
- 7821 does not work, 7962 still works.

Reason: when the network connection from the phones to the first SUB is denied and the phones restart, the 7821 has no access to XML, the 7962 still has access to XML.

Bug?



HTH, please rate all useful posts and right answers.

Nishant Savalia Fri, 02/07/2014 - 06:52
User Badges:
  • Silver, 250 points or more

Hi Armin,

A little more information is required.

  • Which IP address is this 10.199.188.176?
  • What was the server definition for PUB & SUB, i.e. hostname or IP address?
  • What modifications have you made so far for this issue?
  • From the phone settings, what are the TVS servers listed on the 7821?



Regards,
Nishant Savalia

balabin.va Tue, 05/31/2016 - 04:08
Hello!
What was the solution to your problem?
I have a similar problem on CUCM 10.5
Phones 7821, 8851, 9951.

armin.wagenfueh... Fri, 02/07/2014 - 09:52

Hi Nishant, thanks for your support. I am leaving for the weekend. On Monday morning I will trace, with 2445 denied, the OK 7962 case and the not-OK 7821 case and post the traces here.

The question is: w/ 2445 denied to the first SUB (TVS), why does the 7962 move to the second SUB and work, and why does the 7821 not move to the second SUB and not show the Corp. Directory....

Which kind of traces do you need?


Thanks Armin


HTH, please rate all useful posts and right answers.

armin.wagenfueh... Mon, 02/10/2014 - 04:52

10.199.188.177 SUB2
10.199.188.178 SUB1
10.199.188.176 PUB

Server definition: IP address

Modification: opened port 2445, SUB1 network --> phone network

TVS

7821:

802.1X:
        Device Authentication: Disabled
        Transaction Status: Disabled
        Protocol: NONE
        Device ID: CP-7821-SEPXXXXXXXX
        EAP-MD5:
                Shared Secret: Password Not Set
                Realm: Network
TVS Servers:
        Priority : 0
                TVS IPv4 Address : 10.111.188.31
                TVS IPv6 Address :
                TVS Port : 2445
        Priority : 1
                TVS IPv4 Address : 10.111.189.31
                TVS IPv6 Address :
                TVS Port : 2445
        Priority : 2
                TVS IPv4 Address :
                TVS IPv6 Address :
                TVS Port : 0


HTH, please rate all useful posts and right answers.

Nishant Savalia Mon, 02/10/2014 - 05:28
User Badges:
  • Silver, 250 points or more

Thank you for the information. One more input is required from your side.

Please share the 7821 phone config file. You can get it as below:


tftp -i get SEP0000DEADBEEF.cnf.xml




Regards,
Nishant Savalia

armin.wagenfueh... Thu, 02/13/2014 - 11:57

Hello Nishant, I attach the config file. Have you had a chance to look at the fault?

Thanks Armin


HTH, please rate all useful posts and right answers.
