I have been trying to apply this to our cluster consisting of 4 call managers
10.15.1.1 … Publisher and also the tftp ( our current homeworkers using a vpn tunnel setup, point back to this address ).
10.15.1.2 … Sub ( tftp disabled )
10.73.1.1 … Sub ( tftp disabled )
10.73.1.2 … Sub ( tftp disabled )
Upon registration, our phones eventually register against one of the Subs based on the CM group configured in CUCM.
Our ASA has the default 2x Phone Proxy Sessions licenses installed.. ( We know that we will have to purchase more licenses once we have proved that this works how we want it to! )
Can anyone with a similar Call Manager cluster setup please clarify the following for me please..
1/ As we only have the one tftp server in our cluster, do we still only require 2x public facing addresses ? .. One for the tftp address ( which gets translated to 10.15.1.1 ) and one for the MTA
2/ I've currently only got the one phoneproxy_trustpoint configured, which is associated against the Publisher in the CTL file section of ASDM ( of type… tftp-cucm )
Do I need to create further phoneproxy_trustpoints for the other Call Managers and associate each of them against a new CTL file ( type .. cucm )?
3/ For the moment, I am only testing with a 7965 phone which has a MIC installed.. I have downloaded the following certificates off the PUBLISHER and installed on the ASA and created trustpoints.
Will I need to download the equivalent certificates off the Subs and install them on the ASA also?
At present, I am seeing the tftp requests from a remote phone hitting our firewall on the external tftp address… It is getting translated to the internal address, 10.15.223.10 but nothing else is happening after..
The phone display is showing as trying to register but looking in Status Message it says..
No Trust List Installed
TFTP Time out SEPxxxxxxxx.cnf.xml
As the CTL is not installing onto the remote phone, do I need to revisit my CTL file and trustpoints created on the ASA ?
I am not an expert ( yet ) on the phone proxy side but I do have some experience on this:
So hope this helps:
Media Termination Address
The Media Termination Address is an address that the firewall uses to perform the phone proxy function. It is a special address that is used to terminate secure media streams to and from remote phones. This address needs to be a unique, publicly routeable address on the outside of the firewall, and must adhere to the following guidelines:
It must not be the same as any global address for any translation on the firewall
It must be a different address than the outside interface address of the firewall (or any other firewall interface)
It must reside in the same ip subnet as the outside interface of the firewall
No other device on the outside subnet can also be assigned this IP address
So your answer is YES, got to be a different one
2- I would say yes, if not the communication between them will not be valid as the authentication will not be valid.
3-Now regarding the registration issues the following will help you:
Thank you for your reply.. I had already read through the sample documents you have provided prior to posting and although they mention other CMs in a cluster briefly, I felt they did not clear up my first two queries..
In regards to your answers to my questions..
1/ Sorry, I probably wasn't being very clear.. I am aware that I require 2 different public facing IPs for the tftp and MTA.. My query was whether I required further public IPs for the other CMs in the cluster even though they do not have the tftp service enabled.
Upon successful tftp download of its config file from the PUB, our phones will primarily register against one of the SUBs. So will the phone know how to reach the other SUBs even though they are not defined on the ASA, or is that where the trustpoints to the other CMs in the cluster come into play ?..
I would be interested to know how this has been set up in your CUCM cluster environment ?
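The Media Termination Address guidelines listed in the reply above can be checked mechanically before an address is committed to the ASA configuration. The following is an added example, not part of the thread or of any Cisco tool; the function name `check_mta` and every 203.0.113.x / 198.51.100.x address are constructed (documentation ranges) and stand in for real public addresses.

```python
import ipaddress

def check_mta(mta, outside_if, nat_globals=(), other_ifs=(), outside_hosts=()):
    """Return guideline violations for a candidate MTA; an empty list means OK.

    mta           candidate Media Termination Address
    outside_if    outside interface as "address/prefix"
    nat_globals   global addresses already used by translations on the firewall
    other_ifs     addresses of the firewall's other interfaces
    outside_hosts addresses known to belong to other devices on the outside subnet
    Public routability is not checked here.
    """
    addr = ipaddress.ip_address(mta)
    outside = ipaddress.ip_interface(outside_if)
    as_set = lambda items: {ipaddress.ip_address(i) for i in items}
    problems = []
    if addr in as_set(nat_globals):
        problems.append("matches a global address of an existing translation")
    if addr == outside.ip or addr in as_set(other_ifs):
        problems.append("matches a firewall interface address")
    if addr not in outside.network:
        problems.append("outside the subnet of the outside interface")
    if addr in as_set(outside_hosts):
        problems.append("already assigned to another outside device")
    return problems

# Constructed sample values (documentation address ranges).
OUTSIDE_IF = "203.0.113.2/24"
TFTP_GLOBAL = "203.0.113.10"   # assumed global address translated to 10.15.1.1
GATEWAY = "203.0.113.1"        # assumed upstream router on the outside subnet

if __name__ == "__main__":
    for candidate in ("203.0.113.11", TFTP_GLOBAL, "203.0.113.2",
                      "198.51.100.5", GATEWAY):
        issues = check_mta(candidate, OUTSIDE_IF, [TFTP_GLOBAL],
                           outside_hosts=[GATEWAY])
        print(candidate, "->", "; ".join(issues) or "meets the guidelines")
```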