CME SCCP phone encryption - phones not registering

felipecarneiro
Level 1

Hello, I'm trying to configure phone encryption on CME 8.6 but the phones do not get registered.

I've tried the following guides, both without success:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-voice/956-cisco-voice-cme-secure-voip.html

https://www.nsa.gov/ia/_files/voip/cucme_securityguidancedocument.pdf

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeadm/cmeauth.html

On the 7965/7962 phones, under Settings >> Security Configuration >> Trust List, the CTL File is installed (including TFTP Server, Unified CM and CAPF Server certificates), but the ITL File is Not Installed.

The phone remains Registering while debug ephone register shows these errors:

May 1 03:52:14.015: New Skinny socket accepted [2] from 1, sub 1 (1 active)
May 1 03:52:14.015: sin_family 2, sin_port 50484, in_addr 10.0.0.11
May 1 03:52:14.019: add_skinny_secure_socket: pid =394, new_sock=0, ip address = 10.0.0.11
May 1 03:52:14.019: skinny_secure_handshake: pid =394, sock=0, args->pid=394, ip address = 10.0.0.11
May 1 03:52:14.023: Start TLS Handshake 0 10.0.0.11 50484
May 1 03:52:14.027: TLS Handshake retcode OPSSLReadWouldBlockErr
May 1 03:52:15.027: TLS Handshake retcode OPSSLReadWouldBlockErr
May 1 03:52:16.027: TLS Handshake retcode OPSSLReadWouldBlockErr
May 1 03:52:17.035: TLS Handshake error -6992
May 1 03:52:17.035: TLS context configuration FAILED for 0 10.10.10.11 5048

dmitrinik
Level 1

Hello. Have you found a workaround for this issue?

Thank you.

Not yet, still trying to find a solution...

salmandhunna1
Level 1

If the phone ports have ISE configs, that can create an issue.

Also, you can check whether the DHCP network mask is correct or not.

You also need to check the source-address in telephony-service.

Hi salmandhunna1, thanks for your reply!

The dhcp network mask and telephony-service ip source-address are correct.

How can I check if the phone port has ISE configs?

Hi, you need the network team to check the ISE configs on the port, or you can run show run interface ....phone port..... to check whether it has dot1x configs.

Otherwise, you can contact the security team so that they can add the port to the ISE config.

If the phone port has dot1x config, remove it and just assign the voice and access VLANs; once the phones register, you can paste the dot1x configs back in.
