In my Lab I am setting up: 2x CUCM and 2 IMP servers (all 10.5 version)
The new IMP versions are part of the cluster, so each IMP server is a subscriber in CUCM (publisher)
I want to activate the services on the IMP server from the CUCM (Cisco Unified Serviceability: Tools/Service activation)
From the CUCM publisher I can activate the CUCM sub and the FIRST(!) IMP
When I use the drop down (Select Server) and select the second IMP server I get the error: "Connection to the Server cannot be established (Certificate Exception) "
Since this was a lab, I reinstalled everything from scratch, but the same result I can't connect from my CUCM pub to the second IMP
When I execute the comand "show network cluster" everything seems OK. Normally this error is with expired tomcat certificate, but this is a fresh install. the certificates are valid for 5 years!
Solved! Go to Solution.
Thank you, this seems to be the case.
But it is even weirder, after I posted this discussion, I configured on CUCM (Presence Redundancy Group) and added the second server. Then I had lunch and after I came back I can access the second IMP from the CUCM publisher. After reading the bug, it seems that there is an issue with sync of the databases. Especially this from the bug "But the output of utils dbreplication status shows the replicates are not in sync in various certificate related tables and replicationdynamic table" seems to be the issue.
In this case it finally worked, and the databases were synchronized.
I have this issue with CUCM 10.5.2 which looks like its not effected by this bug, 1 Pub + 4 Subs. Its not letting me add IM+P servers to the cluster either, im assuming it due to this issue (servers have been added to CUCM) but during the install fails to get passed the network connectivity validation.
I can ping the IMP server from CUCM.
I'm running into the same issue - Network Connectivity seems to loop but everything is okay (ip in server list, ping okay, DNS okay).
How did you solve this?
This bug is now internal-only on Bug Search and I can't see any fix for this.
Can anyone assist with troubleshooting steps for this? We have 2CUCM/2IMP servers. From either IMP server we cannot view the CUCM PUB from Serviceability.
I noted one the CUCM Publisher that there were 2 ipsec-trust certificates for the same node.... with different cases...
By this I mean:
I checked on the IM and P nodes, and these only had one of the certificates. On our CUCM SUB, this had both certificates, and was not having any problems.
I downloaded the ipsec-trust certificate from the PUB and uploaded this to both IM and P nodes, restarting Cisco Tomcat (not needed on the Publisher). This resolved the issue.
i just had this on a fresh build of 11.
The CUCM had no IMP related certs in it, and the IMP had no CUCM related certs.
I took the tomcat and ipsec certs from each, uploaded to the other and it worked. No tomcat restart necessary for me.
Absolutely correct carlnewton, this issue only happens when the tomcat certificates are missing on one server or both. In an ideal situation, subscriber server should have its own tomcat certificate along with the publisher certificate and vice versa. If the tomcat certificate are missing for the other server and if you connect to that sercer, the certificate exception will always appear.
Thanks for the confirmation. My post was more to highlight that I experienced this bug in version 11.0 (Even though its a 10.5 bug ID) for anyone who might stumble upon this thread running 11.0
In my case I noted that there had been a hostname case-sensitivity change, and the new ipsec-trust certificates had been propagated to the CUCM SUB, but not the IMP nodes.
I downloaded the new ipsec-trust certificate from the PUB and uploaded this to both IMP nodes, restarting the Cisco Tomcat services of the affected servers.
This resolved the issue.
Hi, I'm having this issue as well.
When I attempt to upload the missing Tomcat cert (PEM), the upload is denied with a red "X" stating "Self-signed certificate."
What am I doing wrong here?