
CUCM encryption issue on 1000+ phone count

Mortaza Rohani
Level 1

Hello,

I have enabled encryption with MIC on a customer's CUCM 11.5 cluster (1 publisher + 3 subscribers) and it seems there is some limitation when registered phones exceed 1k. About 990 phones work correctly in encrypted mode but the remaining 100 phones stay unregistered until the security profile is set to non-secure mode.

The unregistered phones consist of 7911, 7940, 7975, 6941, 6921 and 7821 phone types, and I have tested different firmware versions with no success.

Also, I guessed that it's something related to the boot load ID because most of the unregistered 7911s were on the tnp11.3-0-1-23.bin version, but that guess was later invalidated by the other phone types.

Does anyone have experience like this?

4 Replies

Jonathan Schulenberg
Hall of Fame

Are there any alarms generated (e.g. CodeYellow) or an obvious error in the CCM SDL log?

Also, have you run this through the sizing calculator to ensure you're within per-node limits?

https://cucst.cloudapps.cisco.com/landing

Any firewall or IPS in the way that could be dropping packets under load?

Thank you Mr Schulenberg,

1- Here are the errors which are logged when a non-secure phone profile is changed to secure.

15033615.006 |12:06:49.539 |AppInfo |//SIP/Stack/Info/0x0xdb32550/sipSPIUfreeOneCCB: Freeing ccb db32550
15033616.000 |12:06:49.558 |AppInfo |SdlSSLTCPListener::verify_cb pre-verified=1,cert verification errno=0,depth=2
15033617.000 |12:06:49.558 |AppInfo |SdlSSLTCPListener::verify_cb pre-verified=1,cert verification errno=0,depth=1
15033618.000 |12:06:49.558 |AppInfo |SdlSSLTCPListener::verify_cb pre-verified=0,cert verification errno=10,depth=0
15033619.000 |12:06:49.558 |AppInfo |[16, 100, 18, 574663]: HandleSSLError - Certificate verification failed:(Verification error:10)- certificate has expired for 172.16.27.28:52942
15033620.000 |12:06:49.558 |AppInfo |[16, 100, 18, 574663]: HandleSSLError - Certificate verification failed for 172.16.27.28:52942
15033621.000 |12:06:49.558 |AppInfo |[16, 100, 18, 574663]: HandleSSLError - Certificate verification failed:(Verification error:10)- certificate has expired for 172.16.27.28:52942
15033622.000 |12:06:49.558 |AppInfo |[16, 100, 18, 574663]: HandleSSLError - TLS protocol error(ssl reason code=internal error [68]),lib=SSL routines [20],fun=SSL_clear [164], errno=0 for 172.16.27.28:52942
15033623.000 |12:06:49.558 |AppInfo |[16, 100, 18, 574663]: HandleSSLError - TLS protocol error(ssl reason code=unknown state [255]),lib=SSL routines [20],fun=ssl3_accept [128], errno=0 for 172.16.27.28:52942
15033624.000 |12:06:49.559 |SdlSig-Q |SdlConnectionInd |handshakeErr |SdlSSLTCPConnection(16,100,18,574663) |SdlSSLTCPListener(16,100,16,1) |16,100,16,1.573597^*^* |*TraceFlagOverrode
15033624.001 |12:06:49.559 |Stopping | | |SdlSSLTCPConnection(16,100,18,574663) |SdlSSLTCPConnection(16,100,18,574663) | |NumOfCurrentInstances: 973
15033625.000 |12:06:49.578 |SdlSig |DbObjectCacheTimer |initialized |Db(16,100,211,1) |SdlTimerService(16,100,3,1) |16,100,148,1.1^*^* |[T:H-H:0,N:0,L:0,V:0,Z:0,D:0] AppCorr: 0

 

 

2- It seems the mentioned tool is a restricted tool. I'm logged out automatically when the page loads.

3- Yes, there are firewalls in the path, but there are many phones which are working encrypted while their neighboring phone in the same subnet does not register when encrypted.

Dear Experts!
Any resolution?

The below line indicates that the MIC on your phone has expired. Please note that a MIC is valid for 5 years only and cannot be renewed. I would recommend replacing the MIC by installing an LSC instead (CAPF section in device configuration).

 

   HandleSSLError - Certificate verification failed:(Verification error:10)- certificate has expired for 172.16.27.28:52942
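
A way to triage this kind of trace across many phones, as an added example that is not part of the original thread: it groups certificate verification failures by phone IP and reports the chain depth at which verification failed. The function name and the assumption that a failing verify_cb line directly precedes its HandleSSLError line are this example's own; the sample lines are copied from the trace posted above.

```python
import re
from collections import defaultdict

# OpenSSL X.509 verify codes (subset); 10 is the one seen in the thread.
X509_ERR = {9: "certificate is not yet valid", 10: "certificate has expired",
            18: "self-signed certificate", 20: "unable to get local issuer certificate"}
VERIFY_CB = re.compile(r"verify_cb pre-verified=(\d),cert verification errno=(\d+),depth=(\d+)")
SSL_ERR = re.compile(r"\[([\d, ]+)\]: HandleSSLError - Certificate verification failed:"
                     r"\(Verification error:(\d+)\).* for (\d+\.\d+\.\d+\.\d+):\d+")

# Lines copied from the trace posted in the thread.
SAMPLE = """\
15033616.000 |12:06:49.558 |AppInfo |SdlSSLTCPListener::verify_cb pre-verified=1,cert verification errno=0,depth=2
15033617.000 |12:06:49.558 |AppInfo |SdlSSLTCPListener::verify_cb pre-verified=1,cert verification errno=0,depth=1
15033618.000 |12:06:49.558 |AppInfo |SdlSSLTCPListener::verify_cb pre-verified=0,cert verification errno=10,depth=0
15033619.000 |12:06:49.558 |AppInfo |[16, 100, 18, 574663]: HandleSSLError - Certificate verification failed:(Verification error:10)- certificate has expired for 172.16.27.28:52942
15033620.000 |12:06:49.558 |AppInfo |[16, 100, 18, 574663]: HandleSSLError - Certificate verification failed for 172.16.27.28:52942
15033621.000 |12:06:49.558 |AppInfo |[16, 100, 18, 574663]: HandleSSLError - Certificate verification failed:(Verification error:10)- certificate has expired for 172.16.27.28:52942
""".splitlines()

def summarize_tls_failures(lines):
    """Return {peer_ip: {"errno", "reason", "depth", "connections"}}."""
    failures = defaultdict(lambda: {"depth": None, "connections": set()})
    last_failed = None  # (errno, depth) of the latest failing verify_cb line
    for line in lines:
        m = VERIFY_CB.search(line)
        if m:
            if m.group(1) == "0":
                last_failed = (int(m.group(2)), int(m.group(3)))
            continue
        m = SSL_ERR.search(line)
        if not m:
            continue
        conn, errno, ip = m.group(1), int(m.group(2)), m.group(3)
        entry = failures[ip]
        entry.update(errno=errno, reason=X509_ERR.get(errno, "unknown"))
        # Assumption: the failing verify_cb line directly precedes its error line.
        # depth 0 = the phone's own certificate, depth >= 1 = an issuing CA.
        if last_failed and last_failed[0] == errno:
            entry["depth"] = last_failed[1]
        entry["connections"].add(conn)  # repeated lines of one handshake count once
    return {ip: {**e, "connections": len(e["connections"])} for ip, e in failures.items()}

if __name__ == "__main__":
    for ip, info in summarize_tls_failures(SAMPLE).items():
        print(ip, info)
```

On the posted trace this reports errno 10 at depth 0 for 172.16.27.28: both CA levels (depth 2 and 1) verified, and the certificate presented by the phone itself is the one that failed.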

 

 
