
New Member

Personal Directory not working

I am facing a very interesting problem where only the Personal Directory is not working, while the corporate one is working without any issue. I am running a cluster with 7 servers running 8.6.2.22900-9.

When users on a 7962 with firmware "SCCP42.9-2-3S" press Directory and then choose Personal Directory, they get the message "Host not Found".

I checked the console logs on the phones and I was able to see the below error related to SSL/TLS Failure


3262: ERR 14:46:19.653594 SECD: Authentication failed for the HTTPS conn via TVS

3263: NOT 14:46:19.654235 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED ** <172.16.4.11>

3264: ERR 14:46:19.655574 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:<172.16.4.11>

3265: ERR 14:46:19.656556 SECD: EROR:clpSetupSsl: ** SSL handshake failed, <172.16.4.11> c:14 s:11

3266: ERR 14:46:19.657395 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, <172.16.4.11> c:14 s:11

3267: ERR 14:46:19.658034 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, <172.16.4.11> c:14 s:11

3268: ERR 14:46:19.658811 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr<172.16.4.11>

3269: ERR 14:46:19.659448 SECD: EROR:secErr_errStr:  *** bad err table ***

3270: ERR 14:46:19.660295 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)

3271: ERR 14:46:19.660905 SECD: EROR:clpSndStatus: ** SEC-ERR: desc <HTTPS cert failed auth via TVS>

3272: ERR 14:46:19.671295 JVM: Entering StcpOpenActiveSSL

3273: ERR 14:46:19.671885 JVM: Attempting HTTPS connect to 172.16.4.11

3274: ERR 14:46:19.674655 JVM: TLS connect pending

3275: ERR 14:46:19.675400 JVM: Leaving StcpOpenActiveSSL

3276: INF 14:46:19.680656 no buffer to recve, force EHOSTDOWN

3277: NOT 14:46:19.682685 SECD: clpDelClnt: closing conn to <172.16.4.11>, c:14, s:11

3278: NOT 14:46:19.684203 SECD: clpDelClnt: Closing the local socket now

I checked and I found that this problem is related to something in the authentication between the CUCM and the endpoint, so I did the steps below:

1-deleting the ITL File from the Phone

2-restarting the TVS service on all servers

3-restarting TFTP service

4-resetting the phones

All of the above did not solve the problem. Then I verified the ITL file on all servers and I got:

The ITL file was verified successfully.

Did anyone see a problem like this before?

I am attaching the console logs of the phone. By the way, there is no FW between the IP phone and the CUCM servers, and services running under HTTP are OK;

the issue is only with HTTPS.

12 REPLIES
New Member

Re: Personal Directory not working

Any ideas ?


Re: Personal Directory not working

Hi,

Have you done any upgrade or migration of phones from one cluster to another?

Since when have you been facing this issue?

What other modifications have been done to the cluster?

The attached log says that "Authentication Failure with TVS"

3243: NOT 14:46:19.587520 SECD: initiateTvsCertAuth: Successfully sent the certificate Authentication request to TVS server, bytes written : 969

3244: NOT 14:46:19.588212 SECD: initiateTvsCertAuth: Done sending Certificate Validation request

3245: NOT 14:46:19.589055 SECD: sendTvsClientReqToSrvr: Authenticate Certificate : request sent to TVS server - waiting for response

3246: NOT 14:46:19.591852 SECD: clpTvsInit: Pending client connection at index: 0 - not closing TVS server socket

3247: NOT 14:46:19.634015 SECD: clpTvsInit: select returned the TVS proxy server socket, fd : 15

3248: NOT 14:46:19.635013 SECD: clpTvsInit: Pending client connection at index: 0 - not closing TVS server socket

3249: NOT 14:46:19.635701 SECD: clpTvsInit: select returned the TVS proxy server socket, fd : 15

3250: NOT 14:46:19.636782 SECD: processTvsSrvrResponse: Success reading the message from the TVS server, len : 14

3251: NOT 14:46:19.637782 SECD: tvsDecodeSrvrResponse: messageType : 2, requestid : 1011, messageLen : 4

3252: NOT 14:46:19.638407 SECD: tvsDecodeSrvrResponse: status : 1, certLen : 0

3253: NOT 14:46:19.639247 SECD: processTvsSrvrResponse: Corresponding client addr for request Id: <1011> is:

3254: NOT 14:46:19.639887 SECD: processTvsSrvrResponse: Authentication Response received, status : 1

3255: ERR 14:46:19.641002 SECD: EROR:processTvsSrvrResponse: Authentication Response received with status failure

The possible reason could be that the phones with their ITL files are not in sync with certificates used by the TFTP/TVS servers.

Please refer to the link below for a clear idea of the failure.

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html

Regards,
Nishant Savalia

New Member

Re: Personal Directory not working

Thanks for your reply.
No, we did not do any migration recently; the last migration was done 6 months ago and the problem appeared just in the last month.

We had a problem like this before during the migration, but we managed to solve it.

I do not know why the phones and the CUCM are losing the certificate sync.

I also tried to regenerate the certificate from the servers and resync the ITL, but it did not help.

My next action will be to change the Call Manager group; maybe the phones are trying to authenticate with a server which has a corrupted certificate.



Re: Personal Directory not working

Hi,

How did you manage to solve the same issue before migration?

Which certificates have you regenerated till now?

You can try changing the CUCM group, but the certificate will be the same on all the servers, so you might end up at the same place again.

Try to capture a Wireshark trace for a single phone from the beginning (i.e. perform a factory reset and capture until the directory option) and share it with us.

Regards,
Nishant Savalia

New Member

Re: Personal Directory not working

It was solved by erasing the ITL and restarting the TVS and TFTP services.

I will try to regenerate the certificates again (tomcat trust and tvs), then restart the services, then check again.

I will leave the packet capture as the last choice in my troubleshooting.


Re: Personal Directory not working

I think generating the Tomcat certificate will help you. But do capture logs even after generating the Tomcat certificate.

Regards,
Nishant Savalia

New Member

Re: Personal Directory not working

I checked the logs again and I found that the phone established a TLS connection to the TVS server on port 2445.

This connection is established successfully, then the phone sends an authentication certificate request to the TVS server and waits for the response.

The server sends back the authentication response, but this time the authentication response is received with failure.

This is the first step in establishing an HTTPS connection to the personal directories, and it is failing.

It did not continue to verify the HTTPS via tomcat to directories


New Member

Re: Personal Directory not working

I checked the issue today and I noticed that if I change the server to which the phones are registering, everything works fine.

I am attaching the logs for both a working and a non-working scenario.

The issue is that 172.16.4.11 is not authenticating the IP phone, for some reason I do not know.

I have the traces of the TVS service of this server and I found something interesting:

1:10:27.014 |<--debug

01:10:27.014 |-->CDefaultCertificateReader::GetIssuerName

01:10:27.014 |   CDefaultCertificateReader::GetIssuerName got issuer name

01:10:27.014 |<--CDefaultCertificateReader::GetIssuerName

01:10:27.014 |-->debug

01:10:27.014 |   debug tvsGetIssuerNameFromX509 - issuerName : CN=LONCM-SUB;OU=SITA;O=SITA;L=UK;ST=London;C=GB and Length: 47

01:10:27.014 |<--debug

01:10:27.014 |-->CDefaultCertificateReader::GetSerialNumber

01:10:27.014 |   CDefaultCertificateReader::GetSerialNumber got serial number

01:10:27.014 |   CDefaultCertificateReader::GetSerialNumber LenSerialNumber = 18

01:10:27.014 |   CDefaultCertificateReader::GetSerialNumber Serial Number type = 2

01:10:27.014 |<--CDefaultCertificateReader::GetSerialNumber

01:10:27.014 |-->debug

01:10:27.014 |   debug tvsGetSerialNumberFromX509 - ret : 0

01:10:27.014 |<--debug

01:10:27.014 |-->debug

01:10:27.014 |   debug tvsGetSerialNumberFromX509 - serialNumber : 60016AD30B0C0232C875FCC3B9D9CF07 and Length: 16

01:10:27.014 |<--debug

01:10:27.014 |-->debug

01:10:27.014 |   debug CertificateDBCache::getCertificateInformation - Looking up the certificate cache using Unique MAP ID : 60016AD30B0C0232C875FCC3B9D9CF07CN=LONCM-SUB;OU=SITA;O=SITA;L=UK;ST=London;C=GB

01:10:27.014 |<--debug

01:10:27.014 |-->debug

01:10:27.014 |   debug ERROR:CertificateDBCache::getCertificateInformation - Cannot find the certificate in the cache

01:10:27.014 |<--debug

I do not know how this certificate is not cached, because it is this server's certificate.

I do not know why this server is not able to authenticate the phones via TVS

New Member

Re: Personal Directory not working

as per the below link

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html

Remember that the connection to TVS itself is SSL/TLS (secure HTTP, or HTTPS), so it is also a certificate that needs to be authenticated against the CTL or ITL.

Can someone tell me which certificate here needs to be authenticated against the CTL or ITL?

This is the problem I am facing. I can see the connection to the TVS via SSL is successful:

6488: NOT 10:39:44.774632 SECD: checkTvsSrvrConn: Successfully obtained a TLS connection to the TVS server

6489: NOT 10:39:44.775573 SECD: tvsBldMsg: The request id in the TVS request sent out is 1025

6490: NOT 10:39:44.776441 SECD: initiateTvsCertAuth: Successfully sent the certificate Authentication request to TVS server, bytes written : 969

6491: NOT 10:39:44.777281 SECD: initiateTvsCertAuth: Done sending Certificate Validation request "Which Certificate ?"


6492: NOT 10:39:44.778172 SECD: sendTvsClientReqToSrvr: Authenticate Certificate : request sent to TVS server - waiting for response

6493: NOT 10:39:44.779805 SECD: clpTvsInit: Pending client connection at index: 0 - not closing TVS server socket

6494: NOT 10:39:44.821799 SECD: clpTvsInit: select returned the TVS proxy server socket, fd : 15

6495: NOT 10:39:44.822490 SECD: clpTvsInit: Pending client connection at index: 0 - not closing TVS server socket

6496: NOT 10:39:44.823353 SECD: clpTvsInit: select returned the TVS proxy server socket, fd : 15

6497: NOT 10:39:44.824406 SECD: processTvsSrvrResponse: Success reading the message from the TVS server, len : 14

6498: NOT 10:39:44.825158 SECD: tvsDecodeSrvrResponse: messageType : 2, requestid : 1025, messageLen : 4

6499: NOT 10:39:44.825970 SECD: tvsDecodeSrvrResponse: status : 1, certLen : 0

6500: NOT 10:39:44.826601 SECD: processTvsSrvrResponse: Corresponding client addr for request Id: <1025> is:

6501: NOT 10:39:44.827391 SECD: processTvsSrvrResponse: Authentication Response received, status : 1

6502: ERR 10:39:44.828034 SECD: EROR:processTvsSrvrResponse: Authentication Response received with status failure

thanks

New Member

Re: Personal Directory not working

Is this the Tomcat certificate?

Because I can see in the logs that the TVS cert is verified:

6680: NOT 10:39:45.496346 SECD: tvs_cert_vfy: TVS cert verified with hash from TL, <172.16.4.11>

The next phase is the phone asking the TVS to authenticate the HTTPS certificate, and this fails as per below:

6703: NOT 10:39:45.672834 SECD: tvsDecodeSrvrResponse: status : 1, certLen : 0

As per the document, it should be status : 0 if the HTTPS certificate is authenticated:

1264: NOT 15:20:59.789738 SECD: sendTvsClientReqToSrvr: Authenticate Certificate : request sent to TVS server - waiting for response

1273: NOT 15:20:59.825648 SECD: processTvsSrvrResponse: Authentication Response received, status : 0
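
The request-to-verdict pairing discussed in the posts above, as an added example that is not part of the thread and not Cisco tooling: it reads phone console log lines in the SECD format quoted here, matches each TVS request id to its returned status, and attaches the server named in the following "srvr cert verify FAILED" line. The sample log, its request ids and the 192.0.2.11 address are constructed, and treating any nonzero status as a rejection is an assumption based on the status : 0 and status : 1 lines quoted in the thread.

```python
import re

# Constructed sample in the format of the phone console logs quoted in this
# thread; request ids and the 192.0.2.11 address are made up.
SAMPLE = """\
100: NOT 10:00:00.100000 SECD: tvsBldMsg: The request id in the TVS request sent out is 2001
101: NOT 10:00:00.150000 SECD: tvsDecodeSrvrResponse: messageType : 2, requestid : 2001, messageLen : 4
102: NOT 10:00:00.151000 SECD: tvsDecodeSrvrResponse: status : 0, certLen : 0
200: NOT 10:05:00.100000 SECD: tvsBldMsg: The request id in the TVS request sent out is 2002
201: NOT 10:05:00.150000 SECD: tvsDecodeSrvrResponse: messageType : 2, requestid : 2002, messageLen : 4
202: NOT 10:05:00.151000 SECD: tvsDecodeSrvrResponse: status : 1, certLen : 0
203: NOT 10:05:00.160000 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED ** <192.0.2.11>
300: NOT 10:09:00.100000 SECD: tvsBldMsg: The request id in the TVS request sent out is 2003
"""

LINE = re.compile(r"^\s*\d+:\s+[A-Z]{3}\s+(\d\d:\d\d:\d\d\.\d+)\s+SECD:\s+(.*)$")
SENT = re.compile(r"request id in the TVS request sent out is (\d+)")
REPLY = re.compile(r"tvsDecodeSrvrResponse: .*requestid : (\d+)")
STATUS = re.compile(r"tvsDecodeSrvrResponse: status : (\d+)")
VFY_FAIL = re.compile(r"srvr cert verify FAILED \*\* <([^>]+)>")

def tvs_verdicts(log_text):
    """One record per TVS certificate-authentication request found in the log."""
    reqs = {}                    # request id -> record, in order of first sight
    current = rejected = None    # reply being decoded / last rejected request
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue             # blank lines, JVM lines, anything not from SECD
        stamp, msg = m.groups()
        if s := SENT.search(msg):
            reqs[s[1]] = {"id": int(s[1]), "sent": stamp, "status": None, "host": None}
        elif r := REPLY.search(msg):
            current = reqs.setdefault(   # reply whose request predates the capture
                r[1], {"id": int(r[1]), "sent": None, "status": None, "host": None})
        elif (st := STATUS.search(msg)) and current:
            current["status"] = int(st[1])
            # Assumption from the thread: 0 = authenticated, nonzero = failure.
            rejected = current if current["status"] != 0 else None
            current = None
        elif (v := VFY_FAIL.search(msg)) and rejected:
            rejected["host"] = v[1]   # HTTPS server whose certificate TVS refused
            rejected = None
    return list(reqs.values())

def rejected_hosts(log_text):
    """Servers whose HTTPS certificate TVS would not vouch for, with request ids."""
    return sorted((v["host"], v["id"]) for v in tvs_verdicts(log_text)
                  if v["status"] not in (None, 0) and v["host"])
```

A request left with status None was sent but never answered within the capture, which points at reachability of the TVS service rather than at a certificate TVS refused.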

Re: Personal Directory not working

Hi Moataz,

Can you try generating the TVS certificate for the server for which you are not able to access the secure directory? (I think it's 172.16.4.11)

You can follow the procedure below:

1). Regenerate the TVS certificate.

  • Navigate to Security > Certificate Management. The Certificate List window displays.

  • Click Generate New. The Generate Certificate dialog box opens.

  • Choose a certificate name from the Certificate Name list: select TVS.

  • Click Generate New.

2). Restart the TFTP service on the servers on which it is currently running.

3). Reset the Phone.

Regards,
Nishant Savalia

New Member

Re: Personal Directory not working

I did it before but it did not help

