Trust List 8.5 BE to 9.1

lambay2000
Level 2

Dears

Currently we are running in 8.5 BE. I installed fresh 9.1 and exported all phones from 8.5 to 9.1 successfully. After rebooting the phones they are registering successfully to 9.1 but they are pulling the new load file of 9.1 they are still on old load file of 8.5 BE. When I delete the trust list file from the phone and they reset, they successfully upgrade to the new load of 9.1.

But it is not possible for me to go manually and delete the trust list file for 400 phones, so how can I achieve the task in bulk?

17 Replies

Manish Gogna
Cisco Employee

Hi,

You can use Phoneview to delete ITL files in bulk

https://supportforums.cisco.com/docs/DOC-23501

HTH

Manish

Terry Cheema
VIP Alumni

This is a very big caveat when you are migrating phones between secure clusters. There are workarounds before you migrate that avoid this, but no easy option after you encounter this issue.

There is no way to delete ITL files remotely and in bulk; either use PhoneView from UnifiedFX as suggested by Manish - it's not free, you need to buy this product.

Apart from that, one other option you can try first is to open a TAC case, though I have not personally used it - I came across this post a few days back on the voip list - that TAC has a tool which can help you in deleting these ITL files. Again, not sure, never tried it, but worth checking as you are now stuck.

Reference:
http://www.gossamer-threads.com/lists/cisco/voip/176548?page=last
----------
If you get into problems with rolling back TAC have a tool they will
send you which will erase ITL config on a handset list.
I have had to use this in the past with good results.
----------

-Terry

Stephen Welsh
Level 4

Hi,

It is worth noting that PhoneView does a lot more than just delete ITL files, so you do get additional value as it reduces risk and simplifies other elements of upgrading CUCM.

One key unique feature to PhoneView is the ability to detect ITL Issues and generate a Cluster Health Report, ideal to use before, during and after an upgrade to make sure everything is in order.

Also,

With the release of PhoneView Version 4.0 on the 30th January it is now up to 100 times faster than any other product/tool. So for larger estates with 10,000+ phones it takes minutes to resolve any ITL issues instead of days.

There is a launch event for PhoneView Version 4.0, register here to find out more:

http://events.unifiedfx.com

Thanks

Stephen Welsh

If you still have both the 8.5 and 9.1 servers available, go to the OS Administration page on the 9.1 cluster and download the callmanager.pem certificate. Then go to the OS Administration page on the 8.5 cluster and upload the Phone-SAST-Trust certificate as a Phone-SAST-Trust certificate. When you reset the phones on the 9.1 side they will download the 9.1 TFTP information and fail to authenticate it, so the phone looks at its old (8.5) list of Trust Verification Servers (TVS) and will connect to it. As long as the 8.5 server has the System Administrator Security Token (SAST) from 9.1 which you just put in place, the phone will trust the 9.1 TFTP configuration and update properly. The ITL will also be updated during this process to the 9.1 cluster. After all phones have been reset you can then take the 8.5 cluster offline.

*Correction in bold

Manish Gogna
Cisco Employee

Nice info Joe.

Manish

Dear Joe,

How can I have 9.1 and 8.5 together in the network, as they both exist with the same IP address? Either of them has to be out of the network.

If i am wrong please correct me.

You are correct that you cannot have both in the same network or online at the same time in that case.  I didn't see that in the initial description that both servers have the same IP address.

In this case, you have only below options:

1) TAC Case: As said in my OP - either open a case with TAC, confirm if they have anything to help you (I had been in a similar situation ~ 3 years back, TAC was of no help, not sure now if they have a tool or a strategy to deal with this)

2) Phone View: Try and buy the Unified FX tool - for which you can contact them or Stephen Welsh for more information (I am sure Stephen can provide you with a demo license)

3) Manually delete ITL files: You can create a set of instructions and pass them on to users or any field support personnel.

This again has another caveat - this will only work if users have phone settings access enabled. If phone settings access is restricted or disabled then the only workaround is a phone factory reset.

I hope it's helpful to you; this is the lesson I have learned the hard way.

-Terry

Dear Terry,

As per your reply above,

This is very big caveat when you are migrating phones between secure clusters. There are work arounds before you migrate that avoid this but no easy option after you encounter this issue.

What workaround should be done before migration to avoid this type of situation? I have many migration projects in the pipeline, so I will be cautious for such types of scenarios.

Hi,

You can refer to the following link for migrations between clusters.

https://supportforums.cisco.com/docs/DOC-15799

HTH

Manish

The document Manish has referenced discusses all the options.

If you are keeping the IP address the same for the new cluster and both clusters cannot be online at the same time, use the Rollback option. As said before, this will only work if it's done before migration is attempted. Please do the following in the same order (refer to the document in the link below for details).

1) From the CUCM Enterprise params, set the Prepare Cluster for Rollback to pre-8.0 enterprise parameter to True

2) Restart the TVS service and then TFTP service

3) Reset phones: upon boot they will get an empty ITL file. Your cluster will be ready for migration.

Reference:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_5_1/secugd/secusbd.html#wp1092162

Another thing I would recommend is doing this just before migration, because once you set this rollback parameter to true all your phone services using https will stop working. Call processing etc. will not be affected. If you have to do this the weekend before or way before the actual migration, the workaround is to change the secure URLs from https to http in enterprise parameters.

-Terry

Thanks to all who provided precious information.

Dears

I have an old cluster still with me but it is out of the network. I was just reading about the rollback feature, but I am a little confused.

Can anybody elaborate more on the rollback feature steps to be taken to avoid such a situation?

The rollback feature, when set to true, pushes an empty ITL file to the phone, which means the phone will not verify signatures. It's needed only when you are migrating phones between secure clusters.

What's confusing you?

-Terry
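
As an added illustration (not code from the thread or from Cisco), the following simplified Python model walks through the phone-side trust decision discussed in the replies above: uploading the new cluster's certificate to the old cluster versus preparing for rollback with an empty ITL. The class names, certificate labels and decision order are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Cluster:                       # hypothetical stand-in for a CUCM cluster
    signer: str                      # label for the cert that signs its TFTP files
    tvs_trust: set = field(default_factory=set)  # extra certs its TVS vouches for
    online: bool = True

    def tvs_vouches_for(self, cert: str) -> bool:
        return self.online and (cert == self.signer or cert in self.tvs_trust)

@dataclass
class Phone:
    itl: set                         # signer certs listed in the installed ITL
    tvs: Optional[Cluster] = None    # TVS the installed ITL points at

    def migrate(self, new: Cluster) -> str:
        """Try to take config from `new`; return the reason for the outcome."""
        if not self.itl:
            reason = "accepted: empty ITL, signature not verified"
        elif new.signer in self.itl:
            reason = "accepted: signer already in ITL"
        elif self.tvs is not None and self.tvs.tvs_vouches_for(new.signer):
            reason = "accepted: old TVS vouched for signer"
        else:
            return "rejected: unknown signer, no TVS vouches for it"
        self.itl, self.tvs = {new.signer}, new   # phone now holds the new ITL
        return reason

def run_scenarios() -> dict:
    """Constructed scenarios; certificate labels are placeholders."""
    new = Cluster("cert-9.1")
    out = {}
    # No preparation; old cluster offline (same IP address as the new one).
    old = Cluster("cert-8.5", online=False)
    out["unprepared"] = Phone({"cert-8.5"}, old).migrate(new)
    # New cluster's cert uploaded to the old cluster, both reachable.
    old = Cluster("cert-8.5", tvs_trust={"cert-9.1"})
    out["cert_uploaded"] = Phone({"cert-8.5"}, old).migrate(new)
    # Same upload, but the old cluster is offline during the phone reset.
    old = Cluster("cert-8.5", tvs_trust={"cert-9.1"}, online=False)
    out["cert_uploaded_old_offline"] = Phone({"cert-8.5"}, old).migrate(new)
    # Rollback parameter was set before migration: phone holds an empty ITL.
    out["rollback"] = Phone(set(), None).migrate(new)
    # An empty ITL accepts any signer's files, not only the new cluster's.
    out["rollback_other_signer"] = Phone(set(), None).migrate(Cluster("cert-unknown"))
    return out

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28} {outcome}")
```
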
