New Member

Trust List 8.5 BE to 9.1

Dears

Currently we are running 8.5 BE. I installed a fresh 9.1 and exported all phones from 8.5 to 9.1 successfully. After rebooting the phones they are registering successfully to 9.1 but they are pulling the new load file of 9.1 they are still on old load file of 8.5 BE. When I delete the trust list file from a phone and it resets, it successfully upgrades to the new load of 9.1.

But it is not possible for me to go manually and delete the trust list file for 400 phones, so how can I achieve the task in bulk?

17 REPLIES

Trust List 8.5 BE to 9.1

Hi,

You can use PhoneView to delete ITL files in bulk.

https://supportforums.cisco.com/docs/DOC-23501

HTH

Manish

Re: Trust List 8.5 BE to 9.1

This is a very big caveat when you are migrating phones between secure clusters. There are workarounds before you migrate that avoid this but no easy option after you encounter this issue.

There is no way to remotely delete ITL files, and in bulk; either use PhoneView from Unified FX as suggested by Manish - it's not free, you need to buy this product.

Apart from that, one other option you can try first is to open a TAC case, though I have not personally used it - I came across this post a few days back on the voip list - that TAC has a tool which can help you in deleting these ITL files. Again not sure, never tried it, but worth checking as you are now stuck.

Reference:
http://www.gossamer-threads.com/lists/cisco/voip/176548?page=last
----------
If you get into problems with rolling back TAC have a tool they will
send you which will erase ITL config on a handset list.
I have had to use this in the past with good results.
----------

-Terry
Sent from Cisco Technical Support iPhone App

Trust List 8.5 BE to 9.1

Hi,

It is worth noting that PhoneView does a lot more than just delete ITL files, so you do get additional value as it reduces risk and simplifies other elements of upgrading CUCM.

One key unique feature to PhoneView is the ability to detect ITL Issues and generate a Cluster Health Report, ideal to use before, during and after an upgrade to make sure everything is in order.

Also,

With the release of PhoneView Version 4.0 on the 30th January it is now up to 100 times faster than any other product/tool. So for larger estates with 10,000+ phones it takes minutes to resolve any ITL issues instead of days.

There is a launch event for PhoneView Version 4.0, register here to find out more:

http://events.unifiedfx.com

Thanks

Stephen Welsh

Cisco Employee

Re: Trust List 8.5 BE to 9.1

If you still have both the 8.5 and 9.1 servers available, go to the OS Administration page on the 9.1 cluster and download the callmanager.pem certificate.  Then go to the OS Administration page on the 8.5 cluster and upload the Phone-SAST-Trust certificate as a Phone-SAST-Trust certificate.  When you reset the phones on the 9.1 side they will download the 9.1 TFTP information and fail to authenticate it, so the phone looks at its old (8.5) list of Trust Verification Servers (TVS) and will connect to it.  As long as the 8.5 server has the System Administrator Security Token (SAST) from 9.1 which you just put in place, the phone will trust the 9.1 TFTP configuration and update properly.  The ITL will also be updated during this process to the 9.1 cluster.  After all phones have been reset you can then take the 8.5 cluster offline.

*Correction in bold

Trust List 8.5 BE to 9.1

Nice info Joe.

Manish

New Member

Re: Trust List 8.5 BE to 9.1

Dear Joe,

How can I have 9.1 and 8.5 together in the network, as they both exist with the same IP address? Either of them has to be out of the network.

If I am wrong please correct me.

Cisco Employee

Re: Trust List 8.5 BE to 9.1

You are correct that you cannot have both in the same network or online at the same time in that case.  I didn't see that in the initial description that both servers have the same IP address.

Re: Trust List 8.5 BE to 9.1

In this case, you have only below options:

1) TAC Case: As said in my OP - either open a case with TAC, confirm if they have anything to help you (I had been in a similar situation ~ 3 years back, TAC was of no help, not sure now if they have a tool or a strategy to deal with this)

2) PhoneView: Try and buy the Unified FX tool - you can contact them or Stephen Welsh for more information (I am sure Stephen can provide you with a demo license)

3) Manually delete ITL files: You can create a set of instructions and pass them on to users or any field support personnel.

This again has another caveat - this will only work if users have phone settings access enabled. If phone settings access is restricted or disabled then the only workaround is a phone factory reset.

I hope it's helpful to you, this is the lesson I have learned the hard way.

-Terry

New Member

Re: Trust List 8.5 BE to 9.1

Dear Terry,

As per your reply above,

This is very big caveat when you are migrating phones between secure clusters. There are work arounds before you migrate that avoid this but no easy option after you encounter this issue.

What workaround should be done before migration to avoid this type of situation? I have many migration projects in the pipeline, so I will be cautious for such types of scenarios.

Re: Trust List 8.5 BE to 9.1

Hi,

You can refer to the following link for migrations between clusters.

https://supportforums.cisco.com/docs/DOC-15799

HTH

Manish

Re: Trust List 8.5 BE to 9.1

The document Manish has referenced discusses all the options.

If you are keeping the IP address the same for the new cluster and both clusters cannot be online at the same time, use the Rollback option. As said before, this will only work if it's done before migration is attempted. Please do the following in the same order (refer to the document in the link below for details).

1) From the CUCM Enterprise params > set the Prepare Cluster for Rollback to pre-8.0 enterprise parameter to True

2) Restart the TVS service and then the TFTP service

3) Reset phones: upon boot they will get an empty ITL file. Your cluster will be ready for migration.

Reference:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_5_1/secugd/secusbd.html#wp1092162

Another thing I would recommend is doing this just before migration, because once you set this rollback parameter to true all your phone services using https will stop working. Call processing etc. will not be affected. If you have to do this the weekend before or way before the actual migration, the workaround is to change the secure URLs from https to http in enterprise parameters.

-Terry
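
The trust decisions described in this thread, as a simplified model (an added example, not part of any post and not Cisco code). The class, function and signer names are hypothetical, and the model covers only what the posts state: an ITL signer match, the fallback to the old cluster's TVS, and the empty ITL served in rollback mode.

```python
from dataclasses import dataclass, field

@dataclass
class Itl:
    signers: set = field(default_factory=set)   # empty set = empty ITL
    tvs: "Cluster | None" = None                # TVS the phone falls back to

@dataclass
class Cluster:
    name: str
    signer: str                                 # stand-in for the cert signing TFTP files
    online: bool = True
    sast_trust: set = field(default_factory=set)  # stand-in for Phone-SAST-trust store
    rollback: bool = False                      # "Prepare Cluster for Rollback to pre-8.0"

    def itl(self):
        # In rollback mode the cluster hands phones an empty ITL.
        return Itl() if self.rollback else Itl({self.signer}, self)

@dataclass
class Phone:
    itl: Itl

    def fetch_config(self, cluster):
        """Return how the phone treats a config file signed by `cluster`."""
        tvs = self.itl.tvs
        if not self.itl.signers:                # empty ITL: signatures not verified
            outcome = "accepted (no ITL)"
        elif cluster.signer in self.itl.signers:
            outcome = "accepted (ITL signer)"
        elif tvs and tvs.online and cluster.signer in tvs.sast_trust:
            outcome = "accepted (via old TVS)"
        else:
            return "rejected"                   # phone keeps its old ITL
        self.itl = cluster.itl()                # install the ITL this cluster serves
        return outcome

def migrate(prep):
    """Run one constructed migration from 8.5 to 9.1 with the given preparation."""
    old, new = Cluster("8.5", "old-signer"), Cluster("9.1", "new-signer")
    phone = Phone(old.itl())
    if prep == "rollback":                      # rollback steps, done before cut-over
        old.rollback = True
        phone.fetch_config(old)                 # reset: phone picks up the empty ITL
        old.online = False
    elif prep == "sast":                        # both clusters reachable
        old.sast_trust.add(new.signer)
    else:                                       # same IP, old cluster just unplugged
        old.online = False
    return phone.fetch_config(new)
```

In the model, a phone holding an empty ITL accepts a configuration from any signer, so the window between the rollback reset and the cut-over is best kept short.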

New Member

Re: Trust List 8.5 BE to 9.1

Thanks to all who provided precious information.

New Member

Re: Trust List 8.5 BE to 9.1

Dears

I have an old cluster still with me but it is out of the network. I am just reading about the rollback feature, but I am a little confused.

Can anybody elaborate more on the rollback feature steps to be taken to avoid such a situation?

Re: Trust List 8.5 BE to 9.1

The rollback feature, when set to true, pushes an empty ITL file to the phone, which means the phone will not verify signatures. It's needed only when you are migrating phones between secure clusters.

What's confusing you?

-Terry

Sent from Cisco Technical Support iPhone App

New Member

Trust List 8.5 BE to 9.1

Thanks Terry,

So on my 9.1, if I set the rollback feature to true and reset the phones, they should come up with empty ITL files? Please correct me if I am wrong. And they should pull the new firmware when they are reset.

Re: Trust List 8.5 BE to 9.1

Hi,

From the above posts it appears you have migrated 8.5 to 9.1. And you had not set the rollback parameter to true.

If that's the case, at this stage the phones are on the new cluster and have the ITL from the old cluster. Even if you change anything now, the phones will not honour any change as they will be matching the signatures. So this workaround only works if performed before the migration.

Please let me know if you have another question.

-Terry

Sent from Cisco Technical Support iPhone App

New Member

Trust List 8.5 BE to 9.1

Hello Terry

Appreciate your prompt replies, thanks for replying and making me understand the procedure.

From the above posts it appears you have migrated 8.5 to 9.1. And you had not set the rollback parameter to true

8.5 was on MCS and 9.1 is on UCS; configs are all the same on 8.5 and the new 9.1. 8.5 is still in the workshop; if you want me to put the phones back on 8.5 by disconnecting 9.1 from the network, it can be done. Will it help? I can do it, please suggest.

If thats the case, at this stage the phones are on new cluster, have ITL from old cluster. Even, if you change anything now, phones will not honour any change as they will be matching the signatures. So this work around only works if performed before the migration.

From your above para, what I understand is that it is still possible if we migrate to the old 8.5, change the rollback feature to TRUE and reset the phones. Please correct me if I am wrong.

Thanks
