Need help with CUMA deployment

tahequivoice
Level 2

I have a TAC case going, but they have so far been of very little use. We are trying to get an iPhone to connect to CUMA. We have an ASA 8.2, and CUMA 7.1.3. GeoTrust certificate on the outside, self-signed certs configured per the docs. I ran a capture and can see 2-way communications between the phone, ASA, and server on port 5443.

The iPhone gives error 1213 after a delay during verifying. From the iPhone console:

Jan 27 15:59:17 unknown Cisco Mobile[3422] <Warning>: ERROR: Error Domain=UMCOraErrorDomain Code=1213 "Cisco Mobile experienced a problem connecting to server." UserInfo=0x312e40 {NSLocalizedDescription=Cisco Mobile experienced a problem connecting to server.}

A debug of all cry ca shows

CRYPTO_PKI(Cert Lookup) issuer="cn=GeoTrust DV SSL CA,ou=Domain Validated SSL,o=GeoTrust Inc.,c=US" serial number=

CRYPTO_PKI: looking for cert in handle=d75da4a0, digest=

1f 44 3b 81 a0 1e 39 62 44 3d 50 63 59 ce 4a 2c    |  .D;...9bD=PcY.J,

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

CRYPTO_CA: certificate not found

CRYPTO_PKI(Cert Lookup) issuer="cn=GeoTrust DV SSL CA,ou=Domain Validated SSL,o=GeoTrust Inc.,c=US" serial number=03 f0                                                            |  ...

I have every root certificate GeoTrust lists in the ASA too.

Is this a cert issue, ASA issue or a server issue?

Does the ASA need to have UC Phone Proxy licenses installed beyond the 2 that it comes with for it to work?

3 Replies

Md Hasan
Cisco Employee

Phone Proxy is different. TLS Proxy is used in this case. Maybe the iPhone is not able to resolve the FQDN or CN of the cert installed on the outside interface of ASA. Please make sure it is resolved. Also the domain name on CUMA has the right domain name from ASA outside.

Extremely useful step-by-step:

https://supportforums.cisco.com/docs/DOC-8402

Official Guide:

http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_1/XML/new_installs/cuma71_new_install_config_chapter1.html

The certificates are OK, I had TAC look at them and I got them corrected, found a name mismatch on the ASA to CUMA cert. The iPhone is talking to the CUMA server, I can see it in a capture, but it never uses any other port than 5443, and from what I can tell, the server is looking for something from the phone, or vice versa. It looks like one packet gets repeated before the phone times out.

I'm starting to think the problem lies beyond the ASA and is in the CUCM realm that is preventing it from working. I did find out CUMA uses the UC Proxy license, but since there are 2 available for testing, that shouldn't be a factor, that and if it was, there would be an error generated when the licenses are in use.

We did get Jabber working finally, turns out to be a networking problem with the iPhone's VPN, need to tunnel all traffic for it to work correctly.

Great to hear all is working now!