Cisco CMS remote error

When TLS encryption was enabled on a trunk from Cisco CMS, calls in from Lync/Skype for Business suddenly started failing. Here is the output from CMS:

call 48: recognised as Lync
call 48: incoming encrypted SIP call from "sip:julie.microsoft@XYZ.com" to local URI "sip:1004@vc.XYZ.com" (Lync)
forwarding call to 'sip:1004@vc.XYZ.com' to '1004@vc.XYZ.com'
call 49: outgoing SIP call to "1004@vc.XYZ.com"
call 49: setting up UDT RTP session for DTLS (combined media and control)
call 49: ending; remote SIP teardown with reason 14 (remote error) – not connected after 0:00
call 48: ending; local teardown – not connected after 0:00

This does not give us much information to work from, so you need to dig deeper. You can either pull logs from CMS via Logs > Detailed tracing and download them via SFTP, or download the CallManager RTMT logs to see what the problem is:

SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.0.180:5061;branch=z9hG4bK5d3181dbb905b9058
From: "Julie Microsoft" <sip:julie.microsoft@XYZ.com>;tag=e876910435d
To: <sip:dx80@vc.XYZ.com>;tag=2106778089
Date: Thu, 02 Nov 2017 12:49:31 GMT
Call-ID: e62d36f7-5d84-47a1-8ba4-1f3f3433g6a2
CSeq: 183141193 INVITE
Allow-Events: presence
Server: Cisco-CUCM11.5
WWW-Authenticate: Digest realm="XYZCluster", nonce="L1CKj9PJ6qreX9PRZUMm", algorithm=MD5
Content-Length: 0

401 Unauthorized: that tells you the call was not authenticated. The SIP Trunk Security Profile had Enable Digest Authentication ticked, which was not meant to be there.
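
The check described above, as an added example (not from the original post): a short Python script that scans a SIP trace for 401/407 responses and reports the challenge details, so an unexpected digest challenge stands out. The sample trace is constructed from the 401 shown above with ASCII quotes, and the function names are hypothetical.

```python
import re

# Constructed sample: a provisional reply plus the 401 above (headers trimmed).
SAMPLE_TRACE = """\
SIP/2.0 100 Trying
Call-ID: e62d36f7-5d84-47a1-8ba4-1f3f3433g6a2
CSeq: 183141193 INVITE

SIP/2.0 401 Unauthorized
Call-ID: e62d36f7-5d84-47a1-8ba4-1f3f3433g6a2
CSeq: 183141193 INVITE
Server: Cisco-CUCM11.5
WWW-Authenticate: Digest realm="XYZCluster", nonce="L1CKj9PJ6qreX9PRZUMm", algorithm=MD5
"""

STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")
AUTH_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def split_responses(trace):
    """Yield (status, headers) for every SIP response found in the trace."""
    current = None
    for line in trace.splitlines():
        m = STATUS_LINE.match(line.strip())
        if m:
            if current:
                yield current
            current = (int(m.group(1)), {})
        elif current and ":" in line:
            name, value = line.split(":", 1)
            current[1][name.strip().lower()] = value.strip()
    if current:
        yield current

def find_auth_challenges(trace):
    """Return one finding per 401/407 response that carries a challenge."""
    findings = []
    for status, hdrs in split_responses(trace):
        challenge = hdrs.get("www-authenticate") or hdrs.get("proxy-authenticate")
        if status not in (401, 407) or not challenge:
            continue
        scheme, _, rest = challenge.partition(" ")
        params = {k.lower(): q or u for k, q, u in AUTH_PARAM.findall(rest)}
        findings.append({"status": status, "scheme": scheme, "call_id": hdrs.get("call-id"),
                         "server": hdrs.get("server"), "realm": params.get("realm"),
                         "algorithm": params.get("algorithm")})
    return findings

if __name__ == "__main__":
    print(find_auth_challenges(SAMPLE_TRACE))
```

A Digest finding whose server is the CUCM, on a trunk that is not supposed to authenticate, points at Enable Digest Authentication in the SIP Trunk Security Profile.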

 


CUCM Device Packs

I was running a DX80 with a CE firmware load, but the lab CUCM we had installed did not support the CE version of code. When I first tried registering the endpoint to the CUCM, it came up with the following error: Failed: 485 Ambigious / Device Type Mismatch. I had a look at CUCM to see if the device load was installed, but only the “Cisco DX80” endpoint was available. This is the Android version of the DX, which is not the same as the ‘Cisco TelePresence DX80’ you see on the web browser of the endpoint.

For this you need to install the relevant device pack to get the ball rolling and the endpoint registered.

These notes are applicable to the following versions but were tested on 10.5(2):

  • Unified CM 11.5(1)
  • Unified CM 11.0(1)
  • Unified CM 10.5(2)
  • Unified CM 9.1(2)

Step 1: Verify the CUCM Version you are running

From web browser > About

You can also get this information from the CLI:

admin: show version active
Active Master Version: 10.5.2.10000-5

or

admin: show status

Host Name         : cucm01
Date                      : Tue Aug 29, 2017 14:44:48
Time Zone          : British Summer Time (Europe/London)
Locale                   : en_US.UTF-8
Product Ver        : 10.5.2.10000-5
Unified OS Version : 6.0.0.0-2

Step 2: Download the Appropriate Device Pack

Install the relevant device pack for the endpoint that you wish to configure on the CUCM. In this case the DX80 is not a ‘native’ endpoint in CUCM, so a device pack will need to be installed:

Device Type: DX70 and DX80

Device Release: Collaboration Endpoint Software 8.3

  • Unified CM 11.5(1): cmterm-devicepack11.5.1 (April 4, 2017)
  • Unified CM 11.0(1): cmterm-devicepack11.0.1 (April 4, 2017)
  • Unified CM 10.5(2): cmterm-devicepack10.5.2 (April 4, 2017)
  • Unified CM 9.1(2): cmterm-devicepack9.1.2 (April 13, 2017)

Device Release: Collaboration Endpoint Software 8.3

  • Unified CM 11.5(1): cmterm-devicepack11.5.1 (Nov 30, 2016)
  • Unified CM 11.0(1): cmterm-devicepack11.0.1 (Nov 30, 2016)
  • Unified CM 10.5(2): cmterm-devicepack10.5.2 (Nov 30, 2016)
  • Unified CM 9.1(2): cmterm-devicepack9.1.2 (Dec 27, 2016)

Please note:

  • A valid Cisco support contract will be needed
  • Device package compatibility matrix is located here

 

Step 3: Upload Device Pack to CUCM

3a) In OS Administration, go to Software Upgrades > Installation/Upgrade and choose the remote file system where your device pack is located.

3b) Verify the MD5 hash against the cisco.com downloads page where you downloaded the file from.

Step 4: Restart TFTP Service

Control Center – Feature Services > Cisco Tftp > Restart

Step 5: Install Phone

Now if you go to add a new phone (Device > Phone) or go to device defaults (Device > Device Settings > Device Defaults), you will see the new device types:

Cisco TelePresence DX70
Cisco TelePresence DX80

 

My thoughts on the CCIE Continuing Education Program

After years of blood, sweat, and tears (maybe not blood but you get the idea, a lot of hard work) I eventually passed my CCIE Voice in 2012. It was a moment in my life that I can never forget. On the journey from my first attempt, which literally left me in tears, to my 6th attempt, I saw myself develop phenomenally as an engineer. I still to this day recommend anyone to go through at least one track as it would give you many skills. Aside from mastering the topics on the blueprint, it will help you develop tremendously as an individual, from my own experiences of being better able to work under pressure to being calm, cool and collected when everything is going wrong but at the same time razor-focused to be able to work through the problem at hand and get it resolved in a systematic and controlled fashion.

This actually proved itself for a customer for whom I recommended a redesign of an incredibly complicated CUCM deployment that started its life as a single-site deployment and evolved into a multi-site deployment. As the cluster expanded, new sites were added to the platform without any consideration of how it would be managed, to the point where the ‘expert’ on that deployment didn’t know how certain pieces of the puzzle actually fit together. With no documentation to go by, it was a deployment from hell… I made a recommendation to do a complete redesign of the CUCM cluster that met its current and future needs; the customer agreed and this ‘expert’ left. Ouch! ..& Yep. Baptism by fire! Since I made the recommendation, it fell upon me to redesign and deliver. I made the recommendation to do the complete redesign of all the UK sites over two weekends to reduce the risk; the customer had other thoughts… can it be done over 1 weekend? 🙂 Yep, sure, Mr Customer… how I regretted that statement….. To cut this story short, that weekend had many challenges, but I delivered what I promised by Monday and the end users noticed virtually no difference except for the fact that when they called they noticed their numbers were now in E164, with normal dialling habits retained. The LLD was written and the CUCM deployment was hailed by the company CIO as one of the best in their global estate. I can say one thing for certain: my experiences during my CCIE journey helped me keep focussed throughout. Enough! This is not a write-up about my CCIE journey or lessons learnt, but you get the point. I, like numerous CCIEs, have my own unique experiences that we can all share, but rather let’s talk about the recent changes in the recertification policy.

As with many IT vendors who have struggled to keep their certifications updated and relevant in a world where there is something new being released literally every month, the exams in many aspects are unable to keep up. If you are studying for an exam, then you need somewhere to start from, going through the topics systematically, mastering each topic/domain and subsequently passing the exam; this works great. But unfortunately it does not end there. Technological innovations are constant, and as you progress in your career you now need to keep yourself relevant. You are no longer just the engineer, but now the expert in a specific technology area, so you need to pull your socks up! In many cases, as you do well, you develop into roles that are less hands-on and more architectural.

This requires that you know the reasons, advantages, disadvantages and counter-arguments for what you propose. This is a completely different mindset. Broadly speaking, as engineers we were concerned with configuring and fixing problems. As an architect, you now need to understand all the moving parts of the solution you are proposing, and you have the added complexity of understanding how to align technology to business processes and needs, how the solution you are recommending creates value for the organisation, what the outcome is, whether it is monetary, an increase in productivity, etc. This can go on and on and on…

The biggest limitation when you are progressing through the ranks is that it gets increasingly difficult to remember what specific show command you need to see X, how the output calculates to X, etc. We are human after all, unless ‘you’ are AI – I know a few and yes, they do exist! But I’m not. Speaking about the human element, we also have families. You also need to find a healthy work-life balance – you can’t constantly put family on hold either.

I, as you may, have read a number of posts online of people criticizing Cisco’s approach. I believe strongly in being part of the solution and not the problem. Now, while some of the perceived negativity may have some basis, one has to understand you have to start from somewhere… that ‘somewhere’ is founded on three principles:

  • Flexibility is achieved by offering existing Cisco certified individuals an alternative option for recertification, in addition to the already existing option of recertifying by passing the relevant exam(s).
  • Diversity is achieved by allowing individuals a wide range of preapproved items, such as online courses, instructor-led training, authoring of content, and Cisco Live training offerings (collectively called “Continuing Education items”), which can be pursued to earn credits toward recertification.
  • Integrity is achieved by having Cisco authorized content providers, who deliver the content to the individual seeking recertification, validate the credits submitted by that individual.

Having some guiding principles keeps you on track… after all, the integrity of the program needs to be maintained while at the same time encouraging engineers and architects to continue progressing… then the penny drops and it starts making sense. The Unified Communications market, as an example, involves a whole host of technologies one can specialise in that are not covered on the exam, and there is also a bigger world out there apart from UC that needs exploring…

I certainly welcome Cisco’s new changes. While this is a great start, I’m sure this will evolve into something more flexible while adhering to its principles. I, for one, would like to see:

  • more pre-approved options, such as “Cisco Live like” credits for the Partner training, etc.
  • credits for active participation in certain online platforms such as Cisco communities, Cisco Champions etc.
  • introducing a minimum % of the credits one acquires to be in the technology one is an ‘expert’ in. That only makes sense

Give it time and I’m sure Cisco will work it out…

Rant over…

 

Additional Links:-

CE Portal
Cisco Continuing Education Program

Tokenless CTL

Tokenless CTL is a new feature introduced in Cisco Unified Communications Manager from 10.0. It allows for the encryption of phone signalling and media without the need for the USB eToken as was previously mandated.

Prerequisites:

  • Have access to the CLI
  • Ensure database replication is working properly and there is full connectivity between the nodes

On the CUCM CLI, enter the following command to check whether a CTL is present:

admin:show ctl
Length of CTL file: 0
CTL File not found. Please run CTLClient plugin or run the CLI – utils ctl.. to generate the CTL file.
Error parsing the CTL File.
admin:

On the phone, check whether the CTL is installed: Settings > Security > Enterprise Security > CTL – Not installed, ITL Installed

You can check that the cluster security mode is set to 0 under CUCM Admin Page > System > Enterprise Parameters.

Place the cluster into mixed mode:

admin:utils ctl set-cluster mixed-mode
This operation will set the cluster to Mixed mode. Do you want to continue? (y/n):y

Moving Cluster to Mixed Mode
Cluster set to Mixed Mode
Please Restart the TFTP and Cisco CallManager services on all nodes in the cluster
that run these services
admin:

Here again you can verify that the mode has now been set to 1 – Mixed Mode.

Now restart the CallManager and TFTP services on CUCM, and the phones, to ensure they receive the correct CTL file:

admin:show ctl
The checksum value of the CTL file:
f8e7e823eddfd55bd661d0c0c2255c56(MD5)
2d3fcc8451313a1534b50503765bb580e17f267f(SHA1)

 

Length of CTL file: 6362
The CTL File was last modified on Sat Mar 11 13:41:42 BST 2017

Parse CTL File
—————-

Version: 1.2
HeaderLength: 420 (BYTES)

!
!

The CTL file was verified successfully.

 

 

 

Error when Adding CMS License

When uploading the Cisco Meeting Server license to the platform as you get it from Cisco, you get an error. The simple solution is to rename the license file to cms.lic; you are then able to upload the file to CMS without any errors.

You can check the license in CMS with the following command:

acano> license
Feature: callbridge status: Activated expiry: 2017-May-18 (89 days remain)
Feature: turn status: Activated expiry: 2017-May-18 (89 days remain)
Feature: webbridge status: Activated expiry: 2017-May-18 (89 days remain)
Feature: branding status: Activated expiry: 2017-May-18 (89 days remain)
Feature: recording status: Activated expiry: 2017-May-18 (89 days remain)
Feature: personal status: Activated expiry: 2017-May-18 (89 days remain)
Feature: shared status: Activated expiry: 2017-May-18 (89 days remain)

 

 

 

 

 

 

 

Death to the phones of old

As of CUCM version 11.5 Cisco has finally removed support for the legacy phones. Now when I say legacy, I mean really old phones. I understand why they’ve removed support and have always been impressed that they have had these in for so long. They make some really tough phones. I remember visiting a customer site with a really intense call center and phone usage. They had 7940 IP phones whose keypads were completely worn out, but the phones were just slogging away. The customer saw no need to replace the perfectly functioning IP phones. I don’t think this customer will be upset that Cisco has made this announcement because they are not affected

… but I will surely be 😦 I have a 12SP phone, one of the first IP phones from the Selsius days, that I managed to get from a friend @ Cisco. I still use it from time to time, but it looks like I will be adding it to my museum with great regret .. if I decide to upgrade 😀

Enough with the reminiscing; here are the affected IP phones:

  • Cisco IP Phone 12 S
  • Cisco IP Phone 12 SP
  • Cisco IP Phone 12 SP+
  • Cisco IP Phone 30 SP+
  • Cisco IP Phone 30 VIP
  • Cisco Unified IP Phone 7902G
  • Cisco Unified IP Phone 7905G
  • Cisco Unified IP Phone 7910
  • Cisco Unified IP Phone 7910G
  • Cisco Unified IP Phone 7910+SW
  • Cisco Unified IP Phone 7910G+SW
  • Cisco Unified IP Phone 7912G
  • Cisco Unified Wireless IP Phone 7920
  • Cisco Unified IP Conference Station 7935

 

11.5 release notes

 

PLM Password reset issue

I recently had an issue where it was not clear which application user was assigned to be the admin for PLM. This is easily resolvable by typing the following command:

admin:license management list users
App user: ItsMeSilly

Now, what if I have forgotten the password? Well, the user guide for 10.5 says the command to reset this password is license management change user password:

admin:license management change user name password
Expected 0 mandatory and up to 0 non-mandatory parameter(s)
but 1 parameter(s) were found
Executed command unsuccessfully
Error executing command

There is a bug ID for this, CSCus29004: basically a typo in the docs, with the correct command being:

admin:license management reset user password
The username: ItsMeSilly
New Password: ******
Re-enter Password: ******
The administrator account password was successfully changed.

Further info:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus29004

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/plm/10_5_1/userguide/CPLM_BK_U9B156B7_00_user-guide-rel-1052.pdf