Cisco CMS remote error

When TLS encryption was enabled on a SIP trunk from Cisco CMS, calls coming in from Lync/Skype for Business suddenly started failing. Here is the output from CMS:-

call 48: recognised as Lync
call 48: incoming encrypted SIP call from “” to local URI “” (Lync)
forwarding call to ‘’ to ‘’
call 49: outgoing SIP call to “”
call 49: setting up UDT RTP session for DTLS (combined media and control)
call 49: ending; remote SIP teardown with reason 14 (remote error) - not connected after 0:00
call 48: ending; local teardown - not connected after 0:00

This does not give us much information to work from, so you need to dig deeper. You can either pull logs from CMS via Logs > Detailed tracing and download them via SFTP, or download CallManager RTMT logs, to see what the problem is. The relevant SIP response was:

SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS;branch=z9hG4bK5d3181dbb905b9058
From: "Julie Microsoft" <>;tag=e876910435d
To: <>;tag=2106778089
Date: Thu, 02 Nov 2017 12:49:31 GMT
Call-ID: e62d36f7-5d84-47a1-8ba4-1f3f3433g6a2
CSeq: 183141193 INVITE
Allow-Events: presence
Server: Cisco-CUCM11.5
WWW-Authenticate: Digest realm="XYZCluster", nonce="L1CKj9PJ6qreX9PRZUMm", algorithm=MD5
Content-Length: 0

401 Unauthorized tells you that the trunk was not authenticated to make that call: CUCM is issuing a Digest challenge (the WWW-Authenticate header) to the INVITE. The SIP Trunk Security Profile applied to the trunk had Enable Digest Authentication ticked, and that setting was not meant to be there.
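To make the same diagnosis from a captured SIP response without reading it by eye, here is an added example (not code from the original post) that parses the status line and headers, pulls the Digest realm out of WWW-Authenticate, and names the CUCM setting to check. The sample message is constructed to mirror the 401 above; its URIs, tags, Call-ID and nonce are placeholders.

```python
"""Added example (not from the original post): parse a SIP 401 and point at the CUCM setting behind it."""
import re

# Constructed sample mirroring the 401 in the post; URIs, tags, Call-ID and nonce are placeholders.
SAMPLE_401 = """SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS;branch=z9hG4bKexamplebranch
From: "Julie Microsoft" <sip:julie@lync.example.invalid>;tag=example1
To: <sip:1000@cucm.example.invalid>;tag=example2
Call-ID: constructed-call-id-0001
CSeq: 1 INVITE
Server: Cisco-CUCM11.5
WWW-Authenticate: Digest realm="XYZCluster", nonce="placeholdernonce", algorithm=MD5
Content-Length: 0
"""

def parse_sip_response(raw):
    """Return (status code, reason phrase, {lower-case header name: [values]})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = re.match(r"SIP/2\.0 (\d{3}) ?(.*)", lines[0])
    if not m:
        raise ValueError("not a SIP response status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), m.group(2).strip(), headers

def parse_digest_challenge(value):
    """Parse 'Digest realm="...", nonce="...", algorithm=MD5' into a dict; None if not Digest."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    # each parameter is name=value; the value is either quoted or a bare token
    return {m.group(1).lower(): m.group(3) if m.group(3) is not None else m.group(2)
            for m in re.finditer(r'(\w+)=("([^"]*)"|[^,\s]+)', params)}

def diagnose_trunk_response(raw):
    """Explain a 401 on the trunk: which request, which realm, and where to look in CUCM."""
    code, _reason, headers = parse_sip_response(raw)
    cseq = headers.get("cseq", [""])[0]
    method = cseq.split()[-1] if cseq else ""
    if code != 401:
        return {"code": code, "method": method, "finding": "no authentication challenge"}
    challenges = map(parse_digest_challenge, headers.get("www-authenticate", []))
    digest = next((c for c in challenges if c), None)
    if digest is None:
        return {"code": 401, "method": method, "finding": "401 without a Digest challenge"}
    return {"code": 401, "method": method, "realm": digest.get("realm"),
            "algorithm": digest.get("algorithm"), "server": headers.get("server", [""])[0],
            "finding": "CUCM is demanding SIP Digest authentication on this trunk; "
                       "check Enable Digest Authentication on the SIP Trunk Security Profile"}
```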



My thoughts on the CCIE Continuing Education Program..

After years of blood, sweat and tears (maybe not blood, but you get the idea: a lot of hard work) I eventually passed my CCIE Voice in 2012. It was a moment in my life that I can never forget. From my first attempt, which literally left me in tears, to my sixth attempt, I saw myself develop phenomenally as an engineer. To this day I recommend that anyone go through at least one track, as it gives you many skills. Aside from mastering the topics on the blueprint, it helps you develop tremendously as an individual; from my own experience, I became better at working under pressure, staying calm, cool and collected when everything is going wrong while remaining razor focused, so that I could work through the problem at hand and get it resolved in a systematic and controlled fashion.

This proved itself for a customer for whom I recommended a redesign of an incredibly complicated CUCM deployment. It had started life as a single-site deployment and evolved into a multi-site one as the cluster expanded and new sites were added, without any consideration of how it would be managed, to the point where the ‘expert’ on that deployment didn’t know how certain pieces of the puzzle actually fit together. With no documentation to go by, it was a deployment from hell… I recommended a complete redesign of the CUCM cluster that met its current and future needs; the customer agreed and this ‘expert’ left. Ouch! And yep, baptism by fire: since I made the recommendation, it fell upon me to redesign and deliver. I recommended completing the redesign of all the UK sites over two weekends to reduce the risk; the customer had other thoughts… can it be done over one weekend? 🙂 Yep, sure, Mr Customer… how I regretted that statement… To cut the story short, that weekend had many challenges, but I delivered what I promised by Monday and the end users noticed virtually no difference, except that their numbers were now in E.164 format, with normal dialling habits retained. The LLD was written and the CUCM deployment was hailed by the company CIO as one of the best in their global estate. I can say one thing for certain: my experiences during my CCIE journey helped me stay focused throughout. Enough! This is not a write-up about my CCIE journey or lessons learnt, but you get the point. I, like numerous other CCIEs, have my own unique experiences that we can all share, but let’s instead talk about the recent changes in the recertification policy.

As with many IT vendors, Cisco has struggled to keep its certifications updated and relevant in a world where something new is released literally every month; the exams in many respects are simply unable to keep up. If you are studying for an exam, you need somewhere to start from, and you go through the topics systematically, mastering each topic/domain and subsequently passing the exam. This works great, but unfortunately it does not end there. Technological innovation is constant, and as you progress in your career you now need to keep yourself relevant. You are no longer just the engineer but the expert in a specific technology area, so you need to pull your socks up! In many cases, as you do well, you develop into roles that are less hands-on and more architectural.

This requires you to know the reasons, advantages, disadvantages and counter-arguments for what you propose, which is a completely different mindset. Broadly speaking, as engineers we were concerned with configuring and fixing problems. As architects, we now need to understand all the moving parts of the solution we are proposing, with the added complexity of understanding how to align technology to business processes and needs: how the solution you are recommending creates value for the organisation, what the outcome is, whether it is monetary, an increase in productivity, etc. This can go on and on and on…

The biggest limitation as you progress through the ranks is that it gets increasingly difficult to remember which specific show command you need to see X, how the output adds up to X, and so on. We are human after all, unless ‘you’ are AI (I know a few, and yes they do exist!), but I’m not. Speaking of the human element, we also have families. You also need to find a healthy work-life balance; you can’t constantly put family on hold either.

I, as you may have, have read a number of posts online criticising Cisco’s approach. I believe strongly in being part of the solution and not the problem, and while some of the perceived negativity may have some basis, one has to understand that you have to start from somewhere… that ‘somewhere’ is founded on three principles:-

  • Flexibility is achieved by offering existing Cisco certified individuals an alternative option for recertification, in addition to the already existing option of recertifying by passing the relevant exam(s).
  • Diversity is achieved by allowing individuals a wide range of preapproved items, such as online courses, instructor-led training, authoring of content, and Cisco Live training offerings (collectively called “Continuing Education items”), which can be pursued to earn credits toward recertification.
  • Integrity is achieved by having Cisco authorized content providers, who deliver the content to the individual seeking recertification, validate the credits submitted by that individual.

Having some guiding principles keeps you on track… after all, the integrity of the program needs to be maintained while at the same time encouraging engineers and architects to continue progressing… then the penny drops and it starts making sense. The Unified Communications market, as an example, involves a whole host of technologies one can specialise in that are not covered on the exam, and there is also a bigger world out there apart from UC that needs exploring….

I certainly welcome Cisco’s new changes. While this is a great start, I’m sure it will evolve into something more flexible while adhering to its principles. I, for one, would like to see:

  • more pre-approved options, such as “Cisco Live like” credits for partner training, etc.
  • credits for active participation in certain online platforms such as Cisco Communities, Cisco Champions, etc.
  • a minimum percentage of the credits one acquires being in the technology one is an ‘expert’ in; that only makes sense

Give it time and I’m sure Cisco will work it out …

Rant over…


Additional Links:-

CE Portal
Cisco Continuing Education Program

Tokenless CTL

Tokenless CTL is a feature introduced on Cisco Unified Communications Manager from version 10.0. It allows the encryption of phone signalling and media without the need for the USB eToken that was previously mandatory.

Before you start, make sure you:

  • have access to the CLI
  • have verified that database replication is working properly and there is full connectivity between the nodes

On the CUCM CLI, enter the following command to check whether a CTL file is already present:

admin:show ctl
Length of CTL file: 0
CTL File not found. Please run CTLClient plugin or run the CLI - utils ctl.. to generate the CTL file.
Error parsing the CTL File.

On the phone, check whether a CTL is installed: Settings > Security > Enterprise Security > CTL shows Not Installed, ITL Installed.

You can also check that the Cluster Security Mode is set to 0 under CUCM Admin Page > System > Enterprise Parameters.


Place the cluster into mixed mode:

admin:utils ctl set-cluster mixed-mode
This operation will set the cluster to Mixed mode. Do you want to continue? (y/n):y

Moving Cluster to Mixed Mode
Cluster set to Mixed Mode
Please Restart the TFTP and Cisco CallManager services on all nodes in the cluster
that run these services

Here again you can verify that the Cluster Security Mode has now been set to 1 (Mixed Mode).


Now restart the Cisco CallManager and TFTP services on the CUCM nodes, and restart the phones so they receive the correct CTL file. Running show ctl again now shows the file:

admin:show ctl
The checksum value of the CTL file:


Length of CTL file: 6362
The CTL File was last modified on Sat Mar 11 13:41:42 BST 2017

Parse CTL File

Version: 1.2
HeaderLength: 420 (BYTES)


The CTL file was verified successfully.
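When doing this across several nodes it helps to check the before and after states automatically. Here is an added example (not code from the original post or from Cisco) that parses show ctl output like the two runs above and, together with the Cluster Security Mode value, lists what still stands in the way of secure phones; the two sample outputs are constructed from the runs in this post, with the checksum replaced by a placeholder.

```python
"""Added example (not from the original post): parse CUCM 'show ctl' output and check mixed-mode readiness."""
import re

# Constructed samples modelled on the two 'show ctl' runs in the post; the checksum line is a placeholder.
SHOW_CTL_BEFORE = """Length of CTL file: 0
CTL File not found. Please run CTLClient plugin or run the CLI - utils ctl.. to generate the CTL file.
Error parsing the CTL File.
"""

SHOW_CTL_AFTER = """The checksum value of the CTL file:
<checksum placeholder>

Length of CTL file: 6362
The CTL File was last modified on Sat Mar 11 13:41:42 BST 2017

Parse CTL File

Version: 1.2
HeaderLength: 420 (BYTES)

The CTL file was verified successfully.
"""

def parse_show_ctl(text):
    """Extract the state of the CTL file from 'show ctl' output."""
    state = {"present": False, "length": 0, "version": None, "modified": None, "verified": False}
    m = re.search(r"Length of CTL file:\s*(\d+)", text)
    if m:
        state["length"] = int(m.group(1))
    state["present"] = state["length"] > 0 and "CTL File not found" not in text
    m = re.search(r"Version:\s*([\d.]+)", text)
    if m:
        state["version"] = m.group(1)
    m = re.search(r"last modified on (.+)", text)
    if m:
        state["modified"] = m.group(1).strip()
    state["verified"] = "verified successfully" in text
    return state

def mixed_mode_problems(show_ctl_text, cluster_security_mode):
    """Return reasons this node is not ready for encrypted phones (empty list means OK).

    cluster_security_mode is the Enterprise Parameter value: 0 = non-secure, 1 = Mixed Mode.
    """
    ctl = parse_show_ctl(show_ctl_text)
    problems = []
    if cluster_security_mode != 1:
        problems.append("Cluster Security Mode is %s, expected 1 (Mixed Mode)" % cluster_security_mode)
    if not ctl["present"]:
        problems.append("no CTL file on this node; run 'utils ctl set-cluster mixed-mode'")
    elif not ctl["verified"]:
        problems.append("CTL file present but not verified; regenerate it and restart TFTP and CallManager")
    return problems
```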




Error when Adding CMS License

When uploading the Cisco Meeting Server license to the platform as you receive it from Cisco, you get an upload error. The simple solution is to rename the license file to cms.lic, after which it uploads to CMS without any errors.

You can check the license status in CMS with the following command:

acano> license
Feature: callbridge status: Activated expiry: 2017-May-18 (89 days remain)
Feature: turn status: Activated expiry: 2017-May-18 (89 days remain)
Feature: webbridge status: Activated expiry: 2017-May-18 (89 days remain)
Feature: branding status: Activated expiry: 2017-May-18 (89 days remain)
Feature: recording status: Activated expiry: 2017-May-18 (89 days remain)
Feature: personal status: Activated expiry: 2017-May-18 (89 days remain)
Feature: shared status: Activated expiry: 2017-May-18 (89 days remain)

Death to the phones of old

As of CUCM version 11.5, Cisco has finally removed support for the legacy phones, and when I say legacy I mean really old phones. I understand why they’ve removed support and have always been impressed that they kept these in for so long. They make some really tough phones: I remember visiting a customer site with a really intense call centre and phone usage. They had 7940 IP phones whose keypads were completely worn out, but the phones were just slogging away, and the customer saw no need to replace perfectly functioning IP phones. I don’t think this customer will be upset that Cisco has made this announcement, because they are not affected

… but I surely will be 😦 I have a 12SP phone, one of the first IP phones from the Selsius days, which I managed to get from a friend at Cisco. I still use it from time to time, but it looks like I will be adding it to my museum with great regret .. if I decide to upgrade 😀


Enough reminiscing; here are the affected IP phones:-

  • Cisco IP Phone 12 S
  • Cisco IP Phone 12 SP
  • Cisco IP Phone 12 SP+
  • Cisco IP Phone 30 SP+
  • Cisco IP Phone 30 VIP
  • Cisco Unified IP Phone 7902G
  • Cisco Unified IP Phone 7905G
  • Cisco Unified IP Phone 7910
  • Cisco Unified IP Phone 7910G
  • Cisco Unified IP Phone 7910+SW
  • Cisco Unified IP Phone 7910G+SW
  • Cisco Unified IP Phone 7912G
  • Cisco Unified Wireless IP Phone 7920
  • Cisco Unified IP Conference Station 7935


11.5 release notes


PLM Password reset issue

I recently had an issue where it was not clear which application user was assigned as the admin for PLM. This is easily resolved by typing the following command:

admin:license management list users
App user: ItsMeSilly

Now, what if I have forgotten the password? The user guide for 10.5 says the command to reset this password is license management change user password, but that does not work:

admin:license management change user name password
Expected 0 mandatory and up to 0 non-mandatory parameter(s)
but 1 parameter(s) were found
Executed command unsuccessfully
Error executing command

There is a bug ID for this, CSCus29004: basically a typo in the docs. The correct command is:

admin:license management reset user password
The username: ItsMeSilly
New Password: ******
Re-enter Password: ******
The administrator account password was successfully changed.

further info:-

Cisco #Spark notes

Cisco Spark is broken down into three component areas:

  1. Cisco Spark Platform
  2. Hybrid Services
  3. APIs

1. Cisco Spark Platform

The Cisco Spark platform is comprised of the following core services:

a. Message
b. Meeting
c. Call

Message allows a participant to have 1-on-1 and team messages in virtual rooms. It provides persistent messages with file sharing, and photos shared to the rooms are then accessible on all devices including mobiles. You can search content and people at any time with the built-in search function, and @mention creates a notification for the intended participant, so that when I @yournamehere you get notified that someone mentioned you and can respond quickly, all with secure end-to-end encryption.

This is a free service that allows you to invite and collaborate with anyone with just an email address. Spark will send an email to the user and, if they do not have a Spark account, they will be able to register with the link provided… pretty straightforward, and it takes under a minute to complete..


Meeting allows you to easily meet with anyone at any time; meetings are initiated with a single click or can be scheduled for a later time. Users can connect to these meetings face to face on an HD voice and video call. This offering supports up to 25 participants on a call including voice, video and screen sharing, and it supports any Spark client sharing and Spark room systems. If more capacity is required, WebEx meetings will need to be scheduled, which support up to 200 participants but only through a separate web client, PSTN integration and video systems. While there is no clear transition or escalation path from Spark Meeting to WebEx, I suspect this is something the WebEx/Spark teams are looking into and can imagine it being available soon.

What’s pretty cool here is that when WebEx/Spark is integrated into the on-prem environment (through the Calendar Connector), you can automatically create a room just by adding @spark or @webex to the calendar invite.

Spark room systems allow you to use Spark rooms on codecs such as the SX10, so that when you are on a Spark call, for example, you can move the meeting and content to the SX10 and, when you wish to leave, take the call with you by dropping it back onto your mobile device.


Call allows you to deploy phones to users while utilising the cloud infrastructure. It supports the latest generation of phones, the Cisco 7800 and 8800 series, and offers three groups of features:

Basic Telephony

  • PSTN calling+
  • Video Calling
  • Single Number Reach
  • Call Forward
  • Transfer
  • DND
  • Hold/Resume


Advanced Features

  • Auto Attendant
  • Hunt Groups
  • Shared Lines
  • Video on Hold
  • deskphone control with Spark
  • Ad hoc Conferencing
  • zero touch meeting


Administrative features

  • User Self care portal;
  • customer bulk provisioning
  • customer & partner admin portal
  • external health portal
  • support tab


+ PSTN service is provided by a third-party provider approved by Cisco, which provides local, national, international and DDI/DID capabilities.

The actual deployment of devices is straightforward: it’s a case of entering a code into the phone or holding the QR code in front of the camera, after which it registers to the cloud service.



2. Hybrid Services

This allows customers to integrate premises applications such as Cisco call control, calendar and directory with the Cisco cloud.

Directory Service
– extends the enterprise directory contacts into the cloud for use by both Cisco UC and Spark users. With this AD integration, when a user is deactivated in AD the cloud service is deactivated and the user is removed from all rooms and services.

Calendar Service –
Simple scheduling: as mentioned earlier, you can schedule meetings and add @webex and/or @spark to the location field of an invite, which does away with the need for plugins. It will add the WebEx details and/or create a Spark room for all attendees so the conversation can get started before the meeting; this way, if content is shared and intros completed beforehand, come the time of the actual meeting you just get the job done and waste less time. If video rooms are included in the meeting, they are provisioned for One Button to Push (OBTP).

Call Service Connect
– connects your phone system to Cisco Spark, allowing Spark to behave like a softphone, and also provides interop between Jabber and Spark. Users can use Jabber, Spark or a desk phone to make calls and can be reached on any device; this way you maximise your existing investment in enterprise telephony.

Call Service Aware
– Jabber and desk phone call history is pushed to Spark, so when used in conjunction with Spark those contacts can be called back easily. This also enables the “zero touch meeting”, which allows you to answer an incoming call on any device; once it identifies that both parties are Spark enabled, it allows you to start a room and share content directly on the Spark client. This feature also allows quick redial of missed calls from anywhere.

Office 365 support is currently in EFT and should be available in March 2016.


3. APIs



Further Information
Spark integrations
Spark Availability