Cisco Bug: CSCvv13565 - Secure endpoints may fail to register after a refresh upgrade to CUCM 12.5
Sep 30, 2020
- Cisco Unified Communications Manager (CallManager)
Known Affected Releases
Symptom: Secure endpoints may not be able to register to Unified Communications Manager 12.5(1) running in mixed mode following a refresh upgrade. Other symptoms include endpoints displaying authentication errors when trying to connect to secure URL’s (like Corporate Directory or Phone Services). These errors are a sign that there is a problem with the ITLFile (Identify Trust List) on the endpoint. Conditions: Refresh Upgrades (RU) to Unified Communications Manager 12.5 The CTLFile (Certificate Trust List) has two root anchors for trust verification: the ITLRecovery certificate and the CallManager certificate. Additionally, updating the CTLFile when certificates are regenerated can only be done manually by an admin. Since the ITLRecovery certificate is incorrectly regenerated during the refresh upgrade, when the server is switched to the new CUCM version, the CTLFile will only have the CallManager certificate as a valid root anchor until it is updated with the new ITLRecovery certificate. Note: If the CallManager certificate is also regenerated before the CTLFile is updated with the new ITLRecovery certificate, the CTLFile will no longer have any valid root anchors for trust verification. It will need to be manually deleted from the endpoint before a new CTLFile will be accepted.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases