Re: [cisco-voip] Max. Partitions supported by CUCM

2016-03-19 Thread Anthony Holloway
You might find this older thread on the mailing list useful:

http://cisco-voip.markmail.org/thread/3tiny7pz3thygf5u#query:+page:1+mid:hiqupgbveame2sta+state:results

On Fri, Mar 4, 2016 at 1:03 AM, Mohit Soni 
wrote:

> Hi,
>
> Max. how many partitions and CSS can be created in Cisco CUCM?
>
> Thanks,
> Mohit Soni
>
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>


Re: [cisco-voip] Need to modify P-Asserted Identity in SIP message for call to work...

2016-03-19 Thread Bill Talley
Outbound calls probably go out with your CUCM domain name (or IP address) and 
not VoIP.centurylink.com.  You would want to match that in your SIP profile.

Sent from an Apple iOS device with very tiny touchscreen input keys.  Please 
excude my typtos.

> On Mar 16, 2016, at 12:12 AM, Jonathan Charles  wrote:
> 
> So, we have  a Century Link SIP trunk and we need to send a specific 
> P-Asserted Identity for the call to work.
> 
> We have: a 
> 
> voice class sip-profiles 101
> 
>  request INVITE sip-header P-Asserted-Identity modify 
> "P-Asserted-Identity:(.*)@voip.centurylink.com" "P-Asserted-Identity: 
> " 
> !
> 
> TO change the P-Asserted ID to what CL wants... however it is not making the 
> change...
> 
> 
> dial-peer voice 200 voip
>  voice-class sip asserted-id pai
>  voice-class sip profiles 101
> 
> What do we need to do to force a specific P-Asserted Identity...?
> 
> 
> TIA!
> 
> 
> 
> Jonathan


Re: [cisco-voip] IM - services reported in unknown state after SAN cert install

2016-03-19 Thread Horton, Jamin
I've always had to add it as a SAN

Sent from my iPhone forgive any typos

On Mar 17, 2016, at 6:19 PM, Erick Wellnitz wrote:


Not to beat a dead horse but how does everyone typically handle the www. 
that GoDaddy likes to insert into the cert as an alternate name?  Is it okay to 
ignore that or should it be added as a domain when creating the CSR?

On Mar 17, 2016 1:25 PM, "Kevin Przybylowski" wrote:
My typical process with Godaddy is to open the cert – manually copy the root 
and intermediate certs to a file.  Then upload the root, followed by inter 
certs as tomcat-trust, then upload the tomcat cert itself.  It’s been pretty 
successful with that process…  The certs on UC can be fun.



From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Ryan Huff
Sent: Thursday, March 17, 2016 3:19 PM
To: Erick Wellnitz
Cc: Cisco VoIP Group
Subject: Re: [cisco-voip] IM - services reported in unknown state after SAN cert install

As much as I hate to plug for MS Windows; you can typically use the Windows 
certificate viewer to extract each CA in a bundle (speaking from Godaddy 
experience myself). However the penguin (Linux) can do it faster IMO, but not 
always as intuitive.

Sent from my iPad

On Mar 17, 2016, at 3:15 PM, Erick Wellnitz wrote:
It was Go Daddy.

I uploaded the bundle they sent all at once to the tomcat-trust then the 
individual multi-server cert to tomcat.  The root was missing from that bundle. 
 Going out to their website and downloading the root, G2 root in this case, and 
uploading it to tomcat-trust was all I needed to do.

Maybe the customer didn't provide me with the file containing the entire chain 
but I remember vaguely this happening on previous jobs with Go Daddy.


On Thu, Mar 17, 2016 at 8:35 AM, Anthony Holloway wrote:
Thanks for replying.  Did you use a public CA or private CA?  And did you 
upload all certs in the chain (sans the root) as one file, or as separate files?

On Wed, Mar 16, 2016 at 8:06 PM, Erick Wellnitz wrote:

The root CA cert wasn't uploaded.  The bundle the CA provided didn't contain 
the root for whatever reason.  Once the root was in place and after a tomcat 
restart everything started working properly.

So, the whole thing was caused by not paying close enough attention to what got 
added to tomcat-trust after the cert bundle upload.

On Mar 16, 2016 4:35 PM, "Anthony Holloway" wrote:
What do you mean?  Was it simply not uploaded to the Tomcat Trust?  Or was the 
cert bad?

On Mon, Mar 14, 2016 at 3:31 PM, Erick Wellnitz wrote:
It was the root ca cert causing this.

Thanks everyone for the input

On Mon, Mar 14, 2016 at 1:44 PM, Ryan Huff wrote:
Correct; tomcat-trust is the trust store where the trusted CA chain goes and 
then the server certificate goes in the tomcat category.

Afterwards; you should only need a restart of tomcat services. However, if the 
nodes are having issues trusting one another within the cluster (assuming that 
your issue is a cert trust issue); left that way long enough will likely start 
to cause replication issues within the cluster.

After you resolve the issue, I would verify db replication is healthy.

Sent from my iPhone

On Mar 14, 2016, at 3:38 PM, Erick Wellnitz wrote:
I did that as well but I'm not 100% sure if the entire Root CA chain got 
installed.  I'll check that.

What made me try inserting the multi-server SAN into the tomcat-trust is that 
the IM entries for tomcat-trust have vanished.  Maybe I'm mis-remembering 
seeing them there in the first place.

On Mon, Mar 14, 2016 at 12:54 PM, Anthony Holloway wrote:
Just to clarify, your Multi-Server SAN cert should be installed to Tomcat and 
not Tomcat Trust.  The signing CA cert should go in Tomcat Trust.  Is that what 
you meant to say you did?

On Mon, Mar 14, 2016 at 1:47 PM, Erick Wellnitz wrote:
I have a strange issue with CUCM 11.0.1 and IM 11.0.1

We installed the multi-server SAN cert for tomcat and now the IM data monitor 
service is in an unknown state according to the system troubleshooter.

The SAN cert is installed to tomcat-trust so it shouldn't be a cert issue.  
Done service restarts, reboots 

Re: [cisco-voip] IM - services reported in unknown state after SAN cert install

2016-03-19 Thread Anthony Holloway
What do you mean?  Was it simply not uploaded to the Tomcat Trust?  Or was
the cert bad?

On Mon, Mar 14, 2016 at 3:31 PM, Erick Wellnitz 
wrote:

> It was the root ca cert causing this.
>
> Thanks everyone for the input
>
> On Mon, Mar 14, 2016 at 1:44 PM, Ryan Huff  wrote:
>
>> Correct; tomcat-trust is the trust store where the trusted CA chain goes
>> and then the server certificate goes in the tomcat category.
>>
>> Afterwards; you should only need a restart of tomcat services. However,
>> if the nodes are having issues trusting one another within the cluster
>> (assuming that your issue is a cert trust issue); left that way long enough
>> will likely start to cause replication issues within the cluster.
>>
>> After you resolve the issue, I would verify db replication is healthy.
>>
>> Sent from my iPhone
>>
>> On Mar 14, 2016, at 3:38 PM, Erick Wellnitz 
>> wrote:
>>
>> I did that as well but I'm not 100% sure if the entire Root CA chain got
>> installed.  I'll check that.
>>
>> What made me try inserting the multi-server SAN into the tomcat-trust is
>> that the IM entries for tomcat-trust have vanished.  Maybe I'm
>> mis-remembering seeing them there in the first place.
>>
>> On Mon, Mar 14, 2016 at 12:54 PM, Anthony Holloway <
>> avholloway+cisco-v...@gmail.com> wrote:
>>
>>> Just to clarify, your Multi-Server SAN cert should be installed to
>>> Tomcat and not Tomcat Trust.  The signing CA cert should go in Tomcat
>>> Trust.  Is that what you meant to say you did?
>>>
>>> On Mon, Mar 14, 2016 at 1:47 PM, Erick Wellnitz wrote:
>>>
>>>> I have a strange issue with CUCM 11.0.1 and IM 11.0.1
>>>>
>>>> We installed the multi-server SAN cert for tomcat and now the IM data
>>>> monitor service is in an unknown state according to the system
>>>> troubleshooter.
>>>>
>>>> The SAN cert is installed to tomcat-trust so it shouldn't be a cert
>>>> issue.  Done service restarts, reboots and nothing seems to resolve this.
>>>>
>>>> Anyone seen something like this before?
>>>>
>>>> Thanks in advance!



Re: [cisco-voip] Need to modify P-Asserted Identity in SIP message for call to work...

2016-03-19 Thread Anthony Holloway
If you apply it under voice service voip > sip, then it's applied to all
outgoing messages, regardless of dial-peer.  Specifying it on the dial-peer
level is redundant at that point, though it does take precedence over the
global configuration.

You can debug ccsip mess and grab an outgoing INVITE example and paste it
into the tool I linked before.

On Wed, Mar 16, 2016 at 9:32 AM, Jonathan Charles  wrote:

> Thanks, I checked and the voice class sip profile is on every dial peer
> not pointing at CCM, it is also applied under voice service voip - sip...
>
> I will run the debug after hours to see why it is not being applied...
>
>
>
> Jonathan
>
> On Wed, Mar 16, 2016 at 12:47 AM, Anthony Holloway <
> avholloway+cisco-v...@gmail.com> wrote:
>
>> Hey Jonathan,
>>
>> Make sure that the profile is on the correct outgoing dial-peer.  SIP
>> profiles are only executed in the outgoing dial-peer, after the dial-peer
>> has been matched/selected.
>>
>> You can use debug voip ccapi inout or debug voip dialpeer to find out
>> which outgoing dial-peer is being matched.  Also, you can use debug ccsip
>> all to see if and what the SIP profile is doing.
>>
>> Assuming dial-peer 200 is your guys, then you can use this tool to help
>> you design your profile:
>>
>> http://www.cisco.com/web/tsweb/tools/sip-profile/index.html
>>
>> I pasted your profile into the tool and gave it a sample input (it's
>> brief, I know) and here is the result:
>>
>> [image: Inline image 1]
>>
>> You should note that the red indicates a match and a replace happened,
>> but also note that the replaced pattern contains an extra > at the end.
>> The reason is because you told it the match ended with .com and not .com>.
>> The reason the first < was replaced appropriately, is because your (.*)
>> accounts for it, as well as the space before it.
>>
>> I made a small adjustment to your profile, mainly to shorten it up, but
>> to also cleanup the extra > at the end
>>
>> [image: Inline image 2]
>>
>> I've never tried this next method before, but it seems a little cleaner
>> (less regex) than the above two modify profiles, albeit it takes two steps
>> to execute:
>>
>> [image: Inline image 3]
>>
>> That last option may not actually work in a real IOS device, as I'm not
>> sure if the message is re-read from the top after a rule matches.
>>
>> I hope that helps.
>>
>> On Wed, Mar 16, 2016 at 12:12 AM, Jonathan Charles 
>> wrote:
>>
>>> So, we have  a Century Link SIP trunk and we need to send a specific
>>> P-Asserted Identity for the call to work.
>>>
>>> We have: a
>>>
>>> voice class sip-profiles 101
>>>
>>>  request INVITE sip-header P-Asserted-Identity modify
>>> "P-Asserted-Identity:(.*)@voip.centurylink.com" "P-Asserted-Identity: <
>>> sip:3125551...@voip.centurylink.com>"
>>> !
>>>
>>> TO change the P-Asserted ID to what CL wants... however it is not making
>>> the change...
>>>
>>>
>>> dial-peer voice 200 voip
>>>  voice-class sip asserted-id pai
>>>  voice-class sip profiles 101
>>>
>>> What do we need to do to force a specific P-Asserted Identity...?
>>>
>>>
>>> TIA!
>>>
>>>
>>>
>>> Jonathan
>>>


Re: [cisco-voip] IM - services reported in unknown state after SAN cert install

2016-03-19 Thread Ryan Huff
As much as I hate to plug for MS Windows; you can typically use the Windows 
certificate viewer to extract each CA in a bundle (speaking from Godaddy 
experience myself). However the penguin (Linux) can do it faster IMO, but not 
always as intuitive.

Sent from my iPad

On Mar 17, 2016, at 3:15 PM, Erick Wellnitz wrote:

It was Go Daddy.

I uploaded the bundle they sent all at once to the tomcat-trust then the 
individual multi-server cert to tomcat.  The root was missing from that bundle. 
 Going out to their website and downloading the root, G2 root in this case, and 
uploading it to tomcat-trust was all I needed to do.

Maybe the customer didn't provide me with the file containing the entire chain 
but I remember vaguely this happening on previous jobs with Go Daddy.


On Thu, Mar 17, 2016 at 8:35 AM, Anthony Holloway wrote:
Thanks for replying.  Did you use a public CA or private CA?  And did you 
upload all certs in the chain (sans the root) as one file, or as separate files?

On Wed, Mar 16, 2016 at 8:06 PM, Erick Wellnitz wrote:

The root CA cert wasn't uploaded.  The bundle the CA provided didn't contain 
the root for whatever reason.  Once the root was in place and after a tomcat 
restart everything started working properly.

So, the whole thing was caused by not paying close enough attention to what got 
added to tomcat-trust after the cert bundle upload.

On Mar 16, 2016 4:35 PM, "Anthony Holloway" wrote:
What do you mean?  Was it simply not uploaded to the Tomcat Trust?  Or was the 
cert bad?

On Mon, Mar 14, 2016 at 3:31 PM, Erick Wellnitz wrote:
It was the root ca cert causing this.

Thanks everyone for the input

On Mon, Mar 14, 2016 at 1:44 PM, Ryan Huff wrote:
Correct; tomcat-trust is the trust store where the trusted CA chain goes and 
then the server certificate goes in the tomcat category.

Afterwards; you should only need a restart of tomcat services. However, if the 
nodes are having issues trusting one another within the cluster (assuming that 
your issue is a cert trust issue); left that way long enough will likely start 
to cause replication issues within the cluster.

After you resolve the issue, I would verify db replication is healthy.

Sent from my iPhone

On Mar 14, 2016, at 3:38 PM, Erick Wellnitz wrote:

I did that as well but I'm not 100% sure if the entire Root CA chain got 
installed.  I'll check that.

What made me try inserting the multi-server SAN into the tomcat-trust is that 
the IM entries for tomcat-trust have vanished.  Maybe I'm mis-remembering 
seeing them there in the first place.

On Mon, Mar 14, 2016 at 12:54 PM, Anthony Holloway wrote:
Just to clarify, your Multi-Server SAN cert should be installed to Tomcat and 
not Tomcat Trust.  The signing CA cert should go in Tomcat Trust.  Is that what 
you meant to say you did?

On Mon, Mar 14, 2016 at 1:47 PM, Erick Wellnitz wrote:
I have a strange issue with CUCM 11.0.1 and IM 11.0.1

We installed the multi-server SAN cert for tomcat and now the IM data monitor 
service is in an unknown state according to the system troubleshooter.

The SAN cert is installed to tomcat-trust so it shouldn't be a cert issue.  
Done service restarts, reboots and nothing seems to resolve this.

Anyone seen something like this before?

Thanks in advance!



Re: [cisco-voip] Need to modify P-Asserted Identity in SIP message for call to work...

2016-03-19 Thread Bill Talley
You're certain the PAI from CUCM to CUBE matches the pattern in your profile?

Sent from an Apple iOS device with very tiny touchscreen input keys.  Please 
excude my typtos.

> On Mar 16, 2016, at 2:13 PM, Jonathan Charles  wrote:
> 
> Yeah, did that too.. and still seeing the unmodified P-Asserted Identity...
> 
>> On Wed, Mar 16, 2016 at 11:27 AM, Anthony Holloway 
>>  wrote:
>> If you apply it under voice service voip > sip, then it's applied to all 
>> outgoing messages, regardless of dial-peer.  Specifying it on the dial-peer 
>> level is redundant at that point, though it does take precedence over the 
>> global configuration.
>> 
>> You can debug ccsip mess and grab an outgoing INVITE example and paste it 
>> into the tool I linked before.
>> 
>>> On Wed, Mar 16, 2016 at 9:32 AM, Jonathan Charles  wrote:
>>> Thanks, I checked and the voice class sip profile is on every dial peer not 
>>> pointing at CCM, it is also applied under voice service voip - sip... 
>>> 
>>> I will run the debug after hours to see why it is not being applied...
>>> 
>>> 
>>> 
>>> Jonathan
>>> 
>>>> On Wed, Mar 16, 2016 at 12:47 AM, Anthony Holloway wrote:
>>>> Hey Jonathan,
>>>>
>>>> Make sure that the profile is on the correct outgoing dial-peer.  SIP
>>>> profiles are only executed in the outgoing dial-peer, after the dial-peer
>>>> has been matched/selected.
>>>>
>>>> You can use debug voip ccapi inout or debug voip dialpeer to find out
>>>> which outgoing dial-peer is being matched.  Also, you can use debug ccsip
>>>> all to see if and what the SIP profile is doing.
>>>>
>>>> Assuming dial-peer 200 is your guys, then you can use this tool to help
>>>> you design your profile:
>>>>
>>>> http://www.cisco.com/web/tsweb/tools/sip-profile/index.html
>>>>
>>>> I pasted your profile into the tool and gave it a sample input (it's
>>>> brief, I know) and here is the result:
>>>>
>>>> You should note that the red indicates a match and a replace happened, but
>>>> also note that the replaced pattern contains an extra > at the end.  The
>>>> reason is because you told it the match ended with .com and not .com>.
>>>> The reason the first < was replaced appropriately, is because your (.*)
>>>> accounts for it, as well as the space before it.
>>>>
>>>> I made a small adjustment to your profile, mainly to shorten it up, but to
>>>> also cleanup the extra > at the end
>>>>
>>>> I've never tried this next method before, but it seems a little cleaner
>>>> (less regex) than the above two modify profiles, albeit it takes two steps
>>>> to execute:
>>>>
>>>> That last option may not actually work in a real IOS device, as I'm not
>>>> sure if the message is re-read from the top after a rule matches.
>>>>
>>>> I hope that helps.
>>>>
>>>>> On Wed, Mar 16, 2016 at 12:12 AM, Jonathan Charles wrote:
>>>>> So, we have  a Century Link SIP trunk and we need to send a specific
>>>>> P-Asserted Identity for the call to work.
>>>>>
>>>>> We have: a
>>>>>
>>>>> voice class sip-profiles 101
>>>>>
>>>>>  request INVITE sip-header P-Asserted-Identity modify
>>>>> "P-Asserted-Identity:(.*)@voip.centurylink.com" "P-Asserted-Identity:
>>>>> "
>>>>> !
>>>>>
>>>>> TO change the P-Asserted ID to what CL wants... however it is not making
>>>>> the change...
>>>>>
>>>>>
>>>>> dial-peer voice 200 voip
>>>>>  voice-class sip asserted-id pai
>>>>>  voice-class sip profiles 101
>>>>>
>>>>> What do we need to do to force a specific P-Asserted Identity...?
>>>>>
>>>>>
>>>>> TIA!
>>>>>
>>>>>
>>>>>
>>>>> Jonathan
>>>>>
___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
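
The matching behaviour discussed in this thread, as an added example that is not part of any poster's message and is not Cisco code: a Python model of a `sip-header ... modify` rule run over a constructed outgoing INVITE. It assumes the rule replaces only the matched part of the header line, as the thread describes, and that Python's `re` behaves like the IOS matcher for these simple patterns; the phone numbers, addresses and the `WHOLE_LINE` rule are constructed placeholders.

```python
import re
from typing import NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    method: str       # request method the rule is scoped to
    header: str       # header the rule is scoped to
    pattern: str      # regex searched for in the header line
    replacement: str  # literal text that replaces the matched part


# Constructed placeholder: the number used in the thread is elided there.
WANTED = "P-Asserted-Identity: <sip:5555550100@voip.centurylink.com>"

# Pattern as posted in the thread; it stops at ".com", before the closing ">".
POSTED = Rule("INVITE", "P-Asserted-Identity",
              r"P-Asserted-Identity:(.*)@voip.centurylink.com", WANTED)

# Assumed alternative for comparison (not the adjusted profile from the
# thread, whose screenshot is missing): consume the whole header line.
WHOLE_LINE = Rule("INVITE", "P-Asserted-Identity",
                  r"P-Asserted-Identity:.*", WANTED)


def make_invite(pai_value: str) -> str:
    """Build a constructed outgoing INVITE carrying the given PAI value."""
    return "\r\n".join([
        "INVITE sip:5555550199@198.51.100.10:5060 SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
        'From: "Constructed Caller" <sip:2000@192.0.2.10>;tag=1',
        "To: <sip:5555550199@198.51.100.10>",
        "Call-ID: constructed-1@192.0.2.10",
        "CSeq: 101 INVITE",
        f"P-Asserted-Identity: {pai_value}",
        "Content-Length: 0",
        "", "",
    ])


def apply_rule(message: str, rule: Rule) -> Tuple[str, Optional[str]]:
    """Apply one modify rule; return (status, resulting header line).

    status is one of: wrong-method, header-absent, no-match, modified.
    """
    lines = message.split("\r\n")
    if not lines[0].startswith(rule.method + " "):
        return "wrong-method", None
    for line in lines[1:]:
        if line == "":          # blank line ends the header section
            break
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() == rule.header.lower():
            # The lambda keeps the replacement literal (no backreference parsing).
            new_line, hits = re.subn(rule.pattern, lambda m: rule.replacement,
                                     line, count=1)
            return ("modified", new_line) if hits else ("no-match", line)
    return "header-absent", None


if __name__ == "__main__":
    samples = {
        "host is carrier domain": '"Constructed Caller" <sip:2000@voip.centurylink.com>',
        "host is CUCM address": '"Constructed Caller" <sip:2000@192.0.2.10>',
    }
    for label, pai in samples.items():
        for name, rule in (("posted", POSTED), ("whole-line", WHOLE_LINE)):
            print(f"{label:24} {name:10} {apply_rule(make_invite(pai), rule)}")
```

A `no-match` result for the posted pattern corresponds to the unmodified header reported in the thread; comparing against a header captured with `debug ccsip messages` shows which case applies.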


Re: [cisco-voip] IM - services reported in unknown state after SAN cert install

2016-03-19 Thread Anthony Holloway
Thanks for replying.  Did you use a public CA or private CA?  And did you
upload all certs in the chain (sans the root) as one file, or as separate
files?

On Wed, Mar 16, 2016 at 8:06 PM, Erick Wellnitz 
wrote:

> The root CA cert wasn't uploaded.  The bundle the CA provided didn't
> contain the root for whatever reason.  Once the root was in place and after
> a tomcat restart everything started working properly.
>
> So, the whole thing was caused by not paying close enough attention to
> what got added to tomcat-trust after the cert bundle upload.
> On Mar 16, 2016 4:35 PM, "Anthony Holloway" <
> avholloway+cisco-v...@gmail.com> wrote:
>
>> What do you mean?  Was it simply not uploaded to the Tomcat Trust?  Or
>> was the cert bad?
>>
>> On Mon, Mar 14, 2016 at 3:31 PM, Erick Wellnitz 
>> wrote:
>>
>>> It was the root ca cert causing this.
>>>
>>> Thanks everyone for the input
>>>
>>> On Mon, Mar 14, 2016 at 1:44 PM, Ryan Huff  wrote:
>>>
>>>> Correct; tomcat-trust is the trust store where the trusted CA chain
>>>> goes and then the server certificate goes in the tomcat category.
>>>>
>>>> Afterwards; you should only need a restart of tomcat services. However,
>>>> if the nodes are having issues trusting one another within the cluster
>>>> (assuming that your issue is a cert trust issue); left that way long enough
>>>> will likely start to cause replication issues within the cluster.
>>>>
>>>> After you resolve the issue, I would verify db replication is healthy.
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On Mar 14, 2016, at 3:38 PM, Erick Wellnitz
>>>> wrote:
>>>>
>>>> I did that as well but I'm not 100% sure if the entire Root CA chain
>>>> got installed.  I'll check that.
>>>>
>>>> What made me try inserting the multi-server SAN into the tomcat-trust
>>>> is that the IM entries for tomcat-trust have vanished.  Maybe I'm
>>>> mis-remembering seeing them there in the first place.
>>>>
>>>> On Mon, Mar 14, 2016 at 12:54 PM, Anthony Holloway <
>>>> avholloway+cisco-v...@gmail.com> wrote:
>>>>
>>>>> Just to clarify, your Multi-Server SAN cert should be installed to
>>>>> Tomcat and not Tomcat Trust.  The signing CA cert should go in Tomcat
>>>>> Trust.  Is that what you meant to say you did?
>>>>>
>>>>> On Mon, Mar 14, 2016 at 1:47 PM, Erick Wellnitz <
>>>>> ewellnitzv...@gmail.com> wrote:
>>>>>
>>>>>> I have a strange issue with CUCM 11.0.1 and IM 11.0.1
>>>>>>
>>>>>> We installed the multi-server SAN cert for tomcat and now the IM
>>>>>> data monitor service is in an unknown state according to the system
>>>>>> troubleshooter.
>>>>>>
>>>>>> The SAN cert is installed to tomcat-trust so it shouldn't be a cert
>>>>>> issue.  Done service restarts, reboots and nothing seems to resolve this.
>>>>>>
>>>>>> Anyone seen something like this before?
>>>>>>
>>>>>> Thanks in advance!


Re: [cisco-voip] IM - services reported in unknown state after SAN cert install

2016-03-19 Thread Erick Wellnitz
It was Go Daddy.

I uploaded the bundle they sent all at once to the tomcat-trust then the
individual multi-server cert to tomcat.  The root was missing from that
bundle.  Going out to their website and downloading the root, G2 root in
this case, and uploading it to tomcat-trust was all I needed to do.

Maybe the customer didn't provide me with the file containing the entire
chain but I remember vaguely this happening on previous jobs with Go Daddy.


On Thu, Mar 17, 2016 at 8:35 AM, Anthony Holloway <
avholloway+cisco-v...@gmail.com> wrote:

> Thanks for replying.  Did you use a public CA or private CA?  And did you
> upload all certs in the chain (sans the root) as one file, or as separate
> files?
>
> On Wed, Mar 16, 2016 at 8:06 PM, Erick Wellnitz 
> wrote:
>
>> The root CA cert wasn't uploaded.  The bundle the CA provided didn't
>> contain the root for whatever reason.  Once the root was in place and after
>> a tomcat restart everything started working properly.
>>
>> So, the whole thing was caused by not paying close enough attention to
>> what got added to tomcat-trust after the cert bundle upload.
>> On Mar 16, 2016 4:35 PM, "Anthony Holloway" <
>> avholloway+cisco-v...@gmail.com> wrote:
>>
>>> What do you mean?  Was it simply not uploaded to the Tomcat Trust?  Or
>>> was the cert bad?
>>>
>>> On Mon, Mar 14, 2016 at 3:31 PM, Erick Wellnitz wrote:
>>>
>>>> It was the root ca cert causing this.
>>>>
>>>> Thanks everyone for the input
>>>>
>>>> On Mon, Mar 14, 2016 at 1:44 PM, Ryan Huff
>>>> wrote:
>>>>
>>>>> Correct; tomcat-trust is the trust store where the trusted CA chain
>>>>> goes and then the server certificate goes in the tomcat category.
>>>>>
>>>>> Afterwards; you should only need a restart of tomcat services.
>>>>> However, if the nodes are having issues trusting one another within the
>>>>> cluster (assuming that your issue is a cert trust issue); left that way
>>>>> long enough will likely start to cause replication issues within the
>>>>> cluster.
>>>>>
>>>>> After you resolve the issue, I would verify db replication is healthy.
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>> On Mar 14, 2016, at 3:38 PM, Erick Wellnitz
>>>>> wrote:
>>>>>
>>>>> I did that as well but I'm not 100% sure if the entire Root CA chain
>>>>> got installed.  I'll check that.
>>>>>
>>>>> What made me try inserting the multi-server SAN into the tomcat-trust
>>>>> is that the IM entries for tomcat-trust have vanished.  Maybe I'm
>>>>> mis-remembering seeing them there in the first place.
>>>>>
>>>>> On Mon, Mar 14, 2016 at 12:54 PM, Anthony Holloway <
>>>>> avholloway+cisco-v...@gmail.com> wrote:
>>>>>
>>>>>> Just to clarify, your Multi-Server SAN cert should be installed to
>>>>>> Tomcat and not Tomcat Trust.  The signing CA cert should go in Tomcat
>>>>>> Trust.  Is that what you meant to say you did?
>>>>>>
>>>>>> On Mon, Mar 14, 2016 at 1:47 PM, Erick Wellnitz <
>>>>>> ewellnitzv...@gmail.com> wrote:
>>>>>>
>>>>>>> I have a strange issue with CUCM 11.0.1 and IM 11.0.1
>>>>>>>
>>>>>>> We installed the multi-server SAN cert for tomcat and now the IM
>>>>>>> data monitor service is in an unknown state according to the system
>>>>>>> troubleshooter.
>>>>>>>
>>>>>>> The SAN cert is installed to tomcat-trust so it shouldn't be a cert
>>>>>>> issue.  Done service restarts, reboots and nothing seems to resolve
>>>>>>> this.
>>>>>>>
>>>>>>> Anyone seen something like this before?
>>>>>>>
>>>>>>> Thanks in advance!


Re: [cisco-voip] Failure during PCD readdress task...

2016-03-19 Thread Ryan Huff
I'm sure you verified that the reverse arpa lookup is also working for that 
forward FQDN?

Sent from my iPhone

On Mar 18, 2016, at 11:57 PM, Jonathan Charles wrote:

No change to domain... this was a PCD migration cluster... we are now changing 
the cucm 11 migration cluster's hostnames and IPs to be the ones of the old 8.5 
cluster.


Jonathan

On Fri, Mar 18, 2016 at 10:43 PM, Dave Wolgast wrote:
Just to be sure, is the new domain the same as the old domain? When we wanted 
to change the domain, we actually had to redo the DNS with the old domain to 
make PCD work. We then changed the domain in DNS and on the CUCM servers.

On Fri, Mar 18, 2016 at 11:39 PM Jonathan Charles wrote:
We are running PCD 11 against a CUCM 11 cluster.

On the readdress, we are getting a failure:

ERROR node.domain is invalid.

We also tried running it from the CLI:

Domain is invalid.

We have verified DNS is correct for the new name, the IP is not in use... and 
Google is blank on this...

Any ideas?



Jonathan
--
Dave Wolgast
Livonia, NY
585.402.3375



Re: [cisco-voip] Need to modify P-Asserted Identity in SIP message for call to work...

2016-03-19 Thread Jonathan Charles
Yeah, did that too.. and still seeing the unmodified P-Asserted Identity...

On Wed, Mar 16, 2016 at 11:27 AM, Anthony Holloway <
avholloway+cisco-v...@gmail.com> wrote:

> If you apply it under voice service voip > sip, then it's applied to all
> outgoing messages, regardless of dial-peer.  Specifying it on the dial-peer
> level is redundant at that point, though it does take precedence over the
> global configuration.
>
> You can debug ccsip mess and grab an outgoing INVITE example and paste it
> into the tool I linked before.
>
> On Wed, Mar 16, 2016 at 9:32 AM, Jonathan Charles 
> wrote:
>
>> Thanks, I checked and the voice class sip profile is on every dial peer
>> not pointing at CCM, it is also applied under voice service voip - sip...
>>
>> I will run the debug after hours to see why it is not being applied...
>>
>>
>>
>> Jonathan
>>
>> On Wed, Mar 16, 2016 at 12:47 AM, Anthony Holloway <
>> avholloway+cisco-v...@gmail.com> wrote:
>>
>>> Hey Jonathan,
>>>
>>> Make sure that the profile is on the correct outgoing dial-peer.  SIP
>>> profiles are only executed in the outgoing dial-peer, after the dial-peer
>>> has been matched/selected.
>>>
>>> You can use debug voip ccapi inout or debug voip dialpeer to find out
>>> which outgoing dial-peer is being matched.  Also, you can use debug ccsip
>>> all to see if and what the SIP profile is doing.
>>>
>>> Assuming dial-peer 200 is your guys, then you can use this tool to help
>>> you design your profile:
>>>
>>> http://www.cisco.com/web/tsweb/tools/sip-profile/index.html
>>>
>>> I pasted your profile into the tool and gave it a sample input (it's
>>> brief, I know) and here is the result:
>>>
>>> [image: Inline image 1]
>>>
>>> You should note that the red indicates a match and a replace happened,
>>> but also note that the replaced pattern contains an extra > at the end.
>>> The reason is because you told it the match ended with .com and not .com>.
>>> The reason the first < was replaced appropriately, is because your (.*)
>>> accounts for it, as well as the space before it.
>>>
>>> I made a small adjustment to your profile, mainly to shorten it up, but
>>> to also cleanup the extra > at the end
>>>
>>> [image: Inline image 2]
>>>
>>> I've never tried this next method before, but it seems a little cleaner
>>> (less regex) than the above two modify profiles, albeit it takes two steps
>>> to execute:
>>>
>>> [image: Inline image 3]
>>>
>>> That last option may not actually work in a real IOS device, as I'm not
>>> sure if the message is re-read from the top after a rule matches.
>>>
>>> I hope that helps.
>>>
>>> On Wed, Mar 16, 2016 at 12:12 AM, Jonathan Charles 
>>> wrote:
>>>
>>>> So, we have  a Century Link SIP trunk and we need to send a specific
>>>> P-Asserted Identity for the call to work.
>>>>
>>>> We have: a
>>>>
>>>> voice class sip-profiles 101
>>>>
>>>>  request INVITE sip-header P-Asserted-Identity modify
>>>> "P-Asserted-Identity:(.*)@voip.centurylink.com" "P-Asserted-Identity: <
>>>> sip:3125551...@voip.centurylink.com>"
>>>> !
>>>>
>>>> TO change the P-Asserted ID to what CL wants... however it is not
>>>> making the change...
>>>>
>>>>
>>>> dial-peer voice 200 voip
>>>>  voice-class sip asserted-id pai
>>>>  voice-class sip profiles 101
>>>>
>>>> What do we need to do to force a specific P-Asserted Identity...?
>>>>
>>>>
>>>> TIA!
>>>>
>>>>
>>>>
>>>> Jonathan
