Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?

2021-12-02 Thread Brian Meade
The phone CA Trust List is part of the phone firmware.

I think this is still the latest-
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cuipph/all_models/ca-list/CA-Trust-List.pdf

I don't see Let's Encrypt in there.

On Wed, Nov 17, 2021 at 9:53 AM Jonathan Charles  wrote:

> OK, TAC never responded to me, but I found the solution. I did a packet
> capture from the phone and saw it come back with an invalid CA for the
> Let's Encrypt certs... I uploaded the cert chain for Let's Encrypt to
> Phone-Edge-Trust on the CCM Publisher and the phone registered.
>
> Phone-Edge-Trust uploads the certs to the Cisco Cloud, so when the phone
> gets the activation code it downloads those certs into its trust store.
>
> This cert store is designed for people using their own internal certs, but
> my phone was a CP-8845-K9=V03 I got in 2017 and probably predates the Let's
> Encrypt CA, so if you see a TLS error or Invalid CA in the PCAP, it is
> worth a shot to upload the E's external cert chain to the Pub.
>
>
> Jonathan
>
> On Thu, Nov 11, 2021 at 4:57 PM Jonathan Charles 
> wrote:
>
>> Yes, they will, the Expressway E was designed around an ACME cert and
>> Let's Encrypt is super free.
>>
>> Anyway, I think the issue is between the Expressway and CUCM at this
>> point... escalating to TAC...
>>
>>
>> Jonathan
>>
>> On Thu, Nov 11, 2021 at 4:49 PM Brian V  wrote:
>>
>>> Will the phones trust a Let's Encrypt cert?
>>> Jabber works because the OS (Windows/MAC/iOS/Droid) gets updated root CA
>>> certs on a regular basis.
>>> The trusted certs in the phone have to be placed there in the software
>>> by Cisco.
>>> This might be a situation where newer code on a phone is required if the
>>> trusted Root CA (or chain) for Let's Encrypt is missing on the phone.
>>>
>>> On Thu, Nov 11, 2021 at 11:27 AM Matthew Huff  wrote:
>>>
 I wouldn’t put a lot of weight in the status on the phone with the TLS
 error, I’ve seen that with working phones. Do you have the phone MRA domain
 set? We have a separate device pool for MRA devices so it can set the time
 from external ntp sources. If the time on the phone is off, the crypto
 can fail as well.

 *Matthew Huff* | Director of Technical Operations | OTA Management LLC
 *Office: 914-460-4039*
 *mh...@ox.com | www.ox.com*

 *From:* Jonathan Charles
 *Sent:* Thursday, November 11, 2021 11:50 AM
 *To:* Matthew Huff
 *Cc:* Brian Meade; cisco-voip voyp list <cisco-voip@puck.nether.net>
 *Subject:* Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?

 It is running 12.8... it has been locally reg'd before...

 On Thu, Nov 11, 2021 at 10:44 AM Matthew Huff  wrote:

 In the lab, have you tried setting up the phone without MRA and getting the
 firmware uploaded first? Depending on how old the firmware is, you may have
 issues with onboarding. Our 8861 wouldn’t onboard until at least 12.5.

 *From:* cisco-voip *On Behalf Of* Jonathan Charles
 *Sent:* Thursday, November 11, 2021 11:10 AM
 *To:* Brian Meade
 *Cc:* cisco-voip voyp list
 *Subject:* Re: [cisco-voip] MRA Onboarding via activation code... phone trust list?

 On the phone, we see TLS connection failed... the E's cert is signed by
 Let's Encrypt...

 On the Expressway E we see some certificate exchange and then resets in
 the connection...

 MRA works fine for Jabber, just 8845 Activation Code onboarding is
 failing...

 Jonathan

 On Tue, Nov 9, 2021 at 5:57 PM Brian Meade  wrote:

 What do the console logs show?

 The Expressway needs to be signed by one of the trusted CAs listed that
 are part of the phone firmware.

 The Expressway cert authenticates the phone with the MIC.

 Do you have activation code onboarding enabled under the MRA config on
 the Expressway-C?

 On Fri, Nov 5, 2021, 5:30 PM Jonathan Charles 
 wrote:

 So, I set up activation code MRA for an 8845 (lab first)...

 Cloud onboarding worked, got an activation code, tried it out...

 Phone kicks back 'check internet connectivity' and on the status on
 the 
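As an added check, not code from the thread or from Cisco: the openssl-based function below reproduces what the thread describes. It validates the chain the Expressway-E presents against only a supplied trust bundle (standing in for the phone's firmware CA Trust List plus anything uploaded to Phone-Edge-Trust), ignores the host's own CA store, and can evaluate the chain at a given time to reproduce a phone whose clock is wrong. File names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco: emulate the phone's
# chain validation offline with the openssl CLI. TRUST_BUNDLE is a PEM file
# standing in for what the phone trusts (its firmware CA Trust List plus anything
# uploaded to Phone-Edge-Trust); CHAIN_PEM is the chain the Expressway-E presents,
# leaf first, e.g. saved from "openssl s_client -showcerts". File names are assumed.

# verify_chain TRUST_BUNDLE CHAIN_PEM [EPOCH_SECONDS]
# Returns 0 if the leaf chains to a CA in TRUST_BUNDLE (as of EPOCH_SECONDS, if
# given), non-zero otherwise. The host's own CA store is deliberately ignored:
# a phone only trusts its firmware list and Phone-Edge-Trust, not /etc/ssl/certs.
verify_chain() {
    trust="$1"; chain="$2"; at="$3"
    leaf=$(mktemp); inter=$(mktemp)
    # First certificate in the file is the leaf; any further ones are intermediates.
    awk -v leaf="$leaf" -v inter="$inter" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n > 1  { print > inter }' "$chain"
    opts="-no-CApath"
    # OpenSSL 3 adds a default "store" lookup as well; switch it off where the option exists.
    if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then
        opts="$opts -no-CAstore"
    fi
    if [ -s "$inter" ]; then
        opts="$opts -untrusted $inter"
    fi
    # -attime reproduces a phone whose clock is wrong (the NTP point made in the
    # thread): a chain that is fine today fails if the phone thinks it is 2001.
    if [ -n "$at" ]; then
        opts="$opts -attime $at"
    fi
    openssl verify $opts -CAfile "$trust" "$leaf" >/dev/null 2>&1
    rc=$?
    rm -f "$leaf" "$inter"
    return $rc
}
```

A chain that passes here but fails on the phone points at firmware age (the CA simply is not in that firmware's list) rather than at the certificate itself.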

Re: [cisco-voip] MRA calls dropping

2021-12-02 Thread Brian Meade
Grab the CallManager traces.  They should show why CUCM is sending a BYE.

On Wed, Nov 24, 2021 at 11:34 AM Jonathan Charles  wrote:

> Both internal and external, multiple users, multiple locations
>
> We are seeing call drops, and the only things the logs (on the Expressway
> E's) show is a Bye coming from CUCM.
>
> tvcs: Event="Request Received" Service="SIP" Src-ip="10.1.28.210"
> Src-port="25845" Dst-ip="10.2.9.165" Dst-port="7001"
> Call-serial-number="b5ef5cdf-c039-48ec-91af-8ef6f4f4204c"
> Tag="dfd1d116-6100-48f6-8dcf-d2efe0b6f552" Protocol="TLS" Method="BYE"
> Request-URI="sip:4ed5aa08-624f-82a4-8c7f-6863f6545aa9@192.168.10.25:53171;transport\=tls"
> To="sip:6656...@cucms01.banana.com" Level="2" UTCTime="2021-11-24
> 16:10:45,389"
>
> CUCM is 12.5
> Expressway is v14.0.3
>
> Just wondering what to check...
>
>
> Thanks!
>
>
> Jonathan
> ___
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
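As an added helper, not code from the thread: the awk function below pulls the fields needed to chase a dropped call out of Expressway "tvcs" event lines of the kind quoted above, so the Call-serial-number, timestamp and sending IP of each BYE can be matched against the CallManager traces. The sample log is constructed from the one line quoted in the thread (re-joined onto a single line) plus a made-up INVITE for the same call.

```shell
#!/bin/sh
# Added example, not from the thread: summarise every SIP BYE in an Expressway
# "tvcs" log so it can be correlated with the CallManager traces. The sample log
# is constructed: the BYE line is the one quoted in the thread, the INVITE is made up.

# bye_summary LOGFILE -> one line per SIP BYE received:
#   <UTCTime> <src ip>:<port> -> <dst ip>:<port> call=<Call-serial-number>
# The source IP shows which host actually sent the BYE.
bye_summary() {
    awk '
        /Event="Request Received"/ && /Method="BYE"/ {
            split("", f)
            line = $0
            # Collect every key="value" pair; values may contain spaces (UTCTime)
            # or escaped characters (transport\=tls), so match up to the closing quote.
            while (match(line, /[A-Za-z-]+="[^"]*"/)) {
                kv = substr(line, RSTART, RLENGTH)
                eq = index(kv, "=")
                f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            printf "%s %s:%s -> %s:%s call=%s\n", f["UTCTime"], f["Src-ip"], f["Src-port"],
                   f["Dst-ip"], f["Dst-port"], f["Call-serial-number"]
        }' "$1"
}

# make_sample -> path of a constructed two-line log (an INVITE and the BYE from the thread).
make_sample() {
    out=$(mktemp)
    cat > "$out" <<'EOF'
tvcs: Event="Request Received" Service="SIP" Src-ip="10.2.9.165" Src-port="7001" Dst-ip="10.1.28.210" Dst-port="25845" Call-serial-number="b5ef5cdf-c039-48ec-91af-8ef6f4f4204c" Protocol="TLS" Method="INVITE" Level="2" UTCTime="2021-11-24 16:05:10,001"
tvcs: Event="Request Received" Service="SIP" Src-ip="10.1.28.210" Src-port="25845" Dst-ip="10.2.9.165" Dst-port="7001" Call-serial-number="b5ef5cdf-c039-48ec-91af-8ef6f4f4204c" Tag="dfd1d116-6100-48f6-8dcf-d2efe0b6f552" Protocol="TLS" Method="BYE" Request-URI="sip:4ed5aa08-624f-82a4-8c7f-6863f6545aa9@192.168.10.25:53171;transport\=tls" To="sip:6656...@cucms01.banana.com" Level="2" UTCTime="2021-11-24 16:10:45,389"
EOF
    echo "$out"
}

bye_summary "$(make_sample)"
```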