Great writeup Daniel!
I found it interesting that the CUCM 10.x SRND states:
*SIP Gateway*
*Redundancy with Cisco IOS SIP gateways can be achieved similarly to H.323.
If the SIP gateway cannot establish a connection to the primary Unified CM,
it tries a second Unified CM defined under another dia
Since you want to break it...
If you change the NTP server and reboot it should recalculate the
license MAC. Changing the NTP server back should restore the original
license MAC after another reboot. Maybe that will be enough to clear
out the old license information.
Otherwise, you could r
How can I remove all licenses from CUCM 8.6?
At the command-line, I did "file delete license *" and deleted all the license
files. Then I rebooted (twice even). The license files are all gone but the
"License Unit Report" page still shows all the license counts from before and
everything is fine
Good day all,
I am trying to setup XMPP federation via Expressway.
My IM client is Jabber for Mac (WebEx Connect). Federation works with other
WebEx Connect clients (such as Cisco).
I add the new customer contact (IM&P 10.5(1) and Expressway X8.5) and the J4W
client on the customer network re
Since we're on the topic of SIP timers, timeouts, etc., I figured why not share
some additional information with the list. Below is a write-up of SIP timers T1
and Timer-B I wrote some time ago. Hopefully someone will find this useful at some
point.
This isn’t mentioned in CUCM service parameter des
If your Agents are using IE then that's all you need, otherwise, Firefox
has its own list of Trusted Root CAs and you'll need to supply the
Trusted Root CA cert to each individual FF browser.
On Thu Feb 05 2015 at 12:41:14 PM Brian Meade wrote:
> You can run the CA on your domain controller wh
Try changing his transfer extension in unity connection.
> On Feb 5, 2015, at 11:46 AM, Brian Palmer wrote:
>
> I have a CEO that wants anybody using the directory lookup from unity
> connection (last name, first name) to find him to be directed to his secretary
> while also allowing anybody t
Thanks so much for the response Anthony. Given that these guys have two IVR’s
I would have expected an auto attendant within CVP or UCCX which would allow this
to all work much easier with far less work. I am considering all options but
the less complex the better. I truly dislike having to do
sip-ua
 retry invite 2
 timers trying 100
On 2015-02-05 12:32, Brian Meade wrote:
Hey all,
Does anyone know a SIP equivalent of "h225 timeout tcp establish"?
The default SIP TCP timeout is 5 seconds:
001306: Feb 4 20:44:34.164: %VOICE_IEC-3-GW: SIP: Internal Error
(Socket error): IEC=1.1.186
Within CUC there is only one way to specify a Transfer Rule for a
subscriber, so I don't think you're going to get the differentiated
services you want from within CUC so simply.
There are many options to consider, sure, to include prefix routing, PT/CSS
tricks, etc.
And if you are considering al
Shoot, I wasn't clear enough in my last email. I meant to say:
iPhone Jabber clients (or iOS in general) will require public Trusted Root
CA signed certs for all internal servers as well. Otherwise, they will
still receive a pop up warning when connecting to CUCM, IM&P, CUC, etc.
On Thu Feb 05
If we're talking about transport level timeout, it looks like the command is
available in CUBE SP Edition:
"In addition to the SIP protocol-level timers, Cisco Unified Border Element (SP
Edition) also allows modification of transport-related timer commands:
tcp-connect-timeout (how long TCP SYN
"If you are using MRA, then the Expressway-E is the only entity that should
require an external certificate."
To the best of my knowledge, if you have iPhone Jabber clients connecting
via MRA, they will require public Trusted Root CA's.
On Thu Feb 05 2015 at 12:31:45 PM Heim, Dennis wrote:
> For
Unfortunately that only seems to work for UDP trunks since the Invite never
even gets sent so that timer doesn't kick in. It's a different timer for
the TCP timeout that needs to be adjusted. May have to use
options-keepalives but trying not to.
On Thu, Feb 5, 2015 at 1:48 PM, wrote:
> Not sur
Are you trying to protect the routers from other hosts within the same network,
or just from other networks?
If the latter, then what you’re trying to do is simple, and broadcast/not using
the addresses you mentioned at the beginning isn’t an issue, as every address
in the grouping can be used
Not sure why this didn't hit the list the first time I sent it, maybe
it's just slow.
Anyways:
sip-ua
 retry invite 2
 timers trying 100
On 2015-02-05 12:32, Brian Meade wrote:
Hey all,
Does anyone know a SIP equivalent of "h225 timeout tcp establish"?
The default SIP TCP timeout is 5 second
I have a CEO that wants anybody using the directory lookup from unity
connection (last name, first name) to find him to be directed to his secretary
while also allowing anybody that knows his direct extension to still be able to
get him directly.
This is for a UCCX 8 environment that also has CV
You could also add "voice-class sip options-keepalive" under the
dial-peers and they will be disabled when they are unreachable. You can
see their status with "sh dial-p v s".
On 2015-02-05 12:32, Brian Meade wrote:
Hey all,
Does anyone know a SIP equivalent of "h225 timeout tcp establish"?
Hey all,
Does anyone know a SIP equivalent of "h225 timeout tcp establish"?
The default SIP TCP timeout is 5 seconds:
001306: Feb 4 20:44:34.164: %VOICE_IEC-3-GW: SIP: Internal Error (Socket
error): IEC=1.1.186.7.7.4 on callID 3254
GUID=5BBD7EFBAC0F11E4997499045654EBE2
001307: Feb 4 20:44:39.16
You can run the CA on your domain controller which all domain users will
trust certificates from automatically.
On Thu, Feb 5, 2015 at 12:52 PM, Jose Colon II wrote:
> Thanks Brian, How would I go about issuing an internal CA that does not
> require the Finesse user to accept multiple certificate
For those windows clients you can run the following:
certutil -verify -urlfetch
That should show why the certificate is failing validation. If you use an
internal ca to sign your certs include the following subject alternative names:
DNS:
DNS:
DNS:
IP:
I find that overkill usually helps certs
I'm having problems with the IPMA software. When the assistant is offline
calls are being forwarded directly to the manager, even when the filters
on this and On the Divall is not selected. In this case, even if the
assistant is in offline calls should not be directed to the manager, right?
Thanks Brian, How would I go about issuing an internal CA that does not
require the Finesse user to accept multiple certificates. My users are not
that tech savvy and there are over 300 of them that will need to come
Monday morning.
On Thu, Feb 5, 2015 at 11:38 AM, Kevin Przybylowski
wrote:
> Ano
> On 5 Feb 2015, at 17:33, Kevin Przybylowski wrote:
>
> Are you using real FQDN's or internal FQDNs?
> https://www.digicert.com/internal-names.htm
Real FQDNs
>
> This has been a real pain point with recent Jabber/MRA rollouts.
Tell me about it! Our CUCM/CUC/CUP cluster was built when Cisc
Do you need to buy their wildcard cert for this or would the UC work? I would
try this internally as our godaddy's are expiring soon.
-Original Message-
From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of
NateCCIE
Sent: Thursday, February 5, 2015 12:38 PM
To: 'Ga
You could just use an internal CA so you don't have to deal with all of the
requirements. Public CA's are pretty strict about things like
SANs/internal domain names.
On Thu, Feb 5, 2015 at 12:02 PM, Jose Colon II wrote:
> Thanks Gary, I am on the phone with TAC and he is saying the same thing.
Another nice CSR decoder:
https://www.networking4all.com/en/support/tools/csr+check/
-Original Message-
From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Jason
Aarons (AM)
Sent: Thursday, February 5, 2015 12:08 PM
To: Gary Parker; jcolon...@gmail.com
Cc: Cisco VO
You can't do cluster wide-certs until 10.X.
But the way digicert works, it issues the cert over and over with each CSR. I
am confident it will work great for your 8.6 environment too.
-Original Message-
From: Gary Parker [mailto:g.j.par...@lboro.ac.uk]
Sent: Thursday, February 05, 2015
I have a VCS Expressway v7.0.2 that will authenticate a user with SSH,
but not provide a usable shell over the SSH connection. This would seem
to be bug CSCty33261.
Google seems unable to locate any information regarding the
"tmsgent_destroy_and_purge_data" command, except for the release
Are you using real FQDN's or internal FQDNs?
https://www.digicert.com/internal-names.htm
This has been a real pain point with recent Jabber/MRA rollouts.
I would take the advice of Warcop and upgrade to the latest CUCM/IM&P if
possible. This will give you the ability to use multi server certs
> On 5 Feb 2015, at 16:51, NateCCIE wrote:
>
> Use DIGICERT! You can get a wildcard cert from them, and use it over and
> over. So you just generate the cert based on the CSR from each app and it
> loads right in.
>
> Works great on CUCM, CUC, CUP, & Expressway!
Thanks Nate, good to know t
I've run into this before TX vs Texas
Use this to view your CSR and then fix via the set web-security commands etc
http://certlogik.com/decoder/
-Original Message-
From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Gary
Parker
Sent: Thursday, February 5, 2015 1
I've got dozens of clients that fall anywhere along the spectrum of never
to monthly. I'd say the majority are either patching for critical issues
only, or quarterly plus off-cycle for critical patches.
-matthew
Matthew Saskin
msas...@gmail.com
203-253-9571
On Wed, Feb 4, 2015 at 4:21 PM, Ken R
Thanks Gary, I am on the phone with TAC and he is saying the same thing.
Another issue I am seeing is the fact that I cannot get a certificate
assigned to me with an internal domain name or SAN. Do you have any
recommendations on this?
On Thu, Feb 5, 2015 at 10:55 AM, Gary Parker wrote:
>
> > On
I don't know if I follow all of it.
But if you have a host with a /26 with a /29 inside of that network, the
larger SN devices will try to go directly to the smaller SN but the Smaller
SN will not be able to get to the larger SN.
It would not be a design I would try in production.
YMMV.
S
Use DIGICERT! You can get a wildcard cert from them, and use it over and over.
So you just generate the cert based on the CSR from each app and it loads
right in.
Works great on CUCM, CUC, CUP, & Expressway!
-Original Message-
From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.
This could probably be accomplished with a layer 2 filtering
bridge. Either with a Linux VM with multiple tagged VLANs or an ASA in
transparent mode with multiple tagged VLANs for each host (or group of
hosts you want to filter).
You would need to place the layer 2 filtering bridge betwe
> On 5 Feb 2015, at 16:37, Jose Colon II wrote:
>
> I am trying to generate certificate request from 10.5.1 UCCX box and the cert
> it generates is not working with VeriSign. It tells me "The State Name in the
> CSR cannot be abbreviated"
>
> Anyone have any suggestions?
Hi Jose, have a look
I am trying to generate certificate request from 10.5.1 UCCX box and the
cert it generates is not working with VeriSign. It tells me "The State Name
in the CSR cannot be abbreviated"
Anyone have any suggestions?
Jose
___
cisco-voip mailing list
cisco-vo
Thanks Anthony!
I should have included that I would be looking at ACLs only, nothing like
modifying router interfaces or anything like that. Using DHCP reserved addresses,
the clients in question would get the appropriate IP address and be allowed
through.
---
Lelio Fulgenzi, B.A.
Senior Analy
I'm no Route/Switch engineer, so I'm likely wrong here, but I'll give my
two cents anyway.
You didn't specifically state what you are doing though. E.g., ACLs,
Interfaces, Routes, etc.
Let's pretend for a moment you wanted to carve out a new network in your
environment for this range.
I don't t
Hi folks, I’m in the process of replacing a load of self-signed certs on my
8.6.x CUCM, CUC and CUP servers.
I’ve been having issues getting certs with the correct KeyUsage extensions from
our current provider and wondered if anyone could recommend a company who can
provide certificates that ho
This group is full of it. Knowledge, that is. So who better to ask these
questions
I've got a subnet, say 192.168.45.0/26, of which I want to allow only a small
group of that subnet to access a particular host. I'm able to reserve the top
end, which falls into another subnet, 192.168.45.5
Please what is the difference between term06 file and cmterm files?
Please help.
On Mon, Jan 26, 2015 at 6:00 PM, wrote:
> Send cisco-voip mailing list submissions to
> cisco-voip@puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://puck.nether
cheers mate.
On Thu, Feb 5, 2015 at 12:02 AM, Brian Meade wrote:
> Jefflin,
>
> Usually you just want to hit Default then set trace level to Detailed. If
> SIP is involved, also want to enable SIP Stack trace.
>
> Having all the default traces enabled just makes sure nothing gets missed.
>
> Br