Cisco Unified Communications Manager (CUCM) Cluster 8.x introduced a
new Security by default feature and the use of Initial Trust List (ITL) files.
With this new feature, care must be taken when you move phones between
different CUCM clusters. This document discusses how to resolve issues with
Cisco IP Phones during the migration from Cisco Unified Communications Manager
Express (CUCME) to CUCM 8.x. The issue is that those IP Phones are not able to
get the firmware load uploaded to the TFTP server.
There are no specific requirements for this document.
The information in this document is based on these software and
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
You are migrating IP Phones from an existing CME environment onto
a new CUCM 8.x cluster. The Trust List Update
Failed messages that appear may indicate a potential issue with
the ITL files that reside on these endpoints. Here the IP Phones do not
receive the load file on CUCM.
12:58:15 Trust List Update Failed
12:58:57 Trust List Update Failed
12:59:08 TFTP Timeout : SEP001D705F9EA8.cnf.xml.sgn
12:59:31 Trust List Update Failed
13:00:13 Trust List Update Failed
13:01:45 Trust List Update Failed
13:02:26 Trust List Update Failed
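The status messages above can be triaged automatically. The following Python is an added example, not part of the original document or any Cisco tool: it parses messages in the format shown on this page and flags a phone whose ITL is likely stale. The function name triage and the threshold min_failures are assumptions made for illustration.

```python
import re

# Patterns match the two message types shown in the status log on this page.
TRUST_FAIL = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+Trust List Update Failed$")
TFTP_TIMEOUT = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+TFTP Timeout\s*:\s*(\S+)$")

# Status messages copied from this page.
PAGE_LOG = """\
12:58:15 Trust List Update Failed
12:58:57 Trust List Update Failed
12:59:08 TFTP Timeout : SEP001D705F9EA8.cnf.xml.sgn
12:59:31 Trust List Update Failed
13:00:13 Trust List Update Failed
13:01:45 Trust List Update Failed
13:02:26 Trust List Update Failed
"""

def triage(lines, min_failures=3):
    """Summarise one phone's status messages and flag a likely stale ITL.

    Heuristic (an assumption, not a Cisco rule): repeated trust list update
    failures together with a timeout on a signed (.sgn) file.
    """
    failures, timeouts = [], []
    for line in lines:
        line = line.strip()
        if m := TRUST_FAIL.match(line):
            failures.append(m.group(1))
        elif m := TFTP_TIMEOUT.match(line):
            timeouts.append(m.group(2))
    # Signed files are the ones the phone verifies against its ITL.
    signed = [name for name in timeouts if name.endswith(".sgn")]
    # SEP<MAC> is the device name embedded in the configuration file name.
    devices = sorted({n.split(".", 1)[0] for n in signed if n.startswith("SEP")})
    return {
        "trust_list_failures": len(failures),
        "first_failure": failures[0] if failures else None,
        "last_failure": failures[-1] if failures else None,
        "signed_file_timeouts": signed,
        "devices": devices,
        "suspect_stale_itl": len(failures) >= min_failures and bool(signed),
    }

if __name__ == "__main__":
    for key, value in triage(PAGE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```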
You have exported the IP Phones to CUCM 8.x. Because the IP Phones were
registered with CUCME 7.X and then registered to the new CUCM 8.x server, the
phones must have downloaded the ITL file from the CUCM server, since ITL
files do not exist in CUCME.
If the phone was just moved from CUCME to CUCM, it would blindly
accept the ITL file and save it to use for authentication/verification. In this
case it is possible that the phone somehow got an ITL that is no longer in use,
if the TFTP certificates were regenerated.
The error messages and symptoms result from a new feature in CUCM 8.0 in
which phones have an Initial Trust List file. The ITL is used to authenticate
HTTPS, since services now use HTTPS instead of HTTP, and TFTP configuration
files. Since your phone has an ITL that does not match the signature of the ITL
on your CUCM, you can do one of two things:
Manually delete the ITLs from the phones and then they work
Use the Roll Back option. Refer to
Migrating IP Phones Between Clusters with CUCM 8 and ITL
for detailed steps.
Complete these steps in order to manually delete the ITL file on one of
the IP phones:
Choose Settings > Security
Press **# and erase the ITL file in order to
unlock the IP Phone.
Make sure it works properly afterwards and check that there are no
ITL errors. Then the fix for all the other IP phones would be to complete the
This allows the phones to get a blank ITL file, which allows them
to then download the new correct ITL file that can authenticate their
Even if you point the phones back to a CUCME, they still do not
accept their configuration files due to the ITL file being on the phone. It has
to be removed or a blank (empty) ITL has to be put on the phones for them to
work properly with CUCME.
The rollback option is not available on CUCME. It would have to be done on
CUCM 8.x. You can power on the CUCME and the phones would register, since their
old (cached) configuration file is still on the phone; however, configuration
changes would not update on the phones.