Cisco IP Phone Authentication and Encryption for Cisco CallManager 4.0(1)
Troubleshooting

Table Of Contents

Troubleshooting

Using Alarms

Using Microsoft Performance Monitor Counters

Reviewing the Log Files

Troubleshooting the Cisco CTL Client

Changing the Security Token Password (Etoken)

Setting the Smart Card Service to Started and Automatic

Error Messages for the Cisco CTL Client

Troubleshooting the Phone When a Problem Exists with the CTL File

Comparing CTL File Versions on the Cisco IP Phone and Server

Deleting the CTL File on the Cisco IP Phone

Deleting the CTL File on the Server

Troubleshooting If You Lose One Security Token (Etoken)

Troubleshooting If You Lose All Security Tokens (Etoken)

Verifying the Security Mode for the Cisco CallManager Cluster

Verifying or Uninstalling the Cisco CTL Client

Determining the Cisco CTL Client Version

Troubleshooting the CAPF Utility

Error Messages for the CAPF Utility

Verifying or Uninstalling the CAPF Utility

Troubleshooting If You Incorrectly Enter the Authentication String on the Phone

Troubleshooting If the Locally Significant Certificate Validation Fails

Verifying That You Installed the Locally Significant Certificate on the Phone


Troubleshooting


This chapter contains information on the following topics:

Using Alarms

Using Microsoft Performance Monitor Counters

Reviewing the Log Files

Troubleshooting the Cisco CTL Client

Troubleshooting the CAPF Utility


Tip This chapter does not describe how to reset the Cisco IP Phone if it has been corrupted by bad loads, security bugs, and so on. For information on resetting the phone, refer to the Cisco IP Phone Administration Guide for Cisco CallManager that matches the model of the phone.

This chapter describes how to delete the CTL file from Cisco IP Phone models 7970, 7960, and 7940 only; for information on how to perform this task, see Table 5-3 or the Cisco IP Phone Administration Guide for Cisco CallManager that matches the model of the phone.


Using Alarms

Cisco CallManager Serviceability generates alarms for the following cases:

An authenticated device attempts to register by using a non-TLS SCCP connection, or an unauthenticated phone attempts to register by using a TLS SCCP connection.

The device name in the subject line of the peer certificate does not match the device name that is used for device registration.

A device attempts to register with Cisco CallManager by using a TLS connection that is not compatible with the Cisco CallManager configuration.

Alarms may get generated on the phone under the following conditions:

TFTP Not Authorized: <IP address>

The phone generates this alarm when the TFTP server information (alternate or otherwise) does not exist in the CTL file. The phone may issue the alarm twice if DHCP has provided primary and backup server addresses and neither address exists in the CTL file. Verify that you entered the CTL file information correctly and that you configured the DHCP server with the correct address.

File Auth Failed

The phone may generate this alarm for a variety of reasons; for example, the CTL file appears corrupt. If the CTL file is corrupt, you may need to use a sniffer trace to troubleshoot the network. If you cannot identify the problem, you may need to debug by using a console cable, as described in Cisco IP Phone Administration Guide for Cisco CallManager (available for Cisco IP Phone Models 7970, 7960, and 7940, unless otherwise indicated in the administration documentation that supports your phone model).


Tip For additional alarms that get generated on the phone, refer to the Cisco IP Phone Administration Guide for Cisco CallManager that matches the model of the phone and to the "Troubleshooting the Phone When a Problem Exists with the CTL File" section.


Related Topics

Cisco CallManager Serviceability Administration Guide

Cisco CallManager Serviceability System Guide

Cisco IP Phone Administration Guide for Cisco CallManager

Using Microsoft Performance Monitor Counters

Microsoft Performance Monitor counters exist to monitor the number of authenticated phones that register with Cisco CallManager, the number of authenticated calls that are completed, and the number of authenticated calls that are active at any time.

Related Topics

Cisco CallManager Serviceability Administration Guide

Cisco CallManager Serviceability System Guide

Reviewing the Log Files

Before you contact the team that provides technical assistance for this product, for example, your Cisco AVVID Partner or the Cisco Technical Assistance Center (TAC), obtain and review the following log files:

Cisco CallManager—C:\Program Files\Cisco\Trace\CCM

TFTP—C:\Program Files\Cisco\Trace\TFTP

DBL—C:\Program Files\Cisco\Trace\DBL

C:\Program Files\Cisco\Trace\DBL\DBLR*

C:\Program Files\Cisco\Trace\DBL\DBLRT*

C:\Program Files\Cisco\Trace\DBL\DBL_CCM*

C:\Program Files\Cisco\Trace\DBL\DBL_TFTP*

C:\Program Files\Cisco\Trace\DBL\DBL_CTLPROVIDER*

Cisco CallManager SDL Traces—C:\Program Files\Cisco\Trace\SDL\CCM


Tip If the locally significant certificate validation fails, review the SDL trace files.


CTL Provider Service—C:\Program Files\Cisco\Trace\CTLProvider

Cisco CTL client—C:\Program Files\Cisco\CTL Client\Trace

By default, the Cisco CTL client installs in C:\Program Files\Cisco\CTL File.

Cisco CTL plugin installation file—C:\ctlinstall.log

CAPF utility—C:\Program Files\cisco\capf\Trace\capf.log (or D:\Program Files\capf\Trace\capf.log if the administrator specifies a different directory during the installation)


Tip While the CAPF utility is running, if you configure logging for a different file in the CAPF CLI, subsequent logging occurs in that file.


Related Topics

Authentication, Integrity, and Encryption

Certificate Authority Proxy Function

Troubleshooting the Cisco CTL Client

This section contains information on the following topics:

Changing the Security Token Password (Etoken)

Setting the Smart Card Service to Started and Automatic

Error Messages for the Cisco CTL Client

Troubleshooting the Phone When a Problem Exists with the CTL File

Comparing CTL File Versions on the Cisco IP Phone and Server

Deleting the CTL File on the Cisco IP Phone

Deleting the CTL File on the Server

Troubleshooting If You Lose One Security Token (Etoken)

Troubleshooting If You Lose All Security Tokens (Etoken)

Verifying or Uninstalling the Cisco CTL Client

Verifying the Security Mode for the Cisco CallManager Cluster

Changing the Security Token Password (Etoken)

This administrative password retrieves the private key of the certificate and ensures that the CTL file gets signed. Each security token comes with a default password. You can change the security token password at any time. If the Cisco CTL client prompts you to change the password, you must change the password before you can proceed with the configuration.

To review pertinent information on setting passwords, click the Show Tips button. If you cannot set the password for any reason, review the tips that display.

To change the security token password, perform the following procedure:

Procedure


Step 1 Verify that you have installed the Cisco CTL client on a Windows 2000 server or workstation.

Step 2 If you have not already done so, insert the security token into the USB port on the Windows 2000 server or workstation where you installed the Cisco CTL client.

Step 3 Choose Start > Programs > etoken > Etoken Properties; right-click etoken and choose Change etoken password.

Step 4 In the Current Password field, enter the password that you originally created for the token.

Step 5 Enter a new password.

Step 6 Enter the new password again to confirm it.

Step 7 Click OK.


Related Topics

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Cisco CTL Client Configuration Settings

Setting the Smart Card Service to Started and Automatic

If the Cisco CTL client installation detects that the Smart Card service is disabled, you must set the Smart Card service to automatic and started on the server or workstation where you are installing the Cisco CTL plugin.


Tip You cannot add the security tokens to the CTL file if the service is not set to started and automatic.

After you upgrade the operating system, apply service releases, upgrade Cisco CallManager, and so on, verify that the Smart Card service is started and automatic.


To set the service to started and automatic, perform the following procedure:

Procedure


Step 1 On the server or workstation where you installed the Cisco CTL client, choose Start > Programs > Administrative Tools > Services.

Step 2 From the Services window, right-click the Smart Card service and choose Properties.

Step 3 In the Properties window, verify that the General tab displays.

Step 4 From the Startup type drop-down list box, choose Automatic.

Step 5 Click Apply.

Step 6 In the Service Status area, click Start.

Step 7 Click OK.

Step 8 Reboot the server or workstation and verify that the service is running.


Related Topics

System Requirements, page 1-4

Interactions and Restrictions, page 1-4

Authentication and Integrity Overview

Activating the Cisco CTL Provider Service

Configuring the Cisco CTL Client

Updating the CTL File

Configuring the Devices for Authentication or Encryption

Error Messages for the Cisco CTL Client

Table 5-1 displays the error messages and the corresponding corrective actions for the Cisco CTL client installation.

Table 5-1 Error Messages for CTL Client 

Error Message
Corrective Action

If you have installed intrusion detection software, you must stop and disable these applications from the Service Control Console before you continue with the Cisco CTL Client installation. Failure to do so could result in unrecoverable errors.

The error message provides the corrective action.

Error 1920: Service `Etoksrv' failed to start. Make sure that the Smart Card service or its dependent services are enabled and you have sufficient privileges on the system. Click Retry to continue.

The error message provides the corrective action.

Invalid Port Number

Make sure that the port number field in the CTL client user interface is not blank.

Invalid range for Port Number

Choose a port number in the range from 0 through 99999.

Invalid HostName or IP Address

Verify that the length of the hostname ranges from 0 through 256 characters.

Invalid Username

Verify that the length of the username ranges from 0 through 256 characters.

User could not be authenticated

Enter a valid username and password.

Please insert a Security Token. Click Ok when done.

Perform the action as stated in the error message.

Please insert another Security Token. Click Ok when done.

Perform the action as stated in the error message.

You have selected to exit the CTL Client application. Are you sure you want to exit?

Choose the option that you want the application to perform.

No CTL File exists on the server but the CallManager Cluster Security Mode is in Secure Mode. For the system to function, you must create the CTL File and set CallManager Cluster to Secure Mode.

When the clusterwide security mode is mixed mode, the CTL file should always exist on the server.

Update the CTL file; see the "Updating the CTL File" section.

There are no Security Tokens in CTL File. You must insert at least 2 security tokens. Select Update CTL File to add security Tokens.

Perform the action as stated in the error message.

Failed to create CTL File on server(s):<LIST_OF_SERVERS>

Make sure that the CTL Provider service is running on all the Cisco CallManager servers that the error message specifies.

Make sure that the Cisco CallManager or TFTP service is running on all the servers that the error message specifies.

Make sure that the alternate TFTP paths are mapped to the correct drives and that the mappings are valid.

Could not Sign CTL File. Possible Reasons:\n1. User cancelled the operation\n2.The security token does not contain signature in valid format.

Verify that you did not press Cancel. Make sure that the Cisco Certificate Authority issued the security token.

The CTL File signature is invalid. The CTL File has been signed with a security token that does not exist in the CTL File.

You must re-create the CTL File. All existing security tokens in the CTL file will be deleted.

The CTL file appears corrupt; re-create the CTL file. See the "Updating the CTL File" section.

The Security Token you have inserted does not exist in the CTL File.

Insert a security token that you previously used to create or update the CTL file.

The Security Token you have inserted already exists in the CTL File.

Insert a security token that you have not used to create or update the CTL file.

The Security Token is not issued by Cisco CA.

Insert a security token that the Cisco Certificate Authority issued.

Cannot run CTL Client from Terminal Services

You must run the CTL client locally.

Could not get Certificates from CallManager <server name>

Perform the following actions:

Make sure that the CTL Provider service runs on all the Cisco CallManager servers in the cluster.

Make sure that the Administrator username and password or the super username and password are the same on all servers in the cluster.

Make sure that you have network connectivity to the server that is specified in the error message; make sure that the server is running.

Error Occurred creating the dialog

Uninstall the Cisco CTL client; reinstall the client.

Could not add CAPF Server

Perform the following actions:

Verify that the port number for CAPF is correct.

Verify that the Administrator username and password or the super username and password are the same on all servers in the cluster.

Verify that you have network connectivity to the server that the error message specifies; make sure that the server is running.

Could not add TFTP Server

If an entry for the alternate TFTP server exists, delete the entry and add it again to the file.

You must insert at least 2 Security Tokens.

Verify that you inserted the appropriate security token; insert the correct security token and complete the configuration tasks.

You must have at least one CallManager server in the cluster.

Verify that the Cisco CallManager service or Cisco TFTP service runs on at least one server in the cluster.

The Security Token currently inserted will be used to sign the CTL File and it does not exist in the CTL File. Please insert the token in the CTL File before you click Finish.

Perform the action as stated in the error message.

Please select an item to delete.

Click on an entry in the CTL file and delete the entry.

You cannot delete Cisco TFTP Servers.

You can delete only alternate TFTP servers.

CAPF Certificate already exists in CTL File.

A CAPF server with the same hostname or IP address already exists in the CTL file. Enter a new CAPF server if you want to add another CAPF server.

Invalid Date Range

Verify the dates in the Valid From and Valid Until fields for the security token.

Delete <CERTIFICATE_ISSUER_NAME>

Click Yes to delete the CTL entry; click No if you do not want to delete the CTL entry.

An Entry for TFTP Server <TFTP_SERVER_NAME> already exists in CTL File

A TFTP server with the same hostname or IP address already exists in the new CTL file. Enter a new TFTP server if you want to add another TFTP server.

Could not get Certificates from CallManager servers because <WINDOWS_SOCKET_REASON>

The error message specifies the reason why the Cisco CallManager server could not obtain the certificate.

Verify that the CTL Provider service runs on all servers in the Cisco CallManager cluster.

Verify that the administrator username and password or the super username and password are the same on all servers in the cluster.

Cannot connect to server <SERVER_NAME> on port <CTLPORT_#>

Perform the following procedure:

1. From Cisco CallManager Administration, choose Service > Service Parameters.

2. Choose the server and the CTL Provider service in which you are connecting to the Cisco CTL client.

3. Verify that the port number in the window matches the port number that exists in the Cisco CTL client.

4. If the ports do not match, update the CTL file. See the "Updating the CTL File" section.

5. Verify that you have network connectivity to the server. Configure DNS or add to the hosts file.

The computer is locked. Only administrator can unlock this computer.

When you remove the security token from the USB port, the computer locks because the NT LM Support Security Provider service is running. Perform one of the following tasks:

If you are not using the NT LM Support Security Provider service, stop and disable the service on the computer.

Unlock the computer by entering the password that has administrative privileges.

If a prompt asks you for the security token password, click Cancel in the dialog box; then, unlock the computer by entering the password that has administrative privileges.

You cannot delete this item. You can only delete security tokens, CAPF and alternate TFTP.

You can only delete the types that are specified in the error message.

TFTP certificate already exists in the CTL file.

A TFTP server with the same hostname or IP address already exists in the CTL file. To add a new TFTP server, enter a different hostname or IP address.

Could not get certificate from a CAPF server. Make sure that you are connecting to a CAPF server or the port number is correct and try again.

The error message specifies the corrective action.

You must connect to the Cisco CTL Provider service. Make sure that you are connecting to a CCM server or the port number is correct and try again.

The error message specifies the corrective action.


Related Topics

System Requirements, page 1-4

Interactions and Restrictions, page 1-4

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Troubleshooting the Phone When a Problem Exists with the CTL File

The errors in Table 5-2 may display on the phone when a problem exists with the CTL file.

To perform the corrective actions in Table 5-2, you must obtain at least one security token that you used to create the original CTL file. If you need to update the CTL file, see the "Updating the CTL File" section.

Table 5-2 CTL File Errors That Affect the Phone 

Error
Possible Cause
Corrective Action

Phone cannot authenticate CTL file.

The security token that signed the updated CTL file does not exist in the CTL file on the phone.

By using at least one security token that exists in the CTL file, update the CTL file.

Phone cannot authenticate any of the configuration files other than the CTL file.

The TFTP entry in the CTL file is wrong, and the security token does not exist in the CTL file.

By using at least one security token that exists in the CTL file, update the TFTP entry in the CTL file.

Phone reports TFTP authorization failure.

Consider the following causes:

The TFTP address for the phone does not exist in the CTL file.

If you created a new CTL file with a new TFTP record, the existing CTL file on the phone may not contain a record for the new TFTP server.

By using at least one security token that exists in the CTL file, update the TFTP entry in the CTL file.

If the new CTL file contains different TFTP information than the existing CTL file on the phone, delete the existing CTL file from the phone; see the "Deleting the CTL File on the Cisco IP Phone" section.

Phone does not register with Cisco CallManager.

The CTL file does not contain the correct information for the Cisco CallManager server.

Auto-registration may be enabled.

Verify that auto-registration is disabled.

By using at least one security token that exists in the CTL file, update the Cisco CallManager entries for the CTL file.

Phone does not interact with the correct CAPF server to obtain the locally significant certificate.

A TLS handshake error occurs.

Consider the following causes:

The CAPF utility runs on a different workstation/server than is specified in the CTL file.

The CAPF certificate has changed since the last update of the CTL file.

By using at least one security token that exists in the CTL file, update the CAPF IP address or hostname in the CTL file.

Phone does not request signed configuration files.

Consider the following causes:

The CTL file does not contain any TFTP server entry.

The CTL file contains a TFTP entry that does not have a certificate with it.

By using at least one of the security tokens that exists in the original CTL file, update the TFTP entry in the CTL file.

When you update the CTL file, verify that you set the Cisco CallManager clusterwide security mode to Mixed Mode.


Related Topics

System Requirements, page 1-4

Authentication and Integrity Overview

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Comparing CTL File Versions on the Cisco IP Phone and Server

You can identify the version of the CTL file on the phone by calculating the MD5 hash, which is a cryptographic hash computed on the file contents.

On the phone, an option exists for the CTL file; this option provides the MD5 hash value. An MD5 application allows you to compute the MD5 hash of files on disk. When you compare the hash values for saved CTL files on disk with the value that displays on the phone, you can determine which version is installed on the phone.

After you determine which version of the CTL file exists on the phone, you can run an MD5 check on the server CTL file to verify that the phone uses the correct CTL file.


Tip To obtain an MD5 application, perform a search on the web. Cisco does not recommend or support any MD5 application with Cisco CallManager or the Cisco IP Phone. If you need assistance with the MD5 application, contact the MD5 software vendor directly.
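
The comparison described above, as an added example that is not part of the Cisco documentation and is not a Cisco tool: it hashes each saved copy of CTLFile.tlv and reports which copies match the value read from the phone, which differ, and which are missing. The function names, the server labels, and the separators accepted in the typed-in hash are assumptions made for this example.

```python
import hashlib
import re
import tempfile
from pathlib import Path


def normalize_md5(displayed):
    """Reduce a hash transcribed from the phone screen to 32 lowercase hex digits.

    Assumption: an operator may type the value with spaces, colons or dashes
    between groups and in either case, so those are stripped before comparing.
    """
    digits = re.sub(r"[\s:\-]", "", displayed).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", digits):
        raise ValueError("not an MD5 value: %r" % displayed)
    return digits


def md5_of_file(path):
    """MD5 of the file contents, read in chunks so the whole file is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_ctl_versions(phone_md5, ctl_copies):
    """Compare the phone's CTL hash with saved or server copies of CTLFile.tlv.

    ctl_copies maps a label (server name, archive name) to the path of that copy.
    """
    phone = normalize_md5(phone_md5)
    hashes, missing = {}, []
    for label, path in ctl_copies.items():
        candidate = Path(path)
        if candidate.is_file():
            hashes[label] = md5_of_file(candidate)
        else:
            # No CTLFile.tlv at this location (deleted, wrong path, share unreachable).
            missing.append(label)
    return {
        "phone": phone,
        "hashes": hashes,
        "matches": sorted(l for l, h in hashes.items() if h == phone),
        "differs": sorted(l for l, h in hashes.items() if h != phone),
        "missing": sorted(missing),
        # True only when every listed location has a copy and all copies are identical.
        "servers_agree": not missing and len(set(hashes.values())) == 1,
    }


if __name__ == "__main__":
    # Constructed sample data: two stand-in files, not real CTL files.
    root = Path(tempfile.mkdtemp())
    for name, body in (("publisher", b"ctl-version-A"), ("subscriber", b"ctl-version-B")):
        (root / name).mkdir()
        (root / name / "CTLFile.tlv").write_bytes(body)

    copies = {
        "publisher": root / "publisher" / "CTLFile.tlv",
        "subscriber": root / "subscriber" / "CTLFile.tlv",
        "alt-tftp": root / "alt-tftp" / "CTLFile.tlv",  # deliberately absent
    }
    # Pretend the phone shows the hash of the publisher's copy, typed in upper case.
    shown_on_phone = md5_of_file(copies["publisher"]).upper()

    report = compare_ctl_versions(shown_on_phone, copies)
    print("phone hash   :", report["phone"])
    print("matching     :", report["matches"])
    print("different    :", report["differs"])
    print("no file found:", report["missing"])
    print("servers agree:", report["servers_agree"])
```

The hash only tells you which copy the phone holds; whether the phone accepts a CTL file still depends on the security-token signature covered in the rest of this chapter.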


Related Topics

Authentication and Integrity Overview

Configuring the Cisco CTL Client

Updating the CTL File

Cisco CTL Client Configuration Settings

Deleting the CTL File on the Cisco IP Phone


Caution Cisco recommends that you perform this task in a secure lab environment, especially if you do not plan to delete the CTL file from the Cisco CallManager servers in the cluster.

Delete the CTL file on the Cisco IP Phone if the following cases occur:

You lose all security tokens that signed the CTL file.

The security tokens that signed the CTL file appear compromised.

You move a phone out of a secure cluster; for example, to a storage area, to a nonsecure cluster, or to another secure cluster in a different domain.

You move a phone from an area with an unknown security policy to a secure cluster.

You change the alternate TFTP server address to a server that does not exist in the CTL file.

To delete the CTL file on the Cisco IP Phone, perform the tasks in Table 5-3.

Table 5-3 Deleting the CTL File on the Cisco IP Phone

Cisco IP Phone Model
Tasks

Cisco IP Phones 7960 and 7940

Press **##**2 on the phone where you want to delete the file.

Cisco IP Phone 7970

Perform one of the following methods:

Unlock the Security Configuration menu, as described in Cisco IP Phone Administration Guide for Cisco CallManager. Under the CTL option, press the Erase softkey.

Under the Settings menu, press the Erase softkey.

Note Pressing the Erase softkey under the Settings menu deletes other information besides the CTL file. For additional information, refer to the Cisco IP Phone Administration Guide for Cisco CallManager.


Related Topics

System Requirements, page 1-4

Authentication and Integrity Overview

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Deleting the CTL File on the Server

Delete the CTL file that exists on the server if the following cases occur:

You lose all security tokens that signed the CTL file.

The security tokens that signed the CTL file appear compromised.


Tip Remember to delete the file from all servers in the cluster where the Cisco CallManager or Cisco TFTP services run.


To delete the CTL file, perform the following procedure:

Procedure


Step 1 Browse to C:\Program Files\Cisco\tftppath (the default location) or to the location where you saved the CTLFile.tlv.

Step 2 Right-click CTLFile.tlv, and choose Delete.

Step 3 Perform this procedure on all servers in the cluster where the Cisco CallManager and Cisco TFTP services run.


Related Topics

System Requirements, page 1-4

Authentication and Integrity Overview

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Troubleshooting If You Lose One Security Token (Etoken)

If you lose one security token, perform the following procedure:

Procedure


Step 1 Purchase a new security token.

Step 2 Using a token that signed the CTL file, update the CTL file by performing the following tasks:

a. Add the new token to the CTL file.

b. Delete the lost token from the CTL file.

For more information on how to perform these tasks, see the "Updating the CTL File" section.

Step 3 Reset all phones, as described in the "Resetting the Devices, Restarting Cisco CallManager Service, or Rebooting the Server/Cluster" section on page 1-9.


Related Topics

System Requirements, page 1-4

Authentication and Integrity Overview

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Troubleshooting If You Lose All Security Tokens (Etoken)


Tip Perform the following procedure during a scheduled maintenance window because you must reboot all servers in the cluster for the changes to take effect.


If you lose the security tokens and you need to update the CTL file, perform the following procedure:

Procedure


Step 1 On every Cisco CallManager, Cisco TFTP, or alternate TFTP server, browse to the directory where the file, CTLFile.tlv, exists.

The following location designates the default directory: C:\program files\cisco\tftppath. To identify where you stored the CTL file, locate the File Location service parameter for the TFTP service in the Service Parameters window of Cisco CallManager Administration.

Step 2 Delete CTLFile.tlv.

Step 3 Repeat Step 1 and Step 2 for every Cisco CallManager, Cisco TFTP, and alternate TFTP server.

Step 4 Obtain at least two new security tokens.

Step 5 By using the Cisco CTL client, create the CTL file, as described in the "Installing the Cisco CTL Client" section and the "Configuring the Cisco CTL Client" section.


Tip If the clusterwide security mode exists in mixed mode, the Cisco CTL client displays the message, "No CTL File exists on the server but the CallManager Cluster Security Mode is in Mixed Mode. For the system to function, you must create the CTL File and set CallManager Cluster to Mixed Mode." Click OK; then choose Set Call Manager Cluster to Mixed Mode and complete the CTL file configuration.


Step 6 After you create the CTL file on all the servers, delete the CTL file from the phone, as described in the "Deleting the CTL File on the Cisco IP Phone" section.

Step 7 Reboot all the servers in the cluster.


Related Topics

System Requirements, page 1-4

Authentication and Integrity Overview

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Verifying the Security Mode for the Cisco CallManager Cluster

To verify the security mode for the Cisco CallManager cluster, perform the following procedure:

Procedure


Step 1 From Cisco CallManager Administration, choose System > Enterprise Parameters.

Step 2 Locate the Cluster Security Mode field. If the value in the field displays as 1, you correctly configured the Cisco CallManager cluster for mixed mode.


Related Topics

System Requirements, page 1-4

Authentication and Integrity Overview

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Verifying or Uninstalling the Cisco CTL Client

Uninstalling the Cisco CTL client does not delete the CTL file. Likewise, the clusterwide security mode and the CTL file do not change when you uninstall the client. If you choose to do so, you can uninstall the CTL client, install the client on a different Windows 2000 workstation or server, and continue to use the same CTL file.

To verify that the Cisco CTL client installed, perform the following procedure:

Procedure


Step 1 Choose Start > Control Panel > Add Remove Programs.

Step 2 Double-click Add Remove Programs.

Step 3 To verify that the client installed, locate Cisco CTL Client.

Step 4 To delete the client, click Remove.


Related Topics

System Requirements, page 1-4

Authentication and Integrity Overview

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Determining the Cisco CTL Client Version

To determine which version of the Cisco CTL client you are using, perform the following procedure:

Procedure


Step 1 Perform one of the following tasks:

Double-click the Cisco CTL Client icon that exists on the desktop.

Choose Start > Programs > Cisco CTL Client.

Step 2 In the Cisco CTL client window, click the icon in the upper-left corner of the window.

Step 3 Choose About Cisco CTL Client. The version of the client displays.


Related Topics

Authentication and Integrity Overview

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Troubleshooting the CAPF Utility

This section contains information on the following topics:

Error Messages for the CAPF Utility

Verifying or Uninstalling the CAPF Utility

Troubleshooting If You Incorrectly Enter the Authentication String on the Phone

Troubleshooting If the Locally Significant Certificate Validation Fails

Verifying That You Installed the Locally Significant Certificate on the Phone

Error Messages for the CAPF Utility

Table 5-4 displays error messages and corrective actions for the CAPF utility:

Table 5-4 Error Messages for the CAPF Utility 

Error
Corrective Action

Error listening on socket for phone connection

Configure a new port number for the phone connection.

Error listening on socket for CTL connection

Configure a new port number for the CTL connection.

Failed to load Cert/Private key to SSL lib

Generate key and certificate through the user interface and restart the CAPF server.

No User Credentials available for CAPF login

Enter a username and password that has administrative privileges on the CAPF workstation/server.

Couldn't connect to CCM data base

Check the connectivity to the publisher database server.

Upgrade duration expired for phoneId.

Change upgrade duration through the user interface.

Could not open/read file "CAPF.cer".

Generate certificate through the user interface.

File capfPriv.key/ capfPubKey doesn't exist

Generate key pair for the user interface.

Can not create TLS session

Generate certificate through the user interface and restart the CAPF server.

Couldn't find WinSock.DLL

Verify that the file, WinSock.DLL, exists in the directory winnt\system32.

Unsupported key size for phone /CAPF

Choose one of the following key sizes: 512, 1024, or 2048.

Could not connect to CTL client.

Verify that the Cisco CTL client uses the CAPF port number that is configured for the CTL connection.

Malloc failed

In the Task Manager, verify the memory and handles for the process. If the usage appears high, reboot the CAPF server.

Unable to get a new SCB

In the Task Manager, verify the memory and handles for the process. If the usage appears high, restart the CAPF server.

Could not open/read file "CAPF.phone"

Generate phone record through the user interface.

Phone displays Timeout message as soon as you enter the authentication string on the phone.

The CAPF CLI may exist in Select Mode, as indicated in the title bar of the window. Press Enter in the CLI window. To disable the Select Mode, perform the following procedure:

1. Right-click the title bar.

2. Choose Properties > Options.

3. Uncheck the Quick Edit Mode check box and click OK.

CAPF cert file could not be copied to the CCM

Verify the server configuration and the username and password for the server. Ensure that the username and password that are used have administrative privileges in the cluster. Manually copy the certificate to all servers in the cluster, as per the instructions that display in the CAPF CLI.

Phones do not connect to CAPF

Verify that the phone contains a CTL file; verify that the CTL file contains a CAPF entry.

Unknown error occurred.

Issue the command, debug capf all; press Enter.

Tip These commands write all traces to C:\Program Files\Cisco\CAPF\capf*.log.
Tip If you need to contact the team that provides technical support for this product, for example, your Cisco AVVID Partner or Cisco Technical Assistance Center (TAC), issue the command, show capf all, and press Enter. The technical support team may ask for the trace file.

Related Topics

System Requirements, page 1-4

Interactions and Restrictions, page 1-4

Certificate Authority Proxy Function Overview

Using CAPF to Generate Phone Certificates

CAPF Settings and Commands

Installing the Locally Significant Certificate on Supported Phones

Verifying or Uninstalling the CAPF Utility

Uninstalling the CAPF utility removes all files that exist in the CAPF directory, including certificates and keys. If you uninstall the utility and do not reinstall it, no CAPF functionality exists; that is, certificates do not get issued and certificate requests do not occur on behalf of the phone.

To verify or uninstall the CAPF utility, perform the following procedure:

Procedure


Step 1 Choose Start > Control Panel > Add Remove Programs.

Step 2 Double-click Add Remove Programs.

Step 3 To verify that the CAPF utility installed, locate CAPF Utility.

Step 4 To delete the utility, click Remove.


Related Topics

System Requirements, page 1-4

Interactions and Restrictions, page 1-4

Certificate Authority Proxy Function Overview

Using CAPF to Generate Phone Certificates

CAPF Settings and Commands

Installing the Locally Significant Certificate on Supported Phones

Troubleshooting If You Incorrectly Enter the Authentication String on the Phone

If you incorrectly enter the authentication string on the phone, an error displays on the phone. Enter the correct authentication string on the phone.

Related Topics

Installing the Locally Significant Certificate on Supported Phones

Using CAPF to Generate Phone Certificates

CAPF Settings and Commands

Troubleshooting If the Locally Significant Certificate Validation Fails

On the phone, the locally significant certificate validation may fail if the certificate is not the version that CAPF issued, the certificate has expired, the CAPF certificate does not exist on all servers in the cluster, the CAPF certificate does not exist in the CAPF directory, and so on. If the locally significant certificate validation fails, review the SDL trace files and the CAPF trace files for errors.

Related Topics

Installing the Locally Significant Certificate on Supported Phones

Using CAPF to Generate Phone Certificates

CAPF Settings and Commands

Reviewing the Log Files

Certificate Authority Proxy Function Overview

Verifying That You Installed the Locally Significant Certificate on the Phone

You can verify that the certificate installed on the phone by choosing Settings > Model Information and viewing the LSC setting. The LSC setting displays Yes.

Related Topics

Installing the Locally Significant Certificate on Supported Phones

Using CAPF to Generate Phone Certificates

CAPF Settings and Commands