Cisco CallManager Security Guide, Release 4.1(3)
Troubleshooting

Table Of Contents

Troubleshooting

Using Alarms

Using Microsoft Performance Monitor Counters

Reviewing the Log Files

Troubleshooting HTTPS

Messages That Display During HTTPS Configuration

Enabling HTTPS

Disabling HTTPS for the Virtual Directory

Deleting the HTTPS Certificate

Troubleshooting the Cisco CTL Client

Changing the Security Token Password (Etoken)

Troubleshooting a Locked Security Token After You Consecutively Enter an Incorrect Security Token Password

Setting the Smart Card Service to Started and Automatic

Messages for the Cisco CTL Client

Troubleshooting the Phone When a Problem Exists with the CTL File

Comparing CTL File Versions on the Cisco IP Phone and Server

Deleting the CTL File on the Cisco IP Phone

Deleting the CTL File on the Server

Troubleshooting If You Lose One Security Token (Etoken)

Troubleshooting If You Lose All Security Tokens (Etoken)

Verifying the Security Mode for the Cisco CallManager Cluster

Verifying or Uninstalling the Cisco CTL Client

Determining the Cisco CTL Client Version

Troubleshooting CAPF

Messages for CAPF

Troubleshooting the Authentication String on the Phone

Troubleshooting If the Locally Significant Certificate Validation Fails

Verifying That the CAPF Certificate Installed on All Servers in the Cluster

Verifying That a Locally Significant Certificate Exists on the Phone

Verifying That a Manufacture-Installed Certificate (MIC) Exists in the Phone

Uninstalling the CAPF 1.0(1) Utility

Generating a New CAPF Certificate

Troubleshooting Encryption for Phones and Cisco IOS MGCP Gateways

Packet Capturing Overview

Configuration Checklist for Packet Capturing

Configuring Packet-Capturing Service Parameters

Packet-Capturing Service Parameters

Configuring BAT for Phone Packet Capturing

Configuring Packet Capturing in the Phone Configuration Window

Configuring Packet Capturing in the MGCP Gateway Configuration Window for Endpoint Identifiers

Packet-Capturing Phone and MGCP Gateway Configuration Settings

Analyzing Captured Packets

Messages for Packet Capturing in Cisco CallManager Administration

Message for Encryption and Barge Configuration

Troubleshooting Secure SRST References

Deleting Security from the SRST Reference

Security Message That Displays During SRST Reference Configuration

Troubleshooting When the SRST Certificate Is Deleted from the Gateway


Troubleshooting


This chapter contains information on the following topics:

Using Alarms

Using Microsoft Performance Monitor Counters

Reviewing the Log Files

Troubleshooting HTTPS

Troubleshooting the Cisco CTL Client

Troubleshooting CAPF

Troubleshooting Encryption for Phones and Cisco IOS MGCP Gateways

Troubleshooting Secure SRST References


Tip This chapter does not describe how to reset the Cisco IP Phone if it has been corrupted by bad loads, security bugs, and so on. For information on resetting the phone, refer to the Cisco IP Phone Administration Guide for Cisco CallManager that matches the model of the phone.

This chapter describes how to delete the CTL file from Cisco IP Phone models 7970, 7960, and 7940 only; for information on how to perform this task, see Table 9-4 or the Cisco IP Phone Administration Guide for Cisco CallManager that matches the model of the phone.


Using Alarms

Cisco CallManager Serviceability generates alarms for the following cases:

If an authenticated device attempts to register by using a non-TLS SCCP connection, or an unauthenticated phone attempts to register by using a TLS SCCP connection.

If the device name in the subject line of the peer certificate does not match the device name that is used for device registration.

If a device attempts to register to Cisco CallManager by using a TLS connection that is not compatible with the Cisco CallManager configuration.

Alarms may get generated on the phone under the following conditions:

TFTP Not Authorized: <IP address>

The phone generates this alarm when the TFTP server information (alternate or otherwise) does not exist in the CTL file. The phone may issue the alarm twice if DHCP has provided primary and backup server addresses and neither address exists in the CTL file. Verify that you entered the CTL file information correctly and that you configured the DHCP server with the correct address.

File Auth Failed

The phone may generate this alarm for a variety of reasons; for example, the CTL file appears corrupt. If the CTL file is corrupt, you may need to use a sniffer trace to troubleshoot the network. If you cannot identify the problem, you may need to debug by using a console cable, as described in Cisco IP Phone Administration Guide for Cisco CallManager (available for Cisco IP Phone Models 7970, 7960, and 7940, unless otherwise indicated in the administration documentation that supports your phone model).


Tip For additional alarms that get generated on the phone, refer to the Cisco IP Phone Administration Guide for Cisco CallManager that matches the model of the phone and to the "Troubleshooting the Phone When a Problem Exists with the CTL File" section.


Related Topics

Cisco CallManager Serviceability Administration Guide

Cisco CallManager Serviceability System Guide

Cisco IP Phone Administration Guide for Cisco CallManager

Using Microsoft Performance Monitor Counters

Microsoft Performance Monitor counters exist to monitor the number of authenticated phones that register with Cisco CallManager, the number of authenticated calls that are completed, and the number of authenticated calls that are active at any time.

Related Topics

Cisco CallManager Serviceability Administration Guide

Cisco CallManager Serviceability System Guide

Reviewing the Log Files

Before you contact the team that provides technical assistance for this product, for example, your Cisco AVVID Partner or the Cisco Technical Assistance Center (TAC), obtain and review the following log files:

Cisco CallManager—C:\Program Files\Cisco\Trace\CCM

TFTP—C:\Program Files\Cisco\Trace\TFTP

DBL—C:\Program Files\Cisco\Trace\DBL

C:\Program Files\Cisco\Trace\DBL\DBLR*

C:\Program Files\Cisco\Trace\DBL\DBLRT*

C:\Program Files\Cisco\Trace\DBL\DBL_CCM*

C:\Program Files\Cisco\Trace\DBL\DBL_TFTP*

C:\Program Files\Cisco\Trace\DBL\DBL_CTLPROVIDER*

Cisco CallManager SDL Traces—C:\Program Files\Cisco\Trace\SDL\CCM


Tip If the locally significant certificate validation fails, review the SDL trace files.


HTTPS—C:\program files\common files\cisco\logs\HTTPSCertInstall.log

CTL Provider Service—C:\Program Files\Cisco\Trace\CTLProvider

Cisco CTL client—C:\Program Files\Cisco\CTL Client\Trace

By default, the Cisco CTL client installs in C:\Program Files\Cisco\CTL File on the server or workstation where the CTL client exists; the installation log is C:\ctlinstall.log

Cisco Certificate Authority Proxy Function (CAPF) service—C:\Program Files\Cisco\Trace\CAPF

SRST reference—winnt\system32\Trace

Related Topics

Configuring the Cisco CTL Client

Using the Certificate Authority Proxy Function

Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Configuring a Secure Survivable Remote Site Telephony (SRST) Reference

Troubleshooting HTTPS

This section provides information on the following topics:

Messages That Display During HTTPS Configuration

Enabling HTTPS

Disabling HTTPS for the Virtual Directory

Messages That Display During HTTPS Configuration

Table 9-1 describes the messages, corrective actions, and reasons for problems that may occur during HTTPS configuration.

Table 9-1 Messages That Display During HTTPS Configuration 

Message
Corrective Action or Reason

The security library has encountered an improperly formatted DER-encoded message.

This error occurs because the certificate that enables the HTTPS service uses the hostname as the subject name of the certificate; Netscape 4.79 considers the underscore in the subject name to be an invalid character, so HTTPS will not work.

When the message displays, click OK.

For HTTPS support, use Internet Explorer. To use Netscape 4.79 and the hostname to access the application, disable HTTPS, as described in the "Disabling HTTPS for the Virtual Directory" section.

A network error occurred while Netscape was receiving data.

(Network Error: Connection refused)

Try connecting again.

A Cisco CallManager certificate for HTTPS exists on the local Netscape 4.79 browser, but it appears that the Cisco CallManager HTTPS certificate changed. The user cannot connect by using the Netscape 4.79 browser.

Connect by using one of the following methods:

Use Internet Explorer to access the application.

By using Netscape 4.79, choose Communicator -> Tools -> Security Info -> Certificates -> Web sites; highlight the HTTPS certificate for the Cisco CallManager server; click Delete; to confirm, click OK; in the Web Sites Certificates window, click OK.


Related Topics

Enabling HTTPS

Deleting the HTTPS Certificate

Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Enabling HTTPS

To enable virtual directories for HTTPS, perform the following procedure:

Procedure


Step 1 Choose Start > Programs > Administrative Tools > Internet Services Manager.

Step 2 Click the name of the server where the HTTPS certificate exists.

Step 3 Click Default Web Site.

Step 4 Click the virtual directory.

Step 5 Right-click Properties.

Step 6 Click the Directory Security tab.

Step 7 Under Secure Communications, click the Edit button.

Step 8 Check the SSL Required check box.

Step 9 Perform this procedure for all virtual directories where you want to enable HTTPS.


Related Topics

Enabling HTTPS

Messages That Display During HTTPS Configuration

Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Disabling HTTPS for the Virtual Directory

To disable HTTPS for a virtual directory, perform the following procedure:

Procedure


Step 1 Choose Start > Programs > Administrative Tools > Internet Services Manager.

Step 2 Click the name of the server where the HTTPS certificate exists.

Step 3 Click Default Web Site.

Step 4 Click the virtual directory; for example, CCMAdmin.

Step 5 Right-click Properties.

Step 6 Click the Directory Security tab.

Step 7 Under Secure Communications, click Edit.

Step 8 Uncheck the SSL Required check box.

Step 9 Perform this task for each virtual directory: CCMAdmin, CCMService, CCMUser, AST, BAT, RTMTReports, CCMTraceAnalysis, CCMServiceTraceCollectionTool, PktCap, and ART.


Related Topics

Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Deleting the HTTPS Certificate

Enabling HTTPS

Deleting the HTTPS Certificate

To delete the HTTPS certificate, perform the following procedure:

Procedure


Step 1 Choose Start > Programs > Administrative Tools > Internet Services Manager.

Step 2 Click the name of the server where the HTTPS certificate exists.

Step 3 Click the Directory Security tab.

Step 4 Under Secure Communications, click the Server Certificate button.

Step 5 Click Next.

Step 6 Choose Remove the Current Certificate.

Step 7 Click Next.

Step 8 Click Finish.


Related Topics

Enabling HTTPS

Messages That Display During HTTPS Configuration

Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

Troubleshooting the Cisco CTL Client

This section contains information on the following topics:

Changing the Security Token Password (Etoken)

Troubleshooting a Locked Security Token After You Consecutively Enter an Incorrect Security Token Password

Setting the Smart Card Service to Started and Automatic

Messages for the Cisco CTL Client

Troubleshooting the Phone When a Problem Exists with the CTL File

Comparing CTL File Versions on the Cisco IP Phone and Server

Deleting the CTL File on the Cisco IP Phone

Deleting the CTL File on the Server

Troubleshooting If You Lose One Security Token (Etoken)

Troubleshooting If You Lose All Security Tokens (Etoken)

Verifying or Uninstalling the Cisco CTL Client

Verifying the Security Mode for the Cisco CallManager Cluster

Changing the Security Token Password (Etoken)

This administrative password retrieves the private key of the certificate and ensures that the CTL file gets signed. Each security token comes with a default password. You can change the security token password at any time. If the Cisco CTL client prompts you to change the password, you must change the password before you can proceed with the configuration.

To review pertinent information on setting passwords, click the Show Tips button. If you cannot set the password for any reason, review the tips that display.

To change the security token password, perform the following procedure:

Procedure


Step 1 Verify that you have installed the Cisco CTL client on a Windows 2000 server or workstation.

Step 2 If you have not already done so, insert the security token into the USB port on the Windows 2000 server or workstation where you installed the Cisco CTL client.

Step 3 Choose Start > Programs > etoken > Etoken Properties; right-click etoken and choose Change etoken password.

Step 4 In the Current Password field, enter the password that you originally created for the token.

Step 5 Enter a new password.

Step 6 Enter the new password again to confirm it.

Step 7 Click OK.


Related Topics

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Cisco CTL Client Configuration Settings

Troubleshooting a Locked Security Token After You Consecutively Enter an Incorrect Security Token Password

Each security token contains a retry counter, which specifies the number of consecutive attempts to log in to the etoken Password window. The retry counter value for the security token equals 15. If the number of consecutive attempts exceeds the counter value, that is, 16 unsuccessful consecutive attempts occur, a message indicates that the security token is locked and unusable. You cannot reenable a locked security token.

Obtain additional security token(s) and configure the CTL file, as described in the "Configuring the Cisco CTL Client" section. If necessary, purchase new security token(s) to configure the file.


Tip After you successfully enter the password, the counter resets to zero.


Related Topics

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Cisco CTL Client Configuration Settings

Setting the Smart Card Service to Started and Automatic

If the Cisco CTL client installation detects that the Smart Card service is disabled, you must set the Smart Card service to automatic and started on the server or workstation where you are installing the Cisco CTL plug-in.


Tip You cannot add the security tokens to the CTL file if the service is not set to started and automatic.

After you upgrade the operating system, apply service releases, upgrade Cisco CallManager, and so on, verify that the Smart Card service is started and automatic.


To set the service to started and automatic, perform the following procedure:

Procedure


Step 1 On the server or workstation where you installed the Cisco CTL client, choose Start > Programs > Administrative Tools > Services.

Step 2 From the Services window, right-click the Smart Card service and choose Properties.

Step 3 In the Properties window, verify that the General tab displays.

Step 4 From the Startup type drop-down list box, choose Automatic.

Step 5 Click Apply.

Step 6 In the Service Status area, click Start.

Step 7 Click OK.

Step 8 Reboot the server or workstation and verify that the service is running.


Related Topics

System Requirements

Interactions and Restrictions

Activating the Cisco CTL Provider Service

Configuring the Cisco CTL Client

Updating the CTL File

Configuring the Device Security Mode

Messages for the Cisco CTL Client

Table 9-2 provides the messages that may display and the corresponding corrective actions/reasons for the Cisco CTL client.

Table 9-2 Messages for the Cisco CTL Client 

Message
Corrective Action or Reason

Unknown CTL Error

Internal CTL error occurred. Review the CTL logs for errors.

Invalid Port number

Enter a valid port number, which must contain digits only.

Invalid Range for port numbers

Specify the correct range. Valid port numbers range from 1026 to 32767.

Could not write information to the local Windows Registry

The CTL client does not have access to the registry. Verify that you logged in by using the local administrator or local power users account. The Cisco CTL client does not save the server name, port, and administrator name with subsequent logins.

Invalid Group Name

The CTL Provider service cannot retrieve the Windows 2000 User Groups to which the user belongs. Verify that you logged in by using the local administrator or local power users account.

Invalid User Name

You did not enter a valid user name. The user name field appears blank, or the name exceeds the maximum number of characters. Enter a valid user name.

Invalid IP Address

You did not enter a valid IP address. Ensure that the address uses the X.X.X.X format and falls within the valid IP range. Enter a valid IP address.

Invalid Hostname

You did not enter a valid hostname. The server name field remains blank, or it includes more than the maximum number of allowed characters. Enter the valid hostname.

User could not be authenticated

You entered the wrong password for the specified user name. Enter the correct password.

Invalid Password

You entered an invalid password. Either the password is blank, or the password exceeds the maximum number of allowed characters. Enter the correct password.

Cannot run CTL Client from Terminal Services

The CTL client does not work with Terminal Services. You must configure the client on the machine where you installed the application.

Failed to create CTL File

After the error occurs, a dialog box, which displays in the CTL client window, lists the servers and failure reason.

Please insert a Security Token. Click Ok when done

Insert a security token and click OK. If the message continues to display, restart the Etoken Notification service on the client machine.

Cannot create CTL Entries. Total number of CTL Records has exceeded the Maximum

The CTL file contains more than the maximum number of certificates or entries that are allowed in the file. Delete servers or etokens that are not required. The maximum limit equals 100.

Unable to create CTL Entry

CTL File exceeded maximum file size limit. Maximum file size equals 75K. Consider deleting security tokens or alternate TFTP server entries that you no longer use.

Unable to parse CTL File

System could not parse CTL file. The CTL file appears corrupt. On all servers in the cluster, determine whether someone tampered with or replaced the CTL file.

Tip You can connect to the subscriber server from the CTL client to retrieve the CTL file from the subscriber server. If the file is corrupt on the subscriber servers, delete the existing CTL file and create a new file. If the CTL file does not appear to be corrupt on the subscriber server, manually copy the file to the publisher; before you copy the file, verify that you have the latest CTL file.

CTL Client version is not compatible with the CTL Provider

Compare the version of the CTL client and the version of Cisco CallManager. Run the Cisco CTL client that displays in Cisco CallManager Administration 4.1.

Please select an item to delete

In the CTL Entries window, choose an entry before you click Delete.

Error occurred when creating Dialog

Insufficient system memory exists. Free up memory resources and rerun the CTL client.

--- No Issuer Name---

In nonsecure mode, the CTL Entries window displays the issuer name as No Issuer Name. This message indicates that the application will write a null issuer name to the CTL file because the file exists in nonsecure mode.

--- No Subject Name---

In nonsecure mode, the CTL Entries window displays the subject name as No Subject Name. This message indicates that the application will write a null subject name to the CTL file because the file exists in nonsecure mode.

You cannot delete this item. You can only delete Security Tokens and multi-cluster TFTP

In the CTL Entries window, you can delete security tokens and alternate TFTP servers only.

Are you sure you want to delete this item?

This message displays before you delete an entry from the CTL Entries window.

You have selected to exit the CTL Client application. Are you sure you want to exit?

This message displays when you click Cancel or exit from any Cisco CTL client windows.

You must have at least 2 security tokens in the CTL File

Before you click Finish to sign the CTL file, verify that at least two security tokens exist in the CTL Entries pane.

You must have at least one CallManager server in the cluster

Before you click Finish to sign the CTL file, verify that one Cisco CallManager server (with function CCM+TFTP) exists in the CTL Entries pane.

Could not get CallManager Certificate from server <server name>

Perform the following tasks:

1. Verify that you have network connectivity to the Cisco CallManager server.

2. Verify that the Cisco CTL client connects to the port where the Cisco CTL Provider service is configured.

3. Verify that the Cisco CallManager self-signed certificate exists in c:\program files\cisco\certificates\ccmserver.cer.

4. In Cisco CallManager Serviceability, enable detailed traces for the Cisco CTL Provider service and review the traces for that service.

Entry for Server already exists.

An entry for the server already exists in the CTL file.

No Help available.

Online help does not exist for this window.

No CTL File exists on the server but the CallManager Cluster Security Mode is in Mixed Mode.

You must create the CTL File and set Call Manager Cluster to Mixed Mode.

This message displays if someone manually deletes or tampers with the CTL file. All data in the CTL file, including certificate and security token information, no longer exists in the file. Re-create the CTL file.

The CTL File signature is invalid or the CTL File is corrupt.

The CTL file appears corrupt. All data in the CTL file, including certificate and security token information, no longer exists in the file. Re-create the CTL file.

You must recreate the CTL File. All existing certificate information in the CTL file will be lost.

Re-create the CTL file by running the Cisco CTL client.

There are no Security Tokens in CTL File. You must have at least 2 security tokens. Select Update CTL File to add security Tokens.

This message displays if the CTL file is corrupt or invalid or if the CTL client cannot read the security token information. The CTL file must contain entries for at least two security tokens. Choose the Update CTL File option and re-create the CTL file.

Please insert a Security Token. Click Ok when done.

Insert a Cisco security token in the USB port. Click OK. If this message continues to display, verify that Cisco issued the security token and that the Etoken Notification and Smart Card services are running.

Please insert another Security Token. Click Ok when done.

To add a new token to the CTL file, insert a Cisco security token in the USB port. Click OK. If this message continues to display, verify that Cisco issued the security token and that the Etoken Notification and Smart Card services are running.

The Security Token you have inserted already exists in the CTL File.

The security token information already exists in the CTL file. Insert a token that does not already exist in the file.

The Security Token cannot be used to sign the CTL File. The token must already exist in the CTL file.

You must sign the CTL file by inserting a token that already exists in the file.

No CTL File.

CTLFile.tlv does not exist.

Error opening CTL File.

The application cannot open CTLFile.tlv. Review the Cisco CTL Provider service traces.

Error reading CTL File.

The system could not read CTLFile.tlv. Review the Cisco CTL Provider service traces.

CTL Filename or contents are invalid.

The CTL file name appears invalid, or the CTL File contents appear invalid. Verify that CTLFile.tlv exists in the TFTP service parameter FileLocation path and review the Cisco CTL Provider service traces.

CTL File is not valid.

The CTL file appears corrupt or invalid. Review the Cisco CTL Provider service traces.

CTL File created successfully.

The CTL File exists in the TFTPPath location.

CTL File operation was not successful on one or all the servers. Please correct the error and run the CTL Client again.

Verify the server name, path, and error reason in the CTL client window where this error displays.

You must restart all the CallManager and TFTP nodes in the Cluster.

After you create the CTL file, restart the Cisco CallManager and TFTP services on all servers in the cluster that run the services. Likewise, reset the devices.

No Valid Server Certificate found.

The application cannot read the security token certificate. Verify that Cisco issued the security token and verify that the token is valid.

No Server Certificate File found.

The application cannot read the certificate file from the Cisco CallManager server. Verify that c:\program files\cisco\certificates\ccmserver.cer exists.

Server Certificate is Invalid.

The application detects that an invalid Cisco CallManager certificate exists. Verify that c:\program files\cisco\certificates\ccmserver.cer exists. Review the Cisco CTL Provider service traces.

Certificate Date Invalid.

The application detects that the certificate contains an invalid date. Review the Cisco CTL Provider service traces.

In the Security Token Information window in the Cisco CTL client, review the valid from and valid up to dates for the security token certificate.

Certificate expired.

The certificate expired. Review the Cisco CTL Provider service traces. Review the certificate for the security token.

Certificate is not of type RSA.

The Cisco CallManager certificate does not use the RSA type. Double-click ccmserver.cer. In the Certificate Details window, verify that the public key specifies RSA. If not, you have an invalid Cisco CallManager server certificate.

No Issuer Name in Certificate.

The certificate does not contain an issuer name. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Issuer name is not valid.

The certificate issuer name appears invalid. Review the Cisco CTL Provider service traces. Review the certificate for the security token.

Invalid Issuer Name length.

The certificate issuer name length exceeds 256 characters. Review the Cisco CTL Provider service traces. Review certificate for the security token.

No Subject Name in Certificate.

The certificate does not contain a subject name. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Subject name is not valid.

The certificate subject name appears invalid. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Invalid Subject Name length.

The certificate subject name exceeds 256 characters. Review the Cisco CTL Provider service traces. Review certificate for the security token.

No Public Key in Certificate.

The certificate does not contain a public key. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Public Key is not valid.

The certificate public key appears invalid. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Invalid Public Key length.

The certificate public key length exceeds 512 characters. Review the Cisco CTL Provider service traces. Review certificate for the security token.

No Private Key File.

The certificate does not contain a private key. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Private Key File is not valid.

The certificate private key appears invalid. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Invalid Cipher for Private key.

The certificate private key cipher appears invalid. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Invalid Signature length.

The certificate signature length exceeds 1024 characters. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Invalid Signature Algorithm.

The certificate signature algorithm appears invalid. Review the Cisco CTL Provider service traces. Review certificate for the security token.

No Signature.

The certificate does not contain a signature. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Invalid Thumbprint.

The certificate thumbprint appears invalid. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Invalid Serial Number.

The certificate serial number appears invalid. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Invalid Serial Number length.

The certificate serial number exceeds 256 characters. Review the Cisco CTL Provider service traces. Review certificate for the security token.

Error Opening Security Token Store.

The application cannot read the security token certificate. Verify that the Etoken Notification and Smart Card services are running.

No Certificate in Security Token.

The security token contains no certificate. Verify that Cisco issued the security token.

Could not Sign Message.

The Cisco CTL client cannot sign the contents of the CTL file. Review the Cisco CTL client traces; run the Cisco CTL client again.

Could not verify Message.

The Cisco CTL client cannot verify the signature after signing the contents of the CTL file. Review the Cisco CTL client traces; run the Cisco CTL client again.

Could not sign CTL File.

Review the Cisco CTL client traces; run the Cisco CTL client again.

For the security of the phones, tokens inserted during update cannot be used to sign the CTL File. You must use one of the tokens that already existed in the CTL file to sign. Once this token has been inserted and the phones have been restarted, you may use the new tokens to sign the CTL File.

The message provides the corrective action.

Error Initializing SDI Control.

A fatal error occurred when initializing tracing for the CTL Provider. Configure a trace in Cisco CallManager Serviceability.

DBL Exception occurred.

A fatal error occurred when initializing the database layer for the CTL Provider. Review the DBL logs for exceptions.

CM Name is too long.

The Cisco CallManager hostname that you entered exceeds 256 characters. Enter the hostname again.

Init TLS Failed.

The application cannot initialize SSL between the Cisco CTL client and the Cisco CTL Provider service. Review the Cisco CTL client traces; run the Cisco CTL client again.

TLS Connect Error when Opening Sockets.

Review the Cisco CTL client traces; run the Cisco CTL client again.

Error occurred during SSL Handshake.

Review the Cisco CTL client traces; run the Cisco CTL client again.

Could not connect to CTL provider Service.

Verify that the Cisco CTL Provider hostname where the client connects is valid and accessible. Verify that the CTL provider listens on the port where the client connects.

Parsing data from CTLProvider failed.

An internal error occurred. The Cisco CTL client received invalid data from the Cisco CTL Provider service.

Error occurred during Post CTL File operation.

An internal error occurred when the Cisco CTL client attempted to copy the CTL file to the servers in the cluster.

Error occurred during Get CAPF File operation.

An internal error occurred when the Cisco CTL client attempted to retrieve files from the certificate trust list folder.

Error occurred during Get CCM Certificate operation.

An internal error occurred when the Cisco CTL client attempted to retrieve the Cisco CallManager certificate.

Error occurred during Get CAPF Certificate operation.

An internal error occurred when the Cisco CTL client attempted to retrieve the CAPF certificate.

Error occurred during Authenticate User operation.

An internal error occurred when the Cisco CTL client attempted to authenticate the user.

Invalid Response for Authenticate User operation.

The Cisco CTL client version appears incompatible with the Cisco CTL Provider service. Install and configure the Cisco CTL client plug-in that displays in Cisco CallManager Administration 4.1.

Invalid Response for Get CCM List operation.

The Cisco CTL client version appears incompatible with the Cisco CTL Provider service. Install and configure the Cisco CTL client plug-in that displays in Cisco CallManager Administration 4.1.

Invalid Response for Get CCM Certificate operation.

The Cisco CTL client version appears incompatible with the Cisco CTL Provider service. Install and configure the Cisco CTL client plug-in that displays in Cisco CallManager Administration 4.1.

Invalid Response for Get CAPF Certificate operation.

The Cisco CTL client version appears incompatible with the Cisco CTL Provider service. Install and configure the Cisco CTL client plug-in that displays in Cisco CallManager Administration 4.1.

Invalid Response for get CTL File operation.

The Cisco CTL client version appears incompatible with the Cisco CTL Provider service. Install and configure the Cisco CTL client plug-in that displays in Cisco CallManager Administration 4.1.

Invalid Response for Get CAPF File operation.

The Cisco CTL client version appears incompatible with the Cisco CTL Provider service. Install and configure the Cisco CTL client plug-in that displays in Cisco CallManager Administration 4.1.

Invalid Response for Get Cluster Security Mode operation.

The Cisco CTL client version appears incompatible with the Cisco CTL Provider service. Install and configure the Cisco CTL client plug-in that displays in Cisco CallManager Administration 4.1.

Invalid Response for Get CTL Version operation.

The Cisco CTL client version appears incompatible with the Cisco CTL Provider service. Install and configure the Cisco CTL client plug-in that displays in Cisco CallManager Administration 4.1.

Invalid Response for Get Alternate Paths operation.

The Cisco CTL client version appears incompatible with the Cisco CTL Provider service. Install and configure the Cisco CTL client plug-in that displays in Cisco CallManager Administration 4.1.

Not enough Memory to run Application.

You cannot execute the Cisco CTL client because the system has insufficient system memory. Free up memory resources and rerun the Cisco CTL client.

Could not get CAPF Certificate(s). CAPF Service seems to be running on the CCM Publisher but the certificate file(s) do not exist in the Certificates trust path. Please check if the following certificates exist.

If you activated the CAPF Service on the publisher database server, verify that the capf.cer and the corresponding capf (.0) files exist in the certificates trust folder.

Entry for this certificate already exists.

Verify that the alternate TFTP server does not already exist in the CTL file.

Failed to set Cluster Security Mode on the CallManager publisher. You must run the CTL Client again to set the correct value for the Cluster Security Mode.

The CTL client cannot set the Cluster Security Mode to the correct value. The message provides the corrective action.

The Alternate TFTP Server entry is invalid. You must delete the entry for the Alternate TFTP Server and add it again.

Delete the alternate TFTP server entry from the Cisco CTL Entries pane and add the entry again. Failing to perform this task may cause the phones to fail to register.


Related Topics

System Requirements

Interactions and Restrictions

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Troubleshooting the Phone When a Problem Exists with the CTL File

Table 9-3 describes problems that may exist with the CTL file on the phone.

To perform the corrective actions in Table 9-3, obtain one security token that exists in the CTL file. To update the CTL file, see the "Updating the CTL File" section.

Table 9-3 CTL File Problems That Affect the Phone

Problem: Phone cannot authenticate CTL file.

Possible Cause: Consider the following causes:

The security token that signed the updated CTL file does not exist in the CTL file on the phone.

You attempted to add new security tokens to the existing CTL file and then signed the CTL file with the last token that was added to the file. The existing CTL file on the phone may not contain a record for the new security token.

Corrective Action: Update the CTL file, and sign the CTL file by using a security token that exists in the file.

If the problem persists, delete the CTL file from the phone and run the Cisco CTL client again.

Problem: Phone cannot authenticate any configuration files other than the CTL file.

Possible Cause: An incorrect TFTP entry exists in the CTL file.

Corrective Action: Update the CTL file.

Problem: Phone reports TFTP authorization failure.

Possible Cause: Consider the following causes:

The TFTP address for the phone does not exist in the CTL file.

If you created a new CTL file with a new TFTP record, the existing CTL file on the phone may not contain a record for the new TFTP server.

Corrective Action: Update the CTL file.

If the new CTL file contains different TFTP information than the existing CTL file on the phone, delete the existing CTL file from the phone; see the "Deleting the CTL File on the Cisco IP Phone" section.

Problem: Phone does not register with Cisco CallManager.

Possible Cause: The CTL file does not contain the correct information for the Cisco CallManager server. Auto-registration may be enabled.

Corrective Action: Verify that auto-registration is disabled. Update the CTL file.

Problem: Phone does not interact with the correct CAPF server to obtain the locally significant certificate.

Possible Cause: A TLS handshake error occurs because the CAPF certificate changed since the last update of the CTL file.

Corrective Action: Update the CTL file.

Problem: Phone does not request signed configuration files.

Possible Cause: The CTL file contains a TFTP entry that does not have a certificate with it.

Corrective Action: Update the CTL file. When you update the CTL file, verify that you set the Cisco CallManager clusterwide security mode to Mixed Mode.


Related Topics

System Requirements

Activating the Cisco CTL Provider Service

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Comparing CTL File Versions on the Cisco IP Phone and Server

You can identify the version of the CTL file on the phone by calculating its MD5 hash, a cryptographic hash that is computed over the file contents. MD5 serves here only to tell saved copies of the file apart; it is not collision resistant, and the integrity and authenticity of the CTL file come from the security-token signature, not from this hash.

The CTL file option on the phone displays the MD5 hash value of the CTL file that the phone holds. An MD5 application allows you to compute the MD5 hash of files on disk. When you compare the hash values of the saved CTL files on disk with the value that displays on the phone, you can determine which version is installed on the phone.

After you determine the version of the CTL file that exists on the phone, run an MD5 check on the server CTL file to verify that the phone uses the correct CTL file.

To compute the MD5 value, perform the following procedure:

Procedure


Step 1 On the server where the CTL file exists, open a command window and change to the c:\program files\cisco\bin\ directory.

Step 2 To compute the MD5 value for a file, enter MD5UTIL.EXE <drive:><path><filename>.


Tip The variables, <drive:><path><filename>, specify the drive, directory, and/or file for which you want to compute the MD5 value. To view this description in the CLI, enter md5util -?.


For example, to compute the MD5 value for the CTL file, enter MD5UTIL.exe "c:\program files\cisco\tftppath\ctlfile.tlv". Enclose the path in quotation marks because it contains a space.
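As an added illustration of the comparison that this procedure describes (example code, not Cisco's MD5UTIL and not part of the original guide), the following Python script hashes saved copies of the CTL file and matches them against the value read off the phone. The file contents are constructed sample bytes; the `read_ctl_copies` helper, an assumption of this example, loads real ctlfile.tlv copies from a folder.

```python
import hashlib
import os
import re


def md5_hex(data: bytes) -> str:
    """MD5 of the raw file contents as 32 lowercase hex digits (same input as MD5UTIL hashes)."""
    return hashlib.md5(data).hexdigest()


def normalize_phone_hash(shown: str) -> str:
    """Reduce the hash as transcribed from the phone display to 32 lowercase hex digits.
    Tolerates uppercase letters, spaces and colons introduced while copying the value."""
    digest = re.sub(r"[^0-9a-fA-F]", "", shown).lower()
    if len(digest) != 32:
        raise ValueError(f"expected 32 hex digits for an MD5 value, got {len(digest)}")
    return digest


def identify_ctl_version(phone_hash: str, saved_copies: dict[str, bytes]) -> list[str]:
    """Return the names of every saved CTL copy whose MD5 equals the hash shown on the phone.
    An empty list means none of the archived copies is the one the phone holds."""
    target = normalize_phone_hash(phone_hash)
    return sorted(name for name, data in saved_copies.items() if md5_hex(data) == target)


def phone_matches_server(phone_hash: str, server_ctl: bytes) -> bool:
    """True when the phone holds exactly the CTL file currently served from the TFTP path."""
    return md5_hex(server_ctl) == normalize_phone_hash(phone_hash)


def read_ctl_copies(directory: str, suffix: str = ".tlv") -> dict[str, bytes]:
    """Hypothetical helper: load every *.tlv file from a folder of archived CTL files."""
    copies = {}
    for name in os.listdir(directory):
        if name.lower().endswith(suffix):
            with open(os.path.join(directory, name), "rb") as fh:
                copies[name] = fh.read()
    return copies


# Constructed sample data standing in for archived CTL files; real files are binary TLV records.
SAVED_COPIES = {
    "ctlfile-before-tftp-change.tlv": b"constructed CTL copy 1",
    "ctlfile-after-tftp-change.tlv": b"constructed CTL copy 2",
}
# The copy currently in the TFTP path on the server.
SERVER_CTL = SAVED_COPIES["ctlfile-after-tftp-change.tlv"]

if __name__ == "__main__":
    # Pretend the phone displayed (in uppercase) the hash of the older copy.
    shown_on_phone = md5_hex(SAVED_COPIES["ctlfile-before-tftp-change.tlv"]).upper()
    print("phone has:", identify_ctl_version(shown_on_phone, SAVED_COPIES))
    print("matches server copy:", phone_matches_server(shown_on_phone, SERVER_CTL))  # False
```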


Related Topics

Activating the Cisco CTL Provider Service

Configuring the Cisco CTL Client

Updating the CTL File

Cisco CTL Client Configuration Settings

Deleting the CTL File on the Cisco IP Phone


Caution Cisco recommends that you perform this task in a secure lab environment, especially if you do not plan to delete the CTL file from the Cisco CallManager servers in the cluster.

Delete the CTL file on the Cisco IP Phone if the following cases occur:

You lose all security tokens that signed the CTL file.

The security tokens that signed the CTL file appear compromised.

You move a phone out of a secure cluster; for example, to a storage area, to a nonsecure cluster, or to another secure cluster in a different domain.

You move a phone from an area with an unknown security policy to a secure cluster.

You change the alternate TFTP server address to a server that does not exist in the CTL file.

To delete the CTL file on the Cisco IP Phone, perform the tasks in Table 9-4.

Table 9-4 Deleting the CTL File on the Cisco IP Phone

Cisco IP Phone Model
Tasks

Cisco IP Phones 7960 and 7940

Under the Security Configuration menu on the phone, press CTL file, then unlock (or press **#), and then erase.

Cisco IP Phone 7970

Perform one of the following methods:

Unlock the Security Configuration menu, as described in Cisco IP Phone Administration Guide for Cisco CallManager. Under the CTL option, press the Erase softkey.

Under the Settings menu, press the Erase softkey.

Note Pressing the Erase softkey under the Settings menu deletes other information besides the CTL file. For additional information, refer to the Cisco IP Phone Administration Guide for Cisco CallManager.


Related Topics

System Requirements

Activating the Cisco CTL Provider Service

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Deleting the CTL File on the Server

Delete the CTL file that exists on the server if the following cases occur:

You lose all security tokens that signed the CTL file.

The security tokens that signed the CTL file appear compromised.


Tip Remember to delete the file from all servers in the cluster where the Cisco CallManager or Cisco TFTP services run.


To delete the CTL file, perform the following procedure:

Procedure


Step 1 Browse to C:\Program Files\Cisco\tftppath (the default location) or to the location where you saved the CTLFile.tlv.

Step 2 Right-click CTLFile.tlv and choose Delete.

Step 3 Perform this procedure on all servers in the cluster where the Cisco CallManager and Cisco TFTP services run.


Related Topics

System Requirements

Activating the Cisco CTL Provider Service

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Troubleshooting If You Lose One Security Token (Etoken)

If you lose one security token, perform the following procedure:

Procedure


Step 1 Purchase a new security token.

Step 2 Using a token that signed the CTL file, update the CTL file by performing the following tasks:

a. Add the new token to the CTL file.

b. Delete the lost token from the CTL file.

For more information on how to perform these tasks, see the "Updating the CTL File" section.

Step 3 Reset all phones, as described in "Resetting the Devices, Restarting Services, or Rebooting the Server/Cluster" section.


Related Topics

System Requirements

Activating the Cisco CTL Provider Service

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Troubleshooting If You Lose All Security Tokens (Etoken)


Tip Perform the following procedure during a scheduled maintenance window because you must reboot all servers in the cluster for the changes to take effect.


If you lose the security tokens and you need to update the CTL file, perform the following procedure:

Procedure


Step 1 On every Cisco CallManager, Cisco TFTP, or alternate TFTP server, browse to the directory where the file, CTLFile.tlv, exists.

The following location designates the default directory: C:\program files\cisco\tftppath. To identify where you stored the CTL file, locate the File Location service parameter for the TFTP service in the Service Parameters window of Cisco CallManager Administration.

Step 2 Delete CTLFile.tlv.

Step 3 Repeat Step 1 and Step 2 for every Cisco CallManager, Cisco TFTP, and alternate TFTP server.

Step 4 Obtain at least two new security tokens.

Step 5 By using the Cisco CTL client, create the CTL File, as described in "Installing the Cisco CTL Client" section and "Configuring the Cisco CTL Client" section.


Tip If the clusterwide security mode exists in mixed mode, the Cisco CTL client displays the message, "No CTL File exists on the server but the CallManager Cluster Security Mode is in Mixed Mode. For the system to function, you must create the CTL File and set CallManager Cluster to Mixed Mode." Click OK; then, choose Set Call Manager Cluster to Mixed Mode and complete the CTL file configuration.


Step 6 After you create the CTL file on all the servers, delete the CTL file from the phone, as described in "Deleting the CTL File on the Cisco IP Phone" section.

Step 7 Reboot all the servers in the cluster.


Related Topics

System Requirements

Activating the Cisco CTL Provider Service

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Verifying the Security Mode for the Cisco CallManager Cluster

To verify the security mode for the Cisco CallManager cluster, perform the following procedure:

Procedure


Step 1 From Cisco CallManager Administration, choose System > Enterprise Parameters.

Step 2 Locate the Cluster Security Mode field. If the value in the field displays as 1, you correctly configured the Cisco CallManager cluster for mixed mode.


Tip You cannot configure this value in Cisco CallManager Administration. This value displays after you configure the Cisco CTL client.



Related Topics

System Requirements

Activating the Cisco CTL Provider Service

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Verifying or Uninstalling the Cisco CTL Client

Uninstalling the Cisco CTL client does not delete the CTL file. Likewise, the clusterwide security mode and the CTL file do not change when you uninstall the client. If you choose to do so, you can uninstall the CTL client, install the client on a different Windows 2000 workstation or server, and continue to use the same CTL file.

To verify that the Cisco CTL client installed, perform the following procedure:

Procedure


Step 1 Choose Start > Control Panel > Add/Remove Programs.

Step 2 Double-click Add/Remove Programs.

Step 3 To verify that the client installed, locate Cisco CTL Client.

Step 4 To delete the client, click Remove.


Related Topics

System Requirements

Activating the Cisco CTL Provider Service

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Updating the CTL File

Reviewing the Log Files

Determining the Cisco CTL Client Version

To determine which version of the Cisco CTL client you are using, perform the following procedure:

Procedure


Step 1 Perform one of the following tasks:

Double-click the Cisco CTL Client icon that exists on the desktop.

Choose Start > Programs > Cisco CTL Client.

Step 2 In the Cisco CTL client window, click the icon in the upper left corner of the window.

Step 3 Choose About Cisco CTL Client. The version of the client displays.


Related Topics

Activating the Cisco CTL Provider Service

Installing the Cisco CTL Client

Configuring the Cisco CTL Client

Troubleshooting CAPF

This section contains information on the following topics:

Messages for CAPF

Troubleshooting the Authentication String on the Phone

Troubleshooting If the Locally Significant Certificate Validation Fails

Verifying That the CAPF Certificate Installed on All Servers in the Cluster

Verifying That a Locally Significant Certificate Exists on the Phone

Verifying That a Manufacture-Installed Certificate (MIC) Exists in the Phone

Messages for CAPF

Table 9-5 displays messages and corrective actions for CAPF:

Table 9-5 Messages for CAPF 

Message
Corrective Action

Authentication String contains one or more invalid characters. Valid characters for Authentication String are numbers.

Enter the appropriate information as described in the message.

CAPF Authentication String length should be between 4 and 10.

Enter no fewer than 4 and no more than 10 digits.

Operation Completes By contains one or more invalid characters. Valid characters for Operation Completes By are numbers.

Enter the appropriate information as described in the message.

Invalid Year. Please enter a value equal to or greater than the current year.

The message provides the corrective action.

Invalid Month. Please adjust your entry to continue.

The message provides the corrective action.

Invalid Date. Please enter a value equal to or greater than the current date.

You entered a past date. Enter the appropriate date.

Invalid Date. Please adjust your entry to continue.

You entered a date that is not valid for the month. Enter the appropriate date.

Invalid Time. Please enter a value equal to or greater than current time (hours).

You entered a past time. Enter the appropriate time.

Invalid Time. Please adjust your entry to continue.

The message provides the corrective action.


Related Topics

System Requirements

Interactions and Restrictions

Certificate Authority Proxy Function Overview

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Entering the Authentication String on the Phone

Troubleshooting the Authentication String on the Phone

If you incorrectly enter the authentication string on the phone, a message displays on the phone. Enter the correct authentication string on the phone.


Tip Verify that the phone is registered to the Cisco CallManager. If the phone is not registered to the Cisco CallManager, you cannot enter the authentication string on the phone.

Verify that the device security mode for the phone equals nonsecure.


CAPF limits the number of consecutive attempts in which you can enter the authentication string on the phone. If you have not entered the correct authentication string after 10 attempts, wait at least 10 minutes before you attempt to enter the correct string again.

Related Topics

Entering the Authentication String on the Phone

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Troubleshooting If the Locally Significant Certificate Validation Fails

On the phone, the locally significant certificate validation may fail for several reasons, among them: the certificate is not the version that CAPF issued, the certificate has expired, the CAPF certificate does not exist on all servers in the cluster, the CAPF certificate does not exist in the CAPF directory, or the phone is not registered to Cisco CallManager. If the locally significant certificate validation fails, review the SDL trace files and the CAPF trace files for errors.

Related Topics

Entering the Authentication String on the Phone

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Reviewing the Log Files

Certificate Authority Proxy Function Overview

Verifying That the CAPF Certificate Installed on All Servers in the Cluster

After you activate the Cisco Certificate Authority Proxy Function service, CAPF automatically generates a key pair and a certificate that are specific to CAPF. The CAPF certificate, which the Cisco CTL Client copies to all servers in the cluster, uses the .0 extension. To verify that the CAPF certificate exists, browse to C:\Program Files\Cisco\Certificates on each server in the cluster and locate the following files:

In DER-encoded format: CAPF.cer

In PEM-encoded format: a file with the .0 extension that contains the same common name string as CAPF.cer
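The following Python script, added here as an example and not part of the Cisco guide or its tooling, automates the check above: it strips the PEM armour from the .0 file, pulls the commonName out of both files with a small OID scan (not a full ASN.1 parser), and reports whether they agree. The sample input is a constructed DER Name rather than a real CAPF certificate, and `check_certificates_dir`, which applies the check to a server's certificates folder, is an assumption of this example.

```python
import base64
import os
import re

# DER encoding of the X.500 attribute type commonName (OID 2.5.4.3): tag 0x06, length 3, 55 04 03.
CN_OID = b"\x06\x03\x55\x04\x03"
# ASN.1 string tags that may carry a commonName value:
# UTF8String, PrintableString, T61String, IA5String, BMPString.
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16, 0x1E}


def _der_length(buf: bytes, i: int) -> tuple[int, int]:
    """Decode a DER length starting at buf[i]; return (length, offset of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def common_names(der: bytes) -> list[str]:
    """Collect every commonName value in a DER blob by scanning for the OID followed by a string.
    Deliberately small scanner, not a full parser; a self-signed CAPF certificate yields the
    same CN twice (issuer and subject), which the set comparison below tolerates."""
    found, pos = [], 0
    while (pos := der.find(CN_OID, pos)) != -1:
        tag_at = pos + len(CN_OID)
        if tag_at + 1 < len(der) and der[tag_at] in STRING_TAGS:
            length, start = _der_length(der, tag_at + 1)
            raw = der[start:start + length]
            found.append(raw.decode("utf-16-be") if der[tag_at] == 0x1E else raw.decode("utf-8", "replace"))
        pos = tag_at
    return found


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour of the .0 file and base64-decode it back to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def capf_pair_consistent(cer_der: bytes, dot0_pem: str) -> bool:
    """True when CAPF.cer (DER) and the .0 file (PEM) carry the same, non-empty set of common names."""
    cer_cns, pem_cns = set(common_names(cer_der)), set(common_names(pem_to_der(dot0_pem)))
    return bool(cer_cns) and cer_cns == pem_cns


def check_certificates_dir(directory: str) -> dict:
    """Hypothetical helper: run the check against one server's certificates folder."""
    cer_path = os.path.join(directory, "CAPF.cer")
    if not os.path.exists(cer_path):
        return {"capf_cer": False, "matching_dot0": []}
    with open(cer_path, "rb") as fh:
        cer = fh.read()
    matching = []
    for name in os.listdir(directory):
        if name.endswith(".0"):
            with open(os.path.join(directory, name), "r", encoding="ascii", errors="replace") as fh:
                if capf_pair_consistent(cer, fh.read()):
                    matching.append(name)
    return {"capf_cer": True, "matching_dot0": matching}


# Constructed sample: a bare DER Name, SEQUENCE { SET { SEQUENCE { OID cn, PrintableString } } },
# not a full certificate, so the scanner has a realistic structure to find.
def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 0x80  # short-form length suffices for the sample
    return bytes([tag, len(body)]) + body


def sample_name_der(cn: str) -> bytes:
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, CN_OID + _tlv(0x13, cn.encode("ascii")))))


def sample_pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    cer = sample_name_der("CAPF-01ab23cd")
    print(common_names(cer))                                                 # ['CAPF-01ab23cd']
    print(capf_pair_consistent(cer, sample_pem(cer)))                        # True
    print(capf_pair_consistent(cer, sample_pem(sample_name_der("CAPF-stale"))))  # False
```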

Related Topics

Entering the Authentication String on the Phone

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Verifying That a Locally Significant Certificate Exists on the Phone

You can verify that the locally significant certificate installed on the phone by choosing Settings > Model Information and viewing the LSC setting. The LSC setting displays Installed or Not Installed, depending on the circumstances.

Related Topics

Entering the Authentication String on the Phone

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Verifying That a Manufacture-Installed Certificate (MIC) Exists in the Phone

You can verify that a MIC exists in the phone by choosing the MIC option on the Security Configuration menu on the phone. The setting states Installed or Not Installed, depending on the circumstances.

Related Topics

CAPF Configuration Checklist

CAPF Settings in the Phone Configuration Window

Reviewing the Log Files

Certificate Authority Proxy Function Overview

Uninstalling the CAPF 1.0(1) Utility

To uninstall the CAPF 1.0(1) utility, navigate to Add/Remove Programs to delete the application. After you delete the utility, see the "Generating a New CAPF Certificate" section.

Generating a New CAPF Certificate

The Certificate Authority Proxy Function includes its own certificate and private key that is used for authentication. If the CAPF certificate or private key does not exist, for example, after you delete the CAPF 1.0(1) utility, perform the following procedure:

Procedure


Step 1 Save the current copy of the CAPF.cer file that exists in C:\Program Files\Cisco\Certificates to a location that you will remember.

Step 2 Delete the CAPF.cer file that exists in C:\Program Files\Cisco\Certificates.

Step 3 In Cisco CallManager Serviceability, stop and start the Cisco Certificate Authority Proxy Function (CAPF) service.

Step 4 Update the CTL file.

Step 5 Verify that the phone downloaded the updated CTL file.


Troubleshooting Encryption for Phones and Cisco IOS MGCP Gateways

This section contains information on the following topics:

Packet Capturing Overview

Configuration Checklist for Packet Capturing

Configuring Packet-Capturing Service Parameters

Packet-Capturing Service Parameters

Configuring BAT for Phone Packet Capturing

Configuring Packet Capturing in the Phone Configuration Window

Configuring Packet Capturing in the MGCP Gateway Configuration Window for Endpoint Identifiers

Packet-Capturing Phone and MGCP Gateway Configuration Settings

Analyzing Captured Packets

Messages for Packet Capturing in Cisco CallManager Administration

Message for Encryption and Barge Configuration

Packet Capturing Overview

Because third-party troubleshooting tools that sniff media and TCP packets do not work after you enable encryption, you must use Cisco CallManager Administration to perform the following tasks if a problem occurs:

Analyze packets for messages that are exchanged between Cisco CallManager and the device (phone or Cisco IOS MGCP gateway).

Capture the SRTP packets between the devices.

Extract the media encryption key material from messages and decrypt the media between the devices.

Related Topics

Configuration Checklist for Packet Capturing

Packet-Capturing Service Parameters

Packet-Capturing Phone and MGCP Gateway Configuration Settings

Analyzing Captured Packets

Messages for Packet Capturing in Cisco CallManager Administration

Configuration Checklist for Packet Capturing

Extracting and analyzing pertinent data includes performing the following tasks in Table 9-6:

Table 9-6 Configuration Checklist for Packet Capturing 

Configuration Steps
Related Procedures and Topics

Step 1 

Enable packet capturing in the Service Parameter window in Cisco CallManager Administration.

Configuring Packet-Capturing Service Parameters

Packet-Capturing Service Parameters

Step 2 

If you do not want to use the default settings for the service parameters, update other applicable service parameters in the Service Parameter window.

Configuring Packet-Capturing Service Parameters

Packet-Capturing Service Parameters

Step 3 

Configure packet capturing settings on a per-device basis in the Phone or MGCP Gateway Configuration window.

Note Cisco strongly recommends that you do not enable packet capturing for many devices at the same time because this task may cause high CPU usage in your network.

Configuring Packet Capturing in the Phone Configuration Window

Packet-Capturing Phone and MGCP Gateway Configuration Settings

Step 4 

Capture SRTP packets by using a sniffer trace between the affected devices.

Refer to the documentation that supports your sniffer trace tool.

Step 5 

After you capture the packets, set the Signal Packet Capture Mode to None and the Packet Capture Enable service parameter to False.

Configuring Packet-Capturing Service Parameters

Packet-Capturing Service Parameters

Step 6 

Gather the files that you need to analyze the packets.

Analyzing Captured Packets

Step 7 

Cisco Technical Assistance Center (TAC) analyzes the packets. Contact TAC directly to perform this task.

Analyzing Captured Packets

Configuring Packet-Capturing Service Parameters

Perform the following procedure to configure parameters for packet capturing:

Procedure


Step 1 In Cisco CallManager Administration, choose Service > Service Parameters.

Step 2 From the Server drop-down list box, choose a server where you activated the Cisco CallManager service.

Step 3 From the Service drop-down list box, choose the Cisco CallManager service.

Step 4 Scroll to the Packet-Capture parameters and configure the settings, as described in Table 9-7.

Step 5 For the changes to take effect, click Update.

Step 6 To continue packet-capturing configuration, see one of the following sections:

Configuring Packet Capturing in the Phone Configuration Window

Configuring Packet Capturing in the MGCP Gateway Configuration Window for Endpoint Identifiers


Related Topics

Configuration Checklist for Packet Capturing

Packet-Capturing Service Parameters

Packet-Capturing Service Parameters

Use Table 9-7 in conjunction with the "Configuring Packet-Capturing Service Parameters" section.

Table 9-7 Packet Capturing Service Parameters

Parameter
Description

Packet Capture Enable

This parameter enables packet capturing over a TLS connection. For information on the default value, click the i button that displays in the Service Parameter window.

Packet Capture Service Listen TLS Port

This port accepts requests from real-time debugging tools for capturing packets over a TLS connection. For information on the default value, click the i button that displays in the Service Parameter window.

Packet capture Max real time Client Connections

This parameter specifies the maximum number of connections from real-time debugging tools that you can use to capture packets. For information on the default value, click the i button that displays in the Service Parameter window.

Packet Capture Max File

This parameter specifies the maximum size for the packet capture file that is created by Cisco CallManager during batch mode debugging. Cisco CallManager stops writing to the file after the maximum value is reached. For information on default and maximum values, click the i button that displays in the Service Parameter window.


Related Topics

Configuration Checklist for Packet Capturing

Configuring Packet-Capturing Service Parameters

Packet-Capturing Phone and MGCP Gateway Configuration Settings

Configuring BAT for Phone Packet Capturing

By using the Bulk Administration Tool that is compatible with this Cisco CallManager release, you can configure the Packet Capture mode for phones. For information on how to perform this task, refer to the Bulk Administration Tool User Guide.


Tip Performing this task in BAT may cause high CPU usage and call-processing interruptions. Cisco strongly recommends that you perform this task when you can minimize call-processing interruptions.


Related Topics

Bulk Administration Tool User Guide

Packet Capturing Overview

Configuration Checklist for Packet Capturing

Configuring Packet Capturing in the Phone Configuration Window

After you enable packet capturing in the Service Parameter window, you must configure packet capturing on a per-device basis in the Phone Configuration window of Cisco CallManager Administration.

You enable or disable packet capturing on a per-phone basis. The default setting for packet capturing equals None.


Tip Cisco strongly recommends that you do not enable packet capturing for many phones at the same time because this task may cause high CPU usage in your Cisco CallManager network.

If you do not want to capture packets or if you completed the task, set the Signal Packet Capture Mode to None and the Packet Capture Enable service parameter to False.


Use the following guidelines when you configure packet-capturing settings for secure phones:

1. Before you configure the packet-capturing settings, see the "Configuration Checklist for Packet Capturing" section.

2. To access the device in Cisco CallManager Administration, choose Device > Phone.

3. Specify the criteria to find the phone and click Find or click Find to display a list of all phones. If you have not added the phone to the database, the phone does not display in the list. For information on adding a phone, refer to the Cisco CallManager Administration Guide.

4. To open the Phone Configuration window for the device, click the device name.

5. Configure the troubleshooting settings, as described in the "Packet-Capturing Phone and MGCP Gateway Configuration Settings" section.

6. After you complete the configuration, click Update and then click Reset Phone.


Tip Resetting phones causes active calls over the gateway to drop.


7. Capture SRTP packets by using a sniffer trace between the affected devices.

8. After you capture the packets, set the Packet Capture Mode to None and Packet Capture Enable service parameter to False.

9. See the "Analyzing Captured Packets" section.

Related Topics

Packet-Capturing Phone and MGCP Gateway Configuration Settings

Configuration Checklist for Packet Capturing

Configuring Packet Capturing in the MGCP Gateway Configuration Window for Endpoint Identifiers


Tip To determine whether your Cisco IOS MGCP gateway supports the voice security features described in the Cisco CallManager Security Guide, refer to Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways. If your Cisco IOS MGCP gateway supports SRTP, you can use Cisco CallManager Administration to capture the packets.


When a Cisco IOS MGCP gateway registers with Cisco CallManager, the system retrieves the configured Signal Packet Capture Mode and Packet Capture Duration settings from the database for all devices on the gateway.


Tip Cisco strongly recommends that you do not enable packet capturing for many devices at the same time because this task may cause high CPU usage in your Cisco CallManager network.

If you do not want to capture packets or if you completed the task, set the Signal Packet Capture Mode to None and the Packet Capture Enable service parameter to False.


Use the following guidelines to configure the packet capturing settings:

1. Before you configure the packet capturing settings, see the "Configuration Checklist for Packet Capturing" section.

2. To access the gateway in Cisco CallManager Administration, choose Device > Gateway.

3. Find the Cisco IOS MGCP gateway for which you want to configure the packet-capturing settings. For information on how to perform this task, refer to the Cisco CallManager Administration Guide.

4. If you have not already done so, configure the ports for the Cisco IOS MGCP gateway, as described in the Cisco CallManager Administration Guide.

5. The packet-capturing settings display in the Gateway Configuration window for endpoint identifiers. To access this window, click the endpoint identifier for the voice interface card.

6. When you configure the troubleshooting settings, use the "Packet-Capturing Phone and MGCP Gateway Configuration Settings" section as a reference.

7. After you configure the packet-capturing settings, click Update and Reset Gateway.

8. Capture SRTP packets by using a sniffer trace between the affected devices.

9. After you capture the packets, set the Packet Capture Mode to None and the Packet Capture Enable service parameter to False.

10. See the "Analyzing Captured Packets" section.

Packet-Capturing Phone and MGCP Gateway Configuration Settings

Use the following information, which describes the Signal Packet Capture Mode and Packet Capture Duration settings, with the following sections:

Configuring Packet Capturing in the Phone Configuration Window

Configuring Packet Capturing in the MGCP Gateway Configuration Window for Endpoint Identifiers

Signal Packet Capture Mode

In the Signal Packet Capture Mode drop-down list box, choose one of the following options:

None—This option, which is the default setting, indicates that no packet capturing is occurring. After you complete packet capturing, return the setting to None.

Real-Time Mode—Cisco CallManager sends decrypted or nonencrypted messages over a secure channel to analyzing devices. A TLS connection opens between Cisco CallManager and the TAC debugging tool. After authentication occurs between Cisco CallManager and the debugging tool, Cisco CallManager sends the SCCP messages (phone) or UDP and TCP backhaul messages (gateway) to all connected real-time debugging tools; this action occurs only for the chosen devices where you configured packet capturing.

This mode eliminates sniffing over the network.

The TAC debugging tool captures the SRTP packets and decrypts the packets by using the key material that is extracted from the decrypted SCCP or UDP or TCP backhaul messages.

You must run the debugging tool on the debugging site.

Batch Processing Mode—Cisco CallManager writes the decrypted or nonencrypted messages to a file, and the system encrypts each file. On a daily basis, the system creates a new file with a new encryption key. Cisco CallManager stores the file for seven days and stores the keys that encrypt the file in a secure location. Cisco CallManager stores the file in C:\Program Files\Cisco\PktCap. A single file contains the time stamp, source IP address, source IP port, destination IP address, packet protocol, message length, and the message. The TAC debugging tool uses HTTPS, the administrator username and password, and the specified day to request a single encrypted file that contains the captured packets. Likewise, the tool requests the key information to decrypt the encrypted file.

Before you contact TAC, you must capture the SRTP packets by using a sniffer trace between the affected devices.

Packet Capture Duration

This field specifies the maximum number of minutes that is allotted for one session of packet capturing. The default setting is 60 minutes; the valid range is 0 to 300 minutes.

Related Topics

Configuration Checklist for Packet Capturing

Analyzing Captured Packets

Configuring Packet Capturing in the Phone Configuration Window

Messages for Packet Capturing in Cisco CallManager Administration

Analyzing Captured Packets

Cisco Technical Assistance Center (TAC) analyzes the packets by using a debugging tool. Before you contact TAC, capture SRTP packets by using a sniffer trace between the affected devices. Contact TAC directly after you gather the following information:

Packet Capture File—https://<server name or IP address>/pktcap/pktcap.asp?file=mm-dd-yyyy.pkt, where you browse into the server and locate the packet-capture file by month, date, and year (mm-dd-yyyy)

Key for the file—https://<server name or IP address>/pktcap/pktcap.asp?key=mm-dd-yyyy.pkt, where you browse into the server and locate the key by month, date, and year (mm-dd-yyyy)

Administrative username and password for the Cisco CallManager server
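The following Python script is an added example, not Cisco's code, that shows how the batch-mode retrieval described above fits together: it builds the pktcap.asp file and key URLs for a given day, checks that the day still falls inside the seven-day retention window, and fetches both artifacts over HTTPS while verifying the server certificate against a CA bundle. The hostname, the CA bundle file name, and the use of HTTP Basic authentication for the administrator credentials are assumptions; the guide only states that HTTPS and the administrator username and password are used.

```python
"""Added example (not Cisco's code): retrieve a batch-mode packet capture
file and its key from Cisco CallManager using the URLs the guide documents.
Hostname, CA bundle and HTTP Basic authentication are assumptions."""
import base64
import datetime as dt
import ssl
import urllib.request

RETENTION_DAYS = 7  # the guide states each daily file is kept for seven days


def capture_date(mm_dd_yyyy: str) -> dt.date:
    """Parse the mm-dd-yyyy form used in the file and key URLs; raises ValueError otherwise."""
    return dt.datetime.strptime(mm_dd_yyyy, "%m-%d-%Y").date()


def within_retention(day: dt.date, today: dt.date) -> bool:
    """True if the daily capture file for `day` should still exist on the server."""
    age = (today - day).days
    return 0 <= age < RETENTION_DAYS


def pktcap_urls(server: str, mm_dd_yyyy: str) -> dict:
    """Return the file and key URLs in the form the guide documents."""
    capture_date(mm_dd_yyyy)  # reject malformed dates before building URLs
    base = f"https://{server}/pktcap/pktcap.asp"
    return {"file": f"{base}?file={mm_dd_yyyy}.pkt",
            "key": f"{base}?key={mm_dd_yyyy}.pkt"}


def fetch(url: str, username: str, password: str, cafile: str) -> bytes:
    """Fetch one artifact over HTTPS with the server certificate verified against
    `cafile`, so the encrypted capture and its key never travel over an
    unverified channel. HTTP Basic auth is an assumption (see lead-in)."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed values; replace with your server, CA bundle and credentials.
    server = "ccm.example.invalid"
    day = (dt.date.today() - dt.timedelta(days=1)).strftime("%m-%d-%Y")
    if not within_retention(capture_date(day), dt.date.today()):
        raise SystemExit(f"{day} is outside the {RETENTION_DAYS}-day retention window")
    for kind, url in pktcap_urls(server, day).items():
        with open(f"{day}.{kind}", "wb") as fh:
            fh.write(fetch(url, "Administrator", "<password>", "ccm-ca.pem"))
```

Hand the saved file, the saved key, and the administrator credentials to TAC as the list above describes; the script does not attempt to decrypt the file because the guide does not specify its encryption format.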

Related Topics

Configuration Checklist for Packet Capturing

Packet-Capturing Phone and MGCP Gateway Configuration Settings

Messages for Packet Capturing in Cisco CallManager Administration

Messages for Packet Capturing in Cisco CallManager Administration

Table 9-8 provides a list of messages that could display when you configure packet capturing in Cisco CallManager Administration.

Table 9-8 Messages for Packet Capturing

Message: Packet Capture Duration contains one or more invalid characters. Valid characters for Packet Capture Duration are numbers.
Corrective Action: The message provides the corrective action.

Message: Invalid Packet Capture Duration. Packet Capture Duration should be between 0 and 300.
Corrective Action: Enter the appropriate information, as described in the message.


Related Topics

Packet-Capturing Phone and MGCP Gateway Configuration Settings

Configuration Checklist for Packet Capturing

Message for Encryption and Barge Configuration

Use the following information in conjunction with the "Interactions and Restrictions" section.

When you attempt to configure barge for Cisco IP Phone models 7960 and 7940 that are configured for encryption, the following message displays:

If you configure encryption for Cisco IP Phone models 7960 and 7940, those encrypted devices cannot accept a barge request when they are participating in an encrypted call. When the call is encrypted, the barge attempt fails.

The message displays when you perform the following tasks in Cisco CallManager Administration:

In the Phone Configuration window, you choose Encrypted for the Device Security Mode (or System Default equals Encrypted), On for the Built In Bridge setting (or default setting equals On), and you click Insert or Update after you create this specific configuration.

In the Enterprise Parameter window, you update the Device Security Mode parameter.

In the Service Parameter window, you update the Built In Bridge Enable parameter.


Tip For changes to take effect, you must reset the dependent Cisco IP devices.


Related Topics

Interactions and Restrictions

Encryption Overview

Where to Find More Information

Troubleshooting Secure SRST References

This section contains information on the following topics:

Security Message That Displays During SRST Reference Configuration

Troubleshooting When the SRST Certificate Is Deleted from the Gateway

Deleting Security from the SRST Reference

To make the SRST reference nonsecure after you configure security, uncheck the Is the SRST Secure? check box in the SRST Configuration window in Cisco CallManager Administration. A message states that you must turn off the credential service on the gateway.

Related Topics

Configuring a Secure Survivable Remote Site Telephony (SRST) Reference

Cisco CallManager Administration Guide

System administration documentation that supports the SRST-enabled gateway and this version of Cisco CallManager

Security Message That Displays During SRST Reference Configuration

The following message may display when you configure secure SRST references in Cisco CallManager Administration.

The message reads, "Port Numbers can only contain digits." This message displays if you enter an invalid port number when you configure the SRST Certificate Provider Port. The port number must be in the range 1024 to 49151.

Related Topics

Configuring a Secure Survivable Remote Site Telephony (SRST) Reference

Cisco CallManager Administration Guide

System administration documentation that supports the SRST-enabled gateway and this version of Cisco CallManager

Troubleshooting When the SRST Certificate Is Deleted from the Gateway

If the SRST certificate no longer exists in the SRST-enabled gateway, you must remove the SRST certificate from the Cisco CallManager database and the phone.

To perform this task, uncheck the Is the SRST Secure? check box and click Update in the SRST Configuration window; then, click Reset Devices.

Related Topics

Configuring a Secure Survivable Remote Site Telephony (SRST) Reference

Cisco CallManager Administration Guide

System administration documentation that supports the SRST-enabled gateway and this version of Cisco CallManager