Feedback
Table Of Contents
Using Microsoft Performance Monitor Counters
Troubleshooting the Cisco CTL Client
Changing the Security Token Password (Etoken)
Setting the Smart Card Service to Started and Automatic
Error Messages for the Cisco CTL Client
Troubleshooting the Phone When a Problem Exists with the CTL File
Comparing CTL File Versions on the Cisco IP Phone and Server
Deleting the CTL File on the Cisco IP Phone
Deleting the CTL File on the Server
Troubleshooting If You Lose One Security Token (Etoken)
Troubleshooting If You Lose All Security Tokens (Etoken)
Verifying the Security Mode for the Cisco CallManager Cluster
Verifying or Uninstalling the Cisco CTL Client
Determining the Cisco CTL Client Version
Troubleshooting the CAPF Utility
Error Messages for the CAPF Utility
Verifying or Uninstalling the CAPF Utility
Troubleshooting If You Incorrectly Enter the Authentication String on the Phone
Troubleshooting If the Locally Significant Certificate Validation Fails
Verifying That You Installed the Locally Significant Certificate on the Phone
Troubleshooting
This chapter contains information on the following topics:
•
Using Microsoft Performance Monitor Counters
•
•
Tip
This chapter describes how to delete the CTL file from Cisco IP Phone models 7970, 7960, and 7940 only; for information on how to perform this task, see Table 5-3 or the Cisco IP Phone Administration Guide for Cisco CallManager that matches the model of the phone.
Using Alarms
Cisco CallManager Serviceability generates alarms for the following cases:
•
•
•
Alarms may get generated on the phone under the following conditions:
•
The phone generates this alarm when the TFTP server information (alternate or otherwise) does not exist in the CTL file. The phone may issue the alarm twice if DHCP has provided primary and backup server addresses and neither address exists in the CTL file. Verify that you entered the CTL file information correctly and that you configured the DHCP server with the correct address.
•
The phone may generate this alarm for a variety of reasons; for example, the CTL file appears corrupt. If the CTL file is corrupt, you may need to use a sniffer trace to troubleshoot the network. If you cannot identify the problem, you may need to debug by using a console cable, as described in Cisco IP Phone Administration Guide for Cisco CallManager (available for Cisco IP Phone Models 7970, 7960, and 7940, unless otherwise indicated in the administration documentation that supports your phone model).
Tip
Related Topics
•
•
•
Using Microsoft Performance Monitor Counters
Microsoft Performance Monitor counters exist to monitor the number of authenticated phones that register with Cisco CallManager, the number of authenticated calls that are completed, and the number of authenticated calls that are active at any time.
Related Topics
•
•
Reviewing the Log Files
Before you contact the team that provides technical assistance for this product, for example, your Cisco AVVID Partner or the Cisco Technical Assistance Center (TAC), obtain and review the following log files:
•
•
•
–
–
–
–
–
•
Tip
•
•
By default, the Cisco CTL client installs in C:\Program Files\Cisco\CTL File.
–
•
Tip
Related Topics
•
•
Troubleshooting the Cisco CTL Client
The section contains information on the following topics:
•
•
•
•
•
•
•
•
•
•
•
Changing the Security Token Password (Etoken)
This administrative password retrieves the private key of the certificate and ensures that the CTL file gets signed. Each security token comes with a default password. You can change the security token password at any time. If the Cisco CTL client prompts you to change the password, you must change the password before you can proceed with the configuration.
To review pertinent information on setting passwords, click the Show Tips button. If you cannot set the password for any reason, review the tips that display.
To change the security token password, perform the following procedure:
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Related Topics
•
•
•
Setting the Smart Card Service to Started and Automatic
If the Cisco CTL client installation detects that the Smart Card service is disabled, you must set the Smart Card service to automatic and started on the server or workstation where you are installing the Cisco CTL plugin.
Tip
After you upgrade the operating system, apply service releases, upgrade Cisco CallManager, and so on, verify that the Smart Card service is started and automatic.To set the service to started and automatic, perform the following procedure:
Procedure
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Related Topics
•
•
•
•
•
•
Error Messages for the Cisco CTL Client
Table 5-1 displays the error messages and the corresponding corrective actions for the Cisco CTL client installation.
Table 5-1 Error Messages for CTL Client
If you have installed intrusion detection software, you must stop and disable these applications from the Service Control Console before you continue with the Cisco CTL Client installation. Failure to do so could result in unrecoverable errors.
The error message provides the corrective action.
Error 1920: Service `Etoksrv' failed to start. Make sure that the Smart Card service or its dependent services are enabled and you have sufficient privileges on the system. Click Retry to continue.
The error message provides the corrective action.
Invalid Port Number
Make sure that port number field in the CTL client user interface is not blank.
Invalid range for Port Number
Choose a port number in the range from 0 through 99999.
Invalid HostName or IP Address
Verify that the length of the hostname ranges from 0 through 256 characters.
Invalid Username
Verify that the length of the username ranges between 0 through 256 characters.
User could not be authenticated
Enter a valid username and password.
Please insert a Security Token. Click Ok when done.
Perform the action as stated in the error message.
Please insert another Security Token. Click Ok when done.
Perform the action as stated in the error message.
You have selected to exit the CTL Client application. Are you sure you want to exit?
Choose the option that you want the application to perform.
No CTL File exists on the server but the CallManager Cluster Security Mode is in Secure Mode. For the system to function, you must create the CTL File and set CallManager Cluster to Secure Mode.
When the clusterwide security mode is mixed mode, the CTL file should always exist on the server.
Update the CTL file; see the "Updating the CTL File" section.
There are no Security Tokens in CTL File. You must insert at least 2 security tokens. Select Update CTL File to add security Tokens.
Perform the action as stated in the error message.
Failed to create CTL File on server(s):<LIST_OF_SERVERS>
Make sure that the CTL Provider service is running on all the Cisco CallManager servers that the error message specifies.
Make sure that the Cisco CallManager or TFTP service is running on all the servers that the error message specifies.
Make sure that the alternate TFTP paths are mapped to the correct drives and that the mappings are valid.
Could not Sign CTL File. Possible Reasons:\n1. User cancelled the operation\n2.The security token does not contain signature in valid format.
Verify that you did not press Cancel. Make sure that the Cisco Certificate Authority issued the security token.
The CTL File signature is invalid. The CTL File has been signed with a security token that does not exist in the CTL File.
You must re-create the CTL File. All existing security tokens in the CTL file will be deleted.
The CTL file appears corrupt; re-create the CTL file. See the "Updating the CTL File" section.
The Security Token you have inserted does not exist in the CTL File.
Insert a security token that you previously used to create or update the CTL file.
The Security Token you have inserted already exists in the CTL File.
Insert a security token that you have not used to create or update the CTL file.
The Security Token is not issued by Cisco CA.
Insert a security token that the Cisco Certificate Authority issued.
Cannot run CTL Client from Terminal Services
You must run the CTL client locally.
Could not get Certificates from CallManager <server name>
Perform the following actions:
•
•
•
Error Occurred creating the dialog
Uninstall the Cisco CTL client; reinstall the client.
Could not add CAPF Server
Perform the following actions:
•
•
•
Could not add TFTP Server
If an entry for the alternate TFTP server exists, delete the entry and add it again to the file.
You must insert at least 2 Security Tokens.
Verify that you inserted the appropriate security token; insert the correct security token and complete the configuration tasks.
You must have at least one CallManager server in the cluster.
Verify that the Cisco CallManager service or Cisco TFTP service runs on at least one server in the cluster.
The Security Token currently inserted will be used to sign the CTL File and it does not exist in the CTL File. Please insert the token in the CTL File before you click Finish.
Perform the action as stated in the error message.
Please select an item to delete.
Click on an entry in the CTL file and delete the entry.
You cannot delete Cisco TFTP Servers.
You can delete only alternate TFTP servers.
CAPF Certificate already exists in CTL File.
A CAPF server with the same hostname or IP address already exists in the CTL file. Enter a new CAPF server if you want to add another CAPF server.
Invalid Date Range
Verify the dates in the Valid From and Valid Until fields for the security token.
Delete <CERTIFICATE_ISSUER_NAME>
Click Yes to delete the CTL entry; click No if you do not want to delete the CTL entry.
An Entry for TFTP Server <TFTP_SERVER_NAME> already exists in CTL File
A TFTP server with the same hostname or IP address already exists in the new CTL file. Enter a new TFTP server if you want to add another TFTP server.
Could not get Certificates from CallManager servers because <WINDOWS_SOCKET_REASON>
The error message specifies the reason why the Cisco CallManager server could not obtain the certificate.
Verify that the CTL Provider service runs on all servers in the Cisco CallManager cluster.
Verify that the administrator username and password or the super username and password are the same on all servers in the cluster.
Cannot connect to server <SERVER_NAME> on port <CTLPORT_#>
Perform the following procedure:
1.
2.
3.
4.
5.
The computer is locked. Only administrator can unlock this computer.
When you remove the security token from the USB port, the computer locks because the NT LM Support Security Provider service is running. Perform one of the following tasks:
•
•
•
You cannot delete this item. You can only delete security tokens, CAPF and alternate TFTP.
You can only delete the types that are specified in the error message.
TFTP certificate already exists in the CTL file.
A TFTP server with the same hostname or IP address already exists in the CTL file. To add a new TFTP server, enter a different hostname or IP address.
Could not get certificate from a CAPF server. Make sure that you are connecting to a CAPF server or the port number is correct and try again.
The error message specifies the corrective action.
You must connect to the Cisco CTL Provider service. Make sure that you are connecting to a CCM server or the port number is correct and try again.
The error message specifies the corrective action.
Related Topics
•
•
•
•
Troubleshooting the Phone When a Problem Exists with the CTL File
The errors in Table 5-2 may display on the phone when a problem exists with the CTL file.
To perform the corrective actions in Table 5-2, you must obtain at least one security token that you used to create the original CTL file. If you need to update the CTL file, see the "Updating the CTL File" section.
Table 5-2 CTL File Errors That Affect the Phone
Phone cannot authenticate CTL file.
The security token that signed the updated CTL file does not exist in the CTL file on the phone.
By using at least one security token that exists in the CTL file, update the CTL file.
Phone cannot authenticate any of the configuration files other than the CTL file.
The TFTP entry in the CTL file is wrong, and the security token does not exist in the CTL file.
By using at least one security token that exists in the CTL file, update the TFTP entry in the CTL file.
Phone reports TFTP authorization failure.
Consider the following causes:
•
•
By using at least one security token that exists in the CTL file, update the TFTP entry in the CTL file.
If the new CTL file contains different TFTP information than the existing CTL file on the phone, delete the existing CTL file from the phone; see the "Deleting the CTL File on the Cisco IP Phone" section.
Phone does not register with Cisco CallManager.
The CTL file does not contain the correct information for the Cisco CallManager server.
Auto-registration may be enabled.
Verify that auto-registration is disabled.
By using at least one security token that exists in the CTL file, update the Cisco CallManager entries for the CTL file.
Phone does not interact with the correct CAPF server to obtain the locally significant certificate.
A TLS handshake error occurs.
Consider the following causes:
•
•
By using at least one security token that exists in the CTL file, update the CAPF IP address or hostname in the CTL file.
Phone does not request signed configuration files.
Consider the following causes:
•
•
By using at least one of the security tokens that exists in the original CTL file, update the TFTP entry in the CTL file.
When you update the CTL file, verify that you set the Cisco CallManager clusterwide security mode to Mixed Mode.
Related Topics
•
•
•
•
Comparing CTL File Versions on the Cisco IP Phone and Server
You can identify the version of the CTL file on the phone by calculating the MD5 hash, which is a cryptographic hash computed on the file contents.
On the phone, an option exists for CTL file; this option provides the MD5 hash value. An MD5 application allows you to compute the MD5 hash of files on disc. When you compare the hash values for saved CTL files on disc with the value that displays on the phone, you can determine which version is installed on the phone.
After you determine the version of the CTL file exists on the phone, you can run an MD5 check on the server CTL file to verify that the phone uses the correct CTL file.
Tip
Related Topics
•
•
•
Deleting the CTL File on the Cisco IP Phone
Caution
Delete the CTL file on the Cisco IP Phone if the following cases occur:
•
•
•
•
•
To delete the CTL file on the Cisco IP Phone, perform the tasks in Table 5-3.
Related Topics
•
•
•
•
Deleting the CTL File on the Server
Delete the CTL file that exists on the server if the following cases occur:
•
•
Tip
To delete the CTL file, perform the following procedure:
Procedure
Step 1
Step 2
Step 3
Related Topics
•
•
•
•
Troubleshooting If You Lose One Security Token (Etoken)
If you lose one security token, perform the following procedure:
Procedure
Step 1
Step 2
a.
b.
For more information on how to perform these tasks, see the "Updating the CTL File" section.
Step 3
Related Topics
•
•
•
•
Troubleshooting If You Lose All Security Tokens (Etoken)
Tip
If you lose the security tokens and you need to update the CTL file, perform the following procedure:
Procedure
Step 1
The following location designates the default directory: C:\program files\cisco\tftppath. To identify where you stored the CTL file, locate the File Location service parameter for the TFTP service in the Service Parameters window of Cisco CallManager Administration.
Step 2
Step 3
Step 4
Step 5
Tip
Step 6
Step 7
Related Topics
•
•
•
•
Verifying the Security Mode for the Cisco CallManager Cluster
To verify the security mode for the Cisco CallManager cluster, perform the following procedure:
Procedure
Step 1
Step 2
Related Topics
•
•
•
•
Verifying or Uninstalling the Cisco CTL Client
Uninstalling the Cisco CTL client does not delete the CTL file. Likewise, the clusterwide security mode and the CTL file do not change when you uninstall the client. If you choose to do so, you can uninstall the CTL client, install the client on a different Windows 2000 workstation or server, and continue to use the same CTL file.
To verify that the Cisco CTL client installed, perform the following procedure:
Procedure
Step 1
Step 2
Step 3
Step 4
Related Topics
•
•
•
•
Determining the Cisco CTL Client Version
To determine which version of the Cisco CTL client you are using, perform the following procedure:
Procedure
Step 1
•
•
Step 2
Step 3
Related Topics
•
•
•
Troubleshooting the CAPF Utility
This section contains information on the following topics:
•
•
•
•
•
Error Messages for the CAPF Utility
Table 5-4 displays error messages and corrective actions for the CAPF utility:
Related Topics
•
•
•
•
•
Verifying or Uninstalling the CAPF Utility
Uninstalling the CAPF utility removes all files that exist in the CAPF directory, including certificates and keys. If you uninstall the utility and do not reinstall it, no CAPF functionality exists; that is, certificates do not get issued and certificate requests do not occur on behalf of the phone.
To verify or uninstall the CAPF utility, perform the following procedure:
Procedure
Step 1
Step 2
Step 3
Step 4
Related Topics
•
•
•
•
•
Troubleshooting If You Incorrectly Enter the Authentication String on the Phone
If you incorrectly enter the authentication string on the phone, an error displays on the phone. Enter the correct authentication string on the phone.
Related Topics
•
•
Troubleshooting If the Locally Significant Certificate Validation Fails
On the phone, the locally significant certificate validation may fail if the certificate is not the version that CAPF issued, the certificate has expired, the CAPF certificate does not exist on all servers in the cluster, the CAPF certificate does not exist in the CAPF directory, and so on. If the locally significant certificate validation fails, review the SDL trace files and the CAPF trace files for errors.
Related Topics
•
•
•
Verifying That You Installed the Locally Significant Certificate on the Phone
You can verify that the certificate installed on the phone by choosing Settings > Model Information and viewing the LSC setting. The LSC setting displays Yes.
Related Topics
•
•
