Cisco Unified Communications Manager (CUCM) Cluster 8.x introduced a new Security by default feature and the use of Initial Trust List (ITL) files. With this new feature, care must be taken when you move phones between different CUCM clusters. This document discusses how to resolve issues with Cisco IP Phones during the migration from Cisco Unified Communications Manager Express (CUCME) to CUCM 8.x. The issue is that those IP Phones are not able to get the firmware load uploaded to the TFTP server.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
You are migrating IP Phones from an existing CME environment onto a new CUCM 8.x cluster. The Trust List Update Failed messages that appear may indicate a potential issue with the ITL files that reside on these endpoints. In this situation, the IP Phones do not receive the load file that is on CUCM.
12:58:15 Trust List Update Failed
12:58:57 Trust List Update Failed
12:59:08 TFTP Timeout : SEP001D705F9EA8.cnf.xml.sgn
12:59:31 Trust List Update Failed
13:00:13 Trust List Update Failed
13:01:45 Trust List Update Failed
13:02:26 Trust List Update Failed
You have exported the IP Phones to CUCM 8.x. Because the IP Phones were registered with CUCME 7.X and then registered to the new CUCM 8.x server, the phones must have downloaded the ITL file from the CUCM server, since ITL files do not exist in CUCME.
If a phone was just moved from CUCME to CUCM, it would blindly accept the ITL file and save it to use for authentication/verification. In this case, it is possible that the phone somehow got an ITL that is no longer in use, if the TFTP certificates were regenerated.
The error messages and symptoms are caused by a new feature in CUCM 8.0, in which phones have an Initial Trust List file. This file is used to authenticate HTTPS, since services now use HTTPS instead of HTTP, and TFTP configuration files. Since your phone has an ITL that does not match the signature of the ITL on your CUCM, you can do one of two things:
Manually delete the ITLs from the phones and then they work correctly.
Use the Roll Back option. Refer to Migrating IP Phones Between Clusters with CUCM 8 and ITL Files for detailed steps.
Complete these steps in order to manually delete the ITL file on one of the IP phones:
Choose Settings > Security Configuration.
Press **# and erase the ITL file in order to unlock the IP Phone.
Make sure it works properly afterwards and check that there are no ITL errors. Then the fix for all the other IP phones would be to complete the rollback procedure.
This allows the phones to get a blank ITL file, which allows them to then download the new correct ITL file that can authenticate their configuration files.
Even if you point the phones back to a CUCME, they still do not accept their configuration files due to the ITL file being on the phone. It has to be removed or a blank (empty) ITL has to be put on the phones for them to work properly with CUCME.
The rollback option is not available on CUCME. It has to be done on CUCM 8.x. You can power on the CUCME and the phones would register, since their old (cached) configuration file is still on the phones; however, configuration changes would not update on the phones.
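To find which migrated phones show the symptom described in this document, their status messages can be checked in bulk. The Python sketch below is an added example, not part of the original document or of any Cisco tool. It assumes the status messages of each phone were already collected as text in the "HH:MM:SS message" form shown earlier; the function names, the min_failures threshold and the second sample phone are constructed for illustration.

```python
import re

# One status-message line as displayed by the phone: "HH:MM:SS message text"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(.*\S)\s*$")
# A TFTP timeout on a signed config file names the device (SEP + MAC address)
SGN_TIMEOUT_RE = re.compile(r"^TFTP Timeout\s*:\s*(SEP[0-9A-F]{12})\.cnf\.xml\.sgn$", re.I)
ITL_FAILURE = "Trust List Update Failed"

# Constructed sample input: the first entry reuses the messages shown in this
# document; the second is a made-up phone with no trust list errors.
SAMPLE = {
    "SEP001D705F9EA8": """12:58:15 Trust List Update Failed
12:58:57 Trust List Update Failed
12:59:08 TFTP Timeout : SEP001D705F9EA8.cnf.xml.sgn
12:59:31 Trust List Update Failed
13:00:13 Trust List Update Failed
13:01:45 Trust List Update Failed
13:02:26 Trust List Update Failed""",
    "SEP0000000000AA": "09:00:01 Example status line without errors",
}


def triage_status_messages(text, min_failures=2):
    """Summarise one phone's status messages (min_failures is an assumed threshold)."""
    failures, timed_out = [], set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        stamp, msg = m.groups()
        if msg == ITL_FAILURE:
            failures.append(stamp)
            continue
        t = SGN_TIMEOUT_RE.match(msg)
        if t:
            timed_out.add(t.group(1).upper())
    return {
        "itl_failures": len(failures),
        "first_failure": failures[0] if failures else None,
        "last_failure": failures[-1] if failures else None,
        "sgn_timeouts": sorted(timed_out),  # signed config files the phone could not fetch
        "stale_itl_suspected": len(failures) >= min_failures,
    }


def phones_needing_itl_reset(messages_by_phone):
    """Return the phones whose messages suggest a stale ITL, sorted by name."""
    return sorted(p for p, t in messages_by_phone.items() if triage_status_messages(t)["stale_itl_suspected"])
```

Phones returned by phones_needing_itl_reset are candidates for the manual ITL deletion or the rollback procedure described above.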