Thanks for the clarification, Brian. This really helps. 

I was able to confirm that: 

    * I could change the PC port setting to 100 Full on the phone with the 
empty ITL file 
    * I could NOT change the PC port setting to 100 Full on the phone with the 
non-empty ITL file 


For the heck of it, I compared the two CallManager.pem files and they are, 
in fact, different. There was no TVS certificate on the v7 cluster members, so 
no comparison there. 

I think I have everything I need to continue with my testing scenarios. 

I hope this thread proves useful for others. 

Lelio 

--- 
Lelio Fulgenzi, B.A. 
Senior Analyst, Network Infrastructure 
Computing and Communications Services (CCS) 
University of Guelph 

519‐824‐4120 Ext 56354 
le...@uoguelph.ca 
www.uoguelph.ca/ccs 
Room 037, Animal Science and Nutrition Building 
Guelph, Ontario, N1G 2W1 

----- Original Message -----

From: "Brian Meade (brmeade)" <brme...@cisco.com> 
To: "Lelio Fulgenzi" <le...@uoguelph.ca>, "cisco-voip voyp list" 
<cisco-voip@puck.nether.net> 
Sent: Thursday, February 20, 2014 11:21:03 AM 
Subject: RE: [cisco-voip] unexpected behaviour with "Prepare Cluster for 
Rollback" and migrating phones between v9 and v7 cluster 
Lelio, 

The trust list definitely contains the certificates. The actual ITL will be 
signed by the CallManager.pem certificate of the TFTP node the phone downloaded 
it from. It will also have a TFTP entry for that node with the same 
CallManager.pem certificate. The ITL should then have a bunch of TVS 
certificates for all of your nodes in order to be used for authenticating any 
unknown certificates. 

So you said the old cluster it was registering to was 7.x, right? 

If so, the phones with a valid ITL should be requesting signed config files 
which the 7.x should be responding to with File Not Found errors. 

If the phones used their cached config files, they would probably be able to 
register to the old cluster since the IP addresses are the same and there’s 
nothing preventing the phone from sending SCCP register messages to the old 
cluster. Things like line changes are done via SCCP so adding a second DN would 
probably work but any changes on the device itself would probably fail such as 
enabling or disabling web access since that is set in the actual config file. 

Thanks, 
Brian Meade 

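The sequence Brian describes (a phone with a non-empty ITL asks for the signed config, a 7.x node answers File Not Found, the phone keeps running on its cached file; a phone with an empty ITL just takes the plain file) can be modelled end to end. The program below is an added example written for this thread, not Cisco code and not the real ITL format: an Ed25519 key pair stands in for the RSA key behind CallManager.pem, the list encoding is invented, TVS lookups of unknown certificates are left out, and the hostnames and device-config name are constructed. It also shows the case the original steps did not cover, a phone carrying an ITL from one cluster meeting a different cluster that has the same hostnames but a different CallManager.pem: the signed config and the replacement ITL are both rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrNotFound = errors.New("File Not Found") // what a 7.x TFTP answers for a .sgn request
	ErrBadSig   = errors.New("signature does not verify against the trusted TFTP key")
)

// ITL is the trust list a phone downloads: a TFTP entry (the signing node's
// public key, standing in for CallManager.pem), TVS entries for the cluster
// nodes, and a signature over the list made by that same TFTP key.
type ITL struct {
	TFTPHost string
	TFTPKey  ed25519.PublicKey
	TVSHosts []string
	Sig      []byte
}

func (l ITL) Empty() bool { return len(l.TFTPKey) == 0 }

// payload is the invented on-the-wire encoding that gets signed.
func (l ITL) payload() []byte {
	b := append([]byte(l.TFTPHost+"|"), l.TFTPKey...)
	for _, h := range l.TVSHosts {
		b = append(b, "|"+h...)
	}
	return b
}

// TFTPServer is one cluster's TFTP node. Priv is nil on a 7.x cluster, which
// has nothing to sign with. Rollback mirrors "Prepare Cluster for Rollback".
type TFTPServer struct {
	Host     string
	Priv     ed25519.PrivateKey
	Rollback bool
	Configs  map[string][]byte // unsigned device config files by name
}

func NewServer(host string, signs bool, cfgs map[string][]byte) *TFTPServer {
	s := &TFTPServer{Host: host, Configs: cfgs}
	if signs {
		_, s.Priv, _ = ed25519.GenerateKey(rand.Reader)
	}
	return s
}

// ITL builds the list this node serves: none on 7.x, an empty but still
// signed list in rollback mode (so a phone that already trusts this key accepts
// the reset), otherwise the full list.
func (s *TFTPServer) ITL(tvs []string) ITL {
	if s.Priv == nil {
		return ITL{}
	}
	l := ITL{}
	if !s.Rollback {
		l = ITL{TFTPHost: s.Host, TFTPKey: s.Priv.Public().(ed25519.PublicKey), TVSHosts: tvs}
	}
	l.Sig = ed25519.Sign(s.Priv, l.payload())
	return l
}

// Signed answers a request for the signed config: file plus signature, or
// File Not Found on a cluster that cannot sign.
func (s *TFTPServer) Signed(name string) ([]byte, []byte, error) {
	cfg, ok := s.Configs[name]
	if !ok || s.Priv == nil {
		return nil, nil, ErrNotFound
	}
	return cfg, ed25519.Sign(s.Priv, cfg), nil
}

type Phone struct {
	Trust  ITL
	Cached []byte // last config file the phone accepted
}

// InstallITL takes the first list on trust; once the phone holds a non-empty
// ITL, a replacement must be signed by the TFTP key it already trusts.
func (p *Phone) InstallITL(l ITL) error {
	if !p.Trust.Empty() && !ed25519.Verify(p.Trust.TFTPKey, l.payload(), l.Sig) {
		return ErrBadSig
	}
	p.Trust = l
	return nil
}

// LoadConfig is the boot-time fetch. It returns the config the phone runs with
// and its origin: "tftp-unsigned", "tftp-signed" or "cache".
func (p *Phone) LoadConfig(s *TFTPServer, name string) ([]byte, string, error) {
	if p.Trust.Empty() { // no ITL: plain file, nothing to check
		cfg, ok := s.Configs[name]
		if !ok {
			return nil, "", ErrNotFound
		}
		p.Cached = cfg
		return cfg, "tftp-unsigned", nil
	}
	cfg, sig, err := s.Signed(name)
	if errors.Is(err, ErrNotFound) { // 7.x has no .sgn: keep the cached file
		if p.Cached == nil {
			return nil, "", err
		}
		return p.Cached, "cache", nil
	}
	if !ed25519.Verify(p.Trust.TFTPKey, cfg, sig) { // signed by a different CallManager.pem
		return nil, "", ErrBadSig
	}
	p.Cached = cfg
	return cfg, "tftp-signed", nil
}

func main() {
	name := "SEP0011223344AA.cnf.xml" // constructed
	cfgs := map[string][]byte{name: []byte("<device><webAccess>1</webAccess></device>")}
	v9 := NewServer("cucm-pub.example.edu", true, cfgs)  // constructed hostname
	v7 := NewServer("cucm-pub.example.edu", false, cfgs) // same name, no signing key
	phone := &Phone{}
	phone.InstallITL(v9.ITL([]string{"cucm-pub.example.edu", "cucm-sub1.example.edu"}))
	_, src, err := phone.LoadConfig(v9, name)
	fmt.Println("v9, non-empty ITL:", src, err)
	_, src, err = phone.LoadConfig(v7, name)
	fmt.Println("v7, non-empty ITL:", src, err)
}
```

The point the model makes visible is that matching hostnames and IP addresses buy nothing by themselves: what the phone checks is the signature against the TFTP key in its trust list, and a cluster with no signing key simply never gets asked to prove anything, which is why both phones registered and the SCCP-side change worked while only the ITL-less phone could take a change that lives in the config file.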

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Lelio 
Fulgenzi 
Sent: Thursday, February 20, 2014 10:50 AM 
To: cisco-voip voyp list 
Subject: Re: [cisco-voip] unexpected behaviour with "Prepare Cluster for 
Rollback" and migrating phones between v9 and v7 cluster 
As a follow up to this, I'm still a little confused. 

I have confirmed 

    * that the phone that I removed after setting the "Prepare Cluster for 
Rollback" to True had an empty trust list 
    * that the phone that I removed after setting the "Prepare Cluster for 
Rollback" to False had a non-empty trust list: 
        * TFTP: fqdn of TFTP server 
        * TVS: fqdn of PUB 
        * TVS: fqdn of SUB1 
    * this was with only changing the parameter and resetting phones, no 
restarts of TFTP or TVS services. 

I was also able to confirm that: 

    * both the phone with an empty trust list AND non-empty trust list were 
able to register to the old cluster 
    * I was able to change the configuration (adding a secondary DN) to both 
phones and they both accepted them 

Is the trust list simply a _list_ of acceptable hosts? And because the (fqdn) 
hostnames and IP addresses are the same on both clusters the phones are still 
able to register and accept changes? 

If not simply a list, and it uses the host certificates, i.e. it uses host 
certificates to either build the list hash or push the certificates down to the 
phones, is what I am seeing the same certificate being generated on each host? 
I mean, I'm using all the same information, could that be possible? I don't 
know which certificates to compare, or I would have provided the results of 
that test. 

Thoughts? 

Lelio 
--- 

Lelio Fulgenzi, B.A. 
Senior Analyst, Network Infrastructure 
Computing and Communications Services (CCS) 
University of Guelph 

519‐824‐4120 Ext 56354 
le...@uoguelph.ca 
www.uoguelph.ca/ccs 
Room 037, Animal Science and Nutrition Building 
Guelph, Ontario, N1G 2W1 

----- Original Message -----

From: "Lelio Fulgenzi" <le...@uoguelph.ca> 
To: "cisco-voip voyp list" <cisco-voip@puck.nether.net> 
Sent: Wednesday, February 19, 2014 4:37:35 PM 
Subject: unexpected behaviour with "Prepare Cluster for Rollback" and migrating 
phones between v9 and v7 cluster 
OK, now I am officially confused. ;) 

I was under the impression that once a phone has registered to a v9 cluster, it 
downloads an ITL trust list/file which prevents it from registering to a v7 
cluster. To help with this, the "Prepare Cluster for Rollback" enterprise 
parameter was introduced. 

Here's what I did: 

    * upgraded offline cluster (all servers had same hostname and IP address) 
    * set the "Prepare Cluster for Rollback" parameter to True and clicked Save 
(because there were no phones registered, I did not "Apply Changes") 
    * plugged phones into the offline network 
    * phones registered to the new offline v9 cluster 
    * checked phone security pages - they showed ITL files listed (that long 
string of numbers) 
    * thinking it was the "Apply Changes" that missed something, I clicked that 
    * phones restarted, but still showed an ITL file 
    * brought a phone back to the live network, phone registered to the v7 
cluster (still has an ITL file listed) 
    * on offline cluster, change the "Prepare Cluster for Rollback" to False, 
clicked Save, clicked Apply Changes (phones restarted, and showed an ITL file) 
    * I picked up one of the phones from the offline network (now in 
rollback=false mode) and brought it to the live network. It registered to the 
v7 cluster. 

So what I see are a few things confusing me: 

    * Why do phones still have ITL files if the cluster is in rollback mode? 
This is not a big deal, but I'd like to be able to tell from the phone when 
it's registered with the "Prepare Cluster for Rollback" set to TRUE. 
    * Why does a phone that registers to a v7 cluster still have its ITL file 
set? 
    * Why (and this is the one that gets me) does a phone that was on v9 with 
"Prepare Cluster for Rollback" set to FALSE successfully register to the v7 
cluster? 

Is the ITL trust list a simple hash of the IP addresses and host names of the 
cluster members? If I don't change anything, things will continue to work? 

Is something wrong with my logic and steps? I was testing with a 7942 and a 
7962. 

Lelio 


--- 
Lelio Fulgenzi, B.A. 
Senior Analyst, Network Infrastructure 
Computing and Communications Services (CCS) 
University of Guelph 

519‐824‐4120 Ext 56354 
le...@uoguelph.ca 
www.uoguelph.ca/ccs 
Room 037, Animal Science and Nutrition Building 
Guelph, Ontario, N1G 2W1 


_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip