Yup, looks like a continuous loop of each server being told about the new cert, then telling the rest of the cluster about it. The delay is likely related to the fact that we require a delay before subsequent certs can be regenerated/installed specifically to allow the phones to reset and pick up a new ITL. No more regenerating tomcat + CallManager certs at the same time and nuking your ITLs.
-Ryan On Oct 9, 2014, at 2:41 PM, Matthew Loraditch <[email protected]<mailto:[email protected]>> wrote: Yes this is the bug, it is super fun… Migrated to a customer to 10.5 and updated the certs.. spent a day finding out this was the bug.. I am eagerly awaiting SU1. Something to do with the sever being on multiple servers it continuously sends the cert to the other servers which causes the change notification. Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA 1965 Greenspring Drive Timonium, MD 21093 direct voice. 443.541.1518 fax. 410.252.9284 Twitter<http://twitter.com/heliontech> | Facebook<http://www.facebook.com/#!/pages/Helion/252157915296> | Website<http://www.heliontechnologies.com/> | Email Support<mailto:[email protected]?subject=Technical%20Support%20Request> Support Phone. 410.252.8830 From: cisco-voip [mailto:[email protected]] On Behalf Of Brian Meade Sent: Thursday, October 09, 2014 2:32 PM To: Jason Aarons (AM) Cc: cisco-voip ([email protected]<mailto:[email protected]>) Subject: Re: [cisco-voip] Bug with mult-server certificate and phones reset every 7 min? That's what it looks like. Starting in CUCM version 8.6, we started resetting all registered phones on the cluster whenever a certificate used in the ITL changed. This was to prevent the ITL from changing too much at once before the phones go the update such as regenerating CallManager.pem and TVS.pem at the same time which will force you to have to delete the ITL on all phones unless the phones got the updated ITL after the first certificate was regenerated. It sounds like this bug is due to that behavior but I'm not sure why it repeats every 7 minutes. I would expect it to only happen the single time when the certificate database is updated. On Thu, Oct 9, 2014 at 1:52 PM, Jason Aarons (AM) <[email protected]<mailto:[email protected]>> wrote: https://tools.cisco.com/bugsearch/bug/CSCup28852 The way I read this (it’s not in a fixed version of CallManager yet) is that after you Upload Certificate a multi-server certificate you have to stop the Cisco Certificate Change Notification (CCMServe > Tools > network Services > Cisoc Certificate Change Notification. If you don’t do this then the phones will reset every 7 minutes? Am I right in reading the bug? _______________________________________________ cisco-voip mailing list [email protected]<mailto:[email protected]> https://puck.nether.net/mailman/listinfo/cisco-voip _______________________________________________ cisco-voip mailing list [email protected]<mailto:[email protected]> https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________ cisco-voip mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-voip
