Friday, October 02, 2015

VG224 VG310 VG3210 SCCP configuration

I've been asked a couple time lately about SCCP on analog gateways. 

On the CUCM side:

First, add the gateway in CUCM and pick the SCCP protocol.  Then, much like the host name is critical in MGCP setups, you'll need to identify it with the last 10 digits of the gateways interface MAC address.  Then, still in CUCM, add however many sub-units are in your gateways so have ports to configure.

On the gateway side:

After you get basic network connectivity and access, the basic critical SCCP related commands are:
stcapp ccm-group 1
! loopbacks are generally preferred here, but the physical interfaces will work
sccp local GigabitEthernet0/0
! 7.0+ is basically standard now but check your version here against your CUCM
sccp ccm <ip address of a CUCM,  subscriber if you have one> identifier 10 priority 1 version 7.0+
sccp ccm <ip address of another CUCM subscriber, if you have another in a CUCM group> identifier 20 priority 2 version 7.0+
sccp ccm group 1
 ! again, loopbacks are generally preferred here
 ! keep it consistent
 bind interface GigabitEthernet0/0
 associate ccm 10 priority 1
 associate ccm 20 priority 2
dial-peer group 1 pots
 service stcapp
 port all
! check if it's working
show sccp
show stcapp device summary

Monday, September 28, 2015

CUCM using SIP phones as PLAR or ring down lines

Customer using Cisco 8841 and 8851 phones wanted to use a particular button on several phones as ring down or PLAR lines.  The basic idea is after accessing a DN, rather than being returned dial tone you automatically call another number.  This is common in elevators, emergency phones, common areas, etc.

The steps below are found in various CUCM documents, but step 5 needs a bit of clarification.  Since the phones I was testing with are SIP based running sip88xx.10-3-1-20, you do indeed need to apply SIP dial rules to the phone devices, but configuring the rule takes one more bit of information. See me italics and pictures.

I've modified some of the other steps to hopefully help avoid confusion as well.

How to Configure PLAR

Step 1:
Create  a partition, for example, P1, and a calling search space, for example  CSS1, so CSS1 contains P1. (In Cisco Unified Communications Manager  Administration, choose Call Routing > Class of Control > Partition or Calling Search Space.)

Step 2:
Create  a null (blank) translation pattern, for example, TP1, in partition P1. In this null (blank)  pattern, make sure that you enter the directory number for the PLAR destination in the Called Party Transformation Mask field and that the translation pattern uses a CSS that has access to that destination. (In Cisco  Unified Communications Manager Administration, choose Call Routing > Translation Pattern.)

Step 3:
Assign the calling search space, CSS1, to either a device or line on a phone that will be dialing automatically. (In Cisco Unified Communications Manager Administration, choose Device > Phone.) 

Step 4:
For phones that are running SIP, create a SIP dial rule. (In Cisco Unified Communications Manager Administration, choose Call Routing > Dial Rules > SIP Dial Rules. Choose 7940_7960_OTHER. Enter a name for the pattern; for example, PLAR1. Click Save; then, click Add Plar. Click Save.) 

Here's the missing piece:  after you click Add Plar you must define what button number on the phone has the DN that is acting as the PLAR.  Leaving the PLAR default will show you a line with a blank pattern.  While this seems correct as it is similar to the blank translation pattern you created earlier, it will not work.

Here's a working SIP Dial rule:

The device where this will be applied will automatically dial when the fourth DN / button is accessed.
In addition, if you mistakenly choose Add Pattern rather than Add PLAR and make it look just like the above rule, your PLAR will still not work.

Here's a great looking SIP Dial rule that doesn't work:

Looks good, works badly.

Step 5:
For  phones that are running SIP, assign the SIP dial rule configuration  that you created for PLAR to the phones (In Cisco Unified Communications Manager Administration, choose  Device > Phone. Choose the SIP dial rule configuration from the SIP Dial Rules drop-down list box.)

FYI... here's another post of mine from years a ago reiterating the first several steps suitable for SCCP devices

Sunday, September 20, 2015

Cisco CUCM weak ephemeral Diffie-Hellman public key

At the time of this writing, due to one or more SSL vulnerabilities that were discovered in CUCM’s web server you may suddenly be prevented from accessing the administrative interface. This is the result of various Internet browser upgrades attempting to protect you from these vulnerabilities but in the process, preventing access to the CUCM web pages.  The good news is because your CUCM servers are typically not exposed to remote users, the only threat would be from malicious users inside your network, and then only malicious users extremely knowledgeable in these vulnerabilities and possible exploits, and then only those literate in Cisco CUCM or other UC applications.   While compromises to your CUCM server's security may be unlikely, keeping up to date with software patches / upgrades is prudent.

Your new browser looking out for your best interests.
For your reference, Cisco publishes information re: security advisories here:

Google has decided to be rather unforgiving (maybe call it condescending?) and not even provide an interactive way for a Chrome user to opt out of their security measures.

The real fix is to upgrade / patch your systems to versions that rectify the vulnerabilities.

In the interim, there are workarounds for most browsers if you care to suggest your users go that route.

For Firefox (the one I use):
Navigate to about:config in the address bar.
Choose “I’ll be careful”
Search for security.ssl3.dhe_rsa_aes
Double click security.ssl3.dhe_rsa_aes_128_sha  and security.ssl3.dhe_rsa_aes_256_sha to change them to false.
Restart Firefox.

For Chrome (I haven’t tried this personally but is the commonly referenced workaround):
In MS Windows, right click on desktop and choose New | Shortcut
In the location field, including the double quotation marks enter "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0039,0x0033
Choose Next and enter a name like “CUCM Chrome” and Finish.
You should be able to use that shortcut to start a version of Chrome access the CUCM interface.

Sunday, August 23, 2015

Cisco Quality Manager 10.5 upgrade issues

I'm sharing several important lessons learned during a Cisco Quality Manager upgrade from to 10.5 SR6, given they are not well documented.  I hope it saves you some time.

Quality Manager administrator access

In environments where you are using MS Active Directory to associate users with recorded devices you may find your self unable to login to the QM administrator's application after the upgrade.  The normal Quality Manager local admin user and password doesn't seem to work, and neither do the AD accounts you've used for logging in as administrators previously. If you are really motivated and change the model to use QM Authentication, the local QM administrator works but now your administrative AD access is gone. 

What to do?

Note there is a new field buried in the Enterprise | Site Configuration | Enterprise Settings form.  You need to actually select and choose to edit one of your Active Directory entries to see it.  Of course you can't do any of this unless you run postinstall.exe because of course, your locked out.

When you choose to edit an Active Directory entry, you will find a field called Admin Group. Mine contained the value QMAdministrator.  I don't know where that value came from because the Admin Group is now actually enforced and represents a MS Active Directory group that contains users that may or may not be Quality Manager system administrators.

First, find or create a AD group that contains your potential QM admins.  Enter the display name of the group in the QM Admin Group field.

Then, when choosing OK you will be presented with a grid of users from that AD group.  Choose one or more to become system admins.  See below.

You're in.

CUCM Recording Server SIP Trunk

If you are using Cisco Built In Bridge recording / Calabrio network recording you will already have a SIP trunk configured in CUCM, pointing to your recording server.  This trunk carries information from CUCM to Quality Manager regarding the DNs that need to be recorded, and from Quality Manager regarding what recording server to use.  There's the rub.  Previously the CUCM pointed the trunk to the Quality Manager recording server and no one thought about it. Of course, you would point it to the recording server because of course that's where the recording are going to go. Right?

Calabrio has changed the basic architecture in 10.5.  You now point the SIP trunk in CUCM to the Quality Manager Base server, not the recording server.  Before you correct this, you might dig around in the QM logs and find references to your QM not receiving SIP invites on the base server and be confused. Why would you need them there? 

Reset your CUCM trunk, start WireSharking stuff, reread all the install and upgrade guides you can find from Cisco's site. Freak out a little.

Then just point the trunk to the Quality Manager base server, rather than the record server where it's been pointing forever. 

See below.

Quality Manager VoIP Devices and Recording Cluster and Signaling Group

New programmatic entities in Quality Manager probably make in more scalable and manageable. New information under Enterprise | Site Configuration | Telephony Groups allow you to parse up and group different recording resources and signalling types.  This is great, but after the upgrade you will need to verify those values have been associated with your VoIP devices correctly.  My experience was that none of my devices had been associated with a Recording Cluster or Signaling Group at all.  That won't work.

Luckily, given all my devices need to be associated with the same Recording Cluster and Signaling Group, it's an easy edit of the entire list.  If your environment has multiple recorders, this might be a more painful process.

Go to Enterprise | Record Server Configuration | VoIP Devices and clean up your mess.

See below.

Enjoy your recordings again.

Wednesday, June 24, 2015

Cisco PLM Prime License Manager login hangs

I've run into an issue twice now on CUCM 10.5.2 systems.  When attempting to log into Cisco Prime License Manager running co-resident with a CUCM server, after entering the correct credentials the login page never changes.  The small spinning status wheel below the credentials stops but the browser may look like it is still attempting access.  You can't access PLM.

You may likely be hitting  bug CSCur95552.

For some reason, Cisco TAC has not documented any work around or fixes at this time.

If running co-resident with CUCM, you need regenerate the IPSec certificate on the node where Prime License Manager is running. Then if this is your CUCM Publisher, restart the DRF Master and DRF Local services. If it's not the Publisher, just restart the DRF Local services.

You should then be able to login.

Regenerate Certificate:
Navigate to Cisco Unified OS Administration | Securtiy | Certificate Management and choose Find.
Scroll down to and choose the ipsec certificate associated with the server where PLM is running co-resident.

Choose Regenerate and wait a few moments until it indicates success.

Restart Services:
Navigate to Cisco Unified Serviceability | Tools | Control Center - Network Services.
Pick the server where PLM is running co-resident and choose Go.
Scroll to and choose Cisco DRF Master, click Restart, and wait until it has been restarted.
Scroll to and choose Cisco DRF Local, click Restart, and wait until it has been restarted.

You should now be able to log into PLM.

Restart Tomcat:
If you experience the same issue, restart Tomcat on the same server and repeat the above steps.
SSH to or open VMware console on server where PLM is co-resident.
Login as the platform administrator.
run "utils service restart Cisco Tomcat"