Configuring SIP Integration Between CUCM and Unity Connection

Below are the steps to configure SIP integration between CUCM and Unity Connection. This is now the Cisco recommended best practice and replaces the legacy CTI Route Point configuration.

Create New SIP Trunk Security Profile

  • In CUCM, navigate to System > Security > SIP Trunk Security Profile

  • Click Add New

  • Enter a Profile Name and Description, check Accept Out-of-Dialog REFER, Accept Unsolicited Notification, Accept Replaces Header. Click Save.

Create a SIP Profile

  • In CUCM, navigate to Device > Device Settings > SIP Profile

  • To the right of Standard SIP Profile click Copy.

  • Enter a Name and Description for the SIP Profile. I also like to enable SIP OPTIONS Ping; on the Find and List Trunks page, this will let you know if the SIP Trunk has been established and for how long it has been up. Click Save when completed.

Create SIP Trunk

  • In CUCM, navigate to Device > Trunk.

  • Click Add New, select SIP Trunk and SIP from the drop down menus and click Next.

  • Enter a Device Name and Description. Select the proper Device Pool for the Trunk. Check Run On All Active Unified CM Nodes.

  • Under Inbound Calls select the CSS for inbound CUXN if you have one and check Redirecting Diversion Header Delivery – Inbound.

  • Under SIP Information enter the Destination Address of the Unity Connection Publisher. This can be an IP address or DNS name. Change the SIP Trunk Security Profile to the new profile we made earlier. Change the SIP Profile to the profile we made earlier. Click Save.

Create Route Group

  • In CUCM, navigate to Call Routing > Route/Hunt > Route Group. Click Add New.

  • Enter a name for the Route Group, change Distribution Algorithm to Top Down. Find the newly created SIP trunk under Find Devices and click Add to Route Group. Click Save.

Create Route List

  • In CUCM, navigate to Call Routing > Route/Hunt > Route List. Click Add New.

  • Enter a name for the Route List and click Save.

  • Click Add Route Group. Select the previously configured Route Group from the drop down menu and click Save.

  • Confirm that Enable This Route List and Run On All Active Unified CM Nodes are checked and that the correct Route List is displayed under Route List Details. Click Save.

Create Route Pattern

  • In CUCM, navigate to Call Routing > Route/Hunt > Route Pattern. Click Add New.

  • Enter the voicemail pilot number you’d like to use under Route Pattern. Select the name of the Route List we configured earlier under Gateway/Route List. Click Save.

Create Voice Mail Pilot

  • In CUCM, navigate to Advanced Features > Voice Mail > Voice Mail Pilot. Click Add New.

  • Enter the Voice Mail Pilot number; this should match the Route Pattern we created earlier. Enter the Calling Search Space and Description, check Make this default… and click Save.

Create Voice Mail Profile

  • In CUCM, navigate to Advanced Features > Voice Mail > Voice Mail Profile. Click Add New.

  • Enter a Voice Mail Profile Name and Description. Select the Voice Mail Pilot configured earlier. Check Make this the default… if you want this profile to be the system default. Click Save.

Configure Unity Connection

  • In CUC, navigate to Telephony Integration and then click Phone System.

 

  • Click the default phone system and make any changes you’d like such as the Phone System Name.

  • At the top right of the Phone System Basics page look for Related Links. Select Add Port Group and click Go.

  • Under Create From, change the Port Group Type to SIP from the drop down box. Give the Port Group a Display name. Under Primary Server settings enter the IP address of the CUCM server. Click Save.

  • Under Related Links on the Port Group Basics page, select Add Ports and click Go.

  • Enter the number of Ports and click Save.

  • Navigate to the Port Group Basics by going to Telephony Integrations > Port Group > and click the newly created port group.

  • Click Edit and select Servers.

  • If you need to add secondary CUCM servers enter them under SIP servers. Follow the same steps to add additional TFTP servers.

  • Click Edit > Port Group Basics. Click Reset to reset the Port Group.

Test and Verify

This should be enough to configure basic SIP integration between CUCM and CUC. In CUCM you can navigate to Device > Trunk and verify that the SIP trunk has been established. You can then test by dialing the voice mail pilot number and seeing if you hit Unity Connection.

 

 

Upgrading Cisco Emergency Responder 8.6 to 10.5 (Physical to Virtual)

I was recently tasked with upgrading Cisco Emergency Responder 8.6 to 10.5. The 8.6 install just so happened to be on a physical IBM MCS server so I thought I’d document the steps of upgrading a physical install of CER 8.6 to a virtual CER 10.5 install, along with the software used to complete the upgrade.

  • Log in to Disaster Recovery System by selecting it from the drop down box located on the top right of the CER login page and clicking Go.

  • Select the Backup Menu and then navigate to Backup Device.

DRS uses SFTP to securely transport the backup records. If you have an SFTP server already set up in your environment you can use that to create a manual up-to-date backup. For this upgrade, an SFTP server was unavailable so I had to use my laptop as the backup device. The software I used to accomplish this task was freeSSHd. These next steps are an overview of how to configure freeSSHd as a backup device for DRS.

  • Open freeSSHd and click the Users tab and then click Add to configure a backup user.

  • Click the SFTP tab and set the SFTP home path, the directory where the backup files will be stored.

Now that freeSSHd is configured we can go back to DRS and configure the Backup Device.

  • Give the Backup device a name, IP, path, and the username and password you configured in freeSSHd.

  • Once the backup device is configured click the Backup menu and select Manual Backup.

  • Select the device you configured and click CER to back up all registered CER components.

  • Click Start Backup. If everything is configured successfully you should see the progress bar advance and a number of tar archives will now be in your SFTP directory.

With a backup of the existing physical 8.6 install in place, we can now migrate to a virtual install of CER 8.6. The VMware OVA and install media for CER 8.6 are unfortunately not on the Cisco downloads page. However, if you open a TAC case for assistance with a P2V migration, Cisco will make the download available to you.

After you import the 8.6 OVA you may also want to adjust the virtual machine properties so that CER 10.5 will be supported without issues, for example by increasing the memory to 4 GB and increasing the CPU resources.

Follow the on-screen instructions to complete the basic CER install (if you want to re-IP CER, now would be the time to do that, or if you want to keep the same IP address please be sure that the virtual CER is on an isolated network). Once completed head to the web interface and select Disaster Recovery System.

  • Create your backup device by going to Backup > Backup Device.

  • Go to the Restore menu and select Restore Wizard.

  • Select your Backup Device and click next.

  • Select your Backup Archive and click next.

  • Select the features you’d like to restore and click next.

  • Select File integrity check and the servers to be restored then click Restore.

 

  • Wait for the restore process to finish. Once completed you will need to reboot the virtual machine by SSH’ing into the server and issuing the utils system restart command.

  • Next we can begin the upgrade process. Select Cisco Unified OS Administration from the navigation drop down menu and click Go. Select the Software Upgrades menu and click Install/Upgrade.

  • First we need to install ciscocm.cer_refresh_upgrade_v1.1.cop.sgn, a Cisco Options Package that is necessary to upgrade from 8.6 to 10.5. The file can be downloaded from Cisco and will need to be placed in your SFTP directory.
  • Select Remote Filesystem as the software source.
  • Configure the Software Location to point to your PC running freeSSHd then click next.

  • Under Software Location select ciscocm.cer_refresh_upgrade_v1.1.cop.sgn and click next.

  • You should then see the install progress.

  • Reboot the system.

  • Next, mount the 10.5 install media on the virtual machine. Select Connected and Connected at power on.

  • Select Cisco Unified OS Administration from the navigation drop down menu and click Go. Select the Software Upgrades menu and click Install/Upgrade.
  • Select DVD/CD as the software source and click next.

  • Be sure the correct software version is displayed and click next.

  • Select your Switch options and click next.

  • Follow the upgrade process on screen. When the system reboots you can view the install progress from the VMware console.

And that’s it. Once completed you should now have a fully upgraded version of CER 10.5, complete with migrated data from the old physical installation.

Creating a Bootable ISO from Cisco Non-Bootable Updates

There are plenty of great posts out there on how to make bootable CUCM/Collaboration media with paid GUI software such as UltraISO or free command line utilities like cdrtools. Inspired by those bloggers, I wanted to share a method to create bootable media that features the best of both worlds: open source utilities with easy to use interfaces, all for the low low price of free.

Software you’ll need:

7-Zip / cdrtfe

First, find an existing bootable CUCM ISO (a Red Hat or CentOS live CD will do the trick as well) and open it in 7-Zip.

Find the isolinux directory, highlight it, and click Extract. Choose where to save the files.

Next, take your non-bootable update DVD from Cisco and extract the contents with 7-Zip by right clicking the ISO -> 7-Zip -> Extract to….

Copy the isolinux directory you extracted earlier to the newly extracted Cisco ISO folder, overwriting any duplicate files.

Now open cdrtfe. Under the Data Disc tab click Options.


Under ISO image, select Use image, and browse to a location to store the finished ISO. Check Create image only, do not burn. Click Ok.


Next, click the File System button. Check the following options: Create boot disc, No disc emulation, and Create boot info table. Under the Boot image field, browse to the copied isolinux directory of your extracted ISO folder and select isolinux.bin. Click Ok.

In File Explorer, browse to your extracted ISO folder and copy all of the files and folders into the cdrtfe window.

Click Start to create your ISO. Once completed you should have a fully bootable ISO!

Troubleshooting TFTP Issues with Cisco Unified Real-Time Monitoring Tool (RTMT)

I recently began studying for my CCNA Collaboration exam and to help with my studies I’ve built a small collaboration lab. Nothing too fancy: a 2811 with PVDMs and FXO/FXS cards, 2 3750 PoE switches, and 2 Cisco 7960 VoIP phones. My lab server has a dedicated NIC which connects to the lab network and hosts a domain controller, workstation, and CUCM 11.5 virtual machines.

All this was working well until I configured the switches to have a separate dedicated voice VLAN. The phones started having issues contacting CUCM and downloading new configuration files or firmware. If I moved the phones back to the same VLAN as CUCM the phones would work properly. Sounded like a TFTP issue to me, and here are the steps I followed to resolve the issue.

TL;DR: ip tftp source-interface

First, I set up a trace to capture TFTP logs from my CUCM server.

  • From the CUCM Console: select Cisco Unified Serviceability from the Navigation drop down, and click Go.


  • On the Cisco Unified Serviceability page select Trace -> Configuration


  • Select your CUCM Server running the TFTP service for Server then select CM Services under Service Group.
  • For Service select Cisco Tftp then click Go.
  • Be sure Trace On is selected then change the Trace Level to Detailed.
  • Click Save.


With the detailed TFTP trace enabled, I tried resetting the phones to duplicate the issue. Once I verified the issue was still occurring it was time to grab the trace files.

To download the trace files you’ll need to use the Cisco Unified Real-Time Monitoring Tool which comes bundled with CUCM. To download the tool, follow these steps.

  • From the CUCM Administration page navigate to Application -> Plugins.

  • Near the bottom of the plugins page find the download link for Cisco Unified Real-Time Monitoring Tool.
  • Download the tool for your OS and install it.

  • When you run the program it will ask you for the IP of the CUCM server and the GUI username/password.


  • Select Trace & Log Central. Then double click Collect Files.


  • Scroll down to find Cisco Tftp and select either All Servers or an individual server.


  • Select your download options and click Finish.


You should now have a wealth of information to dive into to try and troubleshoot your issue. As I was perusing the TFTP trace logs a few lines popped out at me.

It would appear that the phone is contacting the TFTP server, but its IP address was not part of my voice VLAN. In fact, the source IP was the IP of the outside interface of my 2811!

After some quick googling I came across this article on the ip tftp source-interface command. Because my router was sourcing TFTP traffic from its outside interface, CUCM was not able to route the traffic back to the 7960 phone.

Simply adding the ip tftp source-interface command followed by the VLAN my CUCM server resided in resolved the issue and my phones began registering again.

 

 

 

Zero Downtime ASA Upgrade (ASDM)

In the same vein as my last post, this update will take you through the steps of performing a zero downtime upgrade on a HA pair of ASA 5525-X’s, this time via the ASDM GUI.

Take a look here for Cisco’s official documentation, which will be the blueprint for our guide.

  • First, back up your configuration by going to Tools -> Backup Configurations


  • Download your updated ASDM and ASA software from Cisco.com
  • Click Tools -> Upgrade Software from Local Computer


  • We’ll update ASDM first, select ASDM from the drop down box and click Browse Local Files. Navigate to where you downloaded your images and select the new ASDM image then click Upload Image.


  • You will receive a prompt asking to set this image as the ASDM image. Click No for now. If we select Yes you will not be able to use ASDM to connect to the secondary unit and upload the new images in the later steps.


  • Now let’s update the ASA software. Again, click Tools -> Upgrade Software from Local Computer. Select ASA from the drop down menu and click Browse Local Files. Navigate to where you downloaded your images and select the new ASA image then click Upload Image. Click yes on the prompt.


  • Open a new ASDM window and connect to the standby ASA IP address. Follow the same steps as above to upload the new ASDM and ASA images. Close the ASDM window for the secondary unit when finished.
  • On the Primary ASDM window click Configuration -> Device Management -> expand System Image/Configuration -> click Boot Image/Configuration. Under ASDM Image File Configuration click Browse Flash and select our new ASDM image we uploaded earlier. Save the configuration.


  • We can now reload the secondary unit to start the upgrade process. Click Monitoring -> Properties -> Failover -> Status. Click Reload Standby.


  • Refresh the Failover Status page until the Secondary unit moves from a failed state to standby ready. Make note of the sw rev field. It should reflect the new ASA software version.


  • Force the active unit to failover to standby by clicking the Make Standby button on the Failover Status page. Refresh the Failover Status page to verify the Secondary unit is now the active unit. Now click Reload Standby to reboot the primary/standby unit and complete the upgrade.


  • Exit ASDM and relaunch. You should now see the updated ASDM and ASA software versions under Device Information.


Zero Downtime ASA Upgrade (CLI)

So you have stateful failover configured on your pair of Cisco ASAs and need to upgrade ASDM or the OS? Maybe a critical security vulnerability was discovered with the software and you need to upgrade them ASAP. With stateful failover, we can perform a zero downtime upgrade on our ASAs to minimize end user disruption. Below are the steps I used to upgrade a pair of ASA 5525-X’s using the command line interface. You can find Cisco’s documentation for upgrading an Active/Standby Failover Configuration here.

  • First, back up your current configuration!

  • Download your updated ASDM and ASA software from Cisco.com
  • Copy new ASA operating system to active and standby units.

  • Copy new ASDM software to active and standby units.

  • Verify the current boot images, making note of the boot order. Remove the current image and set the config to boot from the newly uploaded image followed by the old image as a back up.

  • Configure the ASA to use the new ASDM image

  • Save your configuration and reload the secondary standby unit.

  • Verify the standby unit is back up and running the new software version.

  • Make the active primary unit the new standby unit.

  • You may need to re-establish your SSH connection. Log back into the ASA and verify that the secondary unit is now the active unit. Reload the primary/standby unit, wait a few minutes and verify that both units are now running identical code.

 

And there you have it. If you’d like, after monitoring and verification, you can remove the old ASA and ASDM images from the boot order commands as well as the disk to keep things clean.
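The steps above as a command sequence, added here as an example and not taken from the original post. The image file names and the TFTP server are placeholders, and the verify step is an extra integrity check against the checksum Cisco publishes for the download.

```cisco
! Added example. Placeholders: <TFTP-SERVER>, <NEW-ASA-IMAGE>, <OLD-ASA-IMAGE>,
! <NEW-ASDM-IMAGE>. Start on the active (primary) unit in privileged EXEC mode.

! 1. Back up the current configuration
copy running-config tftp://<TFTP-SERVER>/asa-pre-upgrade.cfg

! 2. Copy the new ASA and ASDM images to the active unit, then to the standby
copy tftp://<TFTP-SERVER>/<NEW-ASA-IMAGE>.bin disk0:/<NEW-ASA-IMAGE>.bin
failover exec mate copy /noconfirm tftp://<TFTP-SERVER>/<NEW-ASA-IMAGE>.bin disk0:/<NEW-ASA-IMAGE>.bin
copy tftp://<TFTP-SERVER>/<NEW-ASDM-IMAGE>.bin disk0:/<NEW-ASDM-IMAGE>.bin
failover exec mate copy /noconfirm tftp://<TFTP-SERVER>/<NEW-ASDM-IMAGE>.bin disk0:/<NEW-ASDM-IMAGE>.bin

! 3. Compare the hash of the copied image with the value shown on the Cisco
!    download page before booting it (use /md5 on releases without /sha-512)
verify /sha-512 disk0:/<NEW-ASA-IMAGE>.bin

! 4. Note the current boot order, then boot the new image first and keep the
!    old image as the fallback
show running-config boot system
configure terminal
 no boot system disk0:/<OLD-ASA-IMAGE>.bin
 boot system disk0:/<NEW-ASA-IMAGE>.bin
 boot system disk0:/<OLD-ASA-IMAGE>.bin
 ! 5. Point ASDM at the new ASDM image
 asdm image disk0:/<NEW-ASDM-IMAGE>.bin
 end

! 6. Save (the configuration replicates to the standby) and reload the standby
write memory
failover reload-standby

! 7. Wait until the standby shows "Standby Ready" and the new version
show failover

! 8. Force the active primary unit to become the standby
no failover active

! 9. Reconnect if the SSH session dropped. On the unit that is now active
!    (the secondary), confirm its role and reload the primary/standby unit
show failover
failover reload-standby

! 10. After a few minutes, confirm both units report the same software version
show failover
```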

 

Configuring Stateful Failover on a Cisco ASA HA Pair

The ASA, Cisco’s Adaptive Security Appliance, has been around for over 15 years and has since become a ubiquitous network security solution, securing networks the world over.

Because it is such a critical device in our networks, it has become best practice to deploy these security appliances in a resilient and highly available configuration.

Currently, Cisco supports Active/Active as well as Active/Standby failover. This article contains a simple example of how to configure Active/Standby stateful high availability on a pair of Cisco ASAs, where one unit acts as the primary ASA and a standby unit becomes active once a failover has occurred. When stateful failover is enabled, connection states are continuously passed between the active and standby units keeping session information available to the new active unit. Please note that both ASAs must be running identical hardware and software versions.

Detailed instructions from Cisco on how to configure Failover can be found here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html

  • Each interface on the primary ASA will need an additional “standby” IP address, for example:

  • Specify failover interface on the primary ASA
  • Configure failover link IP address

  • Configure shared failover key

  • Configure ASA as primary

  • Enable stateful failover

  • Enable failover

  • On the secondary ASA we’ll need to do some similar configuration:

If everything is configured properly you should see some console output regarding configuration replication.
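The primary and secondary steps above, written out as an added example rather than the configuration from the original post. Interface names, IP addresses and the key are placeholders, and the failover link and the stateful link are assumed to share one dedicated interface.

```cisco
! Added example. Placeholders: interface IDs, all IP addresses,
! the link name FOLINK and <SHARED-FAILOVER-KEY>.

! ---------- Primary ASA ----------
! Each data interface gets an additional standby address
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! The dedicated failover interface only needs to be enabled
interface GigabitEthernet0/3
 no shutdown
!
! Specify the failover interface and its link addresses
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
! Shared key: without it, failover and state traffic, including the
! replicated configuration, crosses the link in clear text
failover key <SHARED-FAILOVER-KEY>
! This unit is the primary
failover lan unit primary
! Stateful failover: pass connection state over the same link
failover link FOLINK GigabitEthernet0/3
! Enable failover
failover

! ---------- Secondary ASA ----------
! Only the failover link is configured by hand; the rest of the
! configuration replicates from the primary once the units see each other
interface GigabitEthernet0/3
 no shutdown
!
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
failover key <SHARED-FAILOVER-KEY>
failover lan unit secondary
failover link FOLINK GigabitEthernet0/3
failover
```

The failover interface ip line is identical on both units; the failover lan unit setting decides which address each unit uses.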

Now verify the status of failover with a show failover:

Creating a Subject Line Disclaimer in Exchange 2010

With ever increasing amounts of spam and spear phishing attacks, many companies today are going out of their way to warn users when an email is received from an external, and potentially unsafe, source. Thankfully the Exchange Management Console makes it fairly straightforward to create transport rules to add disclaimers, re-write subject lines, and even insert HTML into emails for all types of situations.

Recently I was asked to add an [EXTERNAL] tag to the subject line of all incoming emails from outside the organization. Below are the steps to create a Hub Transport rule to accomplish such a task.

  • Open the Exchange Management Console
  • Navigate to Organization Configuration -> Hub Transport

  • On the right side of the console click “New Transport Rule…”

  • The New Transport Rule wizard will open. Simply follow the onscreen instructions, entering a name and comment for the rule. Click Next when finished.


  • Under Conditions, select “from users that are inside or outside the organization” and “sent to users that are inside or outside the organization, or partners.” Click the blue links under Step 2 to change the from users field to “Outside” and the sent to users field to “Inside.” Click Next when completed.


  • Under actions, check “prepend message subject with string.” Click the blue link next to “string” to edit the subject prefix. Enter the tag that you’d like to appear in the subject line. Click OK and Next.

  • Under Exceptions click “except when the Subject field matches text patterns.” Click the blue link next to “string” and add the same prefix you added in the previous step. This will prevent multiple subject stamping from occurring when people email back and forth. Click Next.

  • Click New to create your new transport rule.


  • Emails from an external source should now have a new tag in the subject line.


GNS3 VM and VMware Workstation 12 Player: Could not find the default VM directory

While setting up the new GNS3 1.4 Virtual Machine with VMware Workstation 12 Player, I ran into an interesting error that was preventing me from completing the installation.

Thankfully the fix is fairly straightforward and requires that we edit the VMware Workstation preferences file.

  • Open preferences.ini in your text editor of choice
    • %Appdata%\VMware\preferences.ini
  • Add or edit the following line, changing the path to where your virtual machines are stored
    • prefvmx.defaultVMPath = "C:\Path\To\My\VMs"
  • And that’s it. Save the ini and restart the GNS3 Setup Wizard.

Credit to the VMware support forums: https://communities.vmware.com/thread/245114?start=0&tstart=0

Installing a CA Signed Certificate in Cisco Prime Infrastructure 2.2

After following the Prime Infrastructure upgrade path to 2.2 you’ll need to re-issue CA signed certificates. Unfortunately, this can’t be accomplished from the Web GUI and will need to be done via the CLI.

Here’s Cisco’s documentation for installing CA-Signed Certificates and the steps I used to import a new certificate from our Active Directory Certificate Services server.

  • First you’ll want to SSH to your Prime Infrastructure server as well as create an FTP server on your workstation. See my previous blog post for instructions on how to do so.
  • Generate a new CSR file and answer the information prompts
    • PIServer/admin# ncs key genkey -newdn -csr CSRFile.csr repository defaultRepo
    • The NCS server is running. Changes will take affect on the next server restart
      Enter the domain name of the server: (the fqdn you'll use to access prime from e.g., prime.company.org)
      Enter the name of your organizational unit:
      Enter the name of your organization:
      Enter the name of your city or locality:
      Enter the name of your state or province:
      Enter the two letter code for your country:
      Generating RSA key
  • Copy the CSR to your FTP server
    • PIServer/admin# copy disk:/defaultRepo/CSRFile.csr ftp://your.ftp.server
  • Open your CSR in a text editor, copying the text to your clipboard


  • Navigate to your internal CA and click Request a certificate


  • Click Submit an advanced certificate request

  • Under “Saved Request,” paste your certificate request output from earlier and select the Web Server certificate template. Click Submit.

  • Download your certificate and copy it to your FTP server directory


  • Copy the certificate from the FTP server to the default repository
    • PIServer/admin# copy ftp://your.ftp.server/CertFile.cer disk:defaultRepo
  • Import the certificate into the Prime Infrastructure server
    • PIServer/admin# ncs key importsignedcert CertFile.cer repository defaultRepo
  • Restart Prime Infrastructure
    • ncs stop
    • ncs start
  • When the server comes back up, reload the web page and you should notice that the site is now trusted!
