call rsvp-sync resv-timer

RSVP is the IP service that allows applications to request end-to-end QoS guarantees from the network. Cisco VoIP applications use RSVP for call admission control, limiting the accepted voice load on the IP network to guarantee the QoS levels of calls. The VoIP Call Admission Control using RSVP feature synchronizes RSVP signaling with H.323 Version 2 signaling to ensure that the bandwidth reservation is established in both directions before a call moves to the alerting phase (ringing). This ensures that the called party phone rings only after the resources for the call have been reserved. Using RSVP-based admission control, VoIP applications can reserve network bandwidth and react appropriately if
bandwidth reservation fails. Prior to Cisco IOS Release 12.1(3)XI and 12.1(5)T, VoIP gateways used H.323 Version 1 (Slow Connect) procedures when initiating calls requiring bandwidth reservation. This feature, which is enabled by default, allows gateways to use H.323 Version 2 (Fast Connect) for all calls, including those requiring RSVP. To enable backward compatibility, commands are available to force the originating gateway to initiate calls using Slow Connect procedures if the terminating gateway is running Cisco IOS Release 12.1(1)T or later. You can configure Slow Connect globally for all VoIP calls by using the h323 call start voice-service command, or configure Slow Connect per the individual VoIP dial-peer by using the call start voice-class command. A timer can be set by using the call rsvp-sync resv-timer command to limit the number of seconds that the terminating gateway waits for bandwidth reservation setup before proceeding with the call setup or releasing the call, depending on the configured QoS level in the dial peers.


Posted in Notes | Tagged , , | Leave a comment

Secure SRST

1     Introduction

This report explains and gives the steps to be done to activate secure SRST, on tis report I use the router as Certificate authority (CA) , if you use their part CA , there will be a slight difference ,some steps has to be done manually

This report is based on the following reference:

2     Pre-Request

  • You must activate security mixed mode on the callmanager
  • You must deactivate the SRST on the router by typing( no call-manager-fallback)
  • You must activate the http server on the Cisco Router by typing (ip http server) , this will allow the enrolment with the CA server

Note: The call manager has two modes, non secure mode and mixed mode, when using mixed mode both IP phone (secure profile and non secure profile can register with the CUCM)

Note: To use mixed mode you must buy the security tokens and use the CTL client to upload the certificate

3     Procedure

3.1    Create the certificate Authority (CA)

Router(config)# crypto pki server srstcaserver

Router(cs-server)# database level complete

Router(cs-server)# database url nvram

Router(cs-server)# issuer-name CN=srstcaserver

Router(cs-server)# grant auto

% This will cause all certificate requests to be automatically granted.

Are you sure you want to do this? [yes/no]: y

Router(cs-server)# no shutdown

% Once you start the server, you can no longer change some of

% the configuration.

Are you sure you want to do this? [yes/no]: y

% Generating 1024 bit RSA keys …[OK]

% Certificate Server enabled.

Note: The    grant auto command is used to allow the automatic acceptance of enrolment to the CA server

3.2    Enrolment to the CA server

3.2.1   Configure the parameters of the certificate

Router(config)#crypto pki trustpoint srstca

Router(ca-trustpoint)# enrollment url http://X.X.X.X

Router(ca-trustpoint)# revocation-check none

Router(ca-trustpoint)# exit

The X.X.X.X is the IP address of the SRST Router, with the configuration above, you say, my certificate name is srstca , it will enroll with the server x.x.x.x , it will be valid for ever

3.2.2   authentication of the certificate

Router(config)# crypto pki authenticate srstca

Certificate has the following attributes:

Fingerprint MD5: 4C894B7D 71DBA53F 50C65FD7 75DDBFCA

Fingerprint SHA1: 5C3B6B9E EFA40927 9DF6A826 58DA618A BF39F291

% Do you accept this certificate? [yes/no]: y

Trustpoint CA certificate accepted.

3.2.3   Enrollement of the certificate

Router(config)# crypto pki enroll srstca


% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.


Re-enter password:

% The fully-qualified domain name in the certificate will be:

% The subject name in the certificate will be:

% Include the router serial number in the subject name? [yes/no]: y

% The serial number in the certificate will be: D0B9E79C

% Include an IP address in the subject name? [no]: n

Request certificate from CA? [yes/no]: y

% Certificate request sent to Certificate Authority

% The certificate request fingerprint will be displayed.

% The ‘show crypto pki certificate’ command will also show the fingerprint.

3.2.4   Deactivate the Auto enrollment

crypto pki server srstcaserver


no grant auto

no shutdown

Note: For security reason deactivate auto enrollment on the CA server

3.3    Enabling Credentials Service

The credential service allow automatic exchange of the certificate between the SRST router and the CUCM


ip source-address  x.x.x.x  port 2445

trustpoint srstca


In this step you says , the certificate to exchange automatically with the CUCM  is  srstca , and it will be done through the port 2445 and the given interface x.x.x.x

Note: The x.x.x.x is the IP address of the SRST router

3.4    Importing CUCM certificates

3.4.1   download CUCM certificates

From Cisco Unified Communications Operating System Administration, under certificate management menue download all certificates in PEM listed under CAPF-trust, including :





CAPF, and


Also download any CAPF-xxx certificates that are listed under CallManager-trust only

Note: Not all of the above certificate are needed for recent callmanager >5.x  , importing all of them will ensure the validation of this procedure

Note: the needed certificate for CUCM 8.5 is Cisco_Root_CA_2048.pem ,  Cisco_Manufacturing_CA.pem,  CAP-RTP-001.pem , CAPF.pem


Hint: How to decide which certificate to import

The last version of CUCM when  writing this procedure was 8.6 , you may want to refer to last procedure from cisco to verify if there is any modification .

The name of the certification may change in future version, here is a way I could verify the needed certifications. Open the certification file in a text editor program (Notepad++) And verify the end of the certificate , it must match the one indicated by Cisco Guide

Ex :

In the Cisco guide it says execute the following command crypto pki trustpoint CiscoCA

CiscoCA is the name of the trust point or the certificate, you will never find this name on the callmanager Certificate managemanet page (>5.X)

When comparing the certificate in the Cisco guide













You will notice that it ends with 2Q== the only certificate on the call manager that ends with 2Q== is CAP-RTP-001.pem certificate

I have also noticed that CAPF-82c946c6.pem and CAPF.pem is in fact the same certificate

Below is the name of each certificate file name found on the CUCM 8.6 and the only needed certificate to be imported.


CAP-RTP-001.pem= CiscoCA

Cisco_Manufacturing_CA.pem= CiscoManufactureCA

Cisco_Root_CA_2048.pem= CiscoRootCA2048

3.4.2   Import CUCM certificate to the SRST Router


Router(config)# crypto pki trustpoint CAPF

Router(ca-trustpoint)# revocation-check none

Router(ca-trustpoint)# enrollment terminal

Router(ca-trustpoint)# exit

Router(config)# crypto pki authenticate CAPF

Now open the CAPF.pem with a text editor and copy and paste all the text inside ,then hit enter until you get the below prompt :

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported

Repeat the same steps to the rest of the certificates:


Router(config)# crypto pki trustpoint CiscoCA

Router(ca-trustpoint)# revocation-check none

Router(ca-trustpoint)# enrollment terminal

Router(ca-trustpoint)# exit

Router(config)# crypto pki authenticate CiscoCA


Router(config)# crypto pki trustpoint CiscoManufactureCA

Router(ca-trustpoint)# revocation-check none

Router(ca-trustpoint)# enrollment terminal

Router(ca-trustpoint)# exit

Router(config)# crypto pki authenticate CiscoManufactureCA


Router(config)# crypto pki trustpoint CiscoRootCA2048

Router(ca-trustpoint)# revocation-check none

Router(ca-trustpoint)# enrollment terminal

Router(ca-trustpoint)# exit

Router(config)# crypto pki authenticate CiscoRootCA2048

3.5   Activate secure SRST on the CUCM

Go to SRST part and check secure SRST, then click on the update button

Posted in CallManager, LAB, SRST | Tagged , | Leave a comment

Back to study

I will restart studying , so there will be more updates soon

Here is my first book

Cisco Unified Communications Solution Reference Network Design (SRND)



Posted in status | Leave a comment

How To Recover Security Password On Callmanager

You must be connected to console , you can’t do this procedure from SSH connection

Log in to the system with the following username and password:

Username: pwrecovery

Password: pwreset

Then just follow the instruction , notice that you must have any valid data cd , music CD wont work

Posted in CallManager, LAB | Tagged , | 2 Comments

Phone Monitor


coming soon

I will make some tests then upload it here

Posted in Gadget | Tagged , , | Leave a comment

Urgent Messages Program UMP

It was raining last weekend , I had no any other projects , and I did not feel like studying for my CCIE , so I have decided with play to JTAPI . It has been more than 5 years that I did not write a line with JAVA , I thought that I can make a program in a 4 hrs . In reality it took about 2 days (sat and sun) and 5 hours after my work for a 3 days, so in total about about 5 day. Yes back to Java was HARD

This program will allow sending messages to Cisco IP phones , I did not have the time to test it in a large production environment yet . I have test it with 7.1.5 callmanager and (7942,7941,7911,7912) .This is a free program , but not open source , I feel ashame to show my code 🙂 . Please notice that I wrote this program for fun only, I won’t be responsible for any damages caused by this program. If you have any bug please write me back I will check it . if you test it under other callmanager version let me know .

Download it here :UMP

To make this program working you have to create a jtapi  user on the callmanager

Create an application user

The same password will be used to connect UMP to the callmanager

Assign the phone to be controlled by the JTAPI user , UMP will be able to send alerts only to phones that are controlled by the JTAPI user

Assign CTI group to the JTAPI user

Posted in CallManager, Gadget | Tagged , , , | 11 Comments

Thank you Steve

I get an request from Steve asking for new posts , It is because I’m having some professional changes , I was not able to concentrate in the past few weeks , but soon everything will be stable like before

Thank you Steve for asking




Posted in status | Leave a comment