Introduction To Cisco UC Security


#CLUS

Introduction to
Cisco UC Security
Michael Mendoza – Technical Leader Services
Laurent Pham – Technical Marketing Engineer

BRKCOL-2014

Agenda
• UC Security Overview

• PKI and Certificate Fundamentals

• Transport Layer Security and Ciphers

• Certificates in CUCM, Phones and CUBE

• Secure to Non-Secure Interoperability

• Expressway and Mobile and Remote Access

#CLUS BRKCOL-2014 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

How
1 Find this session in the Cisco Events App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKCOL-2014

Why UC Security?
Threats specific to UC
• Toll Fraud
• Denial of Service
• Eavesdropping
• Stealing private and sensitive information
• Impersonation, session replay, media tampering, SPAM…

Organization Security Requirements
• Compliance and certifications, network access control, encryption policy, password policy, audit logs, vendor security processes…

Cisco Secure Development Lifecycle
www.cisco.com/go/csdl

Multi-Layered Security
• Secure Servers
• Secure Endpoints
• Secure Network

Secure Physical Access
• First line of defense
• Once a user or attacker has physical access to one of the devices in a network, all kinds of problems could occur…
• Action:
• Secure access to the building
• Secure access to the Data Center / servers / network devices

Secure VMware Access
• Most Cisco Collaboration applications run on top of VMware ESXi.
• A VMware administrator could have elevated permissions over the guest:
• Mount a CD/DVD and recover the password
• Access the VMDK

Network Security
• Layer 2/3 Security
• Separate VLAN for voice and data
• DHCP Snooping creates a binding table
• Dynamic ARP Inspection (DAI) examines ARP & GARP for violations (against ARP spoofing)
• IP Source Guard against spoofed IP addresses
• Port Security limits the number of MAC addresses allowed per port
• 802.1x limits network access to authenticated devices on assigned VLANs
• QoS helps during Denial of Service attacks
• Perimeter Security
• Firewalls/IPS, ASA with FirePOWER Services

IP Phone Security Features
Security Features
• Signed firmware images (.sbn extension)
• Secure boot (select models)
• Signed config files (<devicename>.cnf.xml.sgn)
• Encrypted config files*
• Endpoint certificates:
MIC (Manufacturer-Installed Certificate)
LSC (Locally Significant Certificate)*
• FIPS mode

* To configure for better security
(Diagram: signed config file, .xml.sgn)

IP Phone Security Features
Security Features
• Encrypted signaling (mutually authenticated) and media*
• HTTPS web services*
• Hardening. Disable settings if not used:
• PC port, PC Voice VLAN Access, Gratuitous ARP, Web Access (or at least, disable HTTP), Settings button, SSH, console…
• 802.1X* supplicant
• Positive off-hook indicator
• Lock icon

* To configure for better security

Unified Communications Manager Security
Hardened Platform
• Host Based Intrusion Protection (SELinux)
• Host based firewall (IPTables)
• No 3rd party software allowed
• OS and applications are installed with a single package
• Root account disabled
• Signed upgrade software
• Secure management protocols
• FIPS, Enhanced Security, Common Criteria modes available

Unified Communications Manager Security
Security Features
• Certificate Management Features (notification of certificate expiration, multi-SAN certificates)
• TLS version control, cipher strength control for SIP and SRTP
• Passwords not stored in clear
• Encrypted Backups
• Built-in CA (CAPF)
• Audit Logging

Audit log example, Authentication Failure:
16:10:32.908 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub

Audit log example, Phone Added:
16:13:48.823 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : New Phone added with MAC address=AAAABBBBCCCC , CAL mode=< None > and CAL value=< None > App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub

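As an added example (not from the slides or from Cisco), the following Python parses CUCM audit-log lines in the format shown above and flags a burst of failed web logins from one client address, which is the kind of check a SOC would run over the Audit Logging feature; the two lines from the slide are reused and the additional failure lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field names as they appear in the CUCM audit-log line above. Some are written
# "Key : Value" and some "Key: Value", so the separator is matched loosely.
FIELD_RE = re.compile(
    r"\b(UserID|ClientAddress|Severity|EventType|ResourceAccessed|EventStatus|"
    r"CompulsoryEvent|AuditCategory|ComponentID|AuditDetails|App ID|Cluster ID|Node ID)\s*:\s*"
)


def parse_audit_line(line):
    """Turn one '<time> |LogMessage Key : Value ...' line into a dict."""
    timestamp, _, rest = line.partition("|LogMessage")
    parts = FIELD_RE.split(rest)  # [prefix, key1, value1, key2, value2, ...]
    fields = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    fields["Timestamp"] = timestamp.strip()
    return fields


def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {(user, client_ip): max_failures_in_window} for sources that reach
    `threshold` failed web logins inside a sliding `window`. Audit timestamps are
    time-of-day only, so feed one day's lines at a time."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        f = parse_audit_line(line)
        if f.get("EventType") != "UserLogging" or f.get("EventStatus") != "Failure":
            continue
        key = (f["UserID"], f["ClientAddress"])
        t = datetime.strptime(f["Timestamp"], "%H:%M:%S.%f")
        q = recent[key]
        q.append(t)
        while t - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


# --- sample input: the two lines from the slide plus constructed failures ---
PAGE_FAILURE = (
    "16:10:32.908 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 4 "
    "EventType : UserLogging ResourceAccessed: Cisco CallManager Administration EventStatus : Failure "
    "CompulsoryEvent : No AuditCategory : AdministrativeEvent ComponentID : Cisco CCM Application "
    "AuditDetails : Failed to Log into Cisco CCM Webpages App ID: Cisco Tomcat Cluster ID: Node ID: cucm-pub"
)
PAGE_PHONE_ADDED = (
    "16:13:48.823 |LogMessage UserID : administrator ClientAddress : 10.10.10.100 Severity : 5 "
    "EventType : DeviceUpdate ResourceAccessed: CUCMAdmin EventStatus : Success CompulsoryEvent : No "
    "AuditCategory : AdministrativeEvent ComponentID : Cisco CUCM Administration AuditDetails : New Phone "
    "added with MAC address=AAAABBBBCCCC , CAL mode=< None > and CAL value=< None > App ID: Cisco Tomcat "
    "Cluster ID: Node ID: cucm-pub"
)


def constructed_failure(time, user, client_ip):
    """Build a constructed failed-login line in the same format (demo data only)."""
    return (PAGE_FAILURE.replace("16:10:32.908", time)
            .replace("administrator", user)
            .replace("10.10.10.100", client_ip))


SAMPLE_LOG = [
    PAGE_FAILURE,
    constructed_failure("16:10:41.120", "administrator", "10.10.10.100"),
    constructed_failure("16:10:55.004", "administrator", "10.10.10.100"),
    constructed_failure("16:11:09.377", "administrator", "10.10.10.100"),
    constructed_failure("16:12:03.510", "bob", "10.10.10.200"),
    PAGE_PHONE_ADDED,
]

if __name__ == "__main__":
    for (user, addr), count in failed_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logins for user {user} from {addr} within 5 minutes")
```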
Unified Communications Manager Security
Secure Protocols
• SIP Trunks
• SIP & SCCP Registration
• MGCP (with IPSec)
• SLDAP
• H.323 (with IPSec)
• Media Resources
• TAPI & JTAPI
• LBM
• ILS

Cluster Security Modes
Features compared across a Non Secure Cluster and a Mixed Mode Cluster:
• Auto-registration (New in 11.5)
• Signed & Encrypted Phone Configs
• Signed Phone Firmware
• Secure Phone Services (HTTPS)
• CAPF + LSC
• IP VPN Phone
• Encrypted SIP Trunk
• Secure Endpoints (TLS & SRTP)

CUCM Cluster Security Mode
• Two modes: Non-Secure or Mixed
• NOT On/Off
Mixed Mode Requirements:
• Export Restricted version of UCM
• 11.5(1)SU3+: Encryption License
• 12.0: Export-controlled Functionality allowed

Expressway Security
Hardened Platform
• Host based firewall (IPTables)
• Host Based Intrusion Protection (disabled by default)
• 3rd party software installation NOT allowed
• OS and applications are installed with a single package
• Secure management protocols
• FIPS mode
• Audit logging
• Hardening: Disable unnecessary protocols, configure host-based firewall rules and host-based Intrusion Protection, monitor events

Expressway Security
Security Features
(Diagram: Traversal Zone between Expressway-C (authenticated) and Expressway-E (non-authenticated, Internet-facing))
• Call Policy (CPL) Rules
• Granular TLS version control and cipher control
• Media encryption policy
• TLS certificate verification policy (TLS verify)

CUBE / IOS Security
Security Features
• IP Trust List: Don’t respond to any SIP INVITEs if not originated from an IP address specified in this trust list
• Call Threshold: Protect against CPU, Memory & Total Call spike
• Call Spike Protection: Protect against spike of INVITE messages within a sliding window
• Bandwidth Based CAC: Protect against excessive media
• Media Policing: Protect against negotiated Bandwidth overruns and RTP Floods
• NBAR policies: Protect against overall SIP, RTP flood attacks from otherwise “trusted” sources
• Voice Policies: Identify patterns of valid phone calls that might suggest potential abuse

IP Trust List configuration:
voice service voip
 ip address trusted list
  ipv4 10.1.1.10
  ipv4 66.66.66.66

Toll Fraud Prevention - CUCM
• Partitions and Calling Search Spaces provide dial plan segmentation and access control
• “Block offnet to offnet transfer” (CallManager service parameter)
• “Drop Ad hoc Conferences” (CallManager service parameter)
• Device Pool “Calling Search Space for Auto-registration” to limit access to the dial plan
• Employ Time of Day routing to deactivate segments of the dial plan after hours
• Require Forced Authentication Codes on route patterns to restrict access to long distance or international calls
• Monitor Call Detail Records

Toll Fraud Prevention
Unity Connection
• Unity Connection could be used to transfer a call
• Use restriction tables to allow or block call patterns
• Change the Rerouting CSS on the trunk on the CUCM side
CUBE
• Use IP Trust List:
voice service voip
 ip address trusted list
  ipv4 10.10.1.10
  ipv4 66.66.66.66
Expressway
• Call Policy Rules (CPL)
• Check Search History

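As an added example (not Cisco's code and not from the slides), this Python models the two CUBE controls described on the CUBE / IOS Security and Toll Fraud Prevention slides: it reads the `ipv4` entries under `ip address trusted list`, gives no response at all to INVITEs from any other source, and applies a sliding-window INVITE spike limit. The optional netmask form `ipv4 <addr> <mask>`, the window size and the INVITE arrival trace are assumptions made for the demo.

```python
import ipaddress
import re
from collections import deque

# Constructed copy of the trust-list block from the slides (demo input).
CUBE_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 10.1.1.10
  ipv4 66.66.66.66
 allow-connections sip to sip
"""


def parse_trusted_list(config):
    """Collect the ipv4 entries under 'ip address trusted list' as IPv4 networks.
    'ipv4 <addr>' is a host entry; 'ipv4 <addr> <mask>' (assumed form) is a subnet."""
    nets, in_block = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip address trusted list":
            in_block = True
            continue
        if not in_block:
            continue
        m = re.fullmatch(r"ipv4 (\S+)(?: (\S+))?", line)
        if m is None:
            in_block = False  # any other command ends the sub-mode
            continue
        addr, mask = m.groups()
        nets.append(ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False))
    return nets


class InviteGuard:
    """Trust-list check plus sliding-window INVITE spike protection."""

    def __init__(self, trusted_nets, max_invites, window_seconds):
        self.trusted_nets = trusted_nets
        self.max_invites = max_invites
        self.window_seconds = window_seconds
        self.accepted = deque()  # arrival times of INVITEs admitted in the window

    def is_trusted(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.trusted_nets)

    def handle_invite(self, ts, src_ip):
        """Return 'drop' (untrusted source: no SIP response at all),
        'reject' (spike limit reached) or 'accept'."""
        if not self.is_trusted(src_ip):
            return "drop"
        while self.accepted and ts - self.accepted[0] > self.window_seconds:
            self.accepted.popleft()
        if len(self.accepted) >= self.max_invites:
            return "reject"
        self.accepted.append(ts)
        return "accept"


def run_trace(trace, max_invites=3, window_seconds=10):
    """Apply the guard to a list of (seconds, source_ip) INVITE arrivals."""
    guard = InviteGuard(parse_trusted_list(CUBE_CONFIG), max_invites, window_seconds)
    return [(ts, ip, guard.handle_invite(ts, ip)) for ts, ip in trace]


# Constructed INVITE arrivals: one untrusted source, then a burst from a trusted one.
SAMPLE_TRACE = [
    (0, "192.0.2.50"),
    (1, "10.1.1.10"), (2, "10.1.1.10"), (3, "10.1.1.10"), (4, "10.1.1.10"),
    (15, "66.66.66.66"),
]

if __name__ == "__main__":
    for ts, ip, verdict in run_trace(SAMPLE_TRACE):
        print(f"t={ts:>3}s  INVITE from {ip:<14} -> {verdict}")
```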
Balancing Risk
Cost - Complexity - Resources - Performance - Manpower - Overhead

Low (Easy or Default):
• Hardened Platform
• SELinux – Host Based Intrusion Protection
• iptables - Integrated Host Firewall
• Signed Firmware & Configuration
• HTTPS
• Separate Voice & Data VLANs
• STP, BPDU Guard, SmartPorts
• Basic Layer 3 ACL’s (Stateless)
• Phone Security Settings

Medium (Moderate and Reasonable):
• IP VPN Phone
• Secure Directory Integration (SLDAP)
• Encrypted Configuration
• TLS & SRTP for Phones & Gateways
• Trusted Relay Points (TRP)
• QoS Packet Marking
• DHCP Snooping
• Dynamic ARP Inspection
• IP Source Guard, Port Security

High (Advanced or Not Integrated):
• UC-Aware Firewall (Inspection)
• TLS Proxy
• IPsec
• Rate Limiting
• Managed VPN (Remote Worker)
• Network Anomaly Detection
• Scavenger Class QoS
• 802.1x & NAC

PKI and Certificate Fundamentals
What’s a Digital Certificate?
(Diagram: an ID-card style certificate)
Issued To: John Doe
Issued By: Cisco Systems
Serial Number: 63542
Certificate Validity: May 4th, 2020

X.509 Certificate fields:
• Version
• Serial Number
• Signature Algorithm
• Signature Hash Algorithm
• Issuer
• Valid From
• Valid To
• Subject Name
• Public Key

Public Key Infrastructure
• Provides a uniform way for different organizations to identify people or other entities through X.509 identity certificates containing public keys.
• These certificates and keys can be used through secured connections (TLS/SSL) to positively establish the identity of the entities on the connection.
(Diagram: Private Key, Public Key, Certificate Authority)

Certificate Authority and PKI
(Diagram: Alice and Bob exchange data protected with their public/private key pairs; the Certificate Authority vouches for the public keys)

Digital Certificates
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=root, OU=ca, O=cisco
        Validity
            Not Before: Mar 25 10:46:17 2013 GMT
            Not After : Mar 25 10:46:17 2014 GMT
        Subject: CN=router, OU=TAC, O=Cisco, C=BE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c2:e5:4d:45:50:8b:18:86:45:ca:b6:b2:f0:f1:
                    [...]
                    36:c2:16:ca:a2:df:ac:8e:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
         03:65:af:30:c5:8d:e4:45:b1:00:1b:4f:e0:22:8b:ef:3b:d3:
         [...]
         c3:5d:37:ac

Slide annotations: Certificate properties; Issuer identity & signature; Subject identity, key & attributes.

Types of Certificates
• Root CA Certificates: Self-Signed certificates used by Certificate Authorities to sign other certificates.
• Intermediate CA Certificates: Certificates signed by a Root CA that in turn can sign other identity certificates.
• Identity Certificates: Certificates issued to a specific entity (a device) and signed or issued by a root CA and sometimes also by intermediate CAs.

Certificate Trust Chain
• Root Certificate signs Intermediate Certificate(s), which sign the Identity Certificate.
• Trust Chain: Root → Intermediate → Identity
• Root CA Public Certificates must be stored in Clients’ Trust Store(s).

Generating Certificate Signing Request (CSR)
(Diagram: CSR generated on the server and submitted to the Certificate Authority)

CA-signed Certificate Trust Chain
(Diagram: the Certificate Authority returns the signed identity certificate together with its Trust Chain)

Self-Signed vs. CA-Signed
(Diagram: self-signed certificates vs. certificates signed by a Certificate Authority; what if we add another cluster?)

Multi-Server Certificate Support
Unified CM Cluster: one CA-signed Multi-Server certificate for the entire Unified CM cluster
• To simplify certificate management in clustered environments
• One single CA-signed certificate and private key pushed automatically across all nodes in a cluster
• Each cluster node’s FQDN included as Subject Alternative Name (SAN) in a single certificate; custom SANs can also be included

Recommendation:
Use Multi-Server certificates wherever available: Tomcat/Tomcat-ECDSA for Unified CM/IM&P and CUC, CallManager, CUP-XMPP, CUP-XMPP-S2S

Public vs Private Certificate Authorities

Private CA
Pros:
• No additional costs involved
• More scalable
• More granular access control to resources
• Easier key usage customization
• Faster to get new certificates
Cons:
• More difficult to install and maintain trust relationships between devices
• May require an expert for large scale environments
• Identity cannot be validated over the Internet

Public CA
Pros:
• Identity can be validated on the Internet
• Easier to maintain for fewer devices
Cons:
• Costs can be very high
• Strict requirements for CSR
• Difficult to scale
• Limited and costly customization
• Some CAs can take days to provide new signed certificates

Certificate Re-used on Multiple Nodes
• Some products allow generating a private key / certificate once and importing them manually on several nodes.
• Available with Cisco Meeting Server, Expressway,

Transport Layer Security and Ciphers
TLS Session Establishment
Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
Client -> Server: ClientKeyExchange, [ChangeCipherSpec], Finished
Server -> Client: [ChangeCipherSpec], Finished
TLS Established

TLS Session Establishment - Mutual TLS
Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, ServerKeyExchange, CertificateRequest (MTLS), ServerHelloDone
Client -> Server: Certificate (MTLS), ClientKeyExchange, CertificateVerify (MTLS), [ChangeCipherSpec], Finished
Server -> Client: [ChangeCipherSpec], Finished
TLS Established

Deconstructing the Cipher Suite
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• Key Exchange – ECDHE: Elliptic Curve Diffie-Hellman Ephemeral
• Signature Algorithm – RSA: Rivest-Shamir-Adleman
• Bulk Encryption – AES_128_GCM: Advanced Encryption Standard in Galois Counter Mode, 128-bit key
• Message Authentication Code – SHA256: SHA2 with a 256-bit output

Cipher Suites Support
• CUCM 10.5(2): Added SIP support of TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and SRTP support of AEAD_AES_256_GCM and AEAD_AES_128_GCM
• CUCM 11.0: Added SIP support on CUCM for TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• CUCM 11.5: Added HTTPS support for ECDSA based cipher suites
• 3DES being removed in CUCM 11.5(1)SU4+ and CUCM 12.0(1)SU2+ (for TLS and SSH)

TLS v1.2
• More secure version
• Supports stronger ciphers
• May be required for security or compliance reasons
• Requirements: TLS 1.2 support, and the ability to disable TLS 1.1, 1.0, SSL 3.0 and lower protocols

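As an added example (not part of the slides), this Python splits IANA cipher-suite names into the four roles of the “Deconstructing the Cipher Suite” slide and audits a protocol and cipher list against the guidance of the last three slides: keep only TLS 1.2, prefer the ECDHE suites CUCM added, and drop 3DES. The protocol and suite lists it checks are constructed; the suite names themselves are the standard IANA ones.

```python
import re

# TLS 1.2 suite names follow TLS_<kx>[_<auth>]_WITH_<bulk cipher>_<hash>.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)"
    r"(?:_(?P<auth>RSA|ECDSA|DSS))?"
    r"_WITH_(?P<cipher>.+?)"
    r"_(?P<mac>SHA384|SHA256|SHA|MD5)$"
)
VERSION_ORDER = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]
MINIMUM_VERSION = "TLS 1.2"


def parse_cipher_suite(name):
    """Split a cipher-suite name into the roles shown on the slide."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, auth, cipher, mac = m.group("kx", "auth", "cipher", "mac")
    return {
        "key_exchange": kx,
        "signature": auth or kx,      # TLS_RSA_WITH_...: static RSA does both jobs
        "bulk_encryption": cipher,    # e.g. AES_128_GCM or 3DES_EDE_CBC
        "mac": mac,                   # for AEAD (GCM) suites this is the PRF hash
        "forward_secrecy": kx in ("ECDHE", "DHE"),
    }


def evaluate_suite(name):
    """Findings for one suite; an empty list means it meets the deck's guidance."""
    suite = parse_cipher_suite(name)
    findings = []
    if suite["bulk_encryption"].startswith("3DES"):
        findings.append("3DES: removed in CUCM 11.5(1)SU4+ and 12.0(1)SU2+")
    if not suite["forward_secrecy"]:
        findings.append("no forward secrecy: key exchange is not ephemeral (ECDHE/DHE)")
    return findings


def audit_tls_policy(enabled_versions, cipher_suites):
    """Map each offending protocol version or suite to its findings."""
    report = {}
    for version in enabled_versions:
        if VERSION_ORDER.index(version) < VERSION_ORDER.index(MINIMUM_VERSION):
            report[version] = [f"legacy protocol: disable, keep only {MINIMUM_VERSION}"]
    for name in cipher_suites:
        findings = evaluate_suite(name)
        if findings:
            report[name] = findings
    return report


# Constructed policy export: the suites named on the CUCM support slide plus two legacy ones.
SAMPLE_VERSIONS = ["TLS 1.0", "TLS 1.2"]
SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for item, findings in audit_tls_policy(SAMPLE_VERSIONS, SAMPLE_SUITES).items():
        print(item)
        for finding in findings:
            print("  -", finding)
```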
TLS v1.2 Support
Product Support (Supports TLS 1.2 / Disable TLS 1.0 / Disable TLS 1.1 / Notes):
• CUCM/IM&P, UCxn, CER, PLM*, PCD, TMS, secure CUBE (G2/G3) – Notes: System Release 12 and earlier (e.g. backport to 11.5)
• Other infrastructure (CMS, Conductor, TP Server, Expressway, Contact Center, PCP, secure SIP PSTN GW/CUBE/MTP/CFB G2/G3, secure SRST G3, secure analog VG) – Notes: System Release 12
• CE Endpoints (DX70/80, MX 200/300 G2, MX 700/800, SX, IX 5000) – Notes: 9.1.3
• 78xx/88xx – Notes: 12.1(1)
• Newer TC endpoints (MX 200/300 G2, MX 700/800, SX; can run CE) – Notes: Can SW upgrade to CE
• Legacy TC endpoints (C-series, EX, MX 200/300 G1, Profile) – Notes: End of Sale
• Legacy Immersive (TX 9000 series, CTS) – Notes: End of Sale
• Older IP phones (e.g., 79xx series, 69xx, 99xx, 89xx, DX on Android, IP Communicator) – Notes: No support or partial support

CUCM Certificates and Trust Stores
CUCM Certificate Trust Stores
• Identity Certificate: <Type>
• Trusted Certificates: <Type>-trust

CUCM Certificate Types
Identity Certificates for different Services and Functions:
• CallManager
• Tomcat
• CAPF
• IPSec
• TVS
• ITLRECOVERY

CUCM Certificate Truststores
Truststores for Services and Functions:
• CallManager-Trust
• Tomcat-Trust
• CAPF-Trust
• IPSec-Trust
• TVS-Trust
• Phone-VPN-Trust

CUCM Certificate Truststores
Identity:
• CallManager
• CallManager-ECDSA
• Tomcat
• CAPF
• TVS
• IPSec
• authz (12.0+)
• ITLRecovery
Trust:
• CallManager-Trust
• Tomcat-Trust
• CAPF-Trust
• TVS-Trust
• IPSec-Trust
• Phone-Trust
• Phone-VPN-Trust
• Phone-CTL-Trust
• Phone-CTL-ASA-Trust (12.0+)
• Phone-SAST-Trust
• Userlicensing-Trust

Phone Certificates and Trust Lists
Phone Certificate Types
Manufacturer-Installed Certificate (MIC)
• Signed by Cisco Manufacturing CA
• Automatically installed in supported phone models
• Used to authenticate with CAPF for LSC installation or downloading an encrypted configuration file
• Cannot be overwritten, deleted or revoked

Locally Significant Certificate (LSC)
• Used for authentication and encryption
• Signed by CAPF certificate
• Takes precedence over MIC

Phone Certificate Trust Chains
(Diagram: the MIC chains to the Cisco Manufacturing CA; the LSC chains to the CAPF certificate)

How Do Endpoints Trust Servers?
CTL / ITL
• CTL and ITL are signed files that contain a list of certificates that the endpoint can trust
• When an endpoint boots/resets, it requests:
1. Certificate Trust List (CTL) file
2. Initial Trust List (ITL) file (no support on Jabber)
• Endpoints verify the signature of the CTL/ITL

CUCM Non-Secure Mode
Security by Default
(Diagram: ITLFile.tlv and the Trust Verification Service)

ITLRecovery Trust Anchor Change in 12.0
• Benefits for the following scenarios:
• Renewing the CallManager certificate no longer leads to issues.
• No need to connect to TVS when renewing the CallManager certificate.
• Easier certificate exchange for EMCC when migrating a phone from one CUCM cluster to another (fewer certificates to exchange, no need to exchange certificates when renewing the CallManager certificate).

UCM non-secure
Endpoint not supporting ITL (e.g. older phone or Jabber)
1. Download the unsigned config (.xml) from the TFTP Server
2. Download the signed firmware (.sbn); validate it with the existing firmware

UCM non-secure
Endpoint supporting ITL
1. Request CTLFile.tlv from the TFTP Server: CTL not found and not on file
2. Download ITLFile.tlv: trust the ITL if none is on file, otherwise validate the ITL signature
3. Download the signed config (.xml.sgn); validate it with the ITL
4. Download the signed firmware (.sbn); validate it with the existing firmware

Contents of the ITL and Trust Anchor
ITLFile.tlv – Certificate / Role:
• Publisher CallManager Certificate – System Administrator Security Token (Before 12.0)
• Publisher and Subscriber(s) CallManager Certificates – CCM+TFTP
• Publisher and Subscriber(s) CallManager EC Certificates – CCM+TFTP
• Publisher and Subscriber(s) TVS Certificates – TVS
• Publisher CAPF Certificate – CAPF
• ITLRECOVERY Certificate – System Administrator Security Token (As of 12.0)

Loss of Trust
Before CUCM version 12.0
1. The phone downloads the ITLFile from TFTP and checks the ITL signature
2. Unable to establish a TLS connection with TVS
3. Unable to verify the signature of the signed config file

CUCM Mixed Mode
CUCM Mixed Mode and Generating CTL
(Diagram: CTL generated with the CTL Client and USB security tokens)
OR, tokenless, from the CLI:
utils ctl set-cluster mixed-mode

USB Security Tokens vs. Tokenless

USB Security Tokens
Pros:
• Fewer situations where endpoints lose the trust relationship with Unified CM, and easier to recover from this scenario
• Can be used across multiple Unified CM clusters and facilitates migration between clusters
• Easy to migrate from eTokens to Tokenless
Cons:
• Must purchase 2+ USB Security tokens
• Not manufactured in the US
• Requires CTL Client installation on a desktop

Tokenless CTL
Pros:
• Easier to manage: No need to purchase USB security tokens, no need to install CTL client, easier to update CTL file
• No need to worry about losing your USB tokens or where to store them without compromising them
• Easier to update the CTL records
Cons:
• Easier for endpoints to lose the trust relationship, and complex to recover for versions earlier than 12.0
• Requires more steps when migrating clusters

Phone Trust List and Verification
(Diagram: CTLFile.tlv, ITLFile.tlv and the Trust Verification Service)

UCM in mixed mode
Initial bootstrap
1. Request CTLFile.tlv from the TFTP Server: trust the CTL if not present, otherwise check the CTL signature
2. Download ITLFile.tlv; validate it with the CTL
3. Download the signed config; validate it with the CTL
4. Download the signed firmware; validate it with the existing firmware

Contents of the CTL if using USB eTokens
CTLFile.tlv – Certificates / Roles:
• System Administrator Security Token(s) – System Administrator Security Token (Before 12.0)
• Publisher and Subscriber(s) CallManager Certificate – CCM+TFTP
• Publisher CAPF Certificate – CAPF
• ITLRECOVERY Certificate – System Administrator Security Token (As of 12.0)

Contents of the CTL if using Tokenless
CTLFile.tlv – Certificates / Roles:
• Publisher CallManager Certificate – System Administrator Security Token (Before 12.0)
• Publisher and Subscriber(s) CallManager Certificate – CCM+TFTP
• Publisher CAPF Certificate – CAPF
• ITLRECOVERY Certificate – System Administrator Security Token (As of 12.0)
Note: the ITLRECOVERY certificate (System Administrator Security Token role) is held in the Phone-SAST-trust store.

Phone Security Modes

High Level View of a Secure Phone Registration
Phone with security profile set to Authenticated or Encrypted mode
1. The phone sends Client Hello
2. CUCM checks its Truststore: “Do I trust this device?” – Yes
3. The phone checks ITLFile.tlv / CTLFile.tlv: “Trust it?” – Yes
4. TLS established

End-to-End Phone Signaling Encryption
Phones with security profile set to Encrypted mode
(Diagram: both phones hold ITLFile/CTLFile; media flows as SRTP)

Signaling Secure to Non-Secure Interworking
(Diagram: phones holding ITLFile/CTLFile; with a non-secure party on the call, media flows as RTP)

Phone Security Status Icons
Media and Device Types In the Call – Phones That Display Both Shield and Lock Icons / Phones That Display Only the Lock Icon:
• Secure audio only – icon / icon
• Secure audio with non-secure video – icon / None
• Secure audio with secure video – icon / icon
• Authenticated device with non-secure audio only – icon / None
• Authenticated device with non-secure audio and video – icon / None
• Unauthenticated device with non-secure audio only – None / None
• Unauthenticated device with non-secure audio and video – None / None

Monitoring Certificate Expiration
Handled by the Cisco Certificate Expiry Monitor service

CUBE Certificates and Trustpoints
Trustpoint and Generating CSR
crypto pki trustpoint <trustpoint_name>
crypto pki enroll <trustpoint_name>
(Diagram: the CSR generated under <trustpoint_name> on CUBE is sent to the Certificate Authority)

Importing Trustchain and Identity Certificate
crypto pki authenticate <trustpoint_name>
crypto pki import <trustpoint_name> certificate
(Diagram: the Certificate Authority’s chain and the signed identity certificate are imported into the trustpoint(s) on CUBE)

Associating Trustpoint to SIP Trunk
sip-ua
 crypto signaling remote-addr 10.1.1.100 255.255.255.255 trustpoint <trustpoint_name>
(Diagram: <trustpoint_name> used by CUBE for the SIP Trunk)

High Level View of a Secure Connection
• CUCM sends Client Hello to CUBE
• Each side checks the other’s certificate: CUCM against its Truststore, CUBE against its Trustpoint(s) – “Do I trust this device?” – Yes
• TLS established

Secure to Non-Secure Interoperability
TLS to TCP/UDP Interworking
(Diagram: CUCM in Mixed-Mode – SIP TLS – CUBE – SIP Unsecure – ITSP)

What’s Secure RTP?
• As per RFC 3711: “SRTP is a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic”
• It uses AES (Advanced Encryption Standard) as the default cipher for stream encryption
• HMAC (Hash-based Message Authentication Code) is used to authenticate the message and protect its integrity

a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]

SDP for RTP:
m=audio 8256 RTP/AVP 0
c=IN IP4 14.50.248.31
a=rtpmap:0 PCMU/8000

SDP for SRTP:
m=audio 8264 RTP/SAVP 0
c=IN IP4 14.50.248.31
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:L5+zq2AXJxLk+058lu/XRQWJZiK0c0D0

CUBE-based SRTP-RTP Interworking
(Diagram: SIP signaling and media through CUBE, SRTP on one side and RTP on the other)
ISR 4000 - 4400/4300-series routers:
• Uses built-in crypto-engine
• No additional configuration required
ISR G2 - 2900/3900-series routers:
• DSP required
• Leverages DSPfarm configuration

SRTP Fallback
Enables a SIP device to fall back from SRTP to RTP by accepting or sending an RTP/AVP (Audio-Video Profile) in response to an RTP/SAVP (Secure Audio Video Profile) offer, by offering support of the Cisco proprietary x-cisco-srtp-fallback tag

SRTP to RTP offer without Fallback
Offer SDP: RTP/SAVP
Response: 488 Not Acceptable Media

SRTP Fallback
Offer SDP: RTP/SAVP, with header Supported: x-cisco-srtp-fallback
Answer SDP: RTP/AVP
Media: RTP

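As an added example (not from the slides or from Cisco), this Python parses the m= profile and a=crypto line of SDP bodies like the ones above and models the answerer's choice between an SRTP answer, the x-cisco-srtp-fallback RTP answer and 488 Not Acceptable Media. The SDP offers are constructed; the 30-byte key|salt length for the AES_CM_128 suites comes from RFC 4568, which is why the abbreviated inline key printed on the slide does not pass the length check.

```python
import base64
import binascii

# Master key + master salt length (bytes) carried in 'inline:' for each suite (RFC 4568).
SUITE_KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
}


def parse_sdp(sdp):
    """Return the transport profile (RTP/AVP or RTP/SAVP) and the a=crypto offers
    of the media description; other SDP lines are ignored."""
    media = {"profile": None, "crypto": []}
    for line in sdp.strip().splitlines():
        if line.startswith("m="):
            media["profile"] = line.split()[2]
        elif line.startswith("a=crypto:"):
            tag, suite, key_params, *session_params = line[len("a=crypto:"):].split()
            media["crypto"].append({"tag": int(tag), "suite": suite,
                                    "key_params": key_params, "session_params": session_params})
    return media


def inline_key_ok(suite, key_params):
    """True when key_params is 'inline:<base64 key|salt>[|lifetime][|MKI:len]'
    and the decoded key|salt has the length the suite requires."""
    if not key_params.startswith("inline:"):
        return False
    blob = key_params[len("inline:"):].split("|")[0]
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == SUITE_KEY_LEN.get(suite)


def answer_offer(offer_sdp, supported_tags, answerer_has_srtp):
    """Model the answerer's decision from the slides.
    supported_tags: option tags carried in the offer's Supported header."""
    offer = parse_sdp(offer_sdp)
    if offer["profile"] == "RTP/AVP":
        return {"status": 200, "profile": "RTP/AVP", "crypto_tag": None}
    if offer["profile"] != "RTP/SAVP":
        return {"status": 488, "profile": None, "crypto_tag": None}
    if answerer_has_srtp:
        for c in offer["crypto"]:
            if inline_key_ok(c["suite"], c["key_params"]):
                # The answer repeats the chosen tag and suite with the answerer's own key.
                return {"status": 200, "profile": "RTP/SAVP", "crypto_tag": c["tag"]}
    if "x-cisco-srtp-fallback" in supported_tags:
        return {"status": 200, "profile": "RTP/AVP", "crypto_tag": None}  # fall back to RTP
    return {"status": 488, "profile": None, "crypto_tag": None}  # Not Acceptable Media


# Constructed offer with the same shape as the slide's SRTP SDP but a full
# 30-byte key|salt (the base64 value is demo data, not a real key).
DEMO_KEY = base64.b64encode(bytes(range(1, 31))).decode()
SRTP_OFFER = f"""m=audio 8264 RTP/SAVP 0
c=IN IP4 14.50.248.31
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:{DEMO_KEY}
"""
RTP_OFFER = """m=audio 8256 RTP/AVP 0
c=IN IP4 14.50.248.31
a=rtpmap:0 PCMU/8000
"""

if __name__ == "__main__":
    print("no SRTP, no fallback tag:", answer_offer(SRTP_OFFER, [], False))
    print("no SRTP, fallback tag:   ", answer_offer(SRTP_OFFER, ["x-cisco-srtp-fallback"], False))
    print("SRTP capable answerer:   ", answer_offer(SRTP_OFFER, [], True))
```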
Expressway and Mobile and Remote Access (MRA)
MRA Media and Signaling Encryption
• SIP TLS always enforced between MRA clients & Exp-E, Exp-C & Exp-E
• Voice/Video streams always SRTP encrypted between Exp-C and MRA client
• * UCM mixed mode required to achieve SRTP on the internal network and SIP TLS between Exp-C and UCM
Media and Signaling always encrypted
(Diagram: UCM – SIP TLS* or SIP TCP – Expressway-C – Firewall – Expressway-E (DMZ) – Firewall – External MRA client; SIP TLS between Expressway-C and Expressway-E and between Expressway-E and the client; SRTP between Expressway-C and the client)

MRA Authentication
• MRA endpoints verify the Expressway-E Server Certificate
• Jabber Clients rely on the underlying platform trusted CA list
• Hardware endpoints rely on a trusted CA list included in firmware
=> One reason why a public CA must be used with Expressway-E
• Expressway-E does not verify the MRA endpoint certificate

MRA Encrypted Endpoints
• Endpoints/Jabber that connect only via MRA (not directly to CUCM) can achieve SIP TLS and SRTP without MIC/LSC

Conclusion
Addressing UC Security Requirements
Threats specific to UC
• Toll Fraud
• Denial of Service
• Eavesdropping
• Stealing private and sensitive information
• Impersonation, session replay, media tampering, SPAM…
Countermeasures
• Network security, endpoint security, server security, certificates, encryption (IP Phone Services, signaling, media), mutual TLS, signed software, signed and encrypted config file, secure boot, encrypted backups, QoS…

Organization Security Requirements
• Compliance and certifications, network access control, encryption policy, password policy, audit logs, vendor security processes…
Meeting the requirements
• FIPS/CC modes, 802.1x supplicant, complex password policy, audit logs, CSDL, Encryption, NGE, TLS 1.2…

Call to Action: Secure Network, Secure Endpoints, Secure Servers
• Further harden the platform
• Configure toll-fraud protection
• Manage your certificates carefully and simplify certificate management
• Embrace security by default (especially with 12.0)
• Configure encryption for critical services (IP Phone services)
• Consider enabling CUCM mixed-mode
• Consider starting to configure endpoints in encrypted mode
• Establish a good security policy: keep software updated, monitor logs/audit logs/CDR, back up your system, etc.

Security is a Journey, Not a Destination
• Stay up-to-date on the latest security news and upgrade / install
security updates when applicable
• Product Security Incident Response Team (PSIRT): www.cisco.com/go/psirt
• Latest threats
• Security advisories and responses
• Get notifications

Additional UC Security Sessions
• BRKCOL-3224: Implementing and Troubleshooting Secure Voice on Network Edge Devices (Tuesday 12th at 4pm)
• BRKCOL-3501: Implementing and Troubleshooting Secure IP Phones and Endpoints (Wednesday 13th at 1:30pm)

Complete your online session evaluation
Give us your feedback to be entered into a Daily Survey Drawing. Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Continue your education
• Demos in the Cisco campus
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions

Thank you

Appendix
Identity Certificates used by Communications Manager (for your reference)
• CallManager / CallManager-EC: used for TLS connections to the CallManager service (TCP port 5061 for SIP or 2443 for SCCP); signs TFTP files: configuration files, localization files, etc.
• CAPF: used for TLS connections to the CAPF service (TCP port 3804); signer of the phones' Locally Significant Certificates (LSC)
• Tomcat / Tomcat-EC: used for HTTPS connections to web services (TCP port 8443); used to sign SSO SAML requests (if required by the IdP)
• TVS: for TLS connections to the TVS service (TCP port 2445)
Identity Certificates used by Communications Manager (for your reference, continued)
• IPSec: used for IPSec connections and inter-cluster communication by DRS during backup operations
• ITLRecovery: included in the ITL file beginning with 10.0 and in the CTL beginning with 11.0; used by TFTP to sign TL files in certain scenarios
Certificate Trust Stores used with Client Connections (for your reference)
• CallManager-trust: used to validate certificates when CallManager is the client side, e.g. outbound SIP TLS connections
• CAPF-trust: used by the CAPF service to validate the client-side certificate (mutual authentication) when authenticating phones using the MIC while installing their Locally Significant Certificates (LSC)
• Tomcat-trust: used to validate certificates for all web applications' client requests as well as LDAPS (DirSync + LDAP authentication), e.g. EMCC, CTI Manager LDAPS authentication
• TVS-trust: used for intermediate and root certificates that are issuers of CA-signed TVS certificates
Certificate Trust Stores used with Client Connections (for your reference, continued)
• Userlicensing-trust: used by ELM and PLM
• Phone-trust: allows TVS to authenticate certificates used by IP Phone Services
• Phone-vpn-trust: holds server certificates for the Phone VPN feature
• Phone-sast-trust: allows TVS to authenticate certificates used by TFTP to sign files
• Phone-ctl-trust: used to include a certificate in a CTL file; only works for tokenless CTL after version 11.5
Certificate Verification with TVS
Phone being migrated to a new cluster
[Diagram: a phone holding its old ITLFile and CTLFile talks to the NEW cluster TFTP and to the old cluster TVS]
1. Download CTLFile.tlv from the NEW cluster TFTP and check the CTL signature
2. Start a secure connection to the old cluster TVS
3. Verify the new CTL signature through the old cluster TVS
Certificate Verification with TVS (continued)
[Diagram: the phone, now holding the verified new CTL, continues with the NEW cluster TFTP]
4. Download all remaining new files: ITLFile.tlv and the signed config
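The four-step trust pivot above, as an added example (not Cisco code): a Python model in which HMAC stands in for the certificate signatures and SHA-256 fingerprints stand in for ITL/CTL entries; it assumes the new cluster's certificate was imported into the old cluster's trust store (e.g. Phone-SAST-trust) so that the old TVS can vouch for it.

```python
import hashlib
import hmac

def fingerprint(cert: bytes) -> str:
    """Stand-in for the certificate entry an ITL/CTL carries."""
    return hashlib.sha256(cert).hexdigest()[:16]

class Cluster:
    """A CUCM cluster's TFTP signer; HMAC stands in for the real signature."""
    def __init__(self, name: str):
        self.cert = f"CallManager certificate of {name}".encode()   # constructed
        self._key = hashlib.sha256(f"signing key of {name}".encode()).digest()
    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, "sha256").digest()
    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)

class TVS:
    """The old cluster's Trust Verification Service, answering from its trust store."""
    def __init__(self, trusted_certs):
        self.trusted = {fingerprint(c) for c in trusted_certs}
    def is_trusted(self, fp: str) -> bool:
        return fp in self.trusted

class Phone:
    def __init__(self, itl_signers):
        self.trusted = {fingerprint(c.cert) for c in itl_signers}  # from the current ITL
    def verify_file(self, data, sig, signer, tvs=None, install=False):
        fp = fingerprint(signer.cert)
        if fp not in self.trusted:                       # step 1: signer unknown locally
            if tvs is None or not tvs.is_trusted(fp):    # steps 2-3: ask the old cluster TVS
                return False
        if not signer.verify(data, sig):                 # the signature must still check out
            return False
        if install:                                      # a verified CTL/ITL adopts its signer
            self.trusted.add(fp)
        return True

def migrate(phone, new):
    """Returns (ctl_ok_without_tvs, ctl_ok_via_old_tvs, config_ok_locally_afterwards)."""
    ctl = b"CTLFile.tlv signed by the new cluster"
    old_tvs = TVS([new.cert])   # assumption: new cert imported into the old cluster's trust store
    without_tvs = phone.verify_file(ctl, new.sign(ctl), new)
    via_tvs = phone.verify_file(ctl, new.sign(ctl), new, tvs=old_tvs, install=True)
    cfg = b"signed phone configuration file"                # step 4: remaining new files
    config_ok = phone.verify_file(cfg, new.sign(cfg), new)  # verified locally from now on
    return without_tvs, via_tvs, config_ok
```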

TLS versioning support, Ciphers
References
• TLS 1.2 Compatibility Matrix: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/Compatibility/TLS/TLS1-2-Compatibility-Matrix.html
• TLS 1.2 White Paper: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/TLS/TLS-1-2-for-On-Premises-Cisco-Collaboration-Deployments.html
• TLS 1.2 Configuration Overview: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/TLS/TLS-1-2-Configuration-Overview-Guide.html
IOS Configuration – crypto signaling
Enabling Secure Signaling
Associate the CUBE trustpoint with the voice process:
sip-ua
 crypto signaling remote-addr 14.50.248.100 255.255.255.255 trustpoint caServer

Command forms (base command, peer IP address/network association, trustpoint association, cipher selection):
crypto signaling default trustpoint <name> [cipher selection]
crypto signaling remote-addr <ip.address> <mask> trustpoint <name> [cipher selection]
Cipher selection:
• <enter> (default): All
• ecdsa-cipher: ECDSA-only
• strict-cipher: RSA-only
IOS Signaling Cipher Suites
Configuration: Cipher Suites
Default Cipher:
• TLS_RSA_WITH_RC4_128_MD5
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA1
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Strict Cipher:
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA1
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDSA Cipher:
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

CUCM Cipher Suites for TLS
Versions / Max Certificate Key Length / Cipher Suites
• Before 10.5.2 (TLS 1.0), 1024 (RSA): TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
• As of 10.5.2 (TLS 1.2), 2048 (RSA): TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• As of 11.0, 2048 (RSA) / 521 (EC): TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Secure Media – IOS Configuration Pre-16.5.1
Enabling Secure Media
1. Enable SRTP on the dial-peer (the srtp command enables SRTP)
2. Configure SRTP cipher suite support. In 15.4(1), support for sha1-80 (AES_CM_128_HMAC_SHA1_80) was added.
3. (Optional) Configure NGE cipher suite support (introduced in 15.6(1)). SRTP pass-thru allows otherwise unsupported SRTP cipher suites to be negotiated: AEAD_AES_128_GCM, AEAD_AES_256_GCM, AEAD_AES_128_CCM, AEAD_AES_256_CCM. CUBE will pass through the offered cipher suites and keys from one call-leg to the other call-leg.

dial-peer voice 1 voip
 description to CUCM Sub – Secure Signaling
 preference 1
 destination-pattern 418110....
 session protocol sipv2
 session target ipv4:14.50.248.103
 srtp
 voice-class sip srtp-auth sha1-80 sha1-32
 voice-class sip srtp pass-thru

or enable SRTP globally:

voice service voip
 srtp
 srtp pass-thru
 sip
  srtp-auth sha1-80 sha1-32
Secure Media – IOS-XE Configuration 16.5.1+
Enabling Secure Media
1. Create a voice class to define the supported SRTP cipher suites
2. Apply the defined voice-class either under the dial-peer or globally
3. Enable SRTP (the srtp command)

Define SRTP crypto suite support:
voice class srtp-crypto 1
 crypto 1 AEAD_AES_256_GCM
 crypto 2 AEAD_AES_128_GCM
 crypto 3 AES_CM_128_HMAC_SHA1_80
 crypto 4 AES_CM_128_HMAC_SHA1_32

Enable SRTP and apply the voice-class crypto-suite on the dial-peer:
dial-peer voice 1 voip
 description to CUCM Sub – Secure Signaling
 preference 1
 destination-pattern 418110....
 session protocol sipv2
 session target ipv4:14.50.248.103
 srtp
 voice-class sip srtp-crypto 1

or enable SRTP and apply the voice-class crypto-suite globally:
voice service voip
 srtp
 sip
  srtp-crypto 1
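Crypto-suite selection against a voice class such as srtp-crypto 1, as an added example (not Cisco code): the list index models the crypto preference order, the peer's SDP offer is constructed, the inline values are placeholders rather than key material, and the modelled policy is that the answerer picks its own most-preferred suite among those offered. The same function is run against the pre-16.5.1 srtp-auth sha1-80 sha1-32 capability for comparison.

```python
import re

# Constructed voice class mirroring "voice class srtp-crypto 1" above;
# list index order is the preference order (added example, not Cisco code).
VOICE_CLASS_SRTP_CRYPTO_1 = [
    "AEAD_AES_256_GCM",
    "AEAD_AES_128_GCM",
    "AES_CM_128_HMAC_SHA1_80",
    "AES_CM_128_HMAC_SHA1_32",
]
# What the pre-16.5.1 "srtp-auth sha1-80 sha1-32" line allows, modelled the same way.
PRE_16_5_1_SRTP_AUTH = ["AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"]

# Constructed SDP offer from a peer; inline values are placeholders, not key material.
OFFER_SDP = (
    "v=0\r\n"
    "m=audio 16384 RTP/SAVP 0 101\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:KEY_PLACEHOLDER_1\r\n"
    "a=crypto:2 AEAD_AES_128_GCM inline:KEY_PLACEHOLDER_2\r\n"
    "a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:KEY_PLACEHOLDER_3\r\n"
)

CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:(\S+)", re.M)

def offered_suites(sdp):
    """[(tag, suite, key_params)] in the order the offer lists them."""
    return [(int(t), s, k) for t, s, k in CRYPTO_RE.findall(sdp)]

def select_crypto(sdp, preference):
    """Modelled policy: the answerer's most-preferred suite that the offer also
    carries. None means no overlap (pass-thru, fallback or 488 territory)."""
    offered = {suite: tag for tag, suite, _ in offered_suites(sdp)}
    for suite in preference:
        if suite in offered:
            return offered[suite], suite
    return None

def answer_crypto_line(sdp, preference, answer_key="KEY_PLACEHOLDER_ANS"):
    """Build the a=crypto answer: echo the chosen tag, carry our own key (RFC 4568)."""
    selected = select_crypto(sdp, preference)
    if selected is None:
        return None
    tag, suite = selected
    return f"a=crypto:{tag} {suite} inline:{answer_key}"
```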

IOS Cipher Suite Support for Media
Version / Cipher Suites
• Prior to 15.4(1)T/S: AES_CM_128_HMAC_SHA1_32 (default)
• Starting with 15.4(1)T/S: AES_CM_128_HMAC_SHA1_80
• Starting with 15.6(1)T/S*: AEAD_AES_128_GCM, AEAD_AES_256_GCM, AEAD_AES_128_CCM, AEAD_AES_256_CCM
  * With SRTP Passthru feature
• Starting with 16.5.1*: AEAD_AES_128_GCM, AEAD_AES_256_GCM
  * Native support only in IOS-XE
CUCM Cipher Suites for Media
Versions / Cipher Suites
• Before 10.5.2: F8_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32, AES_CM_128_HMAC_SHA1_80
• As of 10.5.2: AEAD AES256 GCM-based ciphers, AEAD AES128 GCM-based ciphers
* SHA1 cipher compatibility for non-SIP devices

Data to Collect
Phone Registration (type of problem: CUCM / Other)
• LSC Installation: CAPF traces
• Secure Phone Registration: CCM traces, TFTP traces
• CTL Installation: show ctl
Other (all rows): Phone console logs, Packet capture

Media Establishment (type of problem: IOS debugs / IOS command output / CUCM / Other)
• SRTP-RTP Interworking (ISR-G2 only): debug voip ipipgw; debug voip hpi; debug ccsip error; debug ccsip info / show dspfarm profile active; show voip rtp connection; show call active|history voice brief
• Media: debug ccsip media / show sip-ua call
CUCM (both rows): CCM traces. Other (both rows): Packet capture
Data to Collect
Signaling and Call Establishment (type of problem: IOS debugs / IOS command output / CUCM / Other)
• TCP connection failure: debug ip tcp transaction; debug ip tcp packet / show tcp brief
• TLS connection failure: debug crypto pki messages|transactions|validation|api|callback; debug ssl openssl errors|msg|states / show sip-ua connection tcp tls detail
• SIP call establishment: debug ccsip error|message|transport / show call active|history voice brief
• Call Routing: debug voip ccapi inout / show dial-peer voice summary
CUCM (all rows): CCM traces. Other (all rows): Packet capture