Cisco Cisco Expressway
Appendix 1: Troubleshooting
SIP TLS negotiation failures on neighbor and traversal zones
If TLS verify mode is enabled, the neighbor system's FQDN or IP address, as specified in the Peer
address field of the zone’s configuration, is used to verify against the certificate holder’s name contained
within the X.509 certificate presented by that system. (The name has to be contained in either the Subject
Common Name or the Subject Alternative Name attributes of the certificate.) The certificate itself must also
be valid and signed by a trusted certificate authority.
address field of the zone’s configuration, is used to verify against the certificate holder’s name contained
within the X.509 certificate presented by that system. (The name has to be contained in either the Subject
Common Name or the Subject Alternative Name attributes of the certificate.) The certificate itself must also
be valid and signed by a trusted certificate authority.
Therefore when certificates have been generated with peer or cluster FQDNs, ensure that the zone's Peer
address fields are configured with FQDNs rather than IP addresses.
address fields are configured with FQDNs rather than IP addresses.
Certificates with key length of 8192 bits
SIP TLS zones may fail to become active if certificates with a key length of 8192 bits are used. We
recommend using certificates with a key length of 4096 bits.
recommend using certificates with a key length of 4096 bits.
Service failures when using mobile and remote access
Unified Communications mobile and remote access services can fail due to certificate errors if you have
uploaded a private key file that does not contain a trailing newline character.
uploaded a private key file that does not contain a trailing newline character.
Ensure that the private key file contains a trailing newline character.
Cisco Expressway Certificate Creation and Use
Page 13 of 25
Appendix 1: Troubleshooting