Cisco/Tandberg endpoints troubleshooting
This article covers the following Cisco/Tandberg endpoint issues:
- Cisco CE10.x or later firmware unable to be activated using the Activate Endpoint app
- Cisco CE9.10.x or later firmware unable to be activated using the Activate Endpoint app
- Cisco endpoints report activation failure with CE9.3.x and newer
- Content sharing unreliable with firewall default UDP session timeout value
- Migrate a DX device to CE software with the Cloud Upgrader tool
- Resetting factory defaults on EX series endpoints
Cisco endpoints with firmware release CE10.x or later and factory default settings require a certificate to be loaded manually before being activated (sometimes referred to as provisioning) using the Activate Endpoint app. (Devices previously activated to the Pexip Service that upgrade to RoomOS 10 should not encounter this problem.)
Without the certificate loaded, the Activate Endpoint app reaches 70% on the status bar before throwing the following error:
You can resolve this issue by following the steps below to replace the existing Root CA certificate with an updated certificate:
- Go to the DigiCert repository to obtain the DigiCert Global Root CA: https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem (you may need to right-click and select Save link as...).
- Follow the prompts to save the file as a .pem file.
- If you choose to open the file first, be sure to use a text editor such as Notepad or Vi.
- To install the certificate, sign in to the unit's configuration interface and from the side menu select .
- Then from the horizontal tabs, switch to the tab .
- Then select .pem file on your computer. Follow the prompts to complete installation of the .pem file. and find the saved the
After installing the certificate, you can re-run the Activate Endpoint app to complete registration to the Pexip Service. The app may mistakenly report failure, but if the certificate was loaded successfully then activation should have worked. You can check by viewing the device's status in the web interface, it should be registered.
This issue will be addressed in the forthcoming release for the Activate Endpoint app.
If you see the error below while using the Activate Endpoint app to activate (sometimes referred to as provisioning) a Cisco endpoint running CE9.10.x firmware or later, please go to https://pexip.me/download and install the latest version of the app, and then re-run the activation. This error was caused by an out of date root CA certificate and has been fixed in the latest version of the app.
If you see this error while using the Activate Endpoint app to activate a Cisco endpoint running CE9.3.x firmware or newer, you can ignore it because it's a false error. The endpoint has been successfully activated for use with the Pexip Service as per the subscription template and can be used as normal to initiate and receive calls.
This is fixed in the latest version of the Activate Endpoint app which is available here: https://pexip.me/download.
It has been observed in several Enterprise network environments that purpose-built video endpoint systems from Cisco Systems and Poly registered to the Pexip Service may experience unreliable content sharing behavior. This behavior may include an inability to receive or initiate content share soon after the video call is connected, either to a video bridge or in a point-to-point call. In many cases the content share capability is initially found to behave as expected, but then changes to the unreliable state within a short period of time. A list of compatible Cisco Systems and Poly endpoint models which can be registered to the Pexip Service can be found here.
The common element to these Enterprise network environments may be the presence of a Palo Alto Networks Firewall. After working alongside Palo Alto Networks Technical Support, the problem was traced to a requirement to increase the value of the UDP session timeout setting on the Palo Alto Networks Firewall. Video endpoints registered to the Pexip Service use SIP (Session Initiation Protocol) as the signaling protocol, and the content share channel is negotiated via SIP BFCP (Binary Floor Control Protocol), which is UDP-based. It was observed that the two-way BFCP communications between the video endpoint to the Pexip Service was being closed prematurely when the default UDP session timer of 30 seconds is used.
Pexip's recommendations when Palo Alto Networks Firewalls are present are:
- Ensure that the firewall can accommodate all the traffic types and port ranges to/from the IP address spaces shown in the https://pexip.me/test/firewall. section at
- Increase the UDP session timeout from the default 30 second value to 600 seconds for UDP port range 10000-65535.
- Disable the "Application Filtering" setting on the Firewall, which may be called SIP-ALG.
For firewalls from other vendors we recommend that you:
- Increase the UDP session timeout to 180 seconds for UDP port range 10000-65535.
If you need to upgrade from CUCM to CE software follow the instructions on page 10 in this guide from Cisco.
The EX system can be factory reset in three different ways:
- By issuing the xAPI command: xcommand systemunit FactoryReset Confirm: Yes
- Via the Touch panel: Settings/Administrator Settings/Reset/Factory Reset
By using the power button:
- Unplug power cable.
- Replug power cable.
- Immediately when the green led in the bottom left corner lights up, press and hold the power button for 10 seconds (the led will turn off), until the green led lights up again.
- Push the power button twice within two seconds (two short pushes).