Cisco/Tandberg endpoints troubleshooting
This article covers the following Cisco/Tandberg endpoint issues:
- Cisco CE 10.x or later firmware unable to be provisioned by the Activate Endpoint app
- Cisco CE 9.10.x or later firmware unable to be provisioned by Activate Endpoint app
- Cisco endpoints report provisioning failure with CE9.3.x and newer
- Cisco CE8.1.x and CE8.2.0 endpoints are not checking in for provisioning
- Tandberg MXP endpoint fails to provision
- Content sharing unreliable with Palo Alto Networks Firewall default UDP session timeout value
- Migrate a DX device to CE software with the Cloud Upgrader tool
- Resetting factory defaults on EX series endpoints
- Cisco MXP cannot receive content unless it shares first
- No incoming video on Tandberg endpoints (TC 4.2.x and 5.1.x) when dialing out from rooms
Cisco endpoints with firmware release CE 10.x or later and factory default settings require a certificate to be loaded manually before being provisioned using the Activate Endpoint app. (Devices previously activated to the Pexip Service that upgrade to RoomOS 10 should not encounter this problem.)
Without the certificate loaded, the Activate Endpoint app reaches 70% on the status bar before throwing the following error:
You can resolve this issue by following the steps below to replace the existing Root CA certificate with an updated certificate:
- Go to the DigiCert repository to obtain the DigiCert Global Root CA: https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem.
- Follow the prompts to save the file as a .pem file.
- If you choose to open the file first, be sure to use a text editor such as Notepad or Vi.
- To install the certificate, sign in to the unit's configuration interface and from the side menu select .
- Then from the horizontal tabs, switch to the tab .
- Then select .pem file on your computer. Follow the prompts to complete installation of the .pem file. and find the saved the
After installing the certificate, you can re-run the Activate Endpoint app to complete registration to the Pexip Service. The app may mistakenly report failure, but if the certificate was loaded successfully then activation should have worked. You can check by viewing the device's status in the web interface, it should be registered.
This issue will be addressed in the forthcoming release for the Activate Endpoint app.
If you see the error below while using the Activate Endpoint app to provision a Cisco endpoint running CE 9.10.x firmware or later, please go to https://pexip.me/download and install the latest version of the app, and then re-run the activation. This error was caused by an out of date root CA certificate and has been fixed in the latest version of the app.
If you see this error while using the Activate Endpoint app to provision a Cisco endpoint running CE9.3.x firmware or newer, you can ignore it because it's a false error. The endpoint has been successfully provisioned to the Pexip Service as per the subscription template and can be used as normal to initiate and receive calls.
This is fixed in the latest version of the Activate Endpoint app which is available here: https://pexip.me/download.
Cisco endpoints running CE8.1.x and CE8.2.0 firmware do not check in for provisioning updates every 15 minutes, however, you can trigger a single provisioning check-in by restarting the endpoint.
Cisco has fixed this bug in CE8.2.1.
If your Tandberg MXP device fails to provision to the Pexip Service please ensure that it is configured to use HTTPS for provisioning. Tandberg MXP endpoints use HTTP for provisioning by default. However, the Pexip Service now requires that devices use HTTPS for secure device provisioning.
You can enable HTTPS provisioning on your endpoint via the command line. Here are the commands to use:
- xConfiguration CorporateDirectory Protocol: HTTPS
- xConfiguration ExternalServices Protocol: HTTPS
- xConfiguration ExternalManager Protocol: HTTPS
Please note you may also need to adjust the network firewall rules to allow the endpoint to use HTTPS (443 TCP) when communicating with the Pexip Service.
It has been observed in several Enterprise network environments that purpose-built video endpoint systems from Cisco Systems and Poly registered to the Pexip Service may experience unreliable content sharing behavior. This behavior may include an inability to receive or initiate content share soon after the video call is connected, either to a video bridge or in a point-to-point call. In many cases the content share capability is initially found to behave as expected, but then changes to the unreliable state within a short period of time. A list of compatible Cisco Systems and Poly endpoint models which can be registered to the Pexip Service can be found here.
The common element to these Enterprise network environments may be the presence of a Palo Alto Networks Firewall. After working alongside Palo Alto Networks Technical Support, the problem was traced to a requirement to increase the value of the UDP session timeout setting on the Palo Alto Networks Firewall. Video endpoints registered to the Pexip Service use SIP (Session Initiation Protocol) as the signaling protocol, and the content share channel is negotiated via SIP BFCP (Binary Floor Control Protocol), which is UDP-based. It was observed that the two-way BFCP communications between the video endpoint to the Pexip Service was being closed prematurely when the default UDP session timer of 30 seconds is used.
Pexip's recommendations when Palo Alto Networks Firewalls are present are:
- Ensure that the firewall can accommodate all the traffic types and port ranges to/from the IP address spaces shown in the https://pexip.me/test/firewall. section at
- Increase the UDP session timeout from the default 30 second value to 3600 seconds for UDP port range 10000-65535.
- Disable the "Application Filtering" setting on the Firewall, which may be called SIP-ALG.
If you need to upgrade from CUCM to CE software follow the instructions on page 10 in this guide from Cisco.
Issue: MXP device cannot receive content unless it shares first. Applies to SIP calls only.
Cause: If the endpoint is not the first presenter, it does not punch a hole in the firewall for content sharing stream and thus cannot also receive the content. This has been registered as two bugs in Cisco's F9 software:
- CSCud35907, "F9 breaks BFCP TCP" (no planned release to fix this and verified that there is no content seen on MXP with F8.2, so not only F9 is affected)
- CSCty51581, "Movi rings MXP and BFCP fails"
Workaround: As the MXP is EOL, we do not expect Cisco to fix these bugs. Recommended on single-screen MXP systems, but can be used on dual-screen systems as well: Turn off H.239 in the Presentation settings (and continue to use SIP). This will force the content data into the main video stream, and the user will lose dual streams capability.
Dialing out from a VMR to a Cisco Tandberg endpoint running firmware version TC4.2.x and TC5.1.x results in no incoming video on the endpoint.
Cisco endpoints running TC6 and TC7 firmware versions are not affected by this issue.
Immediate workaround for endpoints running firmware prior to TC6: using the endpoint’s call history or directory, have affected endpoints dial back from the endpoint to the VMR.
Recommended solution: upgrade all video system to vendor recommended or later releases for greatest compatibility and security. Upgrade the codecs to the firmware version TC6 or TC7. The recommended version from Cisco is TC 7.3.9 or later.
The EX system can be factory reset in three different ways:
- By issuing the xAPI command: xcommand systemunit FactoryReset Confirm: Yes
- Via the Touch panel: Settings/Administrator Settings/Reset/Factory Reset
By using the power button:
- Unplug power cable.
- Replug power cable.
- Immediately when the green led in the bottom left corner lights up, press and hold the power button for 10 seconds (the led will turn off), until the green led lights up again.
- Push the power button twice within two seconds (two short pushes).