CX500, CX600 and CX3000 log on problem to Skype for Business

  • Question

  • Hello Community,

    We are having a bad time figuring out why some of our phones are not or no longer able to log on to SfB. The problem phones are a mix of cx500, cx600 and cx3000.

    The problem started around the time when we migrated our Lync 2013 environment to SfB 2015 (swing migration). The phones that were at that time logged in with a user are still working now, phones that were not logged in or new devices (the cx3000) are unable to log on.

    The problem phones are not contacting the server properly, not for updates, not for logons. Other phones do. Could it be that the firmware is too old now to be able to connect to the SfB?

    The devices do get the DHCP options (as before), but the time when booting is off (minutes are ok, hours are wrong)

    I suspect the problem to be certificate related. A wireshark trace on the SfB server shows the output:

    Another strange thing is that I don't see any traffic coming in from the phones to the CA server. One would expect the CRL check to show up?

    Resetting (4+6 or *+#) the phones does not help. I've put some of the phones in the server VLAN (also with the correct DHCP options) to rule out that possible problem.

    Did someone encounter the same problem or does anyone have some pointers for me?

    Thanks in advance,

    Kind regards,


    Monday, May 30, 2016 12:15 PM

All replies

  • How long does the phone show connecting to the NTP time service? This should only take seconds to get the correct time.

    Have you changed the DHCP settings, Option 43 to the new FE and webservices?

    regards Holger Technical Specialist UC

    • Proposed as answer by Eason Huang Tuesday, May 31, 2016 2:50 AM
    Monday, May 30, 2016 6:31 PM
  • Hi,

    If you migrated from Lync Server 2013 to 15, then as Holger said above, make sure to update DHCP 43 and 120 to the new SFB Server.

    Also, if these IP phones are not updated to the latest firmware, then try to update them to the latest firmware.

    Best Regards

    Eason Huang
    TechNet Community Support

    Tuesday, May 31, 2016 6:10 AM
  • Hello all,

    Thanks for your reply.

    I have cleaned the DHCP config with dhcputil -cleanDHCPconfig, and executed the DHCPConfigScript again. I checked the options manually and with -EmulateClient and all seems OK.

    Connecting to NTP is quick, I see the packets in wireshark on the NTP server. The minutes are correct on the device but not the hours. Then after a while I see a DNS lookup from the phones to time.nist.gov, the firewall allows NTP out.

    I've tried updating the phones, but that is only possible through the SfB server update mechanism. The latest updates are approved, but I don't even see any connections coming from those phones in the IIS logs. I do see the DNS lookup for ucupdate-r2 after a while, which returns the SfB server IP.

    Kind regards,


    Tuesday, May 31, 2016 6:49 AM
  • Do you get the same problem if you sign in via USB or via PIN?
    Tuesday, August 16, 2016 3:29 AM
  • You should add option 004 and option 042 with a local time server to your dhcp options for the phones.

    If it is possible you should do an IP Wireshark trace on the DHCP server and on a mirroring port on the phone side to see that the phone requests and gets the DHCP options correctly from the DHCP server.

    I had a similar issue with Cisco switches, as the network team activated DHCP security on the switch, which prevented the phone from getting the correct settings.

    You can also use the log from the phones, but you need the tool from the mobile SDK to convert this log to a readable version.

    regards Holger Technical Specialist UC

    Tuesday, August 16, 2016 7:36 AM
  • Hello Holger, Adam,

    I've made some progress, the phone updates are now working after adding the ucupdates-r2.domain.local to the SANs on the certificate...

    However I am still unable to log on either by PIN or USB. I still suspect a certificate problem. I've checked, there is no dhcp snooping or firewall between the devices (I even put the phone inside the server VLAN)

    The phone logs show the correct settings, and I see requests coming in to the IIS on the frontend.

    I took some wireshark traces of the connection attempts but I can't pinpoint the problem. Is there a way I can share these with you?


    Kind regards,


    Friday, September 2, 2016 11:22 AM
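
The update fix reported in the post above came from a name missing from the certificate's SAN list. The following is an added example, not part of the original thread or any poster's script: it reports which names the devices connect to are not covered by a certificate's SAN DNS entries. Assumptions: PowerShell 4 or later (for the certificate provider's DnsNameList property), and every name except ucupdates-r2.domain.local is a hypothetical placeholder.

```powershell
# Added example. Names other than ucupdates-r2.domain.local are constructed placeholders.

function Test-SanMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant().TrimEnd('.')
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    if ($p -eq $h) { return $true }
    # A wildcard SAN covers exactly one left-most label, never two.
    if ($p.StartsWith('*.')) {
        $dot = $h.IndexOf('.')
        if ($dot -gt 0) { return ($h.Substring($dot) -eq $p.Substring(1)) }
    }
    return $false
}

function Get-MissingSanName {
    param([string[]]$SanDnsNames, [string[]]$RequiredNames)
    foreach ($name in $RequiredNames) {
        $covered = $false
        foreach ($san in $SanDnsNames) {
            if (Test-SanMatch -Pattern $san -HostName $name) { $covered = $true; break }
        }
        if (-not $covered) { $name }   # emit each name that no SAN entry covers
    }
}

# Names the devices resolve and connect to. Edit for the deployment; the pool
# and web-services names here are hypothetical.
$required = 'ucupdates-r2.domain.local', 'sfbpool.domain.local', 'sfbweb.domain.local'

# Constructed sample: a certificate issued without the device-update name.
$sampleSans = 'sfbpool.domain.local', 'sfbweb.domain.local', 'sip.domain.local'
Get-MissingSanName -SanDnsNames $sampleSans -RequiredNames $required

# On a Front End: list, for each machine-store certificate that has a private key,
# the required names its SAN list does not cover.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Missing    = @(Get-MissingSanName -SanDnsNames $_.DnsNameList.Unicode -RequiredNames $required) -join ', '
        }
    }
```

An empty Missing column on the certificate bound to the web services means every listed name is covered; a non-empty one names what to add when the certificate is reissued.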
  • If you run the USB tethering, have you tried to use domain\username as the login and also firstname.lastname@domain (UPN name)?

    Have you tested on the frontend: Test-CsPhoneBootstrap -PhoneOrExtension "+14255551219" -Pin "0712"

    You can also run dhcputil.exe -EmulateClient

    Here is also a good link from Jeff Schertz


    Be sure that the time is set correctly on the phone through the NTP server.

    Here is also a good tool to read the logs from the phone



    regards Holger Technical Specialist UC

    Tuesday, September 6, 2016 5:57 AM