Cannot login to Cisco Call Manager After Firefox Update

After performing the last Cisco CallManager update we were unable to log in to Cisco Call Manager 8.5 via the web interface. When we attempted to log in, we received the following message:

Secure Connection Failed

An error occurred during a connection to YOUR IP. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.

(Error code: ssl_error_weak_server_ephemeral_dh_key)

* The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
* Please contact the website owners to inform them of this problem.

The Cause:

Since the 30th of June 2015, Mozilla Firefox no longer supports connections to servers that use weak Diffie-Hellman keys (see the Mozilla release notes).

The Resolution:

Perform this at your own risk; accidental changes in about:config may affect Firefox's performance. To fix the problem, type about:config in the Firefox address bar and change the following settings to the following values:

security.ssl3.dhe_rsa_aes_128_sha=false
security.ssl3.dhe_rsa_aes_256_sha=false

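The values should be true by default. Click on them to change them to "false". With both set to false, Firefox stops offering these two DHE cipher suites, so the server has to pick a cipher suite that does not use its weak ephemeral Diffie-Hellman key. The change applies to every site visited with that Firefox profile, not only Call Manager.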

That's it! You should now be able to login to Cisco Call Manager.

Getting a strange PING from your Cisco Call Manager? Dropping every 6th packet?

We have been having some issues with our Cisco VOIP system here, such as phones rebooting, SRST Fallback messages etc. During the troubleshooting process I discovered what I thought was latency with the route to the Call Manager:


MDF1#ping
Protocol [ip]:
Target IP address: 192.168.XXXX
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.22.1, timeout is 2 seconds:
!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!
!.!!!!!.!!!!!.!!!!!.!!!!!.!!!!
Success rate is 84 percent (84/100), round-trip min/avg/max = 1/2/9 ms

We got on the phone with Cisco and replaced the adjoining switch, to no avail. Upon further investigation we discovered that this is normal and has to do with the firewall policy. Cisco CUCM and other VOIP products (CUC) use a rate limit on their firewall to protect against DoS attacks, and we can safely ignore this:

admin:utils firewall ipv4 list
***output Omitted***
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 10/sec burst 5
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/min burst 5 LOG flags 0 level 4 prefix `ping flood '
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
***output Omitted***
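
Why "limit: avg 10/sec burst 5" produces exactly the !!!!!. pattern and 84/100 above can be shown with a small token-bucket model of that rule. This is an added example, not part of the original post or Cisco's code. It assumes a fixed 2 ms round trip and that every echo request is evaluated by the limit rule; the function and parameter names are made up for the illustration.

```python
# Added example: token-bucket model of the "limit: avg 10/sec burst 5" rule.
# Assumptions (not from the page): fixed 2 ms round trip, and every ICMP
# echo request is evaluated by the limit rule.

def simulate_ping(count=100, rate_per_sec=10.0, burst=5, rtt=0.002, timeout=2.0):
    """Return an IOS-style result string: '!' for a reply, '.' for a timeout."""
    tokens = float(burst)   # the bucket starts full
    last = 0.0              # time of the previous echo request
    now = 0.0               # arrival time of the current echo request
    marks = []
    for _ in range(count):
        # Refill for the time elapsed since the previous packet, capped at burst.
        tokens = min(float(burst), tokens + (now - last) * rate_per_sec)
        last = now
        if tokens >= 1.0:
            tokens -= 1.0       # ACCEPT rule matches, the echo is answered
            marks.append("!")
            now += rtt          # sender transmits the next echo after the reply
        else:
            marks.append(".")   # limit exceeded, packet falls through to DROP
            now += timeout      # sender waits the full timeout before retrying
    return "".join(marks)


def success_rate(marks):
    """Return (replies, total) for a result string."""
    return marks.count("!"), len(marks)


if __name__ == "__main__":
    result = simulate_ping()
    for i in range(0, len(result), 70):   # IOS wraps its output at 70 characters
        print(result[i:i + 70])
    ok, total = success_rate(result)
    print(f"Success rate is {100 * ok // total} percent ({ok}/{total})")
    # Echoes spaced 100 ms apart stay within 10/sec and lose nothing.
    print(success_rate(simulate_ping(rtt=0.1)))
```

Five back-to-back echoes drain the burst, the sixth is dropped, and the 2-second timeout refills the bucket, which is why the loss is periodic rather than random.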