Edge 2024.6.1 R750 nodes reject SIP registration during local survivability failover

Primary WAN drops during the nightly Tokyo ISP window. Edge 2024.6.1 cluster flips straight into local survivability mode while the R750 nodes stay stable with the dual NIC bond holding. Local SIP stack won’t accept desk phones and the logs just spam 401 Unauthorized with SIP_REG_FAIL: local_auth_mismatch. Pairing status stays green in the console yet nothing connects to the local media server, and the /etc/asterisk/sip.conf override hasn’t updated the auth token while the whole stack is doing jack all.

The local_auth_mismatch error is almost always a certificate trust issue, not a password one. When Edge flips to local mode, the SIP stack switches to using the local device certificate for TLS verification. If the R750’s local CA isn’t properly chained or if the phone’s trust store hasn’t been updated since the last firmware push, the registration fails with 401 even though the credentials are correct.

Check the /var/log/edge/sip-server.log on the node. Look for verify error:num=20:unable to get local issuer certificate. If you see that, the phone doesn’t trust the local CA.

You can force a re-sync of the trust store via the API. First, get the device ID:

curl -X GET "https://api.mypurecloud.com/api/v2/telephony/providers/edges/nodes/{nodeId}/devices" \
 -H "Authorization: Bearer $TOKEN"

Then trigger a config push to update the certificates:

curl -X POST "https://api.mypurecloud.com/api/v2/telephony/providers/edges/nodes/{nodeId}/devices/{deviceId}/actions/resync" \
 -H "Authorization: Bearer $TOKEN" \
 -H "Content-Type: application/json"

If that doesn’t clear it, you might need to manually export the local CA from the Edge node and push it to the phone’s trusted store via the provisioning file. The default file often misses the intermediate cert in the chain. Also, make sure the sip.conf override isn’t blocking the local realm. Sometimes the override gets cached and the node tries to authenticate against the cloud realm instead of local. Restarting the sip-server service on the node usually clears that cache.

systemctl restart sip-server

Don’t forget to check the time sync on the node. If NTP is drifting, the cert validation window might be closed. It’s a small detail but it causes exactly this type of intermittent 401 error during failover events.
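
Added example, not part of the original thread and not vendor code: a small triage script that separates the causes discussed above (missing CA or intermediate, clock drift, realm override) by the OpenSSL verify codes that accompany the 401s. The log line layout, timestamps and addresses in SAMPLE_LOG are constructed for illustration; only the two error strings come from the thread.

```python
import re
from collections import Counter

# OpenSSL X509 verify codes that map onto the causes named in the thread.
TRUST_CODES = {20: "issuer not in trust store (local CA or intermediate missing)",
               21: "leaf sent without its chain (intermediate missing)"}
TIME_CODES = {9: "certificate not yet valid (clock behind, check NTP)",
              10: "certificate expired (clock ahead or cert is stale)"}
VERIFY_RE = re.compile(r"verify error:num=(\d+):")
MISMATCH = "SIP_REG_FAIL: local_auth_mismatch"

def triage(log_text):
    """Classify a failover window from sip-server.log text."""
    codes = Counter(int(n) for n in VERIFY_RE.findall(log_text))
    mismatches = log_text.count(MISMATCH)
    trust = sum(codes[c] for c in TRUST_CODES)
    clock = sum(codes[c] for c in TIME_CODES)
    if trust or clock:
        verdict = "trust" if trust >= clock else "time"
    elif codes:
        verdict = "other-tls"
    elif mismatches:
        # 401s with no TLS verify failure: look at the sip.conf realm override.
        verdict = "realm-or-credentials"
    else:
        verdict = "clean"
    reasons = {**TRUST_CODES, **TIME_CODES}
    notes = [f"num={c} x{n}: {reasons.get(c, 'other verify failure')}"
             for c, n in codes.most_common()]
    return {"verdict": verdict, "mismatches": mismatches,
            "codes": dict(codes), "notes": notes}

# Constructed sample; the real log layout on an Edge node may differ.
SAMPLE_LOG = """\
02:14:07 tls peer=10.20.30.41 verify error:num=20:unable to get local issuer certificate
02:14:07 sip 401 Unauthorized SIP_REG_FAIL: local_auth_mismatch
02:14:09 tls peer=10.20.30.42 verify error:num=20:unable to get local issuer certificate
02:14:09 sip 401 Unauthorized SIP_REG_FAIL: local_auth_mismatch
02:14:12 tls peer=10.20.30.43 verify error:num=9:certificate is not yet valid
02:14:12 sip 401 Unauthorized SIP_REG_FAIL: local_auth_mismatch
02:14:15 tls peer=10.20.30.41 verify error:num=20:unable to get local issuer certificate
02:14:15 sip 401 Unauthorized SIP_REG_FAIL: local_auth_mismatch
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"], result["mismatches"])
    print("\n".join(result["notes"]))
```

A "realm-or-credentials" verdict means the 401s arrived with no TLS verify failure, which is the case where the cached sip.conf override is the first thing to check.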