You can check the following:
For 53xxe series, the potential root causes are:
1. SAC port 3998 is blocked between controller and 53xx series IP phones. For pre-MiVB 9.2, SAC port 3999 was used.
2. For 5330/40, when custom certificate is loaded in ESM -> Device Certificate as 5330/40 does not support custom certificate at all
3. For 5330/40, when the security level in ESM is set to low or high as 5330/40 does not support TLS 1.0+
4. For 5330/40 Teleworker, when the minet option for SAC port is set to TCP as 5330/40/MIVB 9.2 requires secure SAC port 3998.
5. For 5330/40 Teleworker, when the device certificate is loaded in MIVB.
6. For 53xxe or 69xx, when custom certificate is not loaded properly.
For custom certificate to load properly, in addition to the certificate loaded in ESM -> Device Certificate, DHCP option for IP phone should include cfg_srv_url tag. Also in ESM system option, Enabled TCP for IP Set registration is required.
Procedure
For case 1, make sure SAC port 3999 ( pre-MiVB 9.2) and secure port 3998 (mivb 9.2 or higher) is not blocked.
For case 2 and 5, if custom certificate is loaded in ESM->Device Certificate, remove the custom certificate.
For case 3, set the security level in ESM to Legacy
For case 4, set the Minet option for SAC port in MBG to TCP/TLS
For case 6, ensure the IP phone can access the custom certificate via DHCP option (cfg_srv_rul tag is set correctly). Enabled TCP for IP Set registration - system option is enabled and the custom certificate is loaded in Device Certificate.