
CUCM 11, Expressway 8.6, Jabber 11 phone service is not working

Thomas Leitner
Level 4

Hey community ...

I'm frustrated :( ...

... what's the problem? ... setting up a simple MRA environment with CUCM 11, Expressway 8.6 and Jabber for Windows 11 ...

The login from the Windows client is fine ... but afterwards the phone service is not working.

I have no idea where the mistake could be ...

please help me :)

... attached is the Jabber log ...

thanks in advance!

Accepted Solutions

abdel-moniem
Level 5

Hello Tom, 

Going through the posted log files I can see several points here that would be a good idea to mitigate:

  • I see two different domains in use: one is ".local" and the other is ".at". On Expressway-E it is signed with CN= ***.***.local and not with the public domain. Besides, there was no SAN to validate the **.**.local domain. This is why you are receiving Invalid Certificate, and of course no Root CA is put there. You need to sign the Expressway-E certificate with a public CA with domain **.at, or add a SAN for **.at.
  • Despite that, a policy to access the certificate is enforced, prompting the user to accept, and then it passes.
  • I am not sure about the configuration of the Expway-E and Expway-C traversal zone, or the configuration of the allow list on Expway-C to allow HTTPS download/TFTP download. But it seems that after several trials it managed to download the configuration file.

So back to the problem,

The client is still able to reach the UCM. The HTTPS connection is somehow challenging here; however, the SIP registration is failing.

I am seeing SX10 registration with MAC address and also Jabber with CSFSX10AT device name. Username is sx10at, I believe?

Apparently a SIP registration is failing here with a "Forbidden 403" registration reply relayed by the Expressway-E:

ipio-recv<--- SIP/2.0 403 Forbidden
Via: SIP/2.0/TLS 172.19.30.106:55592;branch=z9hG4bK000014ed;received=212.241.65.35;rport=55592
Call-ID: 40618691-e9450012-000068cb-0000197c@172.19.30.106
CSeq: 184 REGISTER
From: <sip:501@cucm01.meinhart.local>;tag=40618691e945001300002b53-0000789e
To: <sip:501@cucm01.meinhart.local>;tag=1c6246c1f9dae786
Server: TANDBERG/4131 (X8.6)
Content-Length: 0
2015-08-27 21:56:43,100 DEBUG [0x0000234c] [p\sipcc\core\sipstack\ccsip_debug.c(326)] [csf.sip-call-control] [platform_print_sip_msg] - ::End-Of-Sip-Message::

so I wonder:

- Do you have SIP Digest Authentication enabled on the SIP Secure profile? If yes, please uncheck it. I see a Digest authentication trial as well. Local domain is used as well.

- If not, can you ensure the username/password are correct?

- Valid question: can you register the client internally on the local LAN without MRA?

- Do you have the end user associated with the Jabber device?

- Do you have CUCM added to the Expressway-C allow list with Device security profile?

- Is the CUCM in secure mode or non-secure mode?

Action:

- Check the above questions

- Try to sign the certificate of Expressway-E with a public CA, with the SAN added as well

Tell me what your thoughts are,

Abdel-moniem E. REZK

http://ucjournal.net

Rate if it is helpful
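
A small triage helper for the kind of log excerpt quoted in the answer above, added here as an example and not part of the original post or of any Cisco tooling: it pulls received SIP responses out of a Jabber log and lists REGISTER transactions that were rejected, with the domain from the From URI and the Server header. The log layout, the function names and every value in the sample are assumptions constructed from the shape of the quoted excerpt.

```python
import re

# Constructed sample shaped like the excerpt quoted in the post
# (documentation-range names; not the poster's real log).
SAMPLE_LOG = """\
2015-08-27 21:56:43,090 DEBUG [csf.sip-call-control] - recv<--- SIP/2.0 403 Forbidden
CSeq: 184 REGISTER
From: <sip:501@cucm01.example.local>;tag=aaa
Server: TANDBERG/4131 (X8.6)
2015-08-27 21:56:43,100 DEBUG [csf.sip-call-control] - ::End-Of-Sip-Message::
2015-08-27 21:56:44,000 DEBUG [csf.sip-call-control] - recv<--- SIP/2.0 200 OK
CSeq: 185 OPTIONS
From: <sip:501@cucm01.example.local>;tag=ccc
2015-08-27 21:56:44,010 DEBUG [csf.sip-call-control] - ::End-Of-Sip-Message::
"""

STATUS = re.compile(r"<--- SIP/2\.0 (\d{3}) (.+)$")
HEADER = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
URI_HOST = re.compile(r"sip:[^@>]+@([^;>:]+)")

def parse_responses(log_text):
    """Return one dict (status, reason, lower-cased headers) per received response."""
    responses, current = [], None
    for line in log_text.splitlines():
        status = STATUS.search(line)
        if status:
            current = {"status": int(status.group(1)), "reason": status.group(2).strip()}
            responses.append(current)
        elif "::End-Of-Sip-Message::" in line:
            current = None          # headers after this belong to no message
        elif current is not None:
            header = HEADER.match(line)
            if header:
                current[header.group(1).lower()] = header.group(2)
    return responses

def rejected_registrations(log_text):
    """List REGISTER transactions refused with a 4xx (401/407 challenges excluded)."""
    findings = []
    for resp in parse_responses(log_text):
        cseq = resp.get("cseq", "").split()
        refused = 400 <= resp["status"] < 500 and resp["status"] not in (401, 407)
        if len(cseq) == 2 and cseq[1] == "REGISTER" and refused:
            host = URI_HOST.search(resp.get("from", ""))
            domain = host.group(1) if host else None
            findings.append({"status": resp["status"], "reason": resp["reason"],
                             "aor_host": domain, "server": resp.get("server"),
                             # .local is not publicly resolvable: an internal-only name
                             "internal_only_domain": bool(domain and domain.endswith(".local"))})
    return findings
```

Calling `rejected_registrations()` on the text of a problem report gives one entry per refused registration, which makes it easy to see whether the refusal came back through the Expressway and which domain the client was registering against.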

7 Replies

Ammar Saood
Spotlight

I have the same setup, and it works fine for me.

Is it working locally?

What are your inside and outside domain names?

Are the DNS records pointing to the right servers?

gfolens
Level 4

I have the same problem with CUCM v10.5 and Expressway v8.6.

MRA was working fine with Jabber 10.6 but after upgrade to 11.0.1 the phone services do not work anymore.

Maybe some new ports to be opened on the FWs?

rgds, Geert.

 

I don't know why it's not working for you. It's working fine for me.

Maybe you need to configure your jabber-config file more appropriately.

Can you provide me read-only access to your VCS-E so I can troubleshoot your issue,

with one dummy account for Jabber as well?

Ammar Saood
Spotlight

I reviewed your configs.

You have added the WEBEX & CUCM domains to the excluded domains in your jabber-config file.

  <servicediscoveryexcludedservices>WEBEX,CUCM</servicediscoveryexcludedservices>

Remove CUCM and try your configs.

 

HTH,

AMMAR

Hey Ammar,

thanks for your reply ... I changed my config file ...

now the error message on my MRA-Device is "failed to get device configuration" ...

... do you have any idea?


Big THANKS again for your reply :)

best regards, Thomas

Hello

As an addition,

Please ensure that both the internal and external domains are added to the Expressway-C setup.

thanks