Expressway Errors Inbound TLS Negotiation Error & Authentication Failed Service

srsalari111 · ‎12-23-2016

Hi Community,

There is a problem in Jabber Clients (iPhone and Android). They disconnect from phone service after a while and can not reconnect to phone service unless our clients sign out and sign in again.

There is no problem with IM and Presence service.

CUCM is version 11.5

CUIMP 11.5

Expressway 8.9

Jabber client version 11.8

Certificate CA is public valid CA authority.

There are two errors in Expressway E log:

tvcs: Event="Authentication Failed" Service="SIP" Src-ip="1.1.1.1" Src-port="1029" Detail="No valid authentication" Protocol="TLS" Method="REFER" Level="1" UTCTime="2016-12-23 15:07:22,243"

tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="1.1.1.1" Src-port="1516" Dst-ip="expressway WAN IP" Dst-port="5061" Detail="Timeout" Protocol="TLS" Level="1" UTCTime="2016-12-23 13:56:33,077"

On expressway C there is one error:

alarmdaemon: Level="INFO" Event="Alarm Lowered" Id="40037" UUID="f2b8149b-e0f7-4b70-ba9b-8f2aa627ca35" Severity="warning" Detail="Delegated credential checking error: There is a communication problem with the traversal client zone Traversal zone for UCMC used to receive delegated credential checking requests" UTCTime="2016-12-24 05:12:34,171"

Any help would be highly appreciated.

Please advise.

Cordially,

james.buchanan1 · ‎12-27-2016

I have seen two causes to this error:

1. The firewall from the Internet to the DMZ is doing SIP inspection and basically mangling the SIP packets.

2. CUCM is not set to communicate using TLS to the Expressway C. I know it says it is "up" with just TCP, but it really needs to be TLS and the CUCM's certs, whether self-signed or valid CA-signed, need to be uploaded to the Expressway C.