Hi Jonathan,

Thankyou for your explanation.

The answer below to reply your previous question :

1. Its properly configured

2. No, it didnt appear as red text

3. Yes, device can registered properly when in LAN

4. Yes, youre correct

5. I'd tried to restart the expressway twice

Fyi, i didnt create any jabber-config. I guess the device can't get the tftp information. But thats just my presumption.

Cheers

It would be helpful if you could also post your jabber client troubleshooting log (Help > Report a problem) after a failed softphone registration.

One last thing, from the jabber client, when you look at Help > Show connection status, under the "Softphone" section, what does it say for the Status, Protocol, and Address?

Hi Jonathan,

PFA for the Jabber Client Troubleshooting log and connection status.

Based on the logs you sent I can see the following:

A. A SIP register message went out to the EXP-E from the CSF device and was not responded to (at least there was no response in the CSF log - more on this later).

2016-03-21 13:35:45,024 DEBUG [0x000026c4] [oftphonewrapper\CC_SIPCCService.cpp(342)] [csf.ecc.sipcc] [_SIPCCLoggerFunction] - sipio-sent---> REGISTER sip:cucm.demo.astra.co.id SIP/2.0
Via: SIP/2.0/TLS 10.0.27.216:50718;branch=z9hG4bK00001cc9
From: <sip:5002@cucm.demo.astra.co.id>;tag=3468950133b300020000200b-000054d3
To: <sip:5002@cucm.demo.astra.co.id>
Call-ID: 34689501-33b30002-00002cb3-000061ed@10.0.27.216

B. It appears that the CSF device was able to download its configuration (as confirmed by the 200 OK). The full configuration file for the CSF device was also displayed near the end of the PRT.

2016-03-21 13:36:14,883 INFO  [0x0000040c] [ls\src\http\BasicHttpClientImpl.cpp(373)] [csf.httpclient] [http::executeImpl] - *-----* HTTP response from: https://ewedge.demo.astra.co.id:8443/ZGVtby5hc3RyYS5jby5pZC9odHRwL2N1Y20uZGVtby5hc3RyYS5jby5pZC82OTcw/CSFjabberdemo2.cnf.xml[17] -> 200.
2016-03-21 13:36:14,899 DEBUG [0x0000040c] [src\config\TftpHelper.cpp(134)] [csf.ecc] [ecc::TftpHelper::doRetrieveFile] - HTTP Result: 200

C. Later on in the log it indicates that the SIP TLS connection was closed by the remote end (Expressway-E or any other device in the path).

2016-03-21 13:35:56,289 ERROR [0x000026c4] [ndyiron\src\security\sec_ssl_api.c(2507)] [csf.ecc.handyiron] [secSSLReceive] - SSL_read() : Protocol violation socket error (e.g. remote end closed socket).
2016-03-21 13:35:56,289 DEBUG [0x000026c4] [oftphonewrapper\CC_SIPCCService.cpp(342)] [csf.ecc.sipcc] [_SIPCCLoggerFunction] - SIPCC-SIP_TCP_MSG: sip_tcp_read_socket: CUCM closed TCP connection.
2016-03-21 13:35:56,289 DEBUG [0x000026c4] [oftphonewrapper\CC_SIPCCService.cpp(342)] [csf.ecc.sipcc] [_SIPCCLoggerFunction] - SIPCC-SIP_TRANS: sip_transport_destroy_cc_conn: CC <PRIMARY_CCM>: closing the TCP connection

Immediately after we can see in the CSF Out Of Service Alarm (OOS), that the last SIP message sent from the CSF device was the SIP Register message. To confirm that the CSF device did not receive a response we can see that the "LastProtocolEventReceived" section of the OOS Alarm has no content.

2016-03-21 13:35:56,289 DEBUG [0x000026c4] [honewrapper\ccapi_plat_api_impl.cpp(765)] [csf.ecc.sipcc] [platSetAlarmXML] - Last OOS Alarm: <?xml version="1.0" encoding="UTF-8" ?>
<x-cisco-alarm>
 ...Some Output Removed...
<Enum name="ReasonForOutOfService">12</Enum>
<String name="LastProtocolEventSent">Sent:REGISTER sip:cucm.demo.astra.co.id SIP/2.0  Cseq:101 REGISTER CallId:34689501-33b30002-00002cb3-000061ed@10.0.27.216</String>
<String name="LastProtocolEventReceived"></String>
 ...Some Output Removed...

Unfortunately the CSF logs were not from the same source device or in the same time frame as the diagnostic logs taken from the EXP-E so it is not possible to correlate the EXP logs to the CSF logs.

A few additional points:

1. Is your EXP-E behind NAT, or does it connect directly to the internet?

2. If EXP-E is behind NAT (or a firewall), can you confirm that the firewall does not perform any SIP inspection (can you also confirm the vendor of firewall)? This also includes any type of SIP inspection between the EXP-C and the EXP-E.

3. On the EXP-C please you try the following:

a. Navigate to "Configuration > Unified Communications > Unified CM Servers"

b. Delete all Unified CM servers in the list.

c. Re-Add the UCM publisher node (it should automatically discover the rest of the cluster nodes).

d. Restart the EXP-C and see if there is any improvement in the softphone registration.

Hi Jonathan,

thanks for your reply. Below is to answer your points :

1 & 2. My Exp-E server is behind NAT and deployed with dual NIC. FYI, the firewall didnt perform any SIP inspection

3. I will try this

Thanks.

Hi There,

Any luck with your expressways?

Hi Jonathan,

No luck here. I think its because of SIP Inspection. I try to verify again with my customer. 

But from your perspective, all of my configuration is already correct right?

Yes, it could be an issue related to their firewall.

It would be interesting to grab a diagnostic log with packet capture on the EXP-C/EXP-E as well as the Tshoot log from the jabber client while reproducing the issue.

That way we know if the jabber client receives a TCP reset from the far end and we don't see it in the EXP-E packet capture, there is another device in the path sending the reset (could be firewall).

Also to confirm, is the static NAT mode on the EXP-E set to ON and configured with an external NAT address?

PFA my IP configuration on Expressway-E and last log that i capture.

Thanks for gathering all of those traces!

The following breakdown compares log snippets to parts of the wireshark capture from the EXP-E LAN2 interface (Wireshark adjusted -10 hours, +3 seconds to match with jabber log timestamps).


A. Jabber client opens a SIP connection to the EXP-E on port 5061 (source port 61732).

Jabber Log:

2016-03-23 11:08:17,779 DEBUG [0x00002154] [oftphonewrapper\CC_SIPCCService.cpp(342)] [csf.ecc.sipcc] [_SIPCCLoggerFunction] - SIPCC-SIP_CC_CONN: sip_transport_setup_cc_conn: <PRIMARY_CCM>: CC TCP socket opened: to <202.46.131.118>:<5061>, local_port: 61732 handle=<6692>
2016-03-23 11:08:17,779 INFO  [0x00002154] [oftphonewrapper\CC_SIPCCService.cpp(339)] [csf.ecc.sipcc] [_SIPCCLoggerFunction] - set_active_ccm: ccm=PRIMARY_CCM  port=61732

B. Jabber client sends a SIP register message at 11:08:19 which is never received by the EXP-E. No record of the packet in the EXP-E logs, or in the PCAP as seen below.

Jabber Log:

2016-03-23 11:08:19,984 DEBUG [0x00002154] [oftphonewrapper\CC_SIPCCService.cpp(342)] [csf.ecc.sipcc] [_SIPCCLoggerFunction] - sipio-sent---> REGISTER sip:cucm.demo.astra.co.id SIP/2.0

C. Jabber client times out the SIP registration due to no response and marks the CUCM servers as unhealthy.

Jabber Log:

2016-03-23 11:08:22,547 DEBUG [0x00002828] [TelephonyAdapterAuthentication.cpp(1234)] [TelephonyAdapter] [TelephonyAdapter::Connect] - Failed to connect with CUCM [error: eDeviceRegTimedOut]
2016-03-23 11:08:22,547 DEBUG [0x000011c4] [\impl\TelephonyServerHealthImpl.cpp(267)] [csf-unified.telephony.TelephonyServerHealthImpl] [TelephonyServerHealthImpl::updateHealth] - updating health with serverType [CucmSoftphone] serverHealthStatus [Unhealthy] serverConnectionStatus [Disconnected] serverAddress [cucm.demo.astra.co.id (CCMCIP - Expressway)] serviceEventCode [UnknownConnectionError] transportProtocol [SIP]

Based on what we can see in the logs and PCAP, it looks like something is interfering with the SIP messaging between the MRA client and the EXP-E.

Please double check with your customer that they do not have a firewall attempting to inspect the traffic on 5061.

Hi There,

Im seeing very similar behaviour when trying to register a Jabber client through a Checkpoint firewall.

I can see the REGISTER being sent in the jabber logs and also the relevant packet (TLS port5061) from my laptop, however it seems like the firewall is replying the TLS packet as the EXPE never receives it.

The firewall administrator is certain the checkpoint is working as per normal and dropping anything.. However, although its not dropping packets.. its intercepting packets and replying on behalf of the EXPE device.

Has anyone configure Jabber via a Checkpoint firewall, what inspection settings etc need to be configured.

cheers

Ben

Hi Ben,

We have seen tons of issues with SIP and Palo Alto firewalls. The main problem is that the dropped SIP packets do not show up in the PA logs. The only way to get them is to run a PCAP on the PA and look at the special "dropped packets" PCAP file that the FQ generates.

The solution for all of the SIP related PA issues I have seen is to remove SIP inspection on the PA and write an application override for SIP. There is an article on the PA site which hopefully can help you accomplish this.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-Override-Policy/ta-p/60044

Please let us know if this helps.

Thanks Jonathon, this will come in handy as I'm also having MRA issues with SIP Signalling via a PA device.

Do you have any references for Checkpoint Firewall?

Thanks

Ben