cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
17023
Views
15
Helpful
11
Replies

Jabber MRA Edge_Connection_Failed

Kane Smith
Level 1
Level 1

Hi guys,

 

I have Jabber 11.8.5 and Expressway x8.10. I have followed the Expressway deployment guide for MRA in a multi-domain environment. I configured the "voiceservicesdomain" in the jabber-config-user.xml file under Appdata\Roaming etc. I have an internal domain "uccelab.com" in which I have CUCM 11.5, IMP 11.5 and Expressway C. I have the Expressway-E in "lab-external.com". The traversal zone is of type "Unified Communications" and is active. When I run Jabber, I get prompted for username and password, then Jabber reports "Cannot communicate with the server". Jabber diagnostics shows "Failure: FAILED_EDGE_CONNECTION".

In the jabber logs I see that "_cisco-uds" isn't found and neither is "_cuplogin". Then "_collab-edge" is found with the lab-external domain as expected. Then I seem to have certificate issues on which I am not very clear. Before Jamie has a go at me, LOL, I have read the certificates chapter in the deployment guide. On the Jabber PC I have installed the CA ROOT certificate in Trusted Root Certificate Authorities and I have the SERVER certificate in Enterprise Trust. I created both certificates using my internal MS CA server. 

If the Jabber PC is inside the network, it picks up the internal DNS server and Jabber can log in fine.


Can anyone advise please?

1 Accepted Solution

Accepted Solutions

Hi Kane,

Its my pleasure to help.

When we analysed expressway logs, we saw that the CWAY tool complained about TLS error for the XMPP traffic on port 7400

 

++ Here is an excerpt of the logs ++

2017-10-03T11:58:53.866+01:00 atlas-exp-c XCP_JABBERD[11048]: UTCTime="2017-10-03 10:58:53,866" ThreadID="139833605216000" Module="Jabber" Level="INFO " CodeLocation="mio.c:1132" Detail="Connecting on fd 26 to host '172.29.1.118', port 7400"
2017-10-03T11:58:53.868+01:00 atlas-exp-c XCP_JABBERD[11048]: UTCTime="2017-10-03 10:58:53,867" ThreadID="139833849988864" Module="Jabber" Level="INFO " CodeLocation="base_connection.cpp:56" Detail="Component jabberd-port-1.atlas-exp-c-uccelab-com is CONNECTED"
2017-10-03T11:58:53.885+01:00 atlas-exp-c XCP_JABBERD[11048]: UTCTime="2017-10-03 10:58:53,885" ThreadID="139833649370880" Module="Jabber" Level="WARN " CodeLocation="cvsservice.cpp:601" Detail="Certificate verification failed for host=172.29.1.118, additional info: Invalid Hostname atlas-exp-e.lab-external.com"
2017-10-03T11:58:53.886+01:00 atlas-exp-c XCP_JABBERD[11048]: UTCTime="2017-10-03 10:58:53,886" ThreadID="139833649370880" Module="Jabber" Level="WARN " CodeLocation="ssl.c:507" Detail="The SSL Handshake failed for fd (26). SSL Error code: 1"

 

After looking at this we observed that there were two DNS Alias entries for the hostname of the expressway-e. Once we removed this, MRA sign worked.

In newer version of expressy, the XMPP connection on the core uses TLS to verify the identity of the expressway-e. It does this doing a DNS reverse lookup on the ip address of the expressway-e.

 

Please rate all useful posts

View solution in original post

11 Replies 11

Andrew West
Level 4
Level 4

Have you validated your Collab Edge deployment via the CSA? https://cway.cisco.com/tools/CollaborationSolutionsAnalyzer/ 

 

When you logg into your Expressway/VCS-C does the Unified Comm status page show everything correctly? 

 

If I read your message right you arent even getting to your service domain or you are able to get to that and its the next logon that fails? 

 

Hi, yes everything seems to be up and active. Screenshots attached. I've also attached the diagnostic logs further down. I'm not convinced that there is any further communication beyond the returning of the _collab-edge SRV. There seems to be a certificate issue even though I've followed the Cisco Expressway deployment guide and also the certificate guide.   

 

Thanks for your help.

Ayodeji Okanlawon
VIP Alumni
VIP Alumni

From your jabber logs, Jabber is unable to connect to the edge server.

Is there firewall involved here? I am asking because this looks like a lab setup, but if you have firewall I would suggest that you check that you have configured firewall rules as documented.

Secondly, We need your diagnostic logs from expressway-e and c to know whats going on.

 

 

HTTP response code 0 for request #0 to https://atlas-exp-e.lab-external.com:8443/[...]
2017-09-26 12:47:13,372 ERROR [0x00000af8] [ls\src\http\BasicHttpClientImpl.cpp(457)] [csf.httpclient] [csf::http::executeImpl] - There was an issue performing the call to curl_easy_perform for request #0: CONNECTION_TIMEOUT_ERROR

 

Cert vberification looks okay: Do you get any cert error on the client?

"

Match for 'atlas-exp-e.lab-external.com' found in dnsNames index: 0

--

Verification of identity succeeded. Matched identifier : 'atlas-exp-e.lab-external.com'

--

Setting the certificate verification result to success"

Please rate all useful posts

Hi, thanks for your response.

 

There is no firewall. It is a lab environment and all devices are on a flat network. I got a message to accept a certificate the first time I started Jabber. I also had to enter a username and password the first time but not since. Now when jabber is started, it states "Finding services" for a few seconds before giving the "Cannot communicate with server" error message.The CSA tool reports that it couldn't get certificate details for Expressway E.

Diagnostic logs attached - you'll need to add a .gz to the filenames after downloading as these are not supported formats for upload.

From your diagnostic logs, I do not see any MRA transactions. So here are my questions

1. Is the MRA feature enabled on Expressway-C

2. How many NICs are you using for Expressway-e deployment? Single or dual NIC

3. If you are using a Dual NIC, do you have static route configured pointing to your internal network

 

We need to look at your configuration, something is obviously not right with it

Please rate all useful posts

Hi, MRA is enabled. Screenshots attached. It is a single NIC deployment on a flat network.

I saw the same. No MRA transactions. I've spent about 4 days on this and haven't progressed. Your assistance is appreciated. 

 

 

Your logs contain almost no MRA transaction. Which suggests that Jabber cant connect to E to perform service discovery etc..

When are you available for a webex? Which time zone are you?

Please rate all useful posts

Hi, your help is greatly appreciated. I can make myself available when it suits you. Any time tomorrow or on Saturday if you prefer. I'm in the UK - currently BST timezone.

HI Kane,

 

as discussed please send the expressway-C logs and the CWAY analyzer screen shot so we can post the resolution for others.

Please rate all useful posts

Hi Deji,

 We should mention that the initial issue of no MRA signalling was due to a dodgy Windows 7 VM :-).

 I built another VM which did interact with Exp-E, there was MRA signalling but then Jabber reported "Cannot communicate with server". Screenshot and logs from Expressway-C are attached. I'll let your good self provide the explanation.

 Thanks very much for getting this resolved. Really appreciated!

Hi Kane,

Its my pleasure to help.

When we analysed expressway logs, we saw that the CWAY tool complained about TLS error for the XMPP traffic on port 7400

 

++ Here is an excerpt of the logs ++

2017-10-03T11:58:53.866+01:00 atlas-exp-c XCP_JABBERD[11048]: UTCTime="2017-10-03 10:58:53,866" ThreadID="139833605216000" Module="Jabber" Level="INFO " CodeLocation="mio.c:1132" Detail="Connecting on fd 26 to host '172.29.1.118', port 7400"
2017-10-03T11:58:53.868+01:00 atlas-exp-c XCP_JABBERD[11048]: UTCTime="2017-10-03 10:58:53,867" ThreadID="139833849988864" Module="Jabber" Level="INFO " CodeLocation="base_connection.cpp:56" Detail="Component jabberd-port-1.atlas-exp-c-uccelab-com is CONNECTED"
2017-10-03T11:58:53.885+01:00 atlas-exp-c XCP_JABBERD[11048]: UTCTime="2017-10-03 10:58:53,885" ThreadID="139833649370880" Module="Jabber" Level="WARN " CodeLocation="cvsservice.cpp:601" Detail="Certificate verification failed for host=172.29.1.118, additional info: Invalid Hostname atlas-exp-e.lab-external.com"
2017-10-03T11:58:53.886+01:00 atlas-exp-c XCP_JABBERD[11048]: UTCTime="2017-10-03 10:58:53,886" ThreadID="139833649370880" Module="Jabber" Level="WARN " CodeLocation="ssl.c:507" Detail="The SSL Handshake failed for fd (26). SSL Error code: 1"

 

After looking at this we observed that there were two DNS Alias entries for the hostname of the expressway-e. Once we removed this, MRA sign worked.

In newer version of expressy, the XMPP connection on the core uses TLS to verify the identity of the expressway-e. It does this doing a DNS reverse lookup on the ip address of the expressway-e.

 

Please rate all useful posts