
Jabber over MRA Not Working. "You can not login out of corporation network".

aniket0422
Level 1

Hi Guys,

 

I am facing a weird issue with Jabber over the Internet. The setup was working fine till last week. Then suddenly a few users reported that Jabber is not working over the Internet. It's not working for all at this moment.

 

Below is the checklist I performed.

1. Checked MRA and B2B Zone. Both are active.

2. Checked SIP Trunk on CUCM, though it is used for B2B. Reset SIP trunk.

3. Rebooted EXP-C and EXP-E

4. Checked Licenses on Expressway servers. Licenses are fine.

5. Checked certificates on Expressway servers. Re-uploaded certificates. EXP-C and EXP-E FQDN and domain name are there in the SAN entries of the certificates. Certificates are signed using OpenSSL.

6. Checked ports on firewall. It is set for an any-any rule. Even checked with specific ports 8443, 5060, 5061, 443, 1719, 1720, 5222.

7. Checked by changing Public IP.

8. Checked A and SRV records on Public DNS.

9. Checked A and SRV records on Internal DNS.

10. Upgraded Expressway servers to X8.10.

 

Still, if I check the Cisco SRV analyzer, it shows the required ports are blocked, and Jabber is not working, with the error "You can not log out of corporation network".

 

Please help.

3 Replies

Slavik Bialik
Level 7

Hi,

Did you also check the existence of the PTR record in your internal DNS?

If you are using a single NIC deployment, you must have a PTR record of your PUBLIC IP address of the Expressway-E configured in your internal DNS.

If you are using a dual NIC deployment, you must have a PTR record of your internal DMZ IP address of the Expressway-E configured.

 

Anyway, I'm guessing you used the SRV checker in this page:

https://cway.cisco.com/tools/CollaborationSolutionsAnalyzer/

 

Can you also try using CollabEdge Validator?

Also try the Log Analysis tool: just take a dump of the logs from both Expressways and upload them to this tool, and it'll output very useful information. It helped me a few times to resolve some difficult issues that you can find easily by reading the logs.

 

If possible, share the outputs from the above with us, maybe we'll see something over there.

 

Do you have access to your firewall? If so, review the routing and the policy again. Also check that the NAT rule is still working.

 

BTW, what about the certificates of the CUCM and IM&P servers? Are they fine? Maybe they expired or something like that. If your Expressway-C server is communicating towards those servers with TLS, it may lead to that.

Hello Slavik,

 

It's a dual NIC deployment. Forward and reverse lookups for EXP-C and EXP-E are in place on the internal DNS.

 

Below is the result of the CollabEdge Validator.

[Attached images: Capture.JPG, a.JPG, 3.JPG]

 

Log Analysis also shows that ports are blocked. Attaching logs from the Expressway servers.

 

I am not a firewall expert, but below is the snap shared by the firewall team with me, stating no issue from the firewall side.

[Attached image: SS.JPG]

 

CUCM and IMP certificates are valid.

What about this thing?

 

[Attached image: NIC.JPG]

 

Times-Square#sh mac address-table address d8b1.9040.e7e8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    d8b1.9040.e7e8    DYNAMIC     Gi3/0/26
Total Mac Addresses for this criterion: 1
Times-Square#
Times-Square#sh mac address-table address d8b1.9040.e7e9
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
Times-Square#

 

But I am able to ping the IP address.

 

Times-Square#
Times-Square#ping 10.20.14.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.14.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
Times-Square#

 

The switch is not learning the MAC address of NIC-2, which is the EXP-E external interface. Could this be a problem?