Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1550
Views
45
Helpful
6
Replies

"Cisco Jabber over MRA" registration issue

akhilkumar.sharma
Level 1
Level 1

‎01-04-2022 12:29 AM - edited ‎01-04-2022 01:26 AM

I am not able to register Jabber over MRA(CUCM 12.5 SU5, Xpressway 12.7, Dual NIC)

1) Internally it works fine

2) On Cisco tool CSA, it says "404 not found" policy issue. Attached word document for CSA output.

3) In PRT logs I can see "(1003) ServiceDiscoveryCannotConnectToCucmServer"

 

Attached are the PRT logs for your reference, kindly help in pointing out the error and resolution.

FYI, this is a new deployment and it is not working for any user.

 

 

 

 

Labels:
MRA issue Themba.zip
555 KB
6 Replies 6

b.winter
VIP
VIP

‎01-04-2022 05:28 AM

Hi,

 

your EXP-E certificate doesn't contain the domain, on which you are trying to login as a SAN. In your case "sasol.com".

Can the EXP-C resolve the SRV-Record "_cisco-uds._tcp.sasol.com"?

Can the EXP-C resolve it's hostname and the corresponding reverse pointer?

 

What version of CUCM, IMP, EXP, ... do you use?

If you use EXP X14.0.2 or later, please keep the following note in mind:

The Certificate Authority (CA) that signed the Expressway-C certificate must be added to the tomcat-trust & CallManager-trust list of Cisco UCM, even if it is in non-secure mode, otherwise MRA services may be impacted

 

Have you taken logs of EXP-C and -E and let it verify with CSA? In some cases, the tool also gives you the correct solution.

 

--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---

akhilkumar.sharma
Level 1
Level 1
In response to b.winter

‎01-04-2022 08:41 AM

Hi B, thanks for your prompt response, please find below answers-

 

your EXP-E certificate doesn't contain the domain, on which you are trying to login as a SAN. In your case "sasol.com". ---AS-->I understand that domain is missing, but is it really impacting the registration/login functionality? as Exp-E & C are able to converse through Active Traversal zone.

Can the EXP-C resolve the SRV-Record "_cisco-uds._tcp.sasol.com"? AS--> Yes, all target servers(Pub + 2 Sub) are getting resolved through this UDS query.

Can the EXP-C resolve it's hostname and the corresponding reverse pointer? AS-->Primary Exp-C01 (A & PTR) both are working, Secondary Exp-C02 only A record working(PTR not working). Also for CUCM,IMP,Exp only A records work (PTR not working).

 

What version of CUCM, IMP, EXP, ... do you use? AS--> CUCM 12.5SU5, IMP 12.5, Exp-12.7

If you use EXP X14.0.2 or later, please keep the following note in mind: 

The Certificate Authority (CA) that signed the Expressway-C certificate must be added to the tomcat-trust & CallManager-trust list of Cisco UCM, even if it is in non-secure mode, otherwise MRA services may be impacted

 

Have you taken logs of EXP-C and -E and let it verify with CSA? In some cases, the tool also gives you the correct solution. --AS--> Will it impact anyhow as Exp servers are in production?

 

Again, a big thankyou.

0 Helpful

Nithin Eluvathingal
VIP
VIP
In response to akhilkumar.sharma

‎01-04-2022 08:41 PM

---AS-->I understand that domain is missing, but is it really impacting the registration/login functionality? as Exp-E & C are able to converse through Active Traversal zone.

Expressway E cert must contain your public Domain as SAN filed. its mandatory for MRA feature.

 

Collect the logs from both E and C and run it on CSA tool. taking logs wont effect your production. Once log collection is done, make sure you change  log configuration from  debugging mode to info mode.

 

Refer below links

 

https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/213360-collect-expressway-vcs-diagnostic-log-fo.html

https://www.youtube.com/watch?v=sO4H4kkHaAchttps://video.cisco.com/video/5810050375001

 

 

 



Response Signature


akhilkumar.sharma
Level 1
Level 1
In response to Nithin Eluvathingal

‎01-05-2022 09:20 AM

Thanks a lot Nithin, I followed your advise and CSA tool says the same.

1) Domain missing in cert.

2)Reverse lookup issue.

I will respond here once I am done with these 2 activities.

Roger Kallberg
VIP
VIP
In response to akhilkumar.sharma

‎01-04-2022 10:51 PM

Apart from the suggestion from Nithin you’ll need to fix your problem with PTR records as it’s required for not only MRA services for reverse lookup to function properly. On your question about impact of collecting logs from a production system. No it has no impact.



Response Signature


akhilkumar.sharma
Level 1
Level 1
In response to Roger Kallberg

‎01-05-2022 09:21 AM

Thanks a lot Roger, I followed your advise and CSA tool says the same.

1) Domain missing in cert.

2)Reverse lookup issue.

I will respond here once I am done with these 2 activities.

0 Helpful
Customers Also Viewed These Support Documents