VCS-E MRA problem. Calls good in from internet, but fail out.

George Paxson · ‎12-15-2014

I will try to work left to right on my configuration
Left:
CUCM Pub and 2 Subs 9.1
domain name configured
internal FQDN certificate
*problem no DNS client with IP defined CUCM cluster members

CUPS 9.1 with DNS client and internal FQDN certificate

VCS C is connected to CUCM and CUPS with TLS

middle:
VCS C LAN1 on subnet A internal certificate
VCS C is connected to VCS E via LAN1 interfaces with TLS
VCS E LAN1 on subnet A with certificate subject alternative name

right:
VCS E LAN2 set to external with default gateway on subnet B
LAN2 static NAT configured
firewall inside on subnet B
firewall outside with static NAT no NAT reflection

The internal and external DNS zones share the same domain name but are isolated from each other. The internal and external SRV records are in place.

Inbound calls work from iPhone and PC client.

Chat and Visual Voicemail work.

Outbound calls do not work with incomplete signaling as symptom.

Connection recap
VCS-C LAN1------VCS-E LAN1     VCS-E LAN2 Ext----------Fw In Fw Out
FQDN cert       FQDN SAN cert FQDN cert               Global Static NAT
subnet A IP1    subnet A IP2   subnet B
                               default gateway

Why would outbound calls fail?

It is obvious that inbound calls present less of an addressing problem than outbound calls do.

I see reference to NAT reflection in the configuration guides.
I know that no DNS client on phone system is an old practice that I can not correct with this version.

Is there an obvious flaw with this setup that prevents outbound calls?
If so, is there a correct left to right SIP address sequence that I should see in debugs?

Is NAT reflection required?

What part in the addressing does the NAT reflection portion play in ensuring correct addressess to complete calls?

George Thomas · ‎12-15-2014

George, have you assigned the Static NAT address on the VCS-E LAN 2 interface? Did you setup a static route to make sure that traffic for internal subnets are sent via LAN 1 of the VCS-E? Can you ping 4.2.2.2 or some other IP on the internet from the VCSE?

NAT reflection is required when you use a single NIC on the VCSE, in your case that doesnt seem to be true.

Please rate useful posts.

George Paxson · ‎12-16-2014

George:

The VCSC and VCSE have LAN1 on the same subnet and the traversal zone is connected. As far as I understand, there should be no static routes required as the servers are connected on the same subnet. Any internal IP connections would be served from the VCSC to CUCM, CUPS, and CUC.

The VCSE does have static NAT enabled on the external LAN2. Audio did not work at all without this configured. Note that chat and web applications work across the traversal zone to indicate that there is not a routing or connectivity issue. I suspect the SIP addressing is not suitable for outbound calls. I suspect the called device on the internet can not properly reply to call requests. There is no confusion for the internet device communicating inbound.

George Thomas · ‎12-16-2014

I am fairly positive a static route is required in your case to make sure that traffic inbound to VCS takes LAN1 and not LAN2. Its more of a SDP rewrite that is caused by static NAT configuration that is the problem and not pure IP routing. When you set a static NAT, the SDP gets rewritten with this NAT address for all traffic going through LAN2. And this is why you neef NAT reflection whrn you have a single LAN nic configured. You could also get rid of LAN1 and peer with the NAT address on LAN2 in your traversal zone and configure NAT reflection to get this to work. Since you have MRA, don't forget the peer address should be a FQDN pointing to the NAT address.

Please rate useful posts.

George Paxson · ‎12-17-2014

George:

I added the static route on VCSE LAN1 for subnet A with no change.

George Thomas · ‎12-17-2014

Will you be able to upload logs here? Basically turn on diagnostic logging, reproduce the issue.

Please rate useful posts.

George Paxson · ‎12-17-2014

Outbound call diagnostic

George Thomas · ‎12-17-2014

George, what do you have for Static NAT ip under LAN2? Is it your public IP? I dont see that public IP being attached correctly to the SDP.

Please rate useful posts.

George Paxson · ‎12-17-2014

198.203.146.200 as is configured on the collab SRV and static NAT on the firewall. I agree the SDP does not look correct resulting in the outbound signaling fail. The client debug indicates the same issue.

George Thomas · ‎12-17-2014

Do you have that address on the VCSE as well, its under the network settings, there should be a field for you to put this address in. Doing it just on the firewall wont help with SDP rewrites, the VCSE does it for you when you add the IP in the field mentioned above.

Please rate useful posts.

George Paxson · ‎12-17-2014

Yes on LAN2 external

George Thomas · ‎12-18-2014

Have you done the inevitable - reboot?

Please rate useful posts.

George Paxson · ‎12-18-2014

Yes. I shut the virtual machines down and powered them back up.

George Paxson · ‎12-20-2014

I am past beginning to doubt the two interface configuration works for MRA. I think I am going to apply some virtual gaffer tape and try the single interface solution.

George Paxson · ‎12-21-2014

George

I reverted the Expressway back to single interface with static NAT enabled.

I introduced some Linux static NAT gaffer tape in between. I configured the Controller with the Expressway FQDN which resolves to the global internet address. The VCS boxes have static routes to route to each other through the Linux box with the outside global address NAT'd to the internal address of the Expressway. TLS and IP connectivity established for the traversal zone.

I have two way calls established. I am certain that the Controller must establish the traversal zone to the Expressway with the global internet address to establish the correct SIP chain of routes. Thanks George Thomas for your help and sanity check on my configuration.