
User loses access to Jabber

Translator
Community Manager
Community Manager

Guys, I have a question about Jabber. When a user returns from vacation, he can no longer log in to Jabber. When I look at his profile CSFXXXXXXX in CUCM, it is missing some settings, and they have to be configured again for it to work.

Example: On the line add the end users membership:

Line CSF.png

 At the end user in Service Settings, I need to reconfigure the home cluster:

Service Settings.png

CTI permissions also have to be added:

Permissions.png

Could this be some time limit configured in AD for any login that has gone more than 10 days without connecting to the network, so that CUCM disables these services and prevents the user from logging in to Jabber?

Thank you!

 

 

Accepted Solutions

Translator
Community Manager
Community Manager

Hello @spinardi 

I understand that, because AD synchronization is in use, CUCM is automatically purging inactive users and therefore the user is unbound from the Jabber device (CSF).

I believe the following flow is occurring:

The contributor goes on vacation and some routine inactivates the user in AD (Automatic or manual).

CUCM often checks AD users for their status.

CUCM identifies that the contributor user is inactive.

CUCM then removes this user from its base automatically in a process called purge to keep only active users in the base.

The employee returns from vacation and the user is reactivated in AD (automatically or manually).

CUCM often checks active users in AD and re-adds the user of the deleted contributor.

The user is added to the CUCM again, but since it was previously removed, its links (With CSF, for example) have been lost.

 

This is expected behavior, and the solution is either not to inactivate the user when he goes on vacation or, in your sync, to create an LDAP filter that removes users only if they are removed from AD:

https://community.cisco.com/t5/ip-telephony-and-phones/ldap-user-inactive-never-delete-in-ucm-is-possible/td-p/1970589

References: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/12_5_1SU1/systemConfig/cucm_b_system-configuration-guide-1251su1/cucm_b_system-configuration-guide-1251su1_restructured_chapter_0100001.html

I hope I helped.
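The effect of the sync filter described in the accepted solution, as an added example that is not part of the original thread or Cisco's code: a small evaluator runs two LDAP filters over constructed directory entries and shows which users each one returns to the sync. The thread does not quote any filter; the default string is the one Cisco documents for Microsoft AD, the custom string is an assumed variant without the disabled-account clause, and the entries and function names are hypothetical.

```python
import re

# Filter strings are assumptions (not quoted in the thread): the documented
# default for Microsoft AD, and a variant that keeps disabled accounts.
DEFAULT_FILTER = ("(&(objectclass=user)(!(objectclass=Computer))"
                  "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")
CUSTOM_FILTER = "(&(objectclass=user)(!(objectclass=Computer)))"
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule
# Constructed entries: 512 = normal account, 514 = 512 | 2 (ACCOUNTDISABLE),
# as for a user whose account is disabled during vacation.
ENTRIES = {
    "alice": {"objectclass": ["top", "person", "user"], "useraccountcontrol": [512]},
    "bob": {"objectclass": ["top", "person", "user"], "useraccountcontrol": [514]},
    "pc01$": {"objectclass": ["user", "computer"], "useraccountcontrol": [4096]},
}

def _parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (node, next_i)."""
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # skip the closing ')'
    end = f.index(")", i)
    attr, rule, value = re.fullmatch(r"([^:=]+)(?::([\d.]+):)?=(.*)", f[i:end]).groups()
    return ("item", attr.lower(), rule, value), end + 1

def _match(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_match(k, entry) for k in node[1])
    if node[0] == "!":
        return not _match(node[1][0], entry)
    _, attr, rule, value = node
    have = entry.get(attr, [])
    if rule == BIT_AND:  # true when every bit of `value` is set
        return any((int(v) & int(value)) == int(value) for v in have)
    return any(str(v).lower() == value.lower() for v in have)

def selected(filter_text, entries):
    """Names of the entries a sync using this filter would return."""
    tree, _ = _parse(filter_text)
    return sorted(name for name, e in entries.items() if _match(tree, e))

if __name__ == "__main__":
    print("default:", selected(DEFAULT_FILTER, ENTRIES))
    print("custom: ", selected(CUSTOM_FILTER, ENTRIES))
```

With the custom filter the disabled account stays in the sync results, so CUCM no longer drops it; its logins are then blocked only where CUCM authenticates against AD (LDAP authentication), where a disabled account's bind fails.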

7 Replies

Translator
Community Manager
Community Manager

Hello, @spinardi!

Can you help us with some questions, please?

What CUCM release do they have?

Active support agreement? And if so, was a case created with TAC?

Is there a connection/synchronization with a Directory/AD?

Does the user continue to appear in the list of CUCM users, having only been disassociated from Jabber? Or does the user appear as Inactive in the CUCM users list?

Thank you!

Regards,

Gabriela

Community Manager

 

Translator
Community Manager
Community Manager

Hello Gabriela!

We're at 12.5, and we have an active contract, yes. But I don't know if it warrants opening a TAC case.

We have synchronization with AD. Yes, the user remains in the CUCM list as active. However, the user only loses access to Jabber, and it is necessary to reconfigure the information I mentioned. I don't know what CUCM does that loses the information I mentioned. I did not find anything related to loss of config due to downtime.

Translator
Community Manager
Community Manager

Hello @spinardi!

In conversation with one of our engineers, this seems to be abnormal behavior, since there is AD synchronization, the user remains active in the list of CUCM users and only loses access to Jabber. That is, the AD sync appears to be functioning normally.
It would be good to understand whether this user is being deleted or deactivated in AD, or does the status not change there either?
Also, do these users have a physical phone associated with them? Or just Jabber? If they have a physical phone, do they also lose the settings on the phones? From there we can try to understand whether it is a user problem in CUCM as a whole, or whether it is only the Jabber config that is failing.

Well, in my opinion this is a case to open with TAC, yes. TAC has the necessary tools to get a CUCM log and help mitigate the problem directly.

Each of Collab OnPrem's applications has its own databases for identity management.
It's something we see in Identity Management Architecture Overview, below.
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab12/collab12/directry.html

 

I've seen something similar, though not exactly the same, in a case where the AD account tied to the user expired/was removed. Is it possible to test by removing a user/deactivating their AD account and trying it the next day to see if it happens again/in a similar manner?

Translator
Community Manager
Community Manager

Great, Gabriela, I'm going to read this Overview, thanks. We checked here in the corporate AD, and users who go on vacation are disabled; activation occurs when they return. Could that have an influence?

Translator
Community Manager
Community Manager

Right, Jonas, this is exactly the flow that occurs. I will check the mentioned documentation; it has already shed light on where to go next! I'll come back here and tell you if it worked. Thank you!!