Yes, all devices are using same domain.

Actually I have 2 cucm clusters and 2 IM&P clusters.

Cluster A : cucm with 10.5.1.1000-7 version and an im&p with 10.5.1.12900-2.

Cluster B : cucm with  10.5.1.1000-7 and an im&p with 10.5.1.10000-9. 

while I just add a cluster to the expressway, everything is fine. 

But while I add two clusters to the expressway, a couple of jabber IDs in a Cluster A cannot login.

This looks like an ILS related issue

If you have multiple Unified CM clusters, ILS (Intercluster Lookup Service) must be set up on all of the clusters. This is because the expressway has to authenticate a client against its home Unified CM cluster, and to discover the home cluster it sends a UDS (User Data Service) query to any one of the Unified CM nodes over ILS

Have you checked that your ILS service is working?  If you have then please send jabber logs for the clients that cant login.

Hi, 

As I mentioned befere, there are 2 cucm and im&p clusters here.

prior to 10.x, ILS must be enable on all nodes. but with 10.X, ILS just be set up on the pub, and there is no ILS service on serviceability of cluster A sub cucm. 

I attach ILS configuration screen on cluster A pub, sub and Cluster B pub

system components are as a below. 

[Cluster A]

- CUCM : Pub 1ea , Sub 1ea

- IM&P : Pub 1ea 

[Cluster B]

- CUCM : Pub 1ea 

- IM&P : Pub 1ea 

When I mean ILS service, I am not referring to the service in serviceability. I mean is ILS within the cluster operational, which your pictures depict it is..

Can we have jabber logs please? So we can see why the login is failing.

Hi, 

you can see jabbers logs. which logs are do you want to see and where can I get the logs on the local computere.

There are two ways to get Jabber logs. You can generate a problem report from the client and it will include the log file in there or you can go to the following folder

C:\Users\userxxx\AppData\Local\Cisco\Unified Communications\Jabber\CSF\logs

You will find the logs here

Hi,

I attached the log file that you request. 

Thanks

I have looked at the logs and  I have a few questions for you.

Is your user on this cluster?

Adding new home UDS URI: https://192.168.200.1:8443/cucm-uds/user/kim617408
Adding new home UDS URI https://192.168.200.2:8443/cucm-uds/user/kim617408

And is this the correct IM&P server for this user?

****************************************************************
2015-02-10 23:14:16,221 INFO  [0x00002fdc] [ters\imp\commands\LoginCommands.cpp(158)] [imp.service] [IMPStackCap::LoginCommands::SignOn] - Signing into Presence Server. Server: 192.168.200.3, login mode: ON_PREM, result: 0
2015-02-10 23:14:16,222 INFO  [0x00002fdc] [ters\imp\commands\LoginCommands.cpp(159)] [imp.service] [IMPStackCap::LoginCommands::SignOn] - ****************************************************************

Do you also have a webex messenger service/domain?

Yes, kim617408 is a test user id and this user is on Cluster A 

Cluster A have 2 cucm nodes and 1 im&p node. 

192.168.200.1 - cucm pub 
192.168.200.2 - cucm sub
192.168.200.3 - im&p pub

in addition, I don't have a webex messager service/domain.

Okay from the logs we see that the client is getting authentication error with the presence server..

[imp.service] [IMPStackCap::Login::OnLoginError] - ****************************************************************

[IMPStackCap::Login::OnLoginError] - OnLoginError: (data=0) LERR_JABBER_AUTH <17>: Authentication error with server e.g. resource bind, TLS, create session or SASL error

[IMPStackCap::Login::OnLoginError] - ****************************************************************

We can at least conclude that ILS part is working because the client has been directed to its home cluster. We now need to know why its unable to login.

Can this client login to the server internally? Is this IM&P server configured with a presence domain of "insunginfo.co.kr"

If the answer is yes to both questions, then please use RTMT to send me the Tomcat security logs for the IM&P server. The link below shows how to do this..( you  need to select the log name : Tomcat Security)

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-im-presence-service-version-105/117827-configure-unifiedpresenceserver-00.html?mdfid=286269517

++++WebEx messenger+++
Looking the the logs if does look like you have an active webex messenger service. This could create problems for you.

+++Here Jabber does a CAS lookup++++

 *-----* Making HTTP request to: http://loginp.webexconnect.com/cas/FederatedSSO?org=insunginfo.co.kr.

[http::CurlAnswerEvaluator::curlCodeToResult] - curlCode=[0] result=[SUCCESS]

++++Here Jabber gets a 200 OK to the request for your domain++++

[http::executeImpl] - *-----* HTTP response from: http://loginp.webexconnect.com/cas/FederatedSSO?org=insunginfo.co.kr[0] -> 200

[http::CurlHttpUtils::getResponseCode] - Http Response Code = [200] for request [0]

++Jabber also does a successful service discovery on webex for the domain+++

[service-discovery] [CasLookupImpl::executeCasQuery] - CAS request finishes with response: [responseCode]200

[CasLookup::getCasLookupResult] - CAS lookup request has been successfully finished with domain: insunginfo.co.kr

+++++++++

Suggestion on this: Speak to your cisco AS/SE/account manager and find out if you have a webex service and ensure its only enabled for webex meeting and not webex messenger.

We  just use public DNS server. So I configure a Internal DNS server for Jabber.

Synchronization between two systems don't happen.    

You asked me two questions as a below.  

Q1. Can this client login to the server internally?
  -  When DNS server on the computer is changed into the internal DNS, jabber can login.    

Q2.  Is this IM&P server configured with a presence domain of "insunginfo.co.kr"
  - How can I check it? Please explain it more detail.  
  - when I execute DNS lookup on expressway-c, IM&P server can find 
    Of cause, DNS setting on Expressway-c is assigend the Internal DNS. 

I was testing several times to login jabber, and the last test was starting at 1:46 on the log.  

 in addition, we don't use webex message service. we just use on-promise webex server called CWMS. 

Okay to check your IM&P presence domain please go to your IM&P server, system>cluster topology>settings (its under cluster topology) You will see your IM&P domain there..

Secondly the time on the security logs doesn't match the time on the jabber logs. Can you do another test with jabber and send the tomcat logs for that time.

in 10.x version, there is no cluster topoloy. it changed to Presence Topology.

I think the Value on Cluster Fully Qualified Domain Name is that you asked.

System > Enterprise Parameters Configuration > Clusterwide Domain Configuration > Cluster Fully Qualified Domain Name. At this field, Domain is diaplayed. 

I also did jabber login test around 18:37:20 and send you the logs.