
jabber client: MRA expressway login error

jaheshkhan
Level 4

We have a strange kind of implementation, so people have to think differently from the normal way of implementation.

Our client must use a VPN connection; it's a must. They want to use the Jabber client. After establishing the VPN and trying to make calls, they were able to establish calls but there was no voice traffic between the end parties.

Because of a limitation of the VPN concentrator in routing calls between endpoints, we were forced to use Expressway just to route the voice calls.

This resolved our voice issue. They were able to hear voice, i.e. Expressway inside the VPN connection. After getting onto the VPN, users will not get internet access.

CUCM, IMP, CUC, Expressway C and Edge are all in one VLAN and one subnet.

The collab-edge SRV record was added in our DNS. Whether the users come through the VPN or locally, all will use collab-edge. It's not hosted publicly but internally, as in a lab environment. We used another DNS server for the cisco-uds SRV record. It's a standalone DNS server with all the DNS entries required. This is the DNS server for Expressway C.

But today, for some reason, none of our clients are able to log in to Jabber. The users are LDAP users.

I either get the message "cannot communicate with server" or the message "username or password is incorrect".

Our security engineer had made some changes, since all our traffic is now passing through Expressway Edge. So he changed many policies which were working when there was no Expressway in the picture.

Now, when I checked the firewall, I found that client PC traffic to the CUCM publisher on 8443 is blocked. I didn't understand how this is happening; actually it should only come from Expressway, so how is the Jabber client requesting login authentication from CUCM instead of Expressway?

I want to know how the LDAP authentication process happens in a normal Expressway deployment and how it is happening in our scenario.

Should we open 8443 from the Jabber client network to the CUCM publisher and CUCM subscriber?

When we tried the Self Care Portal on the CUCM subscriber, I found I cannot log in to it. It gives an error that the username and password is incorrect. Is it correct for the subscriber to behave like that? I don't know whether it's getting blocked or not.

 

1 Accepted Solution


Solved this issue.

LDAP authentication for end users was enabled at the last moment. So traffic from the CUCM subscriber to the LDAP servers was blocked by the firewall. It was not allowed.

When the CUCM subscriber was added to the firewall policy, it started working.


5 Replies 5

Dennis Mink
VIP Alumni

Let me get this clear: are you using MRA, or are you using Jabber after connecting to your corporate network using a VPN?

Please remember to rate useful posts, by clicking on the stars below.

I'm using MRA after the user gets connected to the corporate network; otherwise voice cannot be heard because of the limitation.

Without VPN it is also through MRA, because they don't want to use another DNS, as it will affect other services.

Prashant Sharma
Cisco Employee

Hi jaheshkhan,

It is important to allow communication on 8443 if UDS is being used. User queries will be done using UDS against the UDS service on Communications Manager; if UDS is being used and 8443 is blocked, the users will face an issue with login.

You can refer to the link below for information on the ports used for MRA:

https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-9/Cisco-Expressway-IP-Port-Usage-for-Firewall-Traversal-Deployment-Guide-X8-9-2.pdf

Regards,
Prassha3

Rate if you find this helpful

Thank you for your reply.

Users LAN: network A

CUCM, CUC, IMP, Exp C, Exp E: network B

AD, integrated DNS, standalone DNS: network C

But my question is: if users are passing through Expressway and it is UDS, why does the port (e.g. 8443) need to be open from the user LAN to the CUCM LAN? Actually, even for UDS, the port should be open only to Expressway E, right?

That is what is confusing me. Today I'm planning to open port 8443 from the user LAN to the CUCM pub and sub. But as per the document you shared, we already opened SIP (5061), XMPP (5222) and UDS (8443) to Expressway E from the user LAN. But we can see direct traffic on port 8443 from the user LAN to the CUCM servers, which is blocked now.

I think the Jabber client is getting confused about whether to behave as an MRA or a VPN connection.

Solved this issue.

LDAP authentication for end users was enabled at the last moment. So traffic from the CUCM subscriber to the LDAP servers was blocked by the firewall. It was not allowed.

When the CUCM subscriber was added to the firewall policy, it started working.
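
A triage sketch for the situation in this thread, added here as an example and not code from any poster or from Cisco: it sorts firewall deny records into the failures discussed above (clients reaching CUCM on 8443 directly, CUCM blocked from LDAP, MRA ports to Expressway-E blocked). The subnets, host addresses, deny-record shape and the LDAP port list (389, 636, 3268, 3269) are assumptions; the thread gives only the network names and the 5061/5222/8443 ports.

```python
import ipaddress

# Constructed addressing for the three networks named in the thread.
ZONES = {
    "A-users": ipaddress.ip_network("10.10.0.0/24"),
    "B-collab": ipaddress.ip_network("10.20.0.0/24"),
    "C-ad-dns": ipaddress.ip_network("10.30.0.0/24"),
}
# Hypothetical host addresses inside network B.
HOSTS = {"10.20.0.11": "cucm-pub", "10.20.0.12": "cucm-sub", "10.20.0.30": "exp-e"}
MRA_PORTS = {5061, 5222, 8443}       # SIP, XMPP, UDS to Expressway-E (from the thread)
LDAP_PORTS = {389, 636, 3268, 3269}  # assumption: standard LDAP/LDAPS/global catalog


def zone_of(ip):
    """Name of the constructed zone containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")


def classify(src, dst, dport):
    """Map one denied flow to the failure it explains, or None."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    src_host, dst_host = HOSTS.get(src, ""), HOSTS.get(dst, "")
    if src_host.startswith("cucm") and dst_zone == "C-ad-dns" and dport in LDAP_PORTS:
        return f"{src_host} cannot reach LDAP: LDAP-authenticated logins on this node fail"
    if src_zone == "A-users" and dst_host.startswith("cucm") and dport == 8443:
        return f"client talks UDS directly to {dst_host}, bypassing Expressway-E"
    if src_zone == "A-users" and dst_host == "exp-e" and dport in MRA_PORTS:
        return f"MRA flow to Expressway-E on {dport} is blocked"
    return None


def triage(denies):
    """Return sorted unique findings for a list of (src, dst, dport) denies."""
    return sorted({f for f in (classify(*d) for d in denies) if f})


# Constructed deny records: (source IP, destination IP, destination TCP port).
SAMPLE_DENIES = [
    ("10.10.0.57", "10.20.0.11", 8443),  # user PC -> CUCM publisher, UDS
    ("10.20.0.12", "10.30.0.5", 389),    # CUCM subscriber -> AD/LDAP
    ("10.10.0.57", "10.20.0.11", 8443),  # repeat of the first deny
    ("10.10.0.57", "10.30.0.5", 53),     # unrelated to the flows above
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_DENIES):
        print(finding)
```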