Looking for some assistance. I have Expressway 8.7 in the recommended two-legged design except not using NAT since the outside interface is already publicly accessible. I have a valid Cert on exp-e, and a privately created CA cert on exp-c using the Certificate Guide and OpenSSL.
Getting Failed to Establish SSL errors. In the debugging logs I see "peer did not return a certificate". I have my private CA and self-signed CM cert installed to the Enterprise Trust store on the laptop and the iPhone from which I'm connecting.
CUCM (9.1.2) has a tomcat cert also signed by the private CA, and the CallManager cert is self-signed. The root private CA and self-signed CM certs are uploaded as Trusted CA on both expressways. I've tested Jabber for iPhone and Jabber for Windows and both can successfully register externally with Exp-E, IMP, CUX, but not the softphone. I have a SIP Trunk for outbound calls and the Security SIP Profile has a separate port configured and there are two traversal zones, one for UC and one for that purpose. I also tried removing the Trunk's traversal zone and all references to it in case it was interfering and got the same results.
I'm attaching one of the Jabber Problem Reports and a Developer's log from expressway E. The time of the registration failure is 16:30 on 2/4/16.
If more are needed I can run another. Thanks for looking.
EDIT: Forgot to mention, I also tried adding a firewall rule to allow all traffic to and from the expressway temporarily and it still didn't work, so it shouldn't be a firewall oversight.
I have had the same exact issues and thanks to "kdotten36", I managed to update the Default Zone between the Expressway Core and Edge using the settings recommended above and everything started working now.
I now have IP Phones registering correctly via MRA as well as Cisco Jabber for Windows/iOS, etc.
Thanks again for the tips.
You are a legend! Thank you so much for sticking with this and updating the thread. I will be making the change too and monitoring the behaviour. This has been absolutely frustrating for me.