Hi,
Thank you for answering!

The configurations have been made as recommended by you, in fact I have carried out the following steps:
• Add a Callbridge Group (set every option to "True", except "loadBalanceLyncCalls", set this to false)
• Assign it to Call Bridge (you need to have 4)
• Assign it to Web Bridges (you need to have 4)

Unfortunately, however, I did not understand if in the API in "webBridge" I have to leave the configured "url" field composed of the FQDN relating to the "Citrix" balancer (url: c2w://videconf.example.com:9999). I also tried to delete the "url" field, but doing so nothing works anymore, the message "Server unavailable" is returned. Conversely, if I leave it configured, I can access the meeting but it no longer allows me to join.
I'm stuck in this situation and can't figure out if the "citrix" balancer in this context is causing further problems.
Could you please help me understand?
Thank you

In the url field, you have to put the IP / FQDN of the webbrige. This has nothing to do, with other systems. It defines the connection between the callbridges and the webbridges.

In your case, you have to have 4 webbridges configured via the API (and then also the callbridge group assigned)

E.g.:

c2w://cms1.example.com:9999

c2w://cms2.example.com:9999

c2w://cms3.example.com:9999

c2w://cms4.example.com:9999

Caution: All the IP's / FQDN's that you put there, has to be in the certificate of the C2W cert. (in the command "webbridge3 c2w certs <key> <cert-chain-file>")

Hi Winter,

I configured all four webbridge with related callbridge group in API configuration as in your example:

c2w: //cms1.example.com: 9999

c2w: //cms2.example.com: 9999

c2w: //cms3.example.com: 9999

c2w: //cms4.example.com: 9999

Unfortunately I am unable to join the room. I get the following error: "c2w connection error to webbridge connection failure" user.err cms1 client_backend: ERROR: C2W: C2W Peer failed TLS handshake with error: self signed certificate in certificate chain.

I entered the certificate as you suggested:webbridge3 c2w certs <key> <cert-chain-file, they use the private key of the single nodes plus the certificate chain.

Basically I built a certificate bundle (cms1+cms2+cms3+cms4+rootCA). The certificates are selfsigned, so they were created with open SSL, so I don't have an intermediate CA.

And the FQDN's are in the corresponding certificate?

Have you set the trust in the callbridge? So that the callbridge trusts the webbridge?

callbridge trust c2w <webbridgebundle>

Can you post the output of the commands "callbridge" and "webbridge3"?

Hello Winter,

I managed to make some progress, but something is still wrong.

Now in "api / webBridge / status /" finally all four cms nodes respond with "success", so I guess now the certificates between callbridge and webbridge are trusted.
Unfortunately now when I run a meeting from webrtc, pointing the balancer fqdn I noticed that chrome browser fails the request for 3 consecutive times and on the fourth attempt it works. 
Subsequently, all the calls to the test meeting converge on the cms 4.
If I point directly to the fqdn of the single cms node, I can access the meeting but I can still find the call on node 4 instead of on the node to which I made the request. 
At this point I ask you, is it possible that the certificates are still incorrect? When you talk about webBridge and certificate bundle what do you mean specifically? In the construction of the "bundle", in notepad, do I have to insert the webBridge of all the nodes and lastly in rootCA? 
Example: 
--- begin ---- 
webbridge1 
---- end --------- 
---- begin ----- 
webbridge2 
---- end ------- 
--- begin ---- 
webbridge3 
---- end --------- 
---- begin ----- 
webbridge4 
---- end ------- 
--- begin ----- 
RootCA 
--- end -------
Thank you for the support!

I can't help you at the loadbalancer topic.

But what you mention, when you browse the URL directly is "works-as-designed".

You don't necessarily land on the callbridge/webbridge that you browse to, since the server come up with a priority, which the calculate internally.

So like you have seen, even if you browser to CMS 1, you can land on any of your 4 CMS in the end.

I think, you would see the priority when you look at the logs. But that just for your interest.

About the bundle:

It is correct, what you have done.

But it would also be sufficient to only include the Root CA, since it signed the certificate.

You also could play around with that, if you have some spare time on the project. Maybe it helps understanding the relationships between callbridge, webbridge and certs.

Hello Winter,

Thanks for the support!

Today I had the opportunity to carry out some tests and I can say that the system still does not work well. Let me explain better, when I try to access a meeting from webrtc I noticed that the calls are always intercepted by node 4 (cms4).
I got suspicious and therefore I shutdown the cms 4 with the result that the other webbridges do not accept calls 
from webrtc. 
I am presented with the meeting data entry screen but when I do the join it actually returns to the starting point and displays an "unable to join meeting" error.

Sometimes it happens that always with the cms4 turned off, I can access the meetings through the cms1 but when I perform the join, it happens that in some cases the request fails.
how can i solve?

Thank you!!

What do you see, when you enable the syslog via CLI?

I would first let it run without a test, just to see if there are any general errors.

And then I would do a test with CMS4 shut down.

Run the command on all nodes: "syslog follow" and log the screen output to a file.

What do you see, when you click on "status" on every webbridge via the API?

How do your outbound rules look like?

And how is your config looking like under "Configuration" --> "Cluster"?

Hi,

So, I did as you advised, in fact I checked without any tests and I did not find any errors that could lead to the malfunction,
only some warnings and nothing more.

But when I turned off the cms4, again I could no longer join the meeting via webrtc. In this case I found some error related to: "error messages of the form"

received client instance query for unknown user 295fd456-847b-4641-addb-6605bbb0792a from server cms1 ... cms2 ... cms3".

when I click on "status" on every webbridge via the AP, I always get "success", so they assume then the problem is not located here.

At this point I decided to upgrade from cms 3.1.1 to 3.3.0 and I noticed that things have improved but not that much ...

I realized that when I can't access the meeting from webrtc, viewing the "database cluster status" you notice that the nodes are all in the "replication" state but there is no primary server.

Therefore, when I shutdown 2 out of 4 servers, the cluster database remains frozen and cannot establish a "primary server".

If I reboot one of two of these nodes, the cluster database status changes from "replica" to "primary" and I am able to join the meeting again.

By the way, I read that the cluster database must be composed of "odd number of server", so since I had 4, I decided to remove the fourth node "database cluster remove" from the cluster.

Unfortunately the result does not change. When I turn off two nodes, the last one (cms3) remains in "replica" instead of "primary".

Am I doing something wrong?

Thanks for the support!!

Hard to help, without having a complete own view of the machines and their configuration.

Maybe something is wrong with your database clustering in the first place, but hard to guess for me.

Hello Winter,

Thank you for the support you gave me, your advice was very valuable.

I finally solved it !! 

You were right about the cluster database, in fact I had mistakenly clustered all 4 nodes, in this way the cluster was "inconsistent" and when I shutodown two nodes, in fact nothing worked anymore.

I summarize below the steps that helped me solve:



1) I configured all four webbridge with related callbridge group in API configuration.



c2w: //cms1.example.com: 9999


c2w: //cms2.example.com: 9999


c2w: //cms3.example.com: 9999


c2w: //cms4.example.com: 9999


2) I built a certificate bundle (cms1+cms2+cms3+cms4+rootCA)

3) I have trusted the callbridge with the command "callbridge trust c2w <webbridgebundle>"

4) I have trusted the webbridges with the command "webbridge trust c2w <callbridgebundle>"

5) removed node "cms4" from cluster database

6) I inserted the command "Database cluster connect" to allow the Callbridge of the CMS4 node to be part of the Callbridge cluster.

7) Eliminated the configuration made to the balancer (persistence on source ip) to allow the correct management of IP calls.

These days I am monitoring the operation, for now I can say that it is working great!



N.B. If you think it is worth making further changes, I am open to new suggestions.



Thank you very much!!

No, you're wrong on the fact that it needs to be 3 or 5 for callbridge and webbridge

Note 1: Maximum of 24 Call Bridge nodes per cluster; cluster designs of 8 or more nodes need
to be approved by Cisco, contact Cisco Support for more information.

https://www.cisco.com/c/dam/en/us/td/docs/conferencing/ciscoMeetingServer/Deployment_Guide/Version-3-4/Cisco-Meeting-Server-3-4-Scalable-and-Resilient-Deployment.pdf

What you say is applicable to the DB, not the callbridge and webbridge.