Expressway X8.2.1 - TLS verification failed for Unified Communication Config

Erwin Austero · ‎05-12-2015

Hi Community,

I'm seeking a help for the setup of Expressway Edge/Core X8.2.1 for the TLS verified.

Currently, I have working Jabber client in the internal network. Then I have to setup a Expressway Control and Edge in order to access Jabber outside.

- CUCM Server 10.5

- IM&P Server 10.5

- EXP-C X8.2.1

- EXP-E X8.2.1

Here's my concern;

1. I'm having a trouble with traversal zone for Control and Edge due to failed status at the Unified Communication type config in Zones.

- Zone status: SIP failed

2. I'm having a trouble of TLS verification failed in setting up the TLS mode for CUCM and IM&P servers in Expressway Control.

- Failed: Cannot connect to cucm.<domain>. TLS certificate validation failed.

Need Help!!!!

Thanks.

-Erwin

Jaime Valencia · ‎05-12-2015

And have you made sure that all your certificates and root certificates have been exchanged between the various elements for authentication to succeed???

Are you using the built-in certs?? internal CA signed?? public CA signed???

I've done this in my lab, and the config for the expressways is quite easy, if it fails, is mostly because of certs, FW, DMZ, communication, DNS, etc.

Did you follow the MRA config guide??

HTH

java

if this helps, please rate

Erwin Austero · ‎05-12-2015

Hi Jaime,

Thanks for your reply.

I just followed what MRA guide instructed. I used a internal CA signed which I setup local AD Certificate services. Is it applicable? right?

I'm just confusing with this certificate is!

Here are what I'm done on my setup (configuration type= Unified Communication Traversal);

1. In my EXP-C, I generated CSR provided the alternative name including my IM chat node.

- Then create it a certifcate in my internal AD Certicate services after that I downloaded it as in .cer file.

- Then upload it to my EXP-C Server certificate and Trusted CA. And also in EXP-E, I installed it in Trusted CA .

2. In my EXP-E, I generated the CSR provide the alternative name including my CUCM with the domain name in my network.

3. I created the traversal zone in my EXP-E with correct connection credential and TLS verify subject name pointing to my EXP-C<domain>.

4. Then created the traversal zone for my EXP-C with correct connection credentials and location peer address 1 pointing to my EXP-E<domain>

But still SIP failed status. My question is what should I do in the certificate?

- Where do I have to install it?

- Do I have to install certificate in CUCM? and Where?

- How can I install the certificate in CUCM for TLS verify?

I appreciate your help.

Jaime Valencia · ‎05-12-2015

OK, what about the certificates from CUCM / IM&P on EXP-C???

Are you sure you're using the right FQDN for the traversal zone???

HTH

java

if this helps, please rate

Erwin Austero · ‎05-12-2015

For the CUCM / IM&P on EXP-C, when I turn it ON the TLS verify mode - TLS certificate validation failed. .error.... But I already configured my CUCM for SIP trunk profile pointing to my EXP-C in order for TLS.

Yes, I have a FQDN for my EXP-E for the travesal zone. What will be my next step?

Thanks.

Jaime Valencia · ‎05-12-2015

Yeah, and have you exchanged the certificates between CUCM / IM&P and EXP-C for that to work?????? and BTW, MRA required no SIP trunk to EXP-C, not sure why you have that.

HTH

java

if this helps, please rate

Erwin Austero · ‎05-12-2015

I understand.

What valid certificate should I use to exchange for CUCM / IM&P and EXP-C???

For the SIP trunk to EXP-C, I just added it a while ago to test if will work the TLS verify mode in EXP-C for CUCM / IM&P. I removed it already.

What do you think wrong in my traversal zone for EXP-C and EXP-E? Do I need to setup only one domain name for CUCM / IM&P, EXP-C and EXP-E?

Thanks.

joefalba00 · ‎12-14-2016

Erwin,

Were you able to determine this issue? I'm having the same....