05-17-2014 10:29 AM - edited 03-13-2019 08:33 PM
Hello everybody,
I'm in the middle of configuring Mobile and Remote Access via Cisco VCS. Even though the status of my configuration on both VCSs in "Status->Unified Communications" looks OK, I still can't log in successfully using the Jabber 9.7.1 client. I've checked the logs on my VCS Expressway and I have probably located the problem.
Event Log:
2014-05-17T17:12:58+02:00 | traffic_server[1282]: Event="Sending HTTP error response" Status="400" Reason="Bad Request" Dst-ip="Jabber_IP_Address" Dst-port="59415" UTCTime="2014-05-17 15:12:58,695" |
2014-05-17T17:12:36+02:00 | sshdpfwd[7425]: Received disconnect from NAT_router_IP: 11: disconnected by user |
2014-05-17T17:12:36+02:00 | sshdpfwd[7423]: Event="sshd" Module="openssh" Level="INFO" Detail="User child is on pid 7425" UTCTime="2014-05-17 15:12:36" |
2014-05-17T17:12:36+02:00 | sshdpfwd[7423]: Event="sshd" Module="openssh" Level="INFO" Detail="Accepted publickey for pfwd from NAT_router_IP port 40968 ssh2" UTCTime="2014-05-17 15:12:36" |
2014-05-17T17:12:36+02:00 | sshdpfwd[7423]: Event="sshd" Module="openssh" Level="INFO" Detail="Authorized by X509(rsa) : CN=...,OU=...O=...,L=...,ST=...,C=..." UTCTime="2014-05-17 15:12:36" |
2014-05-17T17:12:36+02:00 | sshdpfwd[7423]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from NAT_router_IP port 40968" UTCTime="2014-05-17 15:12:36" |
2014-05-17T17:12:36+02:00 | sshdpfwd: Event="sshd" Module="openssh" Level="INFO" Detail="sshdpfwd run in non-FIPS mode" UTCTime="2014-05-17 15:12:36" |
2014-05-17T17:12:36+02:00 | sshdpfwd[7423]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2014-05-17 15:12:36" |
2014-05-17T17:12:18+02:00 | traffic_server[1282]: Event="Sending HTTP error response" Status="400" Reason="Bad Request" Dst-ip="Jabber_IP_Address" Dst-port="59391" UTCTime="2014-05-17 15:12:18,449" |
Network log:
2014-05-17T17:12:58+02:00 | traffic_server[1282]: UTCTime="2014-05-17 15:12:58,695" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="439" Dst-ip="Jabber_IP_Address" Dst-port="59415" Msg="HTTP/1.1 400 Bad Request" |
2014-05-17T17:12:58+02:00 | traffic_server[1282]: UTCTime="2014-05-17 15:12:58,695" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="439" Src-ip="Jabber_IP_Address" Src-port="59415" Msg="POST https:///EPASSoap/service/v80 HTTP/1.1" |
It seems to me that there's a missing CUPS IP address in the POST request (POST https:///EPASSoap/service/v80 HTTP/1.1).
Thanks for any help!
kozooh
P.S. Confidential content is replaced by Jabber_IP_address and NAT_router_IP.
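A check for the symptom in the network log above, as an added example that is not part of the original post: it pairs "Receive Request" and "Sending Response" lines by Txn-id and reports requests whose URL has an empty host. Txn-id 440 and the host cups.example.com are constructed here for contrast.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: Txn-id 439 is the pair quoted in the post; Txn-id 440
# (host cups.example.com) is invented here as a healthy request for contrast.
SAMPLE_LOG = '''\
2014-05-17T17:12:58+02:00 | traffic_server[1282]: UTCTime="2014-05-17 15:12:58,695" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="439" Dst-ip="Jabber_IP_Address" Dst-port="59415" Msg="HTTP/1.1 400 Bad Request" |
2014-05-17T17:12:58+02:00 | traffic_server[1282]: UTCTime="2014-05-17 15:12:58,695" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="439" Src-ip="Jabber_IP_Address" Src-port="59415" Msg="POST https:///EPASSoap/service/v80 HTTP/1.1" |
2014-05-17T17:12:40+02:00 | traffic_server[1282]: UTCTime="2014-05-17 15:12:40,100" Module="network.http.trafficserver" Level="INFO": Detail="Sending Response" Txn-id="440" Dst-ip="Jabber_IP_Address" Dst-port="59416" Msg="HTTP/1.1 200 OK" |
2014-05-17T17:12:40+02:00 | traffic_server[1282]: UTCTime="2014-05-17 15:12:40,090" Module="network.http.trafficserver" Level="INFO": Detail="Receive Request" Txn-id="440" Src-ip="Jabber_IP_Address" Src-port="59416" Msg="POST https://cups.example.com:8443/EPASSoap/service/v80 HTTP/1.1" |
'''

PAIR = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one network-log line as a dict."""
    return dict(PAIR.findall(line))


def find_empty_host_requests(log_text):
    """Report absolute-URI requests whose host component is empty."""
    requests, statuses = {}, {}
    # The log is listed newest first, so a response precedes its request;
    # collect both kinds first and correlate by Txn-id afterwards.
    for line in log_text.splitlines():
        fields = parse_line(line)
        txn, msg = fields.get("Txn-id"), fields.get("Msg", "")
        if not txn:
            continue
        if fields.get("Detail") == "Receive Request":
            parts = msg.split()
            if len(parts) == 3:  # method, URL, HTTP version
                requests[txn] = (parts[0], parts[1], fields.get("Src-ip"))
        elif fields.get("Detail") == "Sending Response":
            parts = msg.split(None, 2)  # version, status code, reason
            if len(parts) >= 2 and parts[1].isdigit():
                statuses[txn] = int(parts[1])
    findings = []
    for txn, (method, url, src) in requests.items():
        url_parts = urlsplit(url)
        if url_parts.scheme and not url_parts.hostname:
            findings.append({"txn": txn, "src": src, "method": method,
                             "path": url_parts.path, "status": statuses.get(txn)})
    return findings
```
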
05-20-2014 10:50 AM
I have the same problem - with the same messages in the log.
Also: On Expressway C under Status - Unified Communications, I can see provisioned sessions.
On the bottom is a link to view them. I can see there multiple entries for my one (and only) external test user.
However, this user never was able to go online with his jabber client from outside. From inside - no problem.
Would appreciate any help - I'm stuck for days on this topic.
Dave
05-22-2014 07:04 AM
Hi David!
"Nice" to hear I'm not alone with this problem. Could you tell me if you've configured any internal DNS records as it's stated in the config guide?
Kind regards
05-22-2014 07:14 AM
yes, I have configured the SRV Records inside as described in the guide (_cuplogin and _cisco-uds)
I got it to work today.
Check if you can resolve your Expressway E hostname from public DNS. Jabber Client is requesting from outside _collab-edge._tls.domain.com (besides all others). Most likely you have that covered, pointing to an A record which then points to your Expressway E. But after Jabber client gets the answer, it then requests the hostname of Expressway E (which was different than public A record in my case).
I added that and it worked.
Alternatively, add Expressway E hostname with public IP in your hosts file.
regards, Dave
05-27-2014 06:49 AM
Thank you Dave, apart from some other DNS issues I had, you hit the nail on the head! All this domain stuff can be a real pain in the neck...
To troubleshoot these problems, I do recommend running Wireshark on your internal DNS server and checking which requests it receives. For instance, I've no idea why, I got requests for the SRV record _cisco-phone-tftp._tcp.example.com 0 0 69 cftp.example.com on my internal DNS! After I added it pointing to my CUCM, everything works like a charm.
Kind regards, kozooh
08-04-2015 04:57 AM
Hi all,
I'm having the same issue here, just wondering if you ever got to the bottom of it.
I have followed all the steps but I'm getting Status=400 error.
Thanks
08-04-2015 05:06 AM
Hi there,
Could you post some logs where the problem arises? (Please remember to anonymize any confidential data like public IP addresses and domain names.)
Kind regards
08-04-2015 06:15 AM
Hi, thanks for your reply.
Please see below the logs from my Expressway-E
08-04-2015 06:29 AM
Have you run Wireshark on a PC with the remote Jabber to check if all domain names and SRVs are correctly resolved?
Please also check that your DNS records are configured as stated here: https://supportforums.cisco.com/sites/default/files/attachments/discussion/jabber_mra_multi_domain_deployment.pdf It's tailored for multidomain deployments but you can easily adapt it to a single domain configuration as well.
08-04-2015 06:36 AM
Thanks for the document. Very helpful.
I have run Wireshark and DNS and SRV seem to be working fine.
Quick question: If I go into Jabber Advanced Settings, and manually enter the Cisco IM&P address (which is the address of my Expressway-E), should it work?
08-04-2015 07:53 AM
Unfortunately no, you need to log in using user@domain.com and Jabber will automatically find the Expressway-E address. In Jabber, as the account type choose "Cisco IM & Presence" and the "default server" option.
As for https:///EPASSoap/service/v80 HTTP/1.1, I recalled that a missing CUCM hostname will appear in this URL (between https:// and /) if you set Hostname in Cisco Unified OS Administration->Settings->IP->Ethernet. Also make sure that a domain name and DNS servers are set correctly in CUCM. I don't think it's the issue, but you could give it a try.
08-04-2015 07:53 AM
DNS has been configured on CUCM as well as a host name and domain name. Still shows up as https:///EPASSoap/service/v80 HTTP/1.1.
I'm trying to log in using jabber@domain.com, but still says "Cannot communicate with the server". And also getting the same error logs on Expe.
Looking at my Wireshark trace, I can see that I do have communication with the Expe.
08-04-2015 08:35 AM
Do requests reach Expressway-C? If so, there's a problem between Exp-C and CUCM. You can check if Expressway-C is able to resolve all SRVs (and A records as well). To do that, just go to Maintenance->Tools->Network utilities->DNS lookup, set query type to SRV and check if all internal SRVs are resolved correctly.
You can also turn on DNS debugging on Exp-C. In order to do that, go to Maintenance->Diagnostics->Advanced->Network Log configuration and set network.dns to debug. The Network Log will then show which DNS names Exp tries to resolve.
If status of MRA in Status->Unified Communications shows everything's all right then I'm pretty sure it's some DNS issue.
08-04-2015 08:35 AM
Does the communication between Exp-c and CUCM have to be with TLS? Is it mandatory? Just to rule out some options I would like to disable if I can.
I will try the guidelines you gave me.
Thanks again.
08-04-2015 08:45 AM
No, it's not necessary, Expressway-C will create a TCP zone automatically and that's ok. Are you deploying the single or multi domain deployment? If multi, then remember to add both internal and external domain on Expressway-C.