05-09-2014 04:14 AM - edited 03-13-2019 08:33 PM
Have deployed an Expressway-C on the internal network and an Expressway-E in the DMZ, followed the config guide here, have checked it through 4-5 times now and am satisfied everything is configured correctly.
CUCM version is 9.1(2)
IM + P version is 9.1(1)
Jabber for Windows is 9.7
Jabber for iPhone/Android is 9.6
All Jabbers connect fine inside the network, when on the outside they reach the Expressway-E ok but then get an error “Cannot locate server. Check your server address. If the problem persists, contact your system administrator. Send problem report”
When checking the problem report I see this output on all failed connections (iPhones and Androids):
05-08 16:22:08.863 32374 32374 I : INFO [0x40028ffc] [ts/adapters/imp/components/Login.cpp(90)] [imp.service] [OnLoginError] - ****************************************************************
05-08 16:22:08.863 32374 32374 I : INFO [0x40028ffc] [ts/adapters/imp/components/Login.cpp(91)] [imp.service] [OnLoginError] - OnLoginError: (data=0) LERR_JABBER_UNREACHABLE <14>:
05-08 16:22:08.863 32374 32374 I : INFO [0x40028ffc] [ts/adapters/imp/components/Login.cpp(92)] [imp.service] [OnLoginError] - ****************************************************************
I looked up LERR_JABBER_UNREACHABLE and found this blog about it being a bug for Jabber over VPN which is the opposite of Mobile Remote Access, however I still tried the workaround for the bug but it didn't help
http://blog.prorouting.com/2013/12/cisco-jabber-on-iphone-through-asa-vpn.html
Checking on the Expressway-C under Status > Unified Communications I do see an error about Inactive Jabber on the Expressway-E, so I am unsure if this is the cause. I could find no info on this error message in the setup guide or on Google.
(note – the 2 alarms bubble is just about how I haven’t changed the default passwords, no alarms relating to this Inactive Jabber)
Has anyone else seen this problem yet and knows how to resolve it?
05-11-2014 06:08 AM
Hi,
I'm assuming you have the DNS records set for the external server and have all the ports allowed, forwarded, NAT, etc. You should be running Jabber 9.6.1.
Check that any protocol fixup on the ASA is disabled for SIP, XMPP, etc. You can do a TCP dump on the Expressway-E and set level logging to 2 to see what is happening on that side.
What does your MRA Traversal zone look like?
I cannot see any attachments; could be my browser. Are there any?
05-12-2014 02:25 AM
Hello Heathrw,
Yes the internal DNS has 2 SRV records of _cisco-uds._tcp. and _cuplogin._tcp. as well as the 2 A records for both the C and the E's private IP
The external DNS has _collab-edge._tls. as well as A record for the E's public IP
I've had 3 different security engineers (ranging from CCNP to CCIE) confirm the ASA's configuration but I'll check on protocol fixup and try that logging you mentioned.
The MRA traversal zone looks just like the guide asks me to set it up
The picture of the error was in the body of my text but doesn't seem to have applied, I have uploaded it as an attachment now
thanks for the reply
05-12-2014 02:25 AM
Have removed the domain and username output in logs below, replacing with X or Y
Am seeing a failure to authenticate SASL as well as a features query error, possibly linked together.
Unsure what the SASL is trying to authenticate, whether it is the traversal zone or the user trying to log in or something else...
Soon after it I see some authentication messages between the C and E about the traversal zone however which result in being ok
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E XCP_CM[8931]: UTCTime="2014-05-12 08:46:56,164" ThreadID="139744777799424" Module="cm-1.XXX-vp-expressway-e-XXX-co-uk" Level="INFO " CodeLocation="SASLManager.cpp:198" Detail="Failed to query auth component for SASL mechanisms"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E XCP_CM[8931]: UTCTime="2014-05-12 08:46:56,164" ThreadID="139744660883200" Module="cm-1.XXX-vp-expressway-e-XXX-co-uk" Level="ERROR" CodeLocation="DomainFeaturesManager.cpp:152" Detail="DomainFeaturesManager::features query error for : XXX.co.uk"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,753" Module="network.sip" Level="INFO": Action="Received" Local-ip="172.X.X.X" Local-port="7001" Src-ip="10.Y.Y.Y" Src-port="25004" Detail="Receive Request Method=OPTIONS, CSeq=28081, Request-URI=sip:172.X.X.X:7001;transport=tls, Call-ID=f7e3af645ee998e9@10.Y.Y.Y, From-Tag=2f10dd3518cad68f, To-Tag=, Msg-Hash=14098966125509972495"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,753" Module="network.sip" Level="DEBUG": Action="Received" Local-ip="172.X.X.X" Local-port="7001" Src-ip="10.Y.Y.Y" Src-port="25004" Msg-Hash="14098966125509972495"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,754" Module="network.sip" Level="INFO": Action="Sent" Local-ip="172.X.X.X" Local-port="7001" Dst-ip="10.Y.Y.Y" Dst-port="25004" Detail="Sending Response Code=401, Method=OPTIONS, CSeq=28081, To=sip:172.X.X.X:7001, Call-ID=f7e3af645ee998e9@10.Y.Y.Y, From-Tag=2f10dd3518cad68f, To-Tag=819b36e2f3c222b7, Msg-Hash=17817441136054781472"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,754" Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="172.X.X.X" Local-port="7001" Dst-ip="10.Y.Y.Y" Dst-port="25004" Msg-Hash="17817441136054781472"
SIPMSG:
|SIP/2.0 401 Unauthorised
Via: SIP/2.0/TLS 10.Y.Y.Y:5061;branch=z9hG4bK7d87f780748bb749e65bef3e4c60d31d34379;received=10.Y.Y.Y;rport=25004
Call-ID: f7e3af645ee998e9@10.Y.Y.Y
CSeq: 28081 OPTIONS
From: <sip:10.Y.Y.Y>;tag=2f10dd3518cad68f
To: <sip:172.X.X.X:7001>;tag=819b36e2f3c222b7
Server: TANDBERG/4129 (X8.1.1)
WWW-Authenticate: Digest realm="Traversal Zone", nonce="48a20b8be6eed34f905363cef53ccaf63d596abe463f58ba6c54a08760e9", opaque="AQAAAG3g/LmPkasxRpJLo5MJWrE10cB4", stale=FALSE, algorithm=MD5, qop="auth"
Content-Length: 0
SIPMSG:
|OPTIONS sip:172.X.X.X:7001;transport=tls SIP/2.0
Via: SIP/2.0/TLS 10.Y.Y.Y:5061;branch=z9hG4bKedc5a9fb4c1bd6743e4a14dfdcece49a34380;rport
Call-ID: f7e3af645ee998e9@10.Y.Y.Y
CSeq: 28082 OPTIONS
From: <sip:10.Y.Y.Y>;tag=2f10dd3518cad68f
To: <sip:172.X.X.X:7001>
Max-Forwards: 0
User-Agent: TANDBERG/4129 (X8.1.1)
Authorization: Digest nonce="48a20b8be6eed34f905363cef53ccaf63d596abe463f58ba6c54a08760e9", realm="Traversal Zone", opaque="AQAAAG3g/LmPkasxRpJLo5MJWrE10cB4", algorithm=MD5, uri="sip:172.X.X.X:7001;transport=tls", username="expressway", response="780a1b48c345125fa7e6e8b0cb262991", qop=auth, cnonce="042b40a92c13d613cb9569cc2e69a6222e98f2c95b2c5a5fdebaa4926748", nc=00000001
Supported: com.tandberg.vcs.resourceusage
Content-Type: text/xml
Content-Length: 463
<?xml version="1.0" encoding="utf-8"?> <info><resourceusageinfo><traversalcallsavailable>300</traversalcallsavailable><nontraversalcallsavailable>1500</nontraversalcallsavailable><registrationsavailable>0</registrationsavailable><turnrelaysavailable>0</turnrelaysavailable></resourceusageinfo><timestamp>1399884416</timestamp><media><encryption><mode>on</mode></encryption></media><domains><domain>XXX.co.uk</domain></domains><edge><state>on</state></edge></info>|
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,756" Module="network.http" Level="DEBUG": Message="Request" Method="POST" URL="http://127.0.0.1:9998/credential/name/expressway" Ref="0x7fcdf60b70a0"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,760" Module="network.http" Level="DEBUG": Message="Response" Src-ip="127.0.0.1" Src-port="9998" Dst-ip="127.0.0.1" Dst-port="32930" Response="200 OK" ResponseTime="0.003693" Ref="0x7fcdf60b70a0"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,760" Module="network.ldap" Level="INFO": Detail="Authentication credential found in directory for identity: expressway"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,761" Module="network.sip" Level="INFO": Action="Sent" Local-ip="172.X.X.X" Local-port="7001" Dst-ip="10.Y.Y.Y" Dst-port="25004" Detail="Sending Response Code=200, Method=OPTIONS, CSeq=28082, To=sip:172.X.X.X:7001, Call-ID=f7e3af645ee998e9@10.Y.Y.Y, From-Tag=2f10dd3518cad68f, To-Tag=82153555b5b47f6b, Msg-Hash=8520717247879337074"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,761" Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="172.X.X.X" Local-port="7001" Dst-ip="10.Y.Y.Y" Dst-port="25004" Msg-Hash="8520717247879337074"
SIPMSG:
|SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.Y.Y.Y:5061;branch=z9hG4bKedc5a9fb4c1bd6743e4a14dfdcece49a34380;received=10.Y.Y.Y;rport=25004
Call-ID: f7e3af645ee998e9@10.Y.Y.Y
CSeq: 28082 OPTIONS
From: <sip:10.Y.Y.Y>;tag=2f10dd3518cad68f
To: <sip:172.X.X.X:7001>;tag=82153555b5b47f6b
Server: TANDBERG/4129 (X8.1.1)
Supported: com.tandberg.vcs.resourceusage,path,outbound,gruu
Content-Type: text/xml
Content-Length: 540
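To read the excerpt above more quickly, here is an added triage sketch (not from the thread or from Cisco) that separates the XCP_CM failures from the traversal-zone OPTIONS exchange. In SIP digest authentication a 401 challenge followed by a 200 on the same Call-ID is the normal handshake, so only unanswered challenges are reported. The sample lines are shortened copies of the ones quoted above, and the Call-ID `constructed-1` is invented.

```python
import re

# Constructed sample: shortened copies of the Expressway-E lines quoted in the
# post above, plus one invented 401 (Call-ID "constructed-1") with no follow-up.
SAMPLE_LOG = '''\
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E XCP_CM[8931]: UTCTime="2014-05-12 08:46:56,164" Level="INFO " CodeLocation="SASLManager.cpp:198" Detail="Failed to query auth component for SASL mechanisms"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E XCP_CM[8931]: UTCTime="2014-05-12 08:46:56,164" Level="ERROR" CodeLocation="DomainFeaturesManager.cpp:152" Detail="DomainFeaturesManager::features query error for : XXX.co.uk"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,754" Module="network.sip" Level="INFO": Action="Sent" Detail="Sending Response Code=401, Method=OPTIONS, CSeq=28081, Call-ID=f7e3af645ee998e9@10.Y.Y.Y"
2014-05-12T09:46:56+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:56,761" Module="network.sip" Level="INFO": Action="Sent" Detail="Sending Response Code=200, Method=OPTIONS, CSeq=28082, Call-ID=f7e3af645ee998e9@10.Y.Y.Y"
2014-05-12T09:46:57+01:00 XXX-VP-Expressway-E tvcs: UTCTime="2014-05-12 08:46:57,100" Module="network.sip" Level="INFO": Action="Sent" Detail="Sending Response Code=401, Method=OPTIONS, CSeq=1, Call-ID=constructed-1@10.Y.Y.Y"
'''

KV = re.compile(r'([\w-]+)="([^"]*)"')   # top-level key="value" fields
SUB = re.compile(r'([\w-]+)=([^,]*)')    # key=value pairs inside a SIP Detail


def triage(log_text):
    """Split XCP_CM failures from traversal-zone SIP digest handshakes."""
    xcp, pending, answered = [], [], []
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        detail = fields.get("Detail", "")
        if " XCP_CM[" in line:
            # Keep ERROR-level lines and INFO lines that report a failure.
            if fields.get("Level", "").strip() == "ERROR" or "Failed" in detail:
                xcp.append((fields.get("CodeLocation", "?"), detail))
        elif fields.get("Action") == "Sent" and detail.startswith("Sending Response"):
            sip = dict(SUB.findall(detail))
            call_id, code = sip.get("Call-ID"), sip.get("Code")
            if code == "401" and call_id not in pending:
                pending.append(call_id)      # digest challenge issued
            elif code == "200" and call_id in pending:
                pending.remove(call_id)      # same Call-ID retried with credentials
                answered.append(call_id)
    return {"xcp": xcp, "sip_ok": answered, "sip_unanswered": pending}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```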
05-12-2014 03:34 PM
How is your Expressway-E configured? Is it dual interface? Does your MRA Traversal zone point to the DNS name of the Expressway-E?
05-12-2014 03:39 PM
Hi Heathrw
It is single interface, see my last post. Thanks for your input, appreciate it
05-12-2014 03:53 PM
Good work. Glad it is all working.
02-17-2016 10:54 PM
Hello,
We have vcs-e connected with dmz interface of firewall & vcs-c in internal network.
1- From documentation "Expressway-E sits in the DMZ network and is NATed to a publically routable IP". We have only one public IP on the outside interface of the Cisco firewall & it's NATed (actually it's PATed) to multiple private IPs. In this scenario, what IP address should we use in the public DNS A record and in VCS-E under IPv4 static NAT address?
Public IP (of the firewall outside interface) or the private IP (NATed in the firewall)?
We have redundant CUCM, single Unity Connection and single IM&P and, for VCS, a single vcs-c and a single vcs-e.
Regards
02-17-2016 11:44 PM
Dear ilana_ilana.
You must use the public IP for the public DNS A record.
A private IP can't be used in an Internet environment.
Thanks!
02-18-2016 01:14 AM
Thanks vinh
Got it.
What about the IPv4 static NAT address option in vcs-e? Public or private NATed IP?
02-18-2016 01:16 AM
Public IP too.
You configure it on the External Interface.
02-20-2016 11:58 PM
Thank you so much for the help.
Regards
02-23-2016 03:39 AM
Hello,
I am a bit confused about configuring the SRV records, as our internal DNS and external DNS are different. I have configured the following; can someone verify please?
Internal DNS = abc.local
SIP Domain = abc.local
External Domain = abc.com
DNS Records for INTERNAL DNS
_cisco-uds._tcp.abc.local. SRV 10 10 8443 CUCMPUB.abc.local
_cuplogin._tcp.abc.local. SRV 10 10 8443 CUCMIMP.abc.local
CUCMPUB.abc.local. IN A 192.168.10.6
CUCMIMP.abc.local. IN A 192.168.10.9
DNS Records for PUBLIC DNS
_collab-edge._tls.abc.local. SRV 10 10 8443 EXPe1.abc.local
EXPe1.abc.local. IN A 87.23.50.47
Regards,
02-23-2016 04:32 AM
1 - According to your config, you're not advertising your abc.com anywhere internally or externally
2 - you should open your own support forum entry, it does not relate to the issue on this thread and makes the whole thing hard to read and follow
3 - or search the support forums for people with your exact requirement/issue. Here are two links for you
Someone with your issue
https://supportforums.cisco.com/discussion/12348931/expressway-configuration
Official Cisco doc with your issue
( "This document describes how to configure the Cisco TelePresence Video Communication Server (VCS) for Mobile Remote Access (MRA) when multiple domains are used.")
kind rgds
Andrew (TigrePojke)
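Point 1 of the reply above can be checked mechanically. The following added example (not from the thread or from Cisco) parses the records exactly as posted and reports where they fall short. It assumes remote clients look up `_collab-edge._tls` under the external domain `abc.com`; the service names per view come from the earlier posts in this thread.

```python
import ipaddress

# Records as posted in the question above (internal and public views).
INTERNAL = """\
_cisco-uds._tcp.abc.local. SRV 10 10 8443 CUCMPUB.abc.local
_cuplogin._tcp.abc.local. SRV 10 10 8443 CUCMIMP.abc.local
CUCMPUB.abc.local. IN A 192.168.10.6
CUCMIMP.abc.local. IN A 192.168.10.9
"""
PUBLIC = """\
_collab-edge._tls.abc.local. SRV 10 10 8443 EXPe1.abc.local
EXPe1.abc.local. IN A 87.23.50.47
"""
# SRV services each view is expected to carry, per the earlier posts.
REQUIRED = {"internal": ("_cisco-uds._tcp", "_cuplogin._tcp"),
            "public": ("_collab-edge._tls",)}


def norm(name):
    return name.rstrip(".").lower()


def parse(zone):
    """Return ({srv_owner: target}, {host: ip}) from simple zone-style lines."""
    srv, a = {}, {}
    for line in zone.splitlines():
        tok = [t for t in line.split() if t.upper() != "IN"]
        if len(tok) == 6 and tok[1].upper() == "SRV":
            srv[norm(tok[0])] = norm(tok[5])
        elif len(tok) == 3 and tok[1].upper() == "A":
            a[norm(tok[0])] = ipaddress.ip_address(tok[2])
    return srv, a


def check(view, zone, external_domain):
    srv, a = parse(zone)
    findings = []
    for svc in REQUIRED[view]:
        owners = [o for o in srv if o.startswith(svc + ".")]
        if not owners:
            findings.append(f"{view}: no {svc} SRV record")
        elif view == "public" and f"{svc}.{external_domain}" not in owners:
            findings.append(f"public: {svc} is not published under {external_domain}")
    for target in srv.values():
        if target not in a:
            findings.append(f"{view}: SRV target {target} has no A record")
        elif view == "public" and a[target].is_private:
            findings.append(f"public: {target} resolves to private address {a[target]}")
    return findings
```

Running `check("public", PUBLIC, "abc.com")` on the posted records returns the single finding that `_collab-edge._tls` is not published under `abc.com`.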
02-25-2016 01:25 AM
Thanks Andrew for the advice and links.
Apologies for asking the wrong question on this thread.
Will open another thread for the additional question.