12-21-2022 03:15 AM
Hello
There are main CMS and CMM servers in the local network. All internal WebRTC calls work correctly.
I'm trying to set up an Edge Server for external WebRTC. I configured Webbridge3 and Turn services on the Edge server and C2W on the main server. When I connect to the external URI and press "Join meeting", an error message "Unable to join call. Check your settings and try again" appears. CMM shows that the user is trying to connect for a long time.
There is a message 'instantiating user "guest3185211031"' in a log file on the main server. But there isn't any information about creating a conference for this user.
How can I resolve this issue?
12-21-2022 06:55 AM - edited 12-21-2022 06:58 AM
In the past, often when the error was "unable to join call", it was a problem that the client couldn't connect via turn.
Are all necessary ports open in the firewall? Between the internet and the webbridge and the turn component and also between those 2 components and the internal components?
What is your exact setup? Do you have a setup with 2 FWs like in the deployment guide:
Also be aware of the "specialities" when using TURN behind NAT. This is also mentioned in the split server deployment guide, Appendix G
https://www.cisco.com/c/dam/en/us/td/docs/conferencing/ciscoMeetingServer/Deployment_Guide/Version-3-6/Cisco-Meeting-Server-3-6-Single-Split-Server-Deployment.pdf
12-23-2022 12:34 AM
I deployed the circuit as in the picture, only I have a test bench. There are no port restrictions between servers right now.
Maybe I have made a settings mistake?
On the Edge server I configured the Turn service by MMP.
On the main server I configured the Turn service by API and linked it with Callbridge.
12-23-2022 01:51 AM
Could you post the output of the webbridge, callbridge and Turn component status? Just type "webbridge3", "callbridge", ...
Also, you can check via API, if the TURN server is reachable. I don't know that exact command / haven't got any CMS right now, but it must be somewhere in the "/api/v1/turnServers" tree.
Maybe also make a screenshot of the turnServers and webbridge API object in the Core CMS.
12-25-2022 02:10 AM - edited 12-25-2022 10:14 PM
Edge server settings
edge@\:>webbridge3
Enabled : true
HTTPS Interface whitelist : a:443
HTTPS Key file : cms36edge.key
HTTPS Full chain certificate file : hcms36edge.cer
HTTP redirect : Enabled, Port:80
C2W Interface whitelist : a:9999
C2W Key file : cms36edge.key
C2W Full chain certificate file : hcms36edge.cer
C2W Trust bundle : hcms36edge.cer
edge@\:>turn
Enabled : true
Username : <hashed>
Password : <hashed>
Realm : <hashed>
Public IP : 73.219.22.102
Relay address : 10.201.1.242
TLS port : 447
TLS cert : cms36edge.cer
TLS key : cms36edge.key
TLS bundle : CA2022.cer
Listen interface a
edge@\:>callbridge
No callbridge configuration
There aren't any turnServers or webbridge API objects on the Edge server. If I create a webbridge API object, there is an error message in Collaboration Solutions Analyzer.
CMS has several webbridges configured with the same URL(=) :
- Webbridge configured over API with id=2dc32c1a-0223-4987-bd82-b21c0d6b3822
- Webbridge configured over WebGUI
This configuration is not supported
API settings from the Core CMS
Webbridge id=1d37a431-7f6b-44be-9f49-eb37cc28f3ad
API uri
https://10.101.1.240:445/api/v1/webbridges/1d37a431-7f6b-44be-9f49-eb37cc28f3ad
webBridge id
1d37a431-7f6b-44be-9f49-eb37cc28f3ad
allowWeblinkAccess
idEntryMode
disabled
resolveCoSpaceCallIds
resolveLyncConferenceIds
showSignIn
url
c2w://cms3-6edge.dom.loc:9999
CallBridge id=272dc409-7d90-4752-827e-7658fdfbfbce
API uri
https://10.101.1.240:445/api/v1/callBridges/272dc409-7d90-4752-827e-7658fdfbfbce
callBridge id
272dc409-7d90-4752-827e-7658fdfbfbce
address
https://cms3-6.dom.loc
name
cms3-6
There is a screenshot of the turnServers API object in the attachment.
12-29-2022 02:39 AM
In the core server for the TURN API:
- You need to specify the "clientAddress" to be the public IP address. Otherwise, external clients don't know where to connect.
- Type should be set to "cms" according to the programming guide.
- In the API, you enabled "useShortTermCredentials", but have you enabled this also in the TURN server? Review the config steps in the guide again, section 4.7.1. If not, set the API parameter to "false".
https://www.cisco.com/c/dam/en/us/td/docs/conferencing/ciscoMeetingServer/Deployment_Guide/Version-3-6/Cisco-Meeting-Server-3-6-Single-Split-Server-Deployment.pdf
Also: in the TURN API, I think there should be something called "/api/v1/turnServers/<object-id>/status", to check, if the core server can successfully establish a connection to the turn server.
Do you see any errors, when you enter the command "syslog follow" via CLI in both CMS servers?
01-10-2023 12:52 AM
In the TURN API there is status success on the main CMS. But I see a message "INFO : error 401 from turn server 10.201.1.242:3478 " in the main CMS. On the edge CMS there is an error message "user.err cms-edge coturnserver: 87038: check_stun_auth: Cannot find credentials of user <admin> "
I have checked the password line many times. It is correct.
I tried to add the "clientAddress", disable "useShortTermCredentials", change type to "cms". The issue remains the same.
01-10-2023 01:23 AM
In your Core API, you specified the "admin" as the username/pwd combination. According to the guide, you cannot reuse existing users.
I would recommend the following:
In the TURN CLI:
turn short_term_credentials_mode enable
turn short_term_credentials <mysharedsecret> <my-domain.com>
In the Core API for the TURN server:
serverAddress: private IP of the TURN server
clientAddress: public IP of the TURN server / FW in front
Username and password: empty
useShortTermCredentials: True
sharedSecret: same as above (<mysharedsecret>)
type: cms
tcpPortNumberOverride: 447
callBridge: select the correct one
01-11-2023 01:49 AM
I had only the TURN CLI level in the Edge server and the TURN API in the Core server.
Now I created the TURN server in the Edge API with the same parameters as in the Core API. The error message is gone. I don't see any error line at the current time. But external calls are still not working.
01-11-2023 02:05 AM
Have you made the changes I recommended?
You don't need API commands in the edge server. There is no callbridge running...
The API command connects the callbridge to the TURN server. And as the callbridge should only be running on the core server, there is nothing to do via API on the edge.
01-12-2023 07:15 AM
I have made the recommended changes. The issue remains the same.
01-12-2023 10:13 AM
I have made the recommended changes. The issue remains the same
01-19-2023 01:36 AM - edited 01-19-2023 01:37 AM
Thank you very much for the help!
The case is solved. The settings for the time zone did not apply on the Edge server.
The problem is that the Core server time is different from the Edge server time. And when I validate the JWT received from the Edge server, it might be that the token will be valid in 1 or n seconds.
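The failure mode named in the accepted solution, as an added example that is not part of the original thread and not Cisco code: a token stamped by an issuer whose clock runs ahead is rejected as "not yet valid" by a validator whose clock is behind. The HS256 signing, the claim names, the secret and the timestamps are constructed assumptions for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed sample key, not a CMS value

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header: str, claims: str) -> bytes:
    return hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()

def issue(now: int, lifetime: int = 60) -> str:
    """Issuer side: iat/nbf/exp are stamped from the issuer's own clock."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": "guest", "iat": now, "nbf": now,
                              "exp": now + lifetime}).encode())
    return f"{header}.{claims}.{_b64(_sign(header, claims))}"

def validate(token: str, now: int, leeway: int = 0) -> str:
    """Validator side: signature first, then time claims against ITS clock."""
    try:
        header, claims, sig = token.split(".")
        # Verification is always HMAC-SHA256 here; the header's alg is not trusted.
        if not hmac.compare_digest(_sign(header, claims), _unb64(sig)):
            return "bad signature"
        body = json.loads(_unb64(claims))
        nbf, exp = int(body["nbf"]), int(body["exp"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if now + leeway < nbf:
        return f"not yet valid (validator clock is {nbf - now}s behind issuer)"
    if now - leeway >= exp:
        return "expired"
    return "ok"

if __name__ == "__main__":
    EDGE_CLOCK = 1_674_120_005   # constructed: issuer runs 5 s ahead
    CORE_CLOCK = 1_674_120_000   # constructed: validator's view of "now"
    token = issue(EDGE_CLOCK)
    print("strict      :", validate(token, CORE_CLOCK))
    print("10 s leeway :", validate(token, CORE_CLOCK, leeway=10))
    print("clocks equal:", validate(token, EDGE_CLOCK))
```

A small leeway only masks a few seconds of drift; the durable fix is the one reported above, getting both servers onto the same correct time.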