CMS 3.6 Edge server

axiceleet
Level 1

Hello

There are main CMS and CMM servers in the local network. All internal WebRTC calls work correctly.

I'm trying to set up an Edge Server for external WebRTC. I configured Webbridge3 and TURN services on the Edge server and C2W on the main server. When I connect to the external URI and press "Join meeting", an error message "Unable to join call. Check your settings and try again" appears. CMM shows that the user is trying to connect for a long time.

There is a message "instantiating user "guest3185211031"" in a log file on the main server. But there isn't any information about creating a conference for this user.

How can I resolve this issue?

 


b.winter
VIP

In the past, often when the error was "unable to join call", it was a problem that the client couldn't connect via TURN.
Are all necessary ports open in the firewall? Between the internet and the webbridge and the TURN component and also between those 2 components and the internal components?
What is your exact setup? Do you have a setup with 2 FWs like in the deployment guide: 

Unbenannt.PNG

Also be aware of the "specialities" when using TURN behind NAT. This is also mentioned in the split server deployment guide, Appendix G
https://www.cisco.com/c/dam/en/us/td/docs/conferencing/ciscoMeetingServer/Deployment_Guide/Version-3-6/Cisco-Meeting-Server-3-6-Single-Split-Server-Deployment.pdf

axiceleet
Level 1

I deployed the circuit as in the picture, only I have a test bench. There are no port restrictions between servers right now.
Maybe I have made a settings mistake?
On the Edge server I configured the TURN service by MMP.
On the main server I configured the TURN service by API and linked it with Callbridge.

Could you post the output of the webbridge, callbridge and Turn component status? Just type "webbridge3", "callbridge", ...
Also, you can check via API, if the TURN server is reachable. I don't know that exact command / haven't got any CMS right now, but it must be somewhere in the "/api/v1/turnServers" tree.

Maybe also make a screenshot of the turnServers and webbridge API object in the Core CMS.

axiceleet
Level 1

Edge server settings

edge@\:>webbridge3
Enabled : true
HTTPS Interface whitelist : a:443
HTTPS Key file : cms36edge.key
HTTPS Full chain certificate file : hcms36edge.cer
HTTP redirect : Enabled, Port:80
C2W Interface whitelist : a:9999
C2W Key file : cms36edge.key
C2W Full chain certificate file : hcms36edge.cer
C2W Trust bundle : hcms36edge.cer

edge@\:>turn
Enabled : true
Username : <hashed>
Password : <hashed>
Realm : <hashed>
Public IP : 73.219.22.102
Relay address : 10.201.1.242
TLS port : 447
TLS cert : cms36edge.cer
TLS key : cms36edge.key
TLS bundle : CA2022.cer
Listen interface a

edge@\:>callbridge
No callbridge configuration

There aren't any turnServers or webbridge API objects on the Edge server. If I create a webbridge API object, there is an error message in Collaboration Solutions Analyzer.

CMS has several webbridges configured with the same URL(=) :

- Webbridge configured over API with id=2dc32c1a-0223-4987-bd82-b21c0d6b3822
- Webbridge configured over WebGUI
This configuration is not supported

API settings from the Core CMS

Webbridge id=1d37a431-7f6b-44be-9f49-eb37cc28f3ad
API uri
https://10.101.1.240:445/api/v1/webbridges/1d37a431-7f6b-44be-9f49-eb37cc28f3ad
webBridge id
1d37a431-7f6b-44be-9f49-eb37cc28f3ad
allowWeblinkAccess
idEntryMode
disabled
resolveCoSpaceCallIds
resolveLyncConferenceIds
showSignIn
url
c2w://cms3-6edge.dom.loc:9999

CallBridge id=272dc409-7d90-4752-827e-7658fdfbfbce
API uri
https://10.101.1.240:445/api/v1/callBridges/272dc409-7d90-4752-827e-7658fdfbfbce
callBridge id
272dc409-7d90-4752-827e-7658fdfbfbce
address
https://cms3-6.dom.loc
name
cms3-6

There is a screenshot of the turnServers API object in the attachment.

In the core server for the TURN API:
- You need to specify the "clientAddress" to be the public IP address. Otherwise, external clients don't know where to connect.
- Type should be set to "cms" according to the programming guide.
- In the API, you enabled "useShortTermCredentials", but have you enabled this also in the TURN server? Review the config steps in the guide again, section 4.7.1. If not, set the API parameter to "false".
https://www.cisco.com/c/dam/en/us/td/docs/conferencing/ciscoMeetingServer/Deployment_Guide/Version-3-6/Cisco-Meeting-Server-3-6-Single-Split-Server-Deployment.pdf

Also: in the TURN API, I think there should be something called "/api/v1/turnServers/<object-id>/status", to check, if the core server can successfully establish a connection to the turn server.

Do you see any errors, when you enter the command "syslog follow" via CLI in both CMS servers?

axiceleet
Level 1

 

In the TURN API there is status success on the main CMS. But I see a message "INFO : error 401 from turn server 10.201.1.242:3478 " in the main CMS. On the edge CMS there is an error message "user.err cms-edge coturnserver: 87038: check_stun_auth: Cannot find credentials of user <admin> ".

I have checked the password line many times. It is correct.

I tried to add the "clientAddress", disable "useShortTermCredentials", change type to "cms". The issue remains the same.

b.winter
VIP

In your Core API, you specified the "admin" as the username/pwd combination. According to the guide, you cannot reuse existing users.

Unbenannt.PNG

I would recommend the following:
In the TURN CLI:
turn short_term_credentials_mode enable
turn short_term_credentials <mysharedsecret> <my-domain.com>

in the Core API for the TURN server:
serverAddress: private IP of the TURN server
clientAddress: public IP of the TURN server / FW in front
Username and password: empty
useShortTermCredentials: True
sharedSecret: same as above (<mysharedsecret>)
type: cms
tcpPortNumberOverride: 447
callBridge: select the correct one

axiceleet
Level 1

I had only the TURN CLI level in the Edge server and the TURN API in the Core server.

Now I created the TURN server in the Edge API with the same parameters as in the Core API. The error message is gone. I don't see any error line in current time. But external calls are still not working.

 

Have you made the changes I recommended?

You don't need API commands in the edge server. There is no callbridge running...
The API command connects the callbridge to the TURN server. And as the callbridge should only be running on the core server, there is nothing to do via API on the edge.

I have made recommended changes. The issue remains the same

axiceleet
Level 1

I have made the recommended changes. The issue remains the same

axiceleet
Level 1

Thank you very much for help!

The case is solved. The settings for the time zone did not apply on the Edge server.
The problem is that the Core server time is different from the Edge server time. And when I validate the received JWT from the Edge server, it might be that the token will be valid in 1 or n seconds.
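
An added example, not part of the original thread and not Cisco Meeting Server code: a minimal HS256 JWT issuer and verifier showing how a clock difference between the issuing host (the Edge role) and the validating host (the Core role) turns a correctly signed token into "not yet valid" or "expired". The secret, timestamps, token lifetime and the `leeway` parameter are constructed for illustration; how CMS builds and checks its own tokens is not shown on this page.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue(secret, subject, issuer_clock, ttl=60):
    """Issuer (the Edge role here): stamps nbf/exp from its OWN clock."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "nbf": issuer_clock, "exp": issuer_clock + ttl}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_sign(secret, header + '.' + body))}"

def validate(token, secret, verifier_clock, leeway=0):
    """Verifier (the Core role here): returns (verdict, seconds nbf is ahead)."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        return "unexpected alg", None
    if not hmac.compare_digest(_sign(secret, header + "." + body), _unb64(sig)):
        return "bad signature", None
    claims = json.loads(_unb64(body))
    ahead = claims["nbf"] - verifier_clock
    if ahead > leeway:
        return "not yet valid", ahead      # issuer clock runs ahead of ours
    if verifier_clock > claims["exp"] + leeway:
        return "expired", ahead            # issuer clock runs behind ours
    return "ok", ahead

SECRET = b"constructed-demo-secret"        # constructed value
CORE_NOW = 1_700_000_000                   # constructed verifier time (epoch s)

def demo():
    fast = issue(SECRET, "guest", CORE_NOW + 90)     # issuer 90 s ahead
    slow = issue(SECRET, "guest", CORE_NOW - 3600)   # issuer one hour behind
    synced = issue(SECRET, "guest", CORE_NOW)        # both on the same time source
    return {
        "fast": validate(fast, SECRET, CORE_NOW),
        "fast_leeway": validate(fast, SECRET, CORE_NOW, leeway=120),
        "slow": validate(slow, SECRET, CORE_NOW),
        "synced": validate(synced, SECRET, CORE_NOW),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

A small leeway absorbs a few seconds of drift but lengthens the window in which a token is accepted; an offset like the one-hour "slow" case is only fixed by correcting time synchronisation on both servers.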