12-19-2017 08:32 AM - edited 03-18-2019 01:42 PM
Hi,
We have an Expressway C/E pair configured with MRA.
When a Jabber endpoint connects successfully, we have sound and presence.
But sometimes the ASA firewall near the endpoint shows packets dropped from Exp-E upper TCP ports to the endpoint's upper TCP port, and the endpoint cannot register to CUCM. (Most of the time the presence is working well.)
Obviously these ports are NOT open at the firewall (note this is not the Expressway side, it is the client side).
I assume opening these ports is a SIP ALG/fixup task. But what if we use TLS between the Jabber endpoint and Expressway-E? The SIP header and the rest are encrypted, and firewalls cannot open ports for the traffic to come in.
Is there any solution? As far as I know, TLS encryption is a must between the Jabber endpoint and Expressway-E, and cannot be switched off.
12-20-2017 03:24 PM
You are actually supposed to turn SIP/H323 inspection off for all Expressway connections. Instead, configure the "IPv4 static NAT address" on the Expressway-E (which you may have already done) and open all required ports - see this guide for a full list: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-10/Cisco-Expressway-IP-Port-Usage-for-Firewall-Traversal-Deployment-Guide-X8-10.pdf
SIP inspection built into ASAs and the like will often work some of the time but fail at other times, which is why Cisco tell you to turn it off, just open the required ports, and make the Expressway explicitly aware of its NAT'd public IP.
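As an added illustration of the advice above (not from the thread or from Cisco's guide), this is what the change looks like on an ASA: the default global policy has the SIP and H.323 inspection engines enabled, and the corrected policy removes them so the firewall stops trying to follow signalling it cannot read inside the TLS session on 5061. The policy-map and class names are the ASA defaults and are assumed here.

```cisco
! Before: ASA factory default, SIP/H.323 engines active in the global policy
policy-map global_policy
 class inspection_default
  inspect sip
  inspect h323 h225
  inspect h323 ras

! After: remove the engines for Expressway traffic; with TLS on 5061 the
! ASA cannot see the SDP, so any "pinhole" it opens is a guess
policy-map global_policy
 class inspection_default
  no inspect sip
  no inspect h323 h225
  no inspect h323 ras

! Verify the engines are gone from the running configuration
show running-config policy-map
```

With the engines removed, nothing opens ports dynamically any more, so every port from the Expressway port-usage guide has to be permitted explicitly in the access lists.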
12-20-2017 10:22 PM
Hi,
The NAT is switched on at the external interface of the Edge. The sound is good between two NAT-ed ends, so I assume it is configured correctly.
Rather than a configuration mistake, it seems to be a bug.
I investigated a bit and found that the drop occurred after I closed the TLS session (logout).
When the TLS session to port 5061 (SIP signaling over TLS) is closed, Expressway-E tries to reach the endpoint on an upper-range port (and obviously the ASA drops the packet).
So we assume this is
12-20-2017 10:38 PM
12-20-2017 10:44 PM
Checked and read all the guides :), btw this is the endpoint-side firewall drop,
so it is (most of the time) out of our control. It can be a mobile ISP firewall, an SMB firewall, and so on.
12-20-2017 10:46 PM
Btw, we assume the problem is cluster related. Do you have any suggestions?
https://supportforums.cisco.com/t5/telepresence/expressway-c-amp-e-clustering-issue/td-p/3299859