03-15-2023 05:19 AM
Hello
A fresh install of an Expressway cluster (C+E). The cluster is good, but the MRA zone is down.
All the servers in the cluster can ping each other.
A secure traversal test was successful.
I went into the logs and an error appears:
EXP-E:
inbound TLS negotiation Error - service=sip - Could not download the latest CRL or get OCSP Response.
EXP-C:
check VCSE certificate.
Any ideas?
03-15-2023 06:33 AM
Under Configuration --> Protocols --> SIP, can you set the parameter "Certificate revocation checking mode" to "off" and check again?
03-15-2023 05:24 AM - edited 03-15-2023 05:27 AM
TLS negotiation is probably (in most cases) a problem with your certificates.
Are the CA-certs of the Exp-E certificate in the trust store in Exp-C?
Are the CA-certs of the Exp-C certificate in the trust store in Exp-E?
Is the FQDN in the zone setting in Exp-C included in the certificate of Exp-E?
Do you have 1 certificate for all the nodes in the cluster, or a certificate for each individual node?
03-15-2023 05:33 AM
Thank you for your reply.
Yes, I have uploaded the server certificate CA-Certs to both.
In fact, in this scenario, the same CA has signed the C + E certs.
It was Cisco's advice because a WAF is involved.
And as for the question:
Is the FQDN in the zone setting in Exp-C included in the certificate of Exp-E?
Yes, it is the Expressway-E FQDN (hostname + domain name).
03-15-2023 07:33 AM
Thanks,
I changed it to OFF.
Now traversal is Active,
but it only ensures that the problem is with the certificate.
I'm just not sure what the problem is.
Probably related to the error: Could not download the latest CRL or get OCSP Response.
03-15-2023 08:07 AM - edited 03-15-2023 09:26 AM
"but it only ensures that the problem is with the certificate." --> Yes and no.
Your certificates are correct, but the servers check the certificates against the CRL servers (Certificate Revocation List) to see whether the issuing CA has revoked the certificate or not (maybe use Google to understand that process better).
In your case, probably the Expressways cannot reach the CRL server (cannot resolve the hostname, or have no internet connection to it, ...) and therefore cannot check whether the certificates are still valid or not, and therefore they don't trust each other.
If your issue is resolved, I would appreciate an "accepted solution".
03-16-2023 02:03 AM
Thanks again.
All EXP servers are reachable from each other.
Does the CA that signs the certificates need to be reachable? Because that is what is shown under the CRL Distribution Points in the certificate.
03-16-2023 02:37 AM
Whether the EXPs can reach each other has nothing to do with the CRL.
The server that is checking the certificate has to reach the URL in the CRL distribution points.
But again: look up the info on the internet on how this works. This is nothing Cisco or Expressway specific.
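A diagnostic for the check described in the two replies above (the checking server must itself be able to fetch the URLs in the certificate's CRL Distribution Points / OCSP fields). This is an added example, not code from the thread or from Cisco; it assumes openssl (1.1.1+) and curl are on PATH and is run from a host on the same network segment as the Expressway, as a stand-in for the Expressway's own reachability.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): list the CRL Distribution Point and
# OCSP responder URLs embedded in a certificate and test whether each one
# answers over HTTP. Assumes openssl (1.1.1+) and curl are installed.

# Print one URL per line: CRL distribution points and OCSP responders.
# "CA Issuers" URIs from the AIA extension are filtered out because they are
# not used for revocation checking.
revocation_urls() {
  openssl x509 -in "$1" -noout -text \
    | grep 'URI:' \
    | grep -v 'CA Issuers' \
    | sed 's/^.*URI://'
}

# HTTP GET a URL with a short timeout. Prints the HTTP status code on
# success; on failure prints curl's error class so the cause (DNS, TCP
# connect, timeout) is visible. Returns curl's exit status.
probe_url() {
  rc=0
  code=$(curl -sS -o /dev/null --max-time 5 -w '%{http_code}' "$1" 2>/dev/null) || rc=$?
  case $rc in
    0)  echo "$1 -> HTTP $code" ;;
    6)  echo "$1 -> DNS resolution failed" ;;
    7)  echo "$1 -> TCP connection refused or unreachable" ;;
    28) echo "$1 -> timeout (filtered or no route)" ;;
    *)  echo "$1 -> curl error $rc" ;;
  esac
  return $rc
}

# Walk every revocation URL in the certificate and report reachability.
# Non-zero exit means at least one URL could not be fetched, which is the
# condition behind "Could not download the latest CRL or get OCSP Response".
diagnose_cert() {
  status=0
  for url in $(revocation_urls "$1"); do
    probe_url "$url" || status=1
  done
  return $status
}

# Usage: sh crl_check.sh /path/to/expressway-e.pem
if [ -n "${1:-}" ]; then
  diagnose_cert "$1"
fi
```

Run it against the certificate of the peer that fails the TLS negotiation (the Expressway-E certificate when the error is logged on Expressway-C, and vice versa); a DNS or timeout result on the CRL or OCSP URL matches the log message in the original post.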
03-16-2023 05:52 AM
Great, so the revocation check is not necessary for my deployment; I'll keep it off.
Thank you for your help.
03-15-2023 05:59 AM
I have a certificate for all the nodes in the EXP_C cluster
and a certificate for all the nodes in the EXP_E cluster.