
Jabber from external (via VCS-E) can Login but can't make a call to Jabber in internal.

Hi all,

I need to get external calling working through the VCS Expressway (Jabber call-in and Jabber call-out); however, I am experiencing some issues. I have these below:

-         Jabber :

          call from jabber internal to jabber internal  = OK (audio, video, and presentation works fine)

          call from jabber internal to jabber external = NOK (Tx=OK but Rx=NOK) <-- call diagnostic from jabber internal and jabber external

          call from jabber external to jabber internal = NOK (Tx=OK but Rx=NOK) <-- call diagnostic from jabber internal and jabber external

-         below screen capture "registration details" on my user (jabber login from external on my VCS-E)

Capture1.PNG

-       And below screen capture "registration details" on my user (jabber login from internal on my VCS-C)

Capture2.PNG

-       And below Logs from VCS-E when jabber client external try to call jabber client internal :

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2013-09-30T15:48:46+07:00tvcs: Event="Search Completed" Service="SIP" Src-alias-type="SIP" Src-alias="vindo.movi@kayreach.com" Dst-alias-type="SIP" Dst-alias="sip:nafi.movi@kayreach.com" Call-serial-number="1c9055b0-29ad-11e3-8533-0010f32d0754" Tag="1c90575e-29ad-11e3-bb3c-0010f32d0754" Detail="found:true, searchtype:INVITE" Call-routed="YES" Level="1" UTCTime="2013-09-30 08:48:46,952"
2013-09-30T15:48:46+07:00tvcs: Event="Call Connected" Service="SIP" Src-ip="39.219.172.82" Src-port="49454" Src-alias-type="SIP" Src-alias="sip:vindo.movi@kayreach.com" Dst-alias-type="SIP" Dst-alias="sip:nafi.movi@kayreach.com" Call-serial-number="1c9055b0-29ad-11e3-8533-0010f32d0754" Tag="1c90575e-29ad-11e3-bb3c-0010f32d0754" Protocol="TLS" Call-routed="YES" Level="1" UTCTime="2013-09-30 08:48:46,945"
2013-09-30T15:48:43+07:00licensemanager: Level="INFO" Detail="License granted" call_id="1c90568c-29ad-11e3-bd1e-0010f32d0754" lic_type="traversal" UTCTime="2013-09-30 08:48:43,674"
2013-09-30T15:48:43+07:00tvcs: Event="Call Attempted" Service="SIP" Src-ip="39.219.172.82" Src-port="49454" Src-alias-type="SIP" Src-alias="sip:vindo.movi@kayreach.com" Dst-alias-type="SIP" Dst-alias="sip:nafi.movi@kayreach.com" Call-serial-number="1c9055b0-29ad-11e3-8533-0010f32d0754" Tag="1c90575e-29ad-11e3-bb3c-0010f32d0754" Protocol="TLS" Auth="YES" Level="1" UTCTime="2013-09-30 08:48:43,657"
2013-09-30T15:48:43+07:00tvcs: Event="Search Attempted" Service="SIP" Src-alias-type="SIP" Src-alias="vindo.movi@kayreach.com" Dst-alias-type="SIP" Dst-alias="sip:nafi.movi@kayreach.com" Call-serial-number="1c9055b0-29ad-11e3-8533-0010f32d0754" Tag="1c90575e-29ad-11e3-bb3c-0010f32d0754" Detail="searchtype:INVITE" Level="1" UTCTime="2013-09-30 08:48:43,657"
2013-09-30T15:48:43+07:00licensemanager: Level="INFO" Detail="License freed" call_id="d5173514-29ac-11e3-8c38-0010f32d0754" lic_type="traversal" UTCTime="2013-09-30 08:48:43,305"

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-       Below Screen capture "Call Diagnostic" from client jabber internal :

Capture3.PNG

-          There is no firewall in my topology.

-          I use static NAT 1:1 to my VCS-E (VCS-E use single NIC).

Please advise, so client jabber internal and jabber external can connect to each other (audio, video, and presentation).

Thanks,

Ovindo

9 Replies

Jens Didriksen
Level 9

"I use static NAT 1:1 to my VCS-E (VCS-E use single NIC)."

...and there's your problem.

If you want to use NAT, then you must have the dual NIC option installed for this to work, as this does more than just activate the second NIC. This issue has been discussed in a large number of threads already.

Another option would be to give your VCS-E a public IP address and put it in DMZ, but NAT'ing is out of the question without that dual NIC option key installed.

/jens

Please rate replies and mark question(s) as "answered" if applicable.


Hi Jens,

Thanks for the advice,

but what if I just have a single NIC in my VCS-E?

Ovindo

You cannot use NAT with a single NIC, as I said, another option would be to give your VCS-E a public IP address and put it in the DMZ, or in the public if you haven't got, or can't have a DMZ.

Just to prevent any misunderstandings: you do not need to have, or use, a second NIC to do NAT'ing, but you do need to have the "dual NIC option key" installed, even if you only have, or are only using, a single NIC.

/jens

Please rate replies and mark question(s) as "answered" if applicable.


Hi Ovindo,

I guess you have asked the same question in a previous post answered by Martin who has provided you the same answer as Jens:

https://supportforums.cisco.com/thread/2242132?tstart=0

Just to give one more confirmation, you do need the "dual nic option key" in VCS if you are using a 1:1 NAT topology. It doesn't mean you are going to use two interfaces, but this license enables the NAT feature in VCS; that means you will be able to configure a NAT field under IP settings on VCS. That is required, otherwise VCS won't recognize the external IP address placed into SIP/H323 headers.

The main reason for that is that your NAT device only translates the IP address in the network layer, but in the SIP/H323 headers the external IP address won't be translated, therefore it will remain there when the communication is sent to VCS, so you need to let VCS know what the external IP address is, otherwise the communication won't work. Furthermore, when VCS starts or answers communication towards the internet, VCS needs to place the external IP address into the SIP/H323 headers as well, because the NAT device does NAT only in the network layer, not in the application layer. So you need to statically inform VCS to put the external NAT address in the SIP/H323 headers.

Well, there are many firewalls able to do NAT also in the application layer; that means the firewall will inspect H323/SIP messages to try to translate the address inside the application layer as well. This feature is also known as ALG (Advanced Layer Gateway). However, I strongly do not recommend you use the firewall inspection feature, because this may cause so many issues. The best and recommended option is to leave the NAT job to VCS Expressway, by enabling this option key that Jens and Martin are talking about. And this is a Cisco recommendation as well.

I hope this clarifies.

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".
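The layer-3-only translation described in the reply above can be seen by comparing the addresses a SIP message advertises with the source address the far end actually observes. This is an added example, not part of the thread and not Cisco code; the INVITE, the addresses 10.0.0.5 and 203.0.113.10, and all function names are constructed for illustration, and `advertise_external` is only a simplified model of an endpoint that has been told its static NAT address.

```python
import ipaddress
import re

# Constructed INVITE from a host whose real address is 10.0.0.5 and whose
# 1:1 static NAT address is 203.0.113.10 (both chosen for illustration).
SDP = ("v=0\r\no=- 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\n"
       "t=0 0\r\nm=audio 50000 RTP/AVP 0\r\nm=video 50002 RTP/AVP 96\r\n")
INVITE = ("INVITE sip:callee@example.com SIP/2.0\r\n"
          "Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK-constructed\r\n"
          "Contact: <sip:caller@10.0.0.5:5061;transport=tls>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)

# Lines whose address the far end uses to send signalling or media back.
PATTERNS = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)", re.M | re.I),
    "Contact": re.compile(r"^Contact:.*?@([\d.]+)", re.M | re.I),
    "SDP o=": re.compile(r"^o=.* IN IP4 ([\d.]+)", re.M),
    "SDP c=": re.compile(r"^c=IN IP4 ([\d.]+)", re.M),
}

def embedded_addresses(msg):
    """Return (field, address) pairs advertised inside the SIP message."""
    return [(name, m.group(1)) for name, rx in PATTERNS.items()
            for m in rx.finditer(msg)]

def nat_mismatches(msg, observed_src):
    """Fields advertising a non-public address that differs from the packet's
    source IP as seen after the router's layer-3 translation."""
    return [(f, a) for f, a in embedded_addresses(msg)
            if a != observed_src and ipaddress.ip_address(a).is_private]

def advertise_external(msg, internal, external):
    """Simplified model of an endpoint configured with its static NAT address:
    it advertises the external address and recomputes Content-Length."""
    head, _, body = msg.partition("\r\n\r\n")
    pat = re.compile(rf"(?<![\d.]){re.escape(internal)}(?![\d.])")
    head, body = pat.sub(external, head), pat.sub(external, body)
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(body)}", head)
    return head + "\r\n\r\n" + body

if __name__ == "__main__":
    # The router rewrote only the IP header, so the far end sees 203.0.113.10.
    for field, addr in nat_mismatches(INVITE, "203.0.113.10"):
        print(f"{field}: advertises {addr}, unreachable from outside the NAT")
    fixed = advertise_external(INVITE, "10.0.0.5", "203.0.113.10")
    print("mismatches after advertising the NAT address:",
          nat_mismatches(fixed, "203.0.113.10"))
```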


Hi Alok,


There is no firewall in my deployment,
Flow topology below :

                      --> MCU
Router --> switch --> vcs-e(single NIC - NAT 1:1)
                      --> vcs-c
                      --> TMS

Thanks,
Ovindo



Sent from Cisco Technical Support Android App

Zac Colton
Cisco Employee

Is the traversal client on the VCS Control pointing to the external address that is being NATed to the Expressway? Have you run a diag log on the Control and Expressway to see where it is failing? If the Expressway has a search rule pointing to a DNS zone, is it excluding your SIP domain?

Sent from Cisco Technical Support iPhone App

Hi Zachary,

I've tried pointing the VCS-C traversal client to the external address that is being NATed to the Expressway (203.128.x.x), but the H323 and SIP status changes to "Failed"; if I use the internal address of VCS-E, the H323 and SIP status changes to "Active".

Below screen capture :

"Have you ran a diag log on the control and expressway to see where it is failing?"

Where can I run the diag log on the VCS?

Below is the Expressway's search rule that points to the DNS zone:

Thanks,

Ovindo

And there lies one of your issues. If you are running the Expressway with a single NIC with NAT, all TelePresence signalling and media need to be directed at the NAT address. Depending upon your network design, this may not be possible. The firewall/router that is handling the NAT must allow for "hairpin" communication. It's possible that your network device does not allow the communication to come in and out the same interface. The exact details are impossible to say, as this would need to be handled by your network team. The recommended (and most efficient) design would be to use both LAN interfaces on the Expressway. LAN1 would be your internal interface, either in your internal LAN or an inner DMZ. The second interface would reside in an outer DMZ with the NAT. The basic design and explanation is in the guide: http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.pdf

Please take a close look at appendix 4 starting on page 56.

- Zac Colton

The other thing I would like to add is that I see that you have the Provisioning key on your Expressway. Are you providing Provisioning at the Expressway? It is normal to see this turned on only at the VCS Control.

- Zac
