09-30-2013 02:15 AM - edited 03-18-2019 01:53 AM
Hi all,
I need to get external calling working through the VCS expressway (jabber call-in and jabber call-out) however I am experiencing some issues. I have these below :
- Jabber :
call from jabber internal to jabber internal = OK (audio, video, and presentation works fine)
call from jabber internal to jabber external = NOK (Tx=OK but Rx=NOK) <-- call diagnostic from jabber internal and jabber external
call from jabber external to jabber internal = NOK (Tx=OK but Rx=NOK) <-- call diagnostic from jabber internal and jabber external
- below screen capture "registration details" on my user (jabber login from external on my VCS-E)
- And below screen capture "registration details" on my user (jabber login from internal on my VCS-C)
- And below Logs from VCS-E when jabber client external try to call jabber client internal :
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2013-09-30T15:48:46+07:00 | tvcs: Event="Search Completed" Service="SIP" Src-alias-type="SIP" Src-alias="vindo.movi@kayreach.com" Dst-alias-type="SIP" Dst-alias="sip:nafi.movi@kayreach.com" Call-serial-number="1c9055b0-29ad-11e3-8533-0010f32d0754" Tag="1c90575e-29ad-11e3-bb3c-0010f32d0754" Detail="found:true, searchtype:INVITE" Call-routed="YES" Level="1" UTCTime="2013-09-30 08:48:46,952" |
2013-09-30T15:48:46+07:00 | tvcs: Event="Call Connected" Service="SIP" Src-ip="39.219.172.82" Src-port="49454" Src-alias-type="SIP" Src-alias="sip:vindo.movi@kayreach.com" Dst-alias-type="SIP" Dst-alias="sip:nafi.movi@kayreach.com" Call-serial-number="1c9055b0-29ad-11e3-8533-0010f32d0754" Tag="1c90575e-29ad-11e3-bb3c-0010f32d0754" Protocol="TLS" Call-routed="YES" Level="1" UTCTime="2013-09-30 08:48:46,945" |
2013-09-30T15:48:43+07:00 | licensemanager: Level="INFO" Detail="License granted" call_id="1c90568c-29ad-11e3-bd1e-0010f32d0754" lic_type="traversal" UTCTime="2013-09-30 08:48:43,674" |
2013-09-30T15:48:43+07:00 | tvcs: Event="Call Attempted" Service="SIP" Src-ip="39.219.172.82" Src-port="49454" Src-alias-type="SIP" Src-alias="sip:vindo.movi@kayreach.com" Dst-alias-type="SIP" Dst-alias="sip:nafi.movi@kayreach.com" Call-serial-number="1c9055b0-29ad-11e3-8533-0010f32d0754" Tag="1c90575e-29ad-11e3-bb3c-0010f32d0754" Protocol="TLS" Auth="YES" Level="1" UTCTime="2013-09-30 08:48:43,657" |
2013-09-30T15:48:43+07:00 | tvcs: Event="Search Attempted" Service="SIP" Src-alias-type="SIP" Src-alias="vindo.movi@kayreach.com" Dst-alias-type="SIP" Dst-alias="sip:nafi.movi@kayreach.com" Call-serial-number="1c9055b0-29ad-11e3-8533-0010f32d0754" Tag="1c90575e-29ad-11e3-bb3c-0010f32d0754" Detail="searchtype:INVITE" Level="1" UTCTime="2013-09-30 08:48:43,657" |
2013-09-30T15:48:43+07:00 | licensemanager: Level="INFO" Detail="License freed" call_id="d5173514-29ac-11e3-8c38-0010f32d0754" lic_type="traversal" UTCTime="2013-09-30 08:48:43,305" |
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- Below Screen capture "Call Diagnostic" from client jabber internal :
- There is no firewall in my topology.
- I use static NAT 1:1 to my VCS-E (VCS-E use single NIC).
# Please advise, so client jabber internal and jabber external can connect each other (audio, video, and presentation)..
Thanks,
Ovindo
09-30-2013 03:26 AM
I use static NAT 1:1 to my VCS-E (VCS-E use single NIC).
...and there's your problem.
If you want to use NAT, then you must have the dual NIC option installed for this to work as this does more than just activate the second NIC. This issue has been discussed in a large number of threads already.
Another option would be to give your VCS-E a public IP address and put it in DMZ, but NAT'ing is out of the question without that dual NIC option key installed.
/jens
Please rate replies and mark question(s) as "answered" if applicable.
09-30-2013 03:32 AM
Hi Jens,
Thanks for the advice,
but how if I just have single NIC in my VCS-E?
Ovindo
09-30-2013 03:35 AM
You cannot use NAT with a single NIC, as I said, another option would be to give your VCS-E a public IP address and put it in the DMZ, or in the public if you haven't got, or can't have a DMZ.
Just to prevent any misunderstandings; you do not need to have, or use a second NIC to do NAT'ng, but you do need to have the "dual NIC option key" installed, even if you only have, or are only using a single NIC.
/jens
Please rate replies and mark question(s) as "answered" if applicable.
09-30-2013 06:24 AM
Hi Ovindo,
I guess you have asked the same question in a previous post answered by Martin who has provided you the same answer as Jens:
https://supportforums.cisco.com/thread/2242132?tstart=0
Just to give one more confirmation, you do need "dual nic option key" in VCS if you are using a 1:1 NAT topology. It doesn't mean you are going to use two interfaces, but this license enables NAT feature in VCS, that means, you will be able to configure a NAT field under IP settings on VCS, that is required, otherwise VCS won't recognize the external IP address placed into SIP/H323 headers.
The main reason for that is, your NAT device only translates the IP address in the network layer, but in the SIP/H323 headers, the external IP address won't be translated, therefore it will remain there when the communication is sent to VCS, so you need to let VCS know what is the external IP address, otherwise the communication won't work. Furthermore, when VCS starts or answers communication towards internet, VCS needs to place the external IP address into the SIP/H323 headers as well, because the NAT device does NAT only in the network layer, not in the application layer. So you need to statically inform VCS to put the external NAT address in the SIP/H323 headers.
Well, there are many firewalls able to do NAT also in the application layer, that means, the firewall will inspect H323/SIP messages to try to translate the address inside the application layer as well, this feature is also known as ALG (Advanced Layer Gateway). However, I strongly do not recommend you to use firewall inspection feature, because this may cause so many issues. The best and recommended option is to leave the NAT job to VCS Expressway, by enabling this option key that Jens and Martin are talking about. And this is a Cisco recommendation as well.
I hope this clarifies.
Paulo Souza
Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".
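The header problem described in the reply above can be checked on a captured message. The following is an added example, not part of any poster's reply and not Cisco code; the SIP message, the addresses and the function names are constructed for illustration. It lists the signalling and SDP lines that still advertise an RFC 1918 address after a network-layer-only NAT, then models the substitution of the external address into the payload.

```python
import ipaddress
import re

# Constructed sample: an INVITE as it might leave a host behind 1:1 NAT.
# 10.10.1.5 (internal) and 203.0.113.10 (documentation range) are illustrative.
SAMPLE_INVITE = """\
INVITE sip:user@example.com SIP/2.0
Via: SIP/2.0/TLS 10.10.1.5:5061;branch=z9hG4bKconstructed1
Contact: <sip:caller@10.10.1.5:5061;transport=tls>
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 10.10.1.5
c=IN IP4 10.10.1.5
m=audio 50000 RTP/AVP 0
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Lines that tell the far end where to send signalling or media.
ADDRESS_BEARING = ("via:", "contact:", "o=", "c=")

def nat_leaks(message):
    """Return (line, ip) pairs where an address-bearing line carries an RFC 1918 address."""
    leaks = []
    for line in message.splitlines():
        if not line.lower().startswith(ADDRESS_BEARING):
            continue
        for text in IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # four dotted numbers that are not a valid address
            if any(ip in net for net in RFC1918):
                leaks.append((line, text))
    return leaks

def rewrite(message, internal_ip, public_ip):
    """Model the application-layer rewrite: replace the internal address in the payload."""
    pattern = r"(?<![\d.])" + re.escape(internal_ip) + r"(?![\d.])"
    return re.sub(pattern, public_ip, message)

if __name__ == "__main__":
    for line, ip in nat_leaks(SAMPLE_INVITE):
        print(f"private address {ip} still advertised in: {line}")
```

A private address in the `c=` line is the one that matters for media: the far end sends RTP to an address it cannot reach, which matches the Tx=OK / Rx=NOK symptom in the first post.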
10-01-2013 07:32 AM
Hi Alok,
There is no firewall in my deployment,
Flow topology below :
                  --> MCU
Router --> switch --> vcs-e (single NIC - NAT 1:1)
                  --> vcs-c
                  --> TMS
Thanks,
Ovindo
Sent from Cisco Technical Support Android App
10-01-2013 09:16 AM
Is the traversal client on the VCS control pointing to the external address that is being NATed to the expressway? Have you run a diag log on the control and expressway to see where it is failing? If the expressway has a search rule pointing to a DNS zone, is it excluding your sip domain?
Sent from Cisco Technical Support iPhone App
10-01-2013 07:47 PM
Hi Zachary,
I've tried pointing the VCS-C traversal client to the external address that is being NATed to the expressway (203.128.x.x), but the H323 and SIP status changes to "Failed"; if I use the internal address of the VCS-E, the H323 and SIP status changes to "Active".
Below screen capture :
"Have you run a diag log on the control and expressway to see where it is failing?"
Where can I run the diag log on the VCS?
Below is the expressway's search rule that points to the DNS zone :
Thanks,
Ovindo
10-02-2013 05:57 AM
And there lies one of your issues. If you are running the Expressway with a single NIC with NAT, all TelePresence signalling and media need to be directed at the NAT address. Depending upon your network design, this may not be possible. The firewall/router that is handling the NAT must allow for "hairpin" communication. It's possible that your network device does not allow the communication to come in and out the same interface. The exact details are impossible to say, as this would need to be handled by your network team. The recommended (and most efficient) design would be to use both LAN interfaces on the Expressway. LAN1 would be your internal interface, either in your internal LAN or an inner DMZ. The second interface would reside in an outer DMZ with the NAT. The basic design and explanation is in the guide: http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Control_with_Expressway_Deployment_Guide_X7-2.pdf
Please take a close look at appendix 4 starting on page 56.
- Zac Colton
10-02-2013 06:14 AM
The other thing I would like to add is that I see that you have the Provisioning key on your Expressway. Are you providing Provisioning at the Expressway, as it is normal to see this turned on only at the VCS Control.
- Zac