Jabber & VCS Control issue - Inbound TLS Negotiation Error

jonwoloshyn
Level 4

I'm just setting up Jabber and VCS Control. When I try to log in to Jabber I get the message "Unable to connect to server".

In the event log on the VCS I see the following:

tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="192.168.111.124" Src-port="49206" Dst-ip="10.80.14.111" Dst-port-"5061" Detail="Timeout"

When I connect to the VCS-Expressway everything works great so it doesn't appear to be a provisioning issue.

Any help would be great

Jon


Alok Jaiswal
Cisco Employee

Hi Jon,

This clearly indicates that your Jabber is trying to connect to the VCS on TLS port 5061 and it is failing. Either the TLS setting may be OFF on the VCS, or there is some device in between which is interfering with the Jabber and VCS handshake process.

Is there any firewall in between Jabber and VCS Control, like a Cisco ASA or something? Normally I have seen this issue on VCS Expressway when outside Jabber clients try to register with the Expressway and the firewall blocks the handshake process on the TLS port.

Thanks

Alok

Alok,

TLS is turned on. I was connecting from a remote site with a site-to-site IPSec VPN between an ISR router at the remote site and an ASA at the main site.

When I try on the local LAN it works.

When I try with the Cisco VPN client on the workstation to the ASA it fails as well.

So it looks to be something on the ASA.

Any idea what I should be looking for?

Thanks

Jon

Look for an ACL on your tunnel that doesn't allow 5061.


Hi Jon,

So from what you say I can deduce that we have narrowed this problem down to the firewall. Now I want to know something more.

If you have a Cisco ASA, then I believe there is some class map configured which is matching the traffic for Expressway in that class on port 5061, i.e. TLS?

Can you tell me if you have some phone proxy feature or something else on the firewall?

Thanks

Alok

Alok,

You nailed it. I had phone proxy set up about a year ago for some testing. Removed the config and Jabber is working perfectly now.

Thanks for the insight.

Do you know if this is a one or the other type thing or is there a way to run phone proxy where it won't interfere with SIP TLS for Jabber?

Jon

Hi Jon,

Thanks for rating the post. I am glad that my experience was some help to you :)

I have faced this issue a couple of times and I was able to fix it by changing the class map configuration for phone proxy.

If you run the below command on your firewall, just check if you see errors related to TLS port 5061.

show log | inc

Traffic to the VCS Control is encrypted SIP on port 5061, and will be processed by this ASA's phone-proxy feature. To prevent this from occurring, the configuration needs to be changed from this:

-----------------------------------
class-map UCproxySIP
  match port tcp eq 5061
-----------------------------------

to this:

-----------------------------------
access-list SIP_Phone_proxy extended deny ip any host
access-list SIP_Phone_proxy extended permit tcp any any eq 5061
!
class-map UCproxySIP
  match access-list SIP_Phone_proxy
!
-----------------------------------

This will exclude traffic going to the expressway, and should allow both features to work at the same time.

So the full commands to enter are:

-----------------------------------
access-list SIP_Phone_proxy extended deny ip any host
access-list SIP_Phone_proxy extended permit tcp any any eq 5061
class-map UCproxySIP
  no match port tcp eq 5061
  match access-list SIP_Phone_proxy
-----------------------------------

Please note that this should be done during a maintenance window.

Thanks

Alok
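A small Python model of the ACL change described in the reply above, added here as an illustration and not part of the original thread or of any Cisco code. It assumes the usual ASA behaviour for `match access-list` in a class map (entries are evaluated top-down, first match wins, a permit entry places the flow in the class and a deny entry exempts it); the address 192.0.2.10 is a constructed placeholder for the host address that the thread leaves out, and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder: the thread elides the real host address.
EXCLUDED_HOST = "192.0.2.10"

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol, "tcp" only TCP
    dst: str                        # "any" or a single host address
    dst_port: Optional[int] = None  # None means any port

    def matches(self, proto, dst_ip, dst_port):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst != "any" and \
                ipaddress.ip_address(self.dst) != ipaddress.ip_address(dst_ip):
            return False
        return self.dst_port is None or self.dst_port == dst_port

# Before: "match port tcp eq 5061" behaves like one permit for every TCP/5061 flow.
BEFORE = [Ace("permit", "tcp", "any", 5061)]
# After: the two SIP_Phone_proxy entries, in the order given in the thread.
AFTER = [Ace("deny", "ip", EXCLUDED_HOST),
         Ace("permit", "tcp", "any", 5061)]

def in_class(acl, proto, dst_ip, dst_port):
    """First matching entry decides; no match is an implicit deny (not in class)."""
    for ace in acl:
        if ace.matches(proto, dst_ip, dst_port):
            return ace.action == "permit"
    return False

FLOWS = {  # constructed sample flows: (protocol, destination, destination port)
    "jabber_to_excluded_host": ("tcp", EXCLUDED_HOST, 5061),
    "phone_to_other_server": ("tcp", "192.0.2.20", 5061),
    "web_to_excluded_host": ("tcp", EXCLUDED_HOST, 443),
}

def report(flows):
    """Map each flow name to (in class before the change, in class after it)."""
    return {n: (in_class(BEFORE, *f), in_class(AFTER, *f)) for n, f in flows.items()}

if __name__ == "__main__":
    for name, (before, after) in report(FLOWS).items():
        print(f"{name:26} phone-proxy class: before={before} after={after}")
```

Entry order matters in this model: with the two entries reversed, the permit for TCP 5061 matches first and the excluded host is handed to the phone-proxy class again.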

Michael Boscia
Level 4

So if you are outside it works, but if you are inside it does not?


I have the same issue that Jon is seeing.

It seems that TLS has been disabled or was never enabled when the VCS was installed.

I cannot seem to find anywhere in the VCS documentation where or how to get TLS enabled.

But the other question is why is the Jabber for iPad not trying a TCP or UDP connection if TLS fails. The Jabber for Telepresence (MOVI) client does not have this problem.