
TLS connection from ciscojabbervideo to VCS Expressway fails Bad Certificate

Paul Woelfel
Level 4

Hi all,

I just did a fresh installation of a telepresence infrastructure. At first I kept the default certificate on the VCS Expressway. I tried to call in to some endpoint from the Cisco Jabber Cloud (ciscojabbervideo.com) and had no success. I didn't see a search on VCS Expressway and found in the tcpdump that the connection is reset by the Cisco Jabber cloud VCS:

[Image: Screen Shot 2013-09-30 at 14.06.52.png]

If I try to call that VCS Expressway from our infrastructure, which does not have certificate checking enabled on the DNS Zone, everything works fine. So I thought it has to be related to the default certificate on the VCS Expressway and installed an official wildcard certificate.

I can check the certificate and its path with openssl and get an OK:

    Verify return code: 0 (ok)

I enabled the certificate checking on VCS and it connects fine.

If I try again from the Cisco Jabber cloud, I still get the Bad Certificate error.

Any ideas?


Regards,
Paul

Paulo Souza
VIP Alumni

Hey Paul,

I am very curious about your issue. I have an environment here with VCS Expressway 7.2.2 with default security configuration (no certificate at all). I can call from Cisco Jabber free in to our endpoints normally, and with encryption (TLS + SRTP).

Do you have any firewall in the path from VCSe towards the internet? Can you give further information on your topology? If you try to disable TLS in your VCSe just for a test, does it work? Are you able to at least see the call coming in to your VCSE using UDP or TCP?

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


Hi Paulo,

Outgoing calls to Cisco Jabber Free work fine, only incoming calls have an issue.

I tried your suggestion and disabled SIP TLS on the Expressway, but somehow the connection is also terminated with a FIN.

About the deployment:

VCS-C in the internal network, VCS-E with one Leg (NIC 2) in the same network, VCS-E leg two (NIC1) NATed behind a firewall.


Regards,
Paul


Hey Paul,

I think it may be something related to your firewall, as you cannot even establish a layer 4 connection, not sure. Can you check your firewall logs and configuration? Are you able to receive calls from other external systems? What about H323 calls, do they work?

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


Hi Paulo,

I can call the new system from our internal system via SIP and H323, even if I enable certificate checking on our VCS Expressway. That's the reason why I'm not sure if this is really related to the firewall.

I'll also get tcpdumps from outside of the firewall, so I can really confirm that the firewall is not blocking anything.


Regards,
Paul


Hey Paul,

But what about receiving external calls from other external systems other than Jabber Free, are you able to? Did you try to receive calls using H323?

Also, when I said something related to the firewall, I was talking about some strange behavior, not about blocking communication indeed. As I can successfully receive calls from Jabber Free in my environment, it is hard to say that it is some problem related to VCS itself. Did you get the same behavior before enabling the certificate on VCS?

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


Hi Paulo,

The new installation I was referring to is a customer installation. We have got our own internal Telepresence system.

The issue only exists at our customer system. I have always been able to call into the customer system with SIP and H323.
From the Cisco free Jabber client, calling in did not work; even after installing an official certificate or disabling SIP TLS, calls from the Cisco Jabber Video Cloud did not work. Calls to the free Jabber Video do work though.


Regards, Paul

Hey Paul, it is really a strange behavior. I am looking at your screen capture, and I see the error "TCP Checksum incorrect"; that's why you receive a FIN message and the TCP connection is not established.

I have no idea what is causing this issue. I would probably try to put the firewall out of the game, just to make sure that it is not related to any strange firewall behavior or configuration. I would also check the whole path of the network to see if there is any layer 3 or 4 device that could cause the problem. Just hints, I am not sure.

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


Hi Paulo,

TCP Checksum incorrect is not an issue; this is caused by TCP checksum offloading. In older days the CPU had to calculate UDP and TCP checksums, but nowadays the NIC card calculates these.


Regards,
Paul
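
The checksum-offload point in the post above, as an added example that is not part of the original thread: it recomputes a TCP checksum over the IPv4 pseudo-header and shows why the same "incorrect" flag means different things depending on where the capture was taken. The addresses, ports, placeholder checksum and function names are constructed for illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header + segment with the checksum field zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ~ones_complement_sum(pseudo + zeroed) & 0xFFFF

def build_segment(sport, dport, seq, flags, checksum, payload=b""):
    """Minimal 20-byte TCP header (no options) followed by the payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                       0xFFFF, checksum, 0) + payload

def classify(src_ip, dst_ip, segment, captured_on_sender):
    """Label a captured segment by checksum state and capture vantage point."""
    stored = struct.unpack("!H", segment[16:18])[0]
    if stored == tcp_checksum(src_ip, dst_ip, segment):
        return "valid"
    # With TX offload the capture sees the packet before the NIC fills the field,
    # so a mismatch on the sender's own outgoing traffic is usually harmless.
    return "likely-offload-artifact" if captured_on_sender else "corrupt-on-wire"

# Constructed sample: a SYN between documentation addresses (RFC 5737).
SRC, DST = "192.0.2.10", "198.51.100.20"
AS_CAPTURED = build_segment(49152, 5061, 1, 0x02, 0x1A2B)  # placeholder checksum
ON_WIRE = build_segment(49152, 5061, 1, 0x02, tcp_checksum(SRC, DST, AS_CAPTURED))

if __name__ == "__main__":
    print(classify(SRC, DST, AS_CAPTURED, captured_on_sender=True))
    print(classify(SRC, DST, AS_CAPTURED, captured_on_sender=False))
    print(classify(SRC, DST, ON_WIRE, captured_on_sender=False))
```

A capture taken on the far side of the sending NIC, such as the outside-the-firewall capture mentioned earlier in the thread, is where a checksum mismatch would indicate real corruption.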


You are right. I was reading something on Google on this matter, and it is really not an issue.

Well, as you are saying that you don't even receive a call invite from Jabber Free because the connection is closed, I don't have anything in mind to suggest to you. I have never seen this issue before; it is really a strange behavior.

One more thing, did you get the same problem before enabling the certificate on VCS?

Paulo Souza
Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

