08-23-2017 06:44 AM - edited 03-18-2019 01:25 PM
Dear ,
I have an MRA solution:
1-Exp-C 8.10
2-EXP-E 8.10 (one port configured with NATed IP)
3-WatchGuard (configured with reflection NAT)
UC traversal zone is active between EXP-C and EXP-E, and CUCM and IMP have been added to EXP-C.
We have one internal domain and another external one, and both domains have been configured on EXP-C.
When we try to log in from outside, this error appears:
2017-08-23T13:26:57.133+00:00 | traffic_server[21538]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="105.46.141.101" Dst-port="53919" UTCTime="2017-08-23 13:26:57,133" |
2017-08-23T13:26:57.133+00:00 | traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="doubleclick.co.tz" Src-ip="105.46.141.101" Src-port="53919" UTCTime="2017-08-23 13:26:57,132" |
2017-08-23T13:26:56.862+00:00 | traffic_server[21538]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="105.46.141.101" Dst-port="53919" UTCTime="2017-08-23 13:26:56,862" |
2017-08-23T13:26:56.862+00:00 | traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="doubleclick.co.tz" Src-ip="105.46.141.101" Src-port="53919" UTCTime="2017-08-23 13:26:56,861" |
08-24-2017 05:12 AM
08-25-2017 05:35 AM
Hi
When I check with this tool, this message appears:
traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="doubleclick.co.tz" Src-ip="154.129.231.163" Src-port="35261" UTCTime="2017-08-25 12:28:36,447" |
08-25-2017 07:16 AM - edited 08-25-2017 07:23 AM
Hi,
My suggestion: you can access the Expressway via CLI and start a tcpdump -i eth(x) port (specify MRA ports), and validate whether the port is working fine.
You can use ssh -p [port number] userlogin@ip_address to force the port and validate whether the firewall is blocking.
Share the MRA configuration from Exp-C and Exp-E; you can hide the names and passwords before sharing with us.
Best regards,
Daniel
08-29-2017 04:54 PM
Have you enabled the domain "doubleclick.co.tz" for MRA? The last time I worked on a similar issue, with another person having the same issue, he had a typo in the domain name.
But without logs it's very difficult to tell you what is happening.
regards,
Alok
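Added example, not part of any post in this thread and not Cisco tooling: a small Python check for the domain-typo case raised above. It parses the `key="value"` event lines, counts `get_edge_sso` denials with Reason "MRA not supported" per Domain, and compares each denied domain with the list configured on Exp-C. The log lines are copied from the first post; the `CONFIGURED` list, with its misspelling, is constructed for illustration, as are all function names.

```python
import re
from collections import Counter
from difflib import get_close_matches

# Matches fields such as Event="get_edge_sso" or Src-ip="105.46.141.101".
PAIR = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')

# Log lines from the first post of the thread.
SAMPLE = [
    '2017-08-23T13:26:57.133+00:00 | traffic_server[21538]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="105.46.141.101" Dst-port="53919" UTCTime="2017-08-23 13:26:57,133" |',
    '2017-08-23T13:26:57.133+00:00 | traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="doubleclick.co.tz" Src-ip="105.46.141.101" Src-port="53919" UTCTime="2017-08-23 13:26:57,132" |',
    '2017-08-23T13:26:56.862+00:00 | traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="doubleclick.co.tz" Src-ip="105.46.141.101" Src-port="53919" UTCTime="2017-08-23 13:26:56,861" |',
]

# Constructed: domains as an operator might have typed them on Exp-C.
CONFIGURED = ["doublclick.co.tz", "corp.example"]

def parse_event(line):
    """Return the key="value" fields of one event log line as a dict."""
    return dict(PAIR.findall(line))

def denied_domains(lines):
    """Count get_edge_sso denials with Reason "MRA not supported" per Domain."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("Event") == "get_edge_sso" and ev.get("Reason") == "MRA not supported":
            hits[ev.get("Domain", "").lower()] += 1
    return hits

def classify(lines, configured):
    """Map each denied domain to (count, verdict) against the configured list."""
    configured = [d.lower() for d in configured]
    report = {}
    for domain, count in denied_domains(lines).items():
        if domain in configured:
            verdict = "configured"  # name matches; check the domain's MRA settings
        else:
            near = get_close_matches(domain, configured, n=1, cutoff=0.8)
            verdict = f"possible typo of {near[0]}" if near else "not configured"
        report[domain] = (count, verdict)
    return report

if __name__ == "__main__":
    for domain, (count, verdict) in classify(SAMPLE, CONFIGURED).items():
        print(f"{domain}: {count} denial(s), {verdict}")
```
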
12-06-2017 11:43 PM - edited 12-06-2017 11:51 PM
CUCM/CUPIMP 10.5.2
EXP-C/EXP-E X8.10
I am facing the same issue too. Based on my analysis, the Expressway has a big change in X8.10.x: "MRA Access Control with Authentication path".
By default, when you select MRA, it will enable "UCM/LDAP basic authentication". But unfortunately, you can see the Exp-C logs show Exp-C requesting SSO info from CUCM.
===================
2017-12-07T14:10:18.007+08:00 edgeconfigprovisioning: Level="WARN" Event="Edge OAuth/SSO" Service="OAuth/SSO" Detail="Forbidden at authorization server" Dst-ip="127.0.0.1" Dst-port="34472" Local-ip="127.0.0.1" Local-port="22111" Code="403" Server="192.168.50.9" Username="sunny.zhang" UTCTime="2017-12-07 06:10:18,007"
2017-12-07T14:10:17.813+08:00 edgeconfigprovisioning: Level="INFO" Detail="Sending authorize_proxy request" Server="192.168.50.9" POST="https://ccmhq.example.com:8443/ssosp/token/authorize_proxy" UTCTime="2017-12-07 06:10:17,813"
2017-12-07T14:10:17.813+08:00 edgeconfigprovisioning: Level="INFO" Event="Edge SSO" Service="OAuth/SSO" Detail="Received local_authentication for Edge OAuth access" Local-ip="127.0.0.1" Local-port="22111" Src-ip="127.0.0.1" Src-port="34472" Username="sunny.zhang" UTCTime="2017-12-07 06:10:17,813"
===================
I am trying to disable it, but a new login request did not send it again.
===================
2017-12-07T15:19:35.813+08:00 traffic_server[14393]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="1.1.1.146" Dst-port="8512" UTCTime="2017-12-07 07:19:35,813"
2017-12-07T15:19:35.812+08:00 traffic_server[14393]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="example.com" Src-ip="1.1.1.146" Src-port="8512" UTCTime="2017-12-07 07:19:35,812"
2017-12-07T15:19:35.806+08:00 traffic_server[14393]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="1.1.1.146" Dst-port="8512" UTCTime="2017-12-07 07:19:35,806"
2017-12-07T15:19:35.806+08:00 traffic_server[14393]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="example.com" Src-ip="1.1.1.146" Src-port="8512" UTCTime="2017-12-07 07:19:35,806"
===================
Need to research it deeply.
I will try to downgrade to X8.9.2 test again.
Sunny
12-09-2017 06:33 AM
Dear Sunny, have you downgraded? If yes, was the issue resolved? I am asking as we are tackling a similar issue.
TIA
12-19-2017 08:24 AM
08-29-2017 12:45 PM
12-06-2017 06:49 AM
I am getting the same error, did you ever find a solution for this?
12-06-2017 06:57 AM
Restart Exp-E, after 10m restart Exp-C, then after Exp-C comes up deactivate the UC zone between Exp-C and CUCM and reactivate it again, then test.
Before the above steps, make sure all configurations are correct.
03-29-2018 04:09 AM
traffic_server[17937]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported
Getting the same error, did you find the issue?
07-31-2018 08:12 AM
09-04-2018 05:27 PM
this one worked for me, many thanks jcl1
12-12-2018 12:32 PM
Thank you jcl, this worked for me too.