Unified Communications SSH Tunnel failure

Josef Hutter
Level 1

Hi,

I have the following problem and maybe someone could help me.

My Unified Communications traversal zone is still up, but I did get this error message:

Alarm 35013: Unified Communications SSH tunnel failure
This system cannot communicate with one or more remote hosts
Raised / Warning
Action: Review the Event Log and check that the Zone between the Expressway-C and the Expressway-E is active
First raised 2015-03-06 18:35:54, last raised 2015-03-06 18:35:54

Alarm 35014: Unified Communications SSH tunnel notification failure
This system cannot communicate with one or more remote hosts
Raised / Warning
Action: Ensure that your firewall allows traffic from the Expressway-C ephemeral ports to 2222 TCP on the Expressway-E
First raised 2015-03-06 18:35:55, last raised 2015-03-06 18:35:55

Didn't find a solution right now. Customer told me firewall port 2222 is open.

Thanks for your help

Josef

8 Replies

Martin Koch
VIP Alumni

Is it not able to establish the connection at all or does it drop it after some time?

You could try to do a tcpdump to see if the -E is really receiving what the -C is sending.

Rule number 1: only trust what you checked yourself, and better re-check that as well :-)

Besides the port itself it can also be some TCP timeout or some other magic by the firewall.

Firewall info doc:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Cisco-Expressway-IP-Port-Usage-for-Firewall-Traversal-Deployment-Guide-X8-5.pdf

Please remember to rate helpful responses and identify

Hi Martin,

The connection is established, but I get the error that one SSH tunnel is broken with the reason "Permission denied". :-(

The customer told me that port 2222 is open on his firewall.

Error message: Ensure that your firewall allows traffic from the Expressway-C ephemeral ports to 2222 TCP on the Expressway-E

Thanks for your info

Br Josef

Hello Josef!

I could picture that the zone might show up even if this part of the tunnel fails.

You could ssh into the box as root and do a tcpdump to see if what's sent is received.

The command would look like this:

tcpdump -nl -s0 -i any port 2222

If you run it at the same time on both boxes you should see the same. If you see a lot of SYN packets on the Expressway-C, you have some proof that there is some communication issue.

Customers believe a lot of things, also that ports are open. Better check and verify it.

If it's OK you should see something like this; these are bidirectional packets:


01:18:24.364118 IP 192.168.5.6.40096 > 192.168.2.1.2222: Flags [P.], seq 1292729699:1292729811, ack 3008678290, win 1384, options [nop,nop,TS val 577228689 ecr 576350739], length 112
01:18:24.364156 IP 192.168.2.1.2222 > 192.168.5.6.40096: Flags [.], ack 112, win 1392, options [nop,nop,TS val 576380725 ecr 577228689], length 0
01:18:24.364203 IP 192.168.2.1.2222 > 192.168.5.6.40096: Flags [P.], seq 1:81, ack 112, win 1392, options [nop,nop,TS val 576380725 ecr 577228689], length 80
01:18:24.438240 IP 192.168.5.6.40096 > 192.168.2.1.2222: Flags [.], ack 81, win 1384, options [nop,nop,TS val 577228764 ecr 576380725], length 0
01:18:30.071667 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [S], seq 2215504417, win 29200, options [mss 1380,sackOK,TS val 577234397 ecr 0,nop,wscale 7], length 0
01:18:30.071723 IP 192.168.2.1.2222 > 192.168.5.6.41834: Flags [S.], seq 169555520, ack 2215504418, win 28960, options [mss 1460,sackOK,TS val 576386433 ecr 577234397,nop,wscale 7], length 0
01:18:30.105959 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [.], ack 1, win 229, options [nop,nop,TS val 577234431 ecr 576386433], length 0
01:18:30.106205 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [P.], seq 1:27, ack 1, win 229, options [nop,nop,TS val 577234431 ecr 576386433], length 26
01:18:30.106220 IP 192.168.2.1.2222 > 192.168.5.6.41834: Flags [.], ack 27, win 227, options [nop,nop,TS val 576386467 ecr 577234431], length 0
01:18:30.117569 IP 192.168.2.1.2222 > 192.168.5.6.41834: Flags [P.], seq 1:27, ack 27, win 227, options [nop,nop,TS val 576386478 ecr 577234431], length 26
01:18:30.151886 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [.], ack 27, win 229, options [nop,nop,TS val 577234477 ecr 576386478], length 0
01:18:30.151913 IP 192.168.2.1.2222 > 192.168.5.6.41834: Flags [P.], seq 27:323, ack 27, win 227, options [nop,nop,TS val 576386513 ecr 577234477], length

If it's not OK: nothing on the Expressway-E and something like this on the Expressway-C, just sending SYN packets but no response:


 

01:21:31.236284 IP 192.168.5.6.41911 > 192.168.2.1.2222: Flags [S], seq 49033653, win 29200, options [mss 1380,sackOK,TS val 577415562 ecr 0,nop,wscale 7], length 0
01:21:33.242267 IP 192.168.5.6.41911 > 192.168.2.1.2222: Flags [S], seq 49033653, win 29200, options [mss 1380,sackOK,TS val 577417568 ecr 0,nop,wscale 7], length 0
01:21:37.250276 IP 192.168.5.6.41911 > 192.168.2.1.2222: Flags [S], seq 49033653, win 29200, options [mss 1380,sackOK,TS val 577421576 ecr 0,nop,wscale 7], length 0
01:21:41.244422 IP 192.168.5.6.41914 > 192.168.2.1.2222: Flags [S], seq 2401170684, win 29200, options [mss 1380,sackOK,TS val 577425569 ecr 0,nop,wscale 7], length 0
01:21:42.246285 IP 192.168.5.6.41914 > 192.168.2.1.2222: Flags [S], seq 2401170684, win 29200, options [mss 1380,sackOK,TS val 577426572 ecr 0,nop,wscale 7], length 0
01:21:44.250278 IP 192.168.5.6.41914 > 192.168.2.1.2222: Flags [S], seq 2401170684, win 29200, options [mss 1380,sackOK,TS val 577428576 ecr 0,nop,wscale 7], length 0
01:21:48.258294 IP 192.168.5.6.41914 > 192.168.2.1.2222: Flags [S], seq 2401170684, win 29200, options [mss 1380,sackOK,TS val 577432584 ecr 0,nop,wscale 7], length 0
01:21:52.252784 IP 192.168.5.6.41915 > 192.168.2.1.2222: Flags [S], seq 3654669449, win 29200, options [mss 1380,sackOK,TS val 577436578 ecr 0,nop,wscale 7], length 0
01:21:53.254253 IP 192.168.5.6.41915 > 192.168.2.1.2222: Flags [S], seq 3654669449, win 29200, options [mss 1380,sackOK,TS val 577437580 ecr 0,nop,wscale 7
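The "SYN retransmits with no SYN-ACK" pattern Martin describes above can be picked out of a tcpdump -nl capture automatically. This is an added example, not code from the thread; the addresses and the sample capture are constructed, with 192.0.2.10 standing in for the Expressway-C and 198.51.100.20 for the Expressway-E.

```python
import re
from collections import defaultdict

# One tcpdump -nl line: timestamp, "IP", src.port > dst.port, then the TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dip>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def classify_flows(lines, tunnel_port=2222):
    """Group packets by the Expressway-C side (ip, ephemeral port) and decide
    whether the TCP handshake towards tunnel_port ever completed."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0, "other": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a TCP/IPv4 line, ignore
        flags = m["flags"]
        if int(m["dport"]) == tunnel_port:    # Expressway-C -> Expressway-E
            f = flows[(m["sip"], int(m["sport"]))]
            f["syn" if flags == "S" else "other"] += 1
        elif int(m["sport"]) == tunnel_port:  # Expressway-E -> Expressway-C
            f = flows[(m["dip"], int(m["dport"]))]
            f["synack" if flags == "S." else "rst" if "R" in flags else "other"] += 1
    for f in flows.values():
        if f["synack"] or f["other"]:     # a reply or post-handshake segment was seen
            f["state"] = "established"
        elif f["rst"]:
            f["state"] = "refused"        # host reachable, but the port rejected the SYN
        elif f["syn"] > 1:
            f["state"] = "syn_no_reply"   # SYN retransmits and silence: the firewall symptom
        else:
            f["state"] = "syn_pending"
    return dict(flows)

# Constructed sample capture (not from the thread): 192.0.2.10 plays the
# Expressway-C, 198.51.100.20 the Expressway-E. Port 40096 completes the
# handshake; port 41911 only retransmits SYNs and never gets a SYN-ACK.
SAMPLE = """\
01:18:30.071667 IP 192.0.2.10.40096 > 198.51.100.20.2222: Flags [S], seq 2215504417, win 29200, length 0
01:18:30.071723 IP 198.51.100.20.2222 > 192.0.2.10.40096: Flags [S.], seq 169555520, ack 2215504418, win 28960, length 0
01:18:30.105959 IP 192.0.2.10.40096 > 198.51.100.20.2222: Flags [.], ack 1, win 229, length 0
01:18:30.106205 IP 192.0.2.10.40096 > 198.51.100.20.2222: Flags [P.], seq 1:27, ack 1, win 229, length 26
01:21:31.236284 IP 192.0.2.10.41911 > 198.51.100.20.2222: Flags [S], seq 49033653, win 29200, length 0
01:21:33.242267 IP 192.0.2.10.41911 > 198.51.100.20.2222: Flags [S], seq 49033653, win 29200, length 0
01:21:37.250276 IP 192.0.2.10.41911 > 198.51.100.20.2222: Flags [S], seq 49033653, win 29200, length 0
"""
```

Running classify_flows over a capture taken on the Expressway-C separates ports that handshook from ports whose SYNs went unanswered, which is the distinction the two captures above illustrate.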

Hi Martin,

Thanks, this was really helpful. After the tcpdump I saw that they are still connected. Then I found out that I also have a prob with the root cert. I changed it, and also the SSH is working fine :-)

But now I have the problem with VPN-less logon. Do you have any info about this message which I get on the Expressway-C when I try to logon with Jabber (VPN-less)?

"Failed to authenticate user against server" and this: "All attempts to authenticate user failed"

Thanks Josef

Do you have the jabber-config.xml file on the TFTP server?

You find some postings here in the forum, just search, there might be more:

https://supportforums.cisco.com/document/106926/jabber-config-file-generator

https://supportforums.cisco.com/discussion/12238706/jabber-login-issue

https://supportforums.cisco.com/discussion/12366301/jabber-windows-can-not-login-internet-mra

Maybe not helpful regarding the auth question, but maybe interesting in general:

http://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/118798-technote-cucm-00.pdf


Hi Martin,

All is working fine now. There were also some das probs, and the error message belongs to this des prob, but this was not to identify with the message.

Thanks for your help

Josef

Hi Josef,

I am in the middle of an MRA deployment, and running into "SSH tunnels cannot be established". The traversal is running OK. Can you let me know what the problem was with your root cert, and how you overcame the issue?

Thanks and best regards,

James

Hi James,

My mistake was that I created self-signed certs, and these are only client and not client and server authentication!

Then I also changed to SHA-256.

Don't forget to install the root as trusted on both Expressway-C and Expressway-E, and check that the chain for the intermediate is still OK.

Hope this helps

Br Josef