
CUCM - VCS-C - VCS-E - DNSZone call issue

Sean Alexander
Level 1

Hi All,

We have Expressway-E Dual nic and Expressway-C

Traversal Zone between C and E on internal nic

E external nic in DMZ and Nat'ed to public IP

Calls from outside using SIP URI connect with both audio and video and have no issues; however, calls from inside to outside connect with no A\V

Initially I thought this was a firewall issue; however, all relevant ports and NAT are correct.

Attached call history for call and SIP logs from Expressway-E

 

Any ideas on what to look at? At this point I've gone through the deployment\admin and many Google pages trying to get this working with no luck.

 

Thanks,

  
  
  
  
  
  
  
  

George Thomas
Level 10

Is your traversal zone client connecting to the Expressway E's NATed IP? (i.e. external address)

Please rate useful posts.

Hi George,

The traversal zone is connecting from Expressway-C to Expressway-E on the internal NIC, LAN2

Expressway-E is configured with Dual nic

Lan2 - Internal

Lan 1 - External with static NAT

 

Thanks,

 

As odd as it seems, the Dual NIC license is mostly to add the ability to Static NAT your public IP address. The issue you're getting with no audio/video is because the Expressway Core is talking to the internal IP of the Expressway Edge, yet when the Expressway Edge responds, it's not talking with that IP, it's talking with its external IP address.

Picture this, you're sending traffic from expressway-c (say IP 10.0.0.1) to expressway-e internal IP (say 10.0.1.1). The expressway-e is responding with its Static NAT Address which is the Public IP (say 12.34.56.78). You send a signal to 10.0.1.1, and receive a response on 12.34.56.78.... Doesn't really go well.

Configure your Expressway Core to talk to the Expressway Edge using its public IP and configure a Hairpin NAT on your firewall. It's funky, but it's actually how it's supposed to work.

The purpose of LAN1 if you're doing the Dual NIC is only for clustering (as stated here: http://www.cisco.com/c/en/us/td/docs/telepresence/infrastructure/articles/vcs_benefits_placing_expressway_dmz_not_public_internet_kb_196.html) 

Wonky, but it's how it works. Done a few VCS deployments now (and yes, they're the exact same platform, just different features).

It's actually explained quite well here starting on page 59 (http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf)

Regards,

 

-Tony

Sorry but that is incorrect.

You only need to point the VCS-C/Expressway-C at the public IP of a Static NAT VCS-E/Expressway-E when you are NOT doing dual interface. When doing dual interface, you point it at the actual IP of the E's LAN1 (inside).

If you continue past page 59 in your link to the example starting on page 64, you will see the example that correlates to Sean's environment. On page 65 we see this:

- VCS-E LAN1 has static NAT mode disabled
- VCS-E LAN2 has static NAT mode enabled with Static NAT address 64.100.0.10
- VCS-C has a traversal client zone pointing to 10.0.20.2 (LAN1 of the VCS-E)

 

Chad Marsh

Chad, out of curiosity, have you got that kind of deployment to work? I am interested to hear if you do since I have not been able to get that to work. I personally like doing what you mentioned above but I haven't had much luck with it. TAC suggested the same thing that Tony mentioned.

Please rate useful posts.

Yes, at several customers, including one with clusters of both C & E at a large coffee company you've probably heard of.

When you actually do dual NIC, you must add static routes for your inside network range(s) pointing to the inside gateway via the command line, as there is (still) no way to input them through the GUI, which just baffles me...

For example if your E was 10.0.20.2 and your C and TMS were in 172.21.X.X you could do:

xConfiguration IP Route 1 Address: "172.16.0.0"
xConfiguration IP Route 1 PrefixLength: 12
xConfiguration IP Route 1 Gateway: "10.0.20.1"
xConfiguration IP Route 1 Interface: LAN1
 

 

I had done that same thing with version 7.0 and it didn't work. Time to try it again. :) Thanks Chad.

Please rate useful posts.

Can anyone shed some more light on how to get this working? Or what to look at?

I have tried everything I can think of but still stuck with no video from inside to outside.

 

Thanks,
 

I'm trying to get this to work with a single nic expressway e server, but get no media. Is that the same as your setup, or do you need dual nic?

Thanks for all the input thus far!

I have tried with a static route pointing and the best I can get is 2 way audio and no video (from inside to outside)

Outside to inside works fine.

I have tried this on version 8.1 and 8.2 (In Beta)

Chad, the configuration you mentioned above, does it work for environments with Dual NIC or Single NIC?

E.g., if I have VCSC as 10.0.0.10, and VCSE with LAN2 as 10.0.0.11 and LAN1 as 172.16.0.1 (DMZ address), how will the routes look?

Please rate useful posts.

I would change your scenario a little since typically you would not have your VCSE inside interface in the same network as your VCSC.

So let's go with this:

VCSE has two physical interfaces configured and connected in two different DMZ subnets. DMZ-Ext is 172.16.10.0/24 and firewall is .1
DMZ-Int is 10.30.10.0/24 and firewall is .1
FW-inside is 10.250.10.0/29, L3 switch is .1, FW is .4
FW-external is some public IP range, but is NAT'ing 204.104.100.25 to 172.16.10.10 from Outside to DMZ-ext.
Inside network with VCSC, TMS, etc is 192.168.10.0/24, .1 is L3 core switch

VCSE LAN2 (outside facing) IP 172.16.10.10 (NAT IP 204.104.100.25)
VCSE LAN1 (inside facing) IP 10.30.10.10
VCSE Gateway IP is External FW interface 172.16.10.1
VCSE CLI will need static route pointing 192.168.10.0 /24 to GW 10.30.10.1

VCSC LAN1 is 192.168.10.10 with GW .1 (L3 switch)

L3 switch and FW either exchange route info or have static routes for required networks.

 

-Chad
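
Added example, not part of any post in this thread and not Cisco code: a longest-prefix-match lookup over the addressing plan in Chad's post above, showing which interface the VCSE uses to reach the VCSC with and without the static route, and rendering any missing route in the xConfiguration form quoted earlier. The route-table model and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed from the addressing plan in Chad's post; not output from a real VCS-E.
CONNECTED = [
    ("10.30.10.0/24", None, "LAN1"),       # inside-facing DMZ-Int
    ("172.16.10.0/24", None, "LAN2"),      # outside-facing DMZ-Ext
    ("0.0.0.0/0", "172.16.10.1", "LAN2"),  # default gateway: external FW interface
]
INSIDE_IF, INSIDE_GW = "LAN1", "10.30.10.1"


def lookup(routes, dest):
    """Longest-prefix match: return (gateway, interface) used to reach dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), gw, ifc) for p, gw, ifc in routes
               if addr in ipaddress.ip_network(p)]
    net, gw, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return gw, ifc


def missing_static_routes(routes, inside_networks):
    """Inside networks whose traffic would not leave via the inside interface."""
    missing = []
    for prefix in inside_networks:
        net = ipaddress.ip_network(prefix)
        # Check first and last address so a partially covered range is caught.
        egress = {lookup(routes, str(a))[1] for a in (net[0], net[-1])}
        if egress != {INSIDE_IF}:
            missing.append(prefix)
    return missing


def xconfig_for(prefix, index):
    """Render a static route in the xConfiguration form quoted earlier in the thread."""
    net = ipaddress.ip_network(prefix)
    return [
        f'xConfiguration IP Route {index} Address: "{net.network_address}"',
        f"xConfiguration IP Route {index} PrefixLength: {net.prefixlen}",
        f'xConfiguration IP Route {index} Gateway: "{INSIDE_GW}"',
        f"xConfiguration IP Route {index} Interface: {INSIDE_IF}",
    ]


if __name__ == "__main__":
    inside = ["192.168.10.0/24"]  # VCSC, TMS, etc.
    print("before:", lookup(CONNECTED, "192.168.10.10"))
    for i, prefix in enumerate(missing_static_routes(CONNECTED, inside), start=1):
        print("\n".join(xconfig_for(prefix, i)))
    fixed = CONNECTED + [("192.168.10.0/24", INSIDE_GW, INSIDE_IF)]
    print("after: ", lookup(fixed, "192.168.10.10"))
```

Without the static route, traffic for 192.168.10.10 matches only the default route and leaves LAN2 toward the external firewall interface; with it, the /24 wins and traffic leaves LAN1 via 10.30.10.1.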

Gotcha, so the dual NIC can only be used if your VCSE LAN1 and LAN2 are in different subnets than your VCSC. If you have a VCSE in the DMZ, you will need to use the firewall u-turn methodology, correct?

Please rate useful posts.

"so the dual NIC can only be used if your VCSE LAN1 and LAN2 are in different subnets than your VCSC"

No, I'm not saying that, but most designs would still have a firewall between the VCSE inside interface and the VCSC, so they are usually in different subnets.

 

Chad
