06-18-2014 12:37 AM - edited 03-18-2019 03:05 AM
Hi All,
We have Expressway-E Dual nic and Expressway-C
Traversal Zone between C and E on internal nic
E external nic in DMZ and Nat'ed to public IP
Calls from outside using SIP URI connect with both audio and video and have no issues; however, calls from inside to outside connect with no A\V.
Initially I thought this was a firewall issue however all relevant ports and Nat are correct.
Attached call history for call and SIP logs from Expressway-E
Any ideas on what to look at? At this point I've gone through the deployment\admin and many Google pages trying to get this working with no luck.
Thanks,
06-18-2014 08:13 AM
Is your traversal zone client connecting to the Expressway E's NATed IP? (i.e. External address)
06-18-2014 06:44 PM
Hi George,
The traversal zone is connecting from Expressway-C to Expressway-E on the internal nic Lan2
Expressway-E is configured with Dual nic
Lan2 - Internal
Lan 1 - External with static NAT
Thanks,
06-26-2014 08:34 PM
As odd as it seems, the Dual NIC license is mostly to add the ability to Static NAT your public IP address. The issue you're getting with no audio/video is because the Expressway Core is talking to the internal IP of the Expressway Edge, yet when the Expressway Edge responds, it's not talking with that IP, it's talking with its external IP address.
Picture this, you're sending traffic from expressway-c (say IP 10.0.0.1) to expressway-e internal IP (say 10.0.1.1). The expressway-e is responding with its Static NAT Address which is the Public IP (say 12.34.56.78). You send a signal to 10.0.1.1, and receive a response on 12.34.56.78.... Doesn't really go well.
Configure your Expressway Core to talk to the Expressway Edge using its public IP and configure a Hairpin NAT on your firewall. It's funky, but it's actually how it's supposed to work.
The purpose of LAN1 if you're doing the Dual NIC is only for clustering (as stated here: http://www.cisco.com/c/en/us/td/docs/telepresence/infrastructure/articles/vcs_benefits_placing_expressway_dmz_not_public_internet_kb_196.html)
Wonky, but it's how it works. Done a few VCS deployments now (and yes, they're the exact same platform, just different features).
It's actually explained quite well here starting on page 59 (http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf)
Regards,
-Tony
06-27-2014 11:00 AM
Sorry but that is incorrect.
You only need to point the VCS-C/Expressway-C at the public IP of a Static NAT VCS-E/Expressway-E when you are NOT doing dual interface. When doing dual interface, you point it at the actual IP of the E's LAN1 (inside).
If you continue past page 59 in your link to the example starting on page 64, you will see the example that correlates to Sean's environment. On page 65 we see this:
- VCS-E LAN1 has static NAT mode disabled
- VCS-E LAN2 has static NAT mode enabled with Static NAT address 64.100.0.10
- VCS-C has a traversal client zone pointing to 10.0.20.2 (LAN1 of the VCS-E)
Chad Marsh
06-27-2014 11:08 AM
Chad, out of curiosity, have you got that kind of deployment to work? I am interested to hear if you do since I have not been able to get that to work. I personally like doing what you mentioned above but I haven't had much luck with it. TAC suggested the same thing that Tony mentioned.
06-27-2014 11:22 AM
Yes, at several customers, including one with clusters of both C & E at a large coffee company you've probably heard of.
When you actually do dual NIC, you must add static routes for your inside network range(s) pointing to the inside gateway via the command line, as there is (still) no way to input them through the GUI, which just baffles me...
For example if your E was 10.0.20.2 and your C and TMS were in 172.21.X.X you could do:
xConfiguration IP Route 1 Address: "172.16.0.0"
xConfiguration IP Route 1 PrefixLength: 12
xConfiguration IP Route 1 Gateway: "10.0.20.1"
xConfiguration IP Route 1 Interface: LAN1
06-27-2014 11:28 AM
I had done that same thing with version 7.0 and it didn't work. Time to try it again. :) Thanks Chad.
07-20-2014 10:54 PM
Can anyone shed some more light on how to get this working? Or what to look at?
I have tried everything I can think of but still stuck with no video from inside to outside.
Thanks,
09-02-2014 06:07 AM
I'm trying to get this to work with a single nic expressway e server, but get no media. Is that the same as your setup, or do you need dual nic?
06-27-2014 06:31 PM
Thanks for all the input thus far!
I have tried with a static route pointing and the best I can get is 2 way audio and no video (from inside to outside).
Outside to inside works fine.
I have tried this on version 8.1 and 8.2 (In Beta)
07-02-2014 10:16 PM
Chad, the configuration you mentioned above, does it work for environments with Dual NIC or Single NIC?
For e.g., if I have VCSC as 10.0.0.10, and VCSE with LAN2 as 10.0.0.11 and LAN1 as 172.16.0.1 (DMZ address), how will the routes look?
07-03-2014 02:10 PM
I would change your scenario a little since typically you would not have your VCSE inside interface in the same network as your VCSC.
So let's go with this:
VCSE has two physical interfaces configured and connected in two different DMZ subnets. DMZ-Ext is 172.16.10.0/24 and firewall is .1
DMZ-Int is 10.30.10.0/24 and firewall is .1
FW-inside is 10.250.10.0/29, L3 switch is .1, FW is .4
FW-external is some public IP range, but is NAT'ing 204.104.100.25 to 172.16.10.10 from Outside to DMZ-ext.
Inside network with VCSC, TMS, etc is 192.168.10.0/24, .1 is L3 core switch
VCSE LAN2 (outside facing) IP 172.16.10.10 (NAT IP 204.104.100.25)
VCSE LAN1 (inside facing) IP 10.30.10.10
VCSE Gateway IP is External FW interface 172.16.10.1
VCSE CLI will need static route pointing 192.168.10.0 /24 to GW 10.30.10.1
VCSC LAN1 is 192.168.10.10 with GW .1 (L3 switch)
L3 switch and FW either exchange route info or have static routes for required networks.
-Chad
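An added example, not part of any post in this thread: a small Python model of the routing decision on the VCSE in the topology described above, showing which interface traffic to an inside host leaves from with and without the CLI static route. It assumes ordinary longest-prefix-match route selection; the function names and the two extra inside hosts (192.168.10.20 and 192.168.20.5) are constructed for illustration.

```python
import ipaddress

# Values from the post above: VCSE interfaces, default gateway, CLI static route.
IFACES = {"LAN1": "10.30.10.10/24", "LAN2": "172.16.10.10/24"}
DEFAULT_GW = ("LAN2", "172.16.10.1")
STATIC = [("192.168.10.0/24", "10.30.10.1", "LAN1")]
INSIDE_IF = "LAN1"


def egress(dest, ifaces, default_gw, static_routes=()):
    """Pick (interface, next_hop) for dest by longest-prefix match (hypothetical helper)."""
    dest = ipaddress.ip_address(dest)
    # Default route first, then connected subnets, then static routes.
    table = [(ipaddress.ip_network("0.0.0.0/0"), default_gw[0], default_gw[1])]
    for name, cidr in ifaces.items():
        table.append((ipaddress.ip_interface(cidr).network, name, "direct"))
    for net, gw, name in static_routes:
        table.append((ipaddress.ip_network(net), name, gw))
    _, name, hop = max((r for r in table if dest in r[0]),
                       key=lambda r: r[0].prefixlen)
    return name, hop


def leaks(inside_hosts, ifaces, default_gw, static_routes=()):
    """Inside hosts whose traffic would leave via a non-inside interface."""
    return [h for h in inside_hosts
            if egress(h, ifaces, default_gw, static_routes)[0] != INSIDE_IF]


if __name__ == "__main__":
    # 192.168.10.10 is the VCSC from the post; the other two are constructed.
    hosts = ["192.168.10.10", "192.168.10.20", "192.168.20.5"]
    print("no static route :", leaks(hosts, IFACES, DEFAULT_GW))
    print("with /24 route  :", leaks(hosts, IFACES, DEFAULT_GW, STATIC))
```

The host in 192.168.20.0/24 still follows the default gateway on LAN2, which is why every inside range needs its own route (or a covering prefix such as the /12 in the earlier reply).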
07-07-2014 10:29 AM
Gotcha, so the dual NIC can only be used if your VCSE LAN1 and LAN2 are in different subnets than your VCSC. If you have a VCSE in the DMZ, you will need to use the firewall u-turn methodology, correct?
07-07-2014 03:21 PM
"so the dual NIC can only be used if your VCSE LAN1 and LAN2 are in different subnets than your VCSC"
No, I'm not saying that, but most designs would still have a firewall between the VCSE inside interface and the VCSC, so they are usually in different subnets.
Chad