We have Expressway-E Dual nic and Expressway-C
Traversal Zone between C and E on internal nic
E external NIC in DMZ and NAT'ed to public IP
Calls from outside using SIP URI connect with both audio and video and have no issues; however, calls from inside to outside connect with no A\V.
Initially I thought this was a firewall issue; however, all relevant ports and NAT are correct.
Attached call history for call and SIP logs from Expressway-E
Any ideas on what to look at? At this point I've gone through the deployment\admin and many Google pages trying to get this working with no luck.
The traversal zone is connecting from Expressway-C to Expressway-E on the internal NIC LAN2
Expressway-E is configured with Dual nic
Lan2 - Internal
Lan 1 - External with static NAT
As odd as it seems, the Dual NIC license is mostly to add the ability to Static NAT your public IP address. The issue you're getting with no audio/video is because the Expressway Core is talking to the internal IP of the Expressway Edge, yet when the Expressway Edge responds, it's not talking with that IP, it's talking with its external IP address.
Picture this, you're sending traffic from expressway-c (say IP 10.0.0.1) to expressway-e internal IP (say 10.0.1.1). The expressway-e is responding with its Static NAT Address which is the Public IP (say 22.214.171.124). You send a signal to 10.0.1.1, and receive a response on 126.96.36.199.... Doesn't really go well.
Configure your Expressway Core to talk to the Expressway Edge using its public IP and configure a Hairpin NAT on your firewall. It's funky, but it's actually how it's supposed to work.
The purpose of LAN1 if you're doing the Dual NIC is only for clustering (as stated here: http://www.cisco.com/c/en/us/td/docs/telepresence/infrastructure/articles/vcs_benefits_placing_expressway_dmz_not_public_internet_kb_196.html)
Wonky, but it's how it works. Done a few VCS deployments now (and yes, they're the exact same platform, just different features).
It's actually explained quite well here starting on page 59 (http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/Cisco_VCS_Basic_Configuration_Cisco_VCS_Control_with_Cisco_VCS_Expressway_Deployment_Guide_X7-1.pdf)
Sorry but that is incorrect.
You only need to point the VCS-C/Expressway-C at the public IP of a Static NAT VCS-E/Expressway-E when you are NOT doing dual interface. When doing dual interface, you point it at the actual IP of the E's LAN1 (inside).
If you continue past page 59 in your link to the example starting on page 64, you will see the example that correlates to Sean's environment. On page 65 we see this:
- VCS-E LAN1 has static NAT mode disabled
- VCS-E LAN2 has static NAT mode enabled with Static NAT address 188.8.131.52
- VCS-C has a traversal client zone pointing to 10.0.20.2 (LAN1 of the VCS-E)
Chad, out of curiosity, have you got that kind of deployment to work? I am interested to hear if you do since I have not been able to get that to work. I personally like doing what you mentioned above but I haven't had much luck with it. TAC suggested the same thing that Tony mentioned.
Yes, at several customers, including one with clusters of both C & E at a large coffee company you've probably heard of.
When you actually do dual NIC, you must add static routes for your inside network range(s) pointing to the inside gateway via the command line, as there is (still) no way to input them through the GUI, which just baffles me...
For example if your E was 10.0.20.2 and your C and TMS were in 172.21.X.X you could do:
xConfiguration IP Route 1 Address: "172.16.0.0"
xConfiguration IP Route 1 PrefixLength: 12
xConfiguration IP Route 1 Gateway: "10.0.20.1"
xConfiguration IP Route 1 Interface: LAN1
Can anyone shed some more light on how to get this working, or what to look at?
I have tried everything I can think of but still stuck with no video from inside to outside.
I'm trying to get this to work with a single nic expressway e server, but get no media. Is that the same as your setup, or do you need dual nic?
Thanks for all the input thus far!
I have tried with a static route pointing and the best I can get is 2 way audio and no video (from inside to outside)
Outside to inside works fine.
I have tried this on version 8.1 and 8.2 (In Beta)
Chad, the configuration you mentioned above, does it work for environments with Dual NIC or Single NIC?
E.g., if I have VCSC as 10.0.0.10, and VCSE with LAN2 as 10.0.0.11 and LAN1 as 172.16.0.1 (DMZ address), how will the routes look?
I would change your scenario a little since typically you would not have your VCSE inside interface in the same network as your VCSC.
So let's go with this:
VCSE has two physical interfaces configured and connected in two different DMZ subnets. DMZ-Ext is 172.16.10.0/24 and firewall is .1
DMZ-Int is 10.30.10.0/24 and firewall is .1
FW-inside is 10.250.10.0/29, L3 switch is .1, FW is .4
FW-external is some public IP range, but is NAT'ing 184.108.40.206 to 172.16.10.10 from Outside to DMZ-ext.
Inside network with VCSC, TMS, etc is 192.168.10.0/24, .1 is L3 core switch
VCSE LAN2 (outside facing) IP 172.16.10.10 (NAT IP 220.127.116.11)
VCSE LAN1 (inside facing) IP 10.30.10.10
VCSE Gateway IP is External FW interface 172.16.10.1
VCSE CLI will need static route pointing 192.168.10.0 /24 to GW 10.30.10.1
VCSC LAN1 is 192.168.10.10 with GW .1 (L3 switch)
L3 switch and FW either exchange route info or have static routes for required networks.
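The static-route step from the scenario above, as an added example (not code from any poster or from Cisco): a small Python sketch that works out which inside networks need a route via the inside gateway and prints them in the xConfiguration syntax quoted earlier in the thread. The function names are hypothetical, and the /24 mask on LAN1 is assumed from the DMZ-Int subnet in the post.

```python
import ipaddress

def plan_routes(inside_ip, inside_prefix, inside_gw, default_gw, inside_networks):
    """Return [(network, gateway)] static routes needed on the inside interface."""
    lan = ipaddress.ip_interface(f"{inside_ip}/{inside_prefix}").network
    gw = ipaddress.ip_address(inside_gw)
    if gw not in lan:
        raise ValueError(f"gateway {gw} is not on the inside subnet {lan}")
    if ipaddress.ip_address(default_gw) in lan:
        raise ValueError("default gateway is on the inside subnet")
    # Merge adjacent or overlapping ranges so the route table stays small.
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in inside_networks)
    # Networks inside the directly connected subnet need no route.
    return [(net, gw) for net in nets if not net.subnet_of(lan)]

def render(routes, interface="LAN1"):
    """Format routes in the xConfiguration syntax quoted in the thread."""
    lines = []
    for i, (net, gw) in enumerate(routes, start=1):
        p = f"xConfiguration IP Route {i}"
        lines += [f'{p} Address: "{net.network_address}"',
                  f"{p} PrefixLength: {net.prefixlen}",
                  f'{p} Gateway: "{gw}"',
                  f"{p} Interface: {interface}"]
    return lines

def next_hop(dest, routes, default_gw):
    """Longest-prefix match over static routes (connected subnets omitted);
    anything unmatched goes to the default gateway."""
    dest = ipaddress.ip_address(dest)
    hits = [(net, gw) for net, gw in routes if dest in net]
    return str(max(hits, key=lambda h: h[0].prefixlen)[1]) if hits else default_gw

# Values from the scenario in the post above; the /24 on LAN1 is an assumption.
ROUTES = plan_routes("10.30.10.10", 24, "10.30.10.1", "172.16.10.1",
                     ["192.168.10.0/24", "10.30.10.0/24"])

if __name__ == "__main__":
    # Without the static route, replies to the VCSC leave via the external firewall.
    print("reply to VCSC, no route   ->", next_hop("192.168.10.10", [], "172.16.10.1"))
    print("reply to VCSC, with route ->", next_hop("192.168.10.10", ROUTES, "172.16.10.1"))
    print("\n".join(render(ROUTES)))
```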
Gotcha, so the dual NIC can only be used if your VCSE LAN1 and LAN2 are in different subnets than your VCSC. If you have a VCSE in the DMZ, you will need to use the firewall u-turn methodology, correct?
"so the dual NIC can only be used if your VCSE LAN1 and LAN2 are in different subnets than your VCSC"
No, I'm not saying that, but most designs would still have a firewall between the VCSE inside interface and the VCSC, so they are usually in different subnets.