Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4176
Views
10
Helpful
11
Replies

Expressway E and C cannot sign-in

samhopealpha
Level 1
Level 1

‎09-14-2016 11:11 PM - edited ‎03-18-2019 06:22 AM

Hi everybody,

I am eatablishing Expressway MRA with CUCM

CUCM 11.5
Expressway X8.8.1
EXP-E is using Dual NIC, one for internal, one for external

Example:

VoiceServiceDomain: production.com
ServiceDomain: lab91.local

here is the connection
CUCM ---(tcp)---- EXP-C -----(tls)----- EXP-E --- Firewall --- Jabber Mobile

Jabber Mobile: Phone service only

  • The zone of Unified Communications traversal, between C and E are ACTIVE 
  • The zone of Neighbor with CUCM, between C and CUCM are ACTIVE
  • External DNS are done and tested

_collab-edge._tls.production.com: 10 10 8443 vcs.production.com.

  • Internal DNS are done and tested 

_cisco-uds._tcp.lab91.local: 10 10 8443 cucm91.lab91.local

  • jabber-config.xml has been configured 

<VoiceServicesDomain>production.com</VoiceServicesDomain>

Jabber mobile has been successfully registered to CUCM via internal wifi network

However, when trying to sign-in jabber mobile via Internet, it returns "Cannot sign in"

In jabber.log, it seems cannot connect to CUCM ? or I have to investigate in other area?

2016-09-15 12:51:04,023 INFO [0xdafba930] [control/CallControlManagerImpl.cpp(1874)] [csf.ecc.evt] [notifyConnectionInfoChange] - CONNECTION_INFO_CHANGE: size(5):
type=eUDS, isRelevant=true, server=10.10.242.91:8443, connectionState=eFailed, isEncrypted=true, failureReason=eTimeout
type=eCCMCIP, isRelevant=true, server=10.10.242.91:8443, connectionState=eFailed, isEncrypted=true, failureReason=eTimeout
type=eEMAPI, isRelevant=true, server=10.10.242.91:8443, connectionState=eNotApplicable, isEncrypted=false
type=eConfigFile, isRelevant=true, server=10.10.242.91:6970, connectionState=eNotApplicable, isEncrypted=false
type=eConfigFile, isRelevant=true, server=10.10.242.91:69, connectionState=eNotApplicable, isEncrypted=false

2016-09-15 12:51:04,023 ERROR [0xdafba930] [nts/ecc/src/config/CCMCIPClient.cpp(138)] [csf.ecc] [fetchDevices] - HTTP error: eTimeout
2016-09-15 12:51:04,023 ERROR [0xdafba930] [nts/ecc/src/config/CCMCIPClient.cpp(139)] [csf.ecc] [fetchDevices] - Request failed : "https://10.10.242.91:8443/ccmcip/Personalization"
2016-09-15 12:51:04,024 ERROR [0xdafba930] [c/src/callcontrol/Authenticator.cpp(320)] [csf.ecc] [authenticate] - authenticate() failed [eCouldNotConnect]
2016-09-15 12:51:04,024 ERROR [0xdafba930] [lcontrol/CallControlManagerImpl.cpp(745)] [csf.ecc.api] [doAuthenticate] - doAuthenticate() failed [eCouldNotConnect]
2016-09-15 12:51:04,024 INFO [0xdafba930] [control/CallControlManagerImpl.cpp(1781)] [csf.ecc.evt] [notifyAuthenticationStatusChange] - AUTHENTICATION_STATUS_CHANGE: eFailed
2016-09-15 12:51:04,024 INFO [0xdafba930] [lcontrol/CallControlManagerImpl.cpp(755)] [csf.ecc.api] [getAuthenticationStatus] - getAuthenticationStatus() = eFailed
2016-09-15 12:51:04,025 ERROR [0xdafba930] [ntrol/TelephonyCallControlImpl.cpp(1620)] [jcf.tel.callcontrol] [authenticateWithCucm] - Failed to authenticate with CUCM AuthenticationStatus: [eFailed]
2016-09-15 12:51:04,025 ERROR [0xdafba930] [ntrol/TelephonyCallControlImpl.cpp(1621)] [jcf.tel.callcontrol] [authenticateWithCucm] - Failed to authenticate with CUCM Authentication Failure Code [eCouldNotConnect]
2016-09-15 12:51:04,026 INFO [0xf775eb4c] [ices/impl/TelephonyServiceImpl.cpp(1991)] [jcf.tel.service] [onTelephonyServiceAuthenticationStatusChanged] - TelephonyServiceAuthenticationStatus has changed from [None] to [CouldNotConnect]
2016-09-15 12:51:04,030 INFO [0xf775eb4c] [lcontrol/CallControlManagerImpl.cpp(771)] [csf.ecc.api] [getLastCCMCIPServerUsed] - getLastCCMCIPServerUsed()
2016-09-15 12:51:04,031 INFO [0xf775eb4c] [c/src/callcontrol/Authenticator.cpp(609)] [csf.ecc] [getLastCCMCIPServerUsed] - getLastCCMCIPServerUsed() =
2016-09-15 12:51:04,032 ERROR [0xf775eb4c] [ice/TelephonyAdapterServerHealth.cpp(66)] [jcf.tel.adapter] [getConnectionIpProtocol] - No connected ConnectionInfo of type: [eSIP]. Could not determine connection IP Protocol
2016-09-15 12:51:04,033 INFO [0xf775eb4c] [lcontrol/CallControlManagerImpl.cpp(911)] [csf.ecc.api] [getLastCTIServerUsed] - getLastCTIServerUsed() =
2016-09-15 12:51:04,033 ERROR [0xf775eb4c] [ice/TelephonyAdapterServerHealth.cpp(66)] [jcf.tel.adapter] [getConnectionIpProtocol] - No connected ConnectionInfo of type: [eCTI]. Could not determine connection IP Protocol
2016-09-15 12:51:04,034 ERROR [0xf775eb4c] [ice/TelephonyAdapterServerHealth.cpp(66)] [jcf.tel.adapter] [getConnectionIpProtocol] - No connected ConnectionInfo of type: [eCTI]. Could not determine connection IP Protocol
2016-09-15 12:51:04,039 INFO [0xf775eb4c] [(0) ] [JABBER.TELEPHONY] [OnAuthenticationStatusChanged] - OnAuthenticationStatusChanged: CouldNotConnect
2016-09-15 12:51:04,041 INFO [0xf775eb4c] [e(0) ] [JABBER.TELEPHONY] [setTelephonyError] - telephony life cycle, set error to 3005
2016-09-15 12:51:04,043 INFO [0xdafba930] [ntrol/TelephonyCallControlImpl.cpp(1640)] [jcf.tel.callcontrol] [authenticateWithCucm] - <--
2016-09-15 12:51:04,044 INFO [0xdafba930] [/TelephonyAdapterAuthentication.cpp(193)] [jcf.tel.adapter] [Authenticate] - <--
2016-09-15 12:51:04,044 ERROR [0xdafba930] [s/impl/AuthenticationHandlerImpl.cpp(75)] [authentication-handler] [AuthenticateImpl] - Authentication Failed
2016-09-15 12:51:04,051 INFO [0xf775eb4c] [rc/framework/ServicesDispatcher.cpp(174)] [services-dispatcher] [nextTask] - Task queue is back to a safe size
2016-09-15 12:51:04,056 INFO [0xf775eb4c] [common/CertificateValidityCache.cpp(172)] [csf.cert] [clear] - Clearing accepted and rejected certificates from memory
2016-09-15 12:51:04,056 INFO [0xf775eb4c] [ervices/impl/StartupHandlerImpl.cpp(327)] [startup-handler] [OnAuthenticationFailed] - Calling startupHandlerCallback.OnSystemLoginFailed
2016-09-15 12:51:04,057 INFO [0xf775eb4c] [src/services/impl/LifeCycleImpl.cpp(791)] [Life-Cycle-Logger] [OnSystemLoginFailed] - OnSystemLoginFailed - Callback received
2016-09-15 12:51:04,057 INFO [0xf775eb4c] [rc/services/impl/LifeCycleImpl.cpp(1353)] [Life-Cycle-Logger] [updateState] - Changing lifecycle State to: SIGNEDOUT
2016-09-15 12:51:04,057 INFO [0xf775eb4c] [(0) ] [JABBER.LIFECYCLE] [OnStateChanged] - state = SIGNEDOUT
2016-09-15 12:51:04,058 INFO [0xf775eb4c] [ignOnAuthenticationInfoStoreImpl.cpp(36)] [service-discovery] [getSSOEnabledServiceById] - SSOEnabledService not found for Auth Id: 2100. Returning NULL SSOAuthenticationInfo Smart Pointer.
2016-09-15 12:51:04,058 WARN [0xf775eb4c] [rvices/impl/system/SingleSignOn.cpp(138)] [Single-Sign-On-Logger] [isAuthenticatorSSOEnabled] - SSO Discovery disabled for 2100
2016-09-15 12:51:04,059 INFO [0xf775eb4c] [src/services/impl/LifeCycleImpl.cpp(805)] [Life-Cycle-Logger] [OnSystemLoginFailed] - OnSystemLoginFailed - Service is not SSO Enabled
2016-09-15 12:51:04,059 INFO [0xf775eb4c] [rc/services/impl/LifeCycleImpl.cpp(1155)] [Life-Cycle-Logger] [copyAndReleaseLifeCycleCallback] - Lifecyleimpl's unsupportedAuthenticatorCallback is reset, and its' lifeCycleCallback is reset.
2016-09-15 12:51:04,059 INFO [0xf775eb4c] [(0) ] [JABBER.LIFECYCLE] [OnCredentialsRequired] - with error code
2016-09-15 12:51:04,060 INFO [0xf775eb4c] [d(0) ] [JABBER.LIFECYCLE] [setSSOAccount] - is sso ? = false
2016-09-15 12:51:04,061 INFO [0xf775eb4c] [(0) ] [JABBER.LIFECYCLE] [handleSignInRequired] - authID = 2100 , isSSO = false
2016-09-15 12:51:04,062 WARN [0xf775eb4c] [d(0) ] [JABBER.LIFECYCLE] [handleLoginFail] - authID = 2100 , error
2016-09-15 12:51:04,063 INFO [0xdabbe930] [ents/jcfcoreutils/src/FileUtils.cpp(482)] [jcfcoreutils.fileutils] [createDirectory] - Creating directory: /data/user/0/com.cisco.im/files/Cisco/Unified Communications/Jabber/CSF/Telemetry
2016-09-15 12:51:04,064 INFO [0xf775eb4c] [ts/jcfcoreutils/src/ScopedTimer.cpp(166)] [scoped-timer] [pop] -

Thanks in advance

Sam

Labels:
0 Helpful
11 Replies 11

zdesignstudio
Level 4
Level 4

‎09-15-2016 05:10 AM

Do you have the debugs from the Expressway devices?

Please rate useful posts and mark answers as correct if applicable.

samhopealpha
Level 1
Level 1
In response to zdesignstudio

‎09-15-2016 10:45 PM

Thanks for the suggestion, after collected the debug from EXP-C and EXP-E. 

It seems there is no traffic between EXP-E and firewall

Maybe I need to check with firewall team to verify that on coming Monday, because coming few days are public holiday here.

And update the result after 3 days 

Thank you~

0 Helpful

Nick Halbert-Lillyman
Level 8
Level 8
In response to samhopealpha

‎10-24-2016 07:38 PM

Did you ever get this fixed?

0 Helpful

samhopealpha
Level 1
Level 1
In response to Nick Halbert-Lillyman

‎10-24-2016 07:42 PM

still not yet fix ...

0 Helpful

Paolo Moserle
Level 1
Level 1
In response to samhopealpha

‎03-15-2017 01:19 AM

Hi samhopealpha, some situation an some problem here with X8.9.1.

0 Helpful

samhopealpha
Level 1
Level 1
In response to zdesignstudio

‎09-16-2016 06:57 AM

Finally, the firewall team has fixed the connection between EXP-E and firewall.

After collected the log on EXP-E and EXP-C (attached in this thread), I found 2 things 

 

1. 

In pcap (between EXP-E and firewall), it has TCP retransmission on port 8443

2. 

In EXP-E, there is 401 unauthorized. (but the CUCM traversal Zone between EXP-E and EXP-C is ACTIVE)

2016-09-16T21:16:36.345+08:00 vcs tvcs: UTCTime="2016-09-16 13:16:36,345" Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="10.10.242.18" Local-port="7001" Dst-ip="10.10.242.17" Dst-port="25035" Msg-Hash="14457791731929824121"
SIPMSG:
|SIP/2.0 401 Unauthorised
Via: SIP/2.0/TLS 10.10.242.17:5061;branch=z9hG4bK6efafce64075a5984134c1d4a764b99815492;received=10.10.242.17;rport=25035
Call-ID: 9e61f8356f136695@10.10.242.17
CSeq: 53382 OPTIONS
From: <sip:10.10.242.17>;tag=5df8af125d5bf263
To: <sip:10.10.242.18:7001>;tag=48b21cf02f7ba61b
Server: TANDBERG/4133 (X8.8.1)
WWW-Authenticate: Digest realm="CUCM-Traveral-Zone", nonce="254502639a561f5576ad2213066df962dca56380b420fa4747d549c47352", opaque="AQAAAGPlxmXHSYAqvTOFWMfPSBYlLOpT", stale=FALSE, algorithm=MD5, qop="auth"
Content-Length: 0

But I have no idea these 2 issues are related to sign-in fail.

or there is anything I missed in the log ?

Thank you

Sam

Preview file
92 KB
Preview file
47 KB
Preview file
40 KB
0 Helpful

samhopealpha
Level 1
Level 1
In response to samhopealpha

‎09-17-2016 07:30 AM

Accroding to the pcap, on the eth1 (that is the interface of EXP-E connected to firewall)

I have the following assumption,

#1
EXP-E eth1 recevied a packet
o source: jabber mobile client (118.141.72.189)
o destination: EXP-E eth1 (192.168.243.18)
o Port: 8443
o Packet: SYN

#2
but, it seems EXP-E eth1 does not reply an SYN+ACK packet back to jabber mobile client

#3
then, EXP-E eth1 received "TCP re-transmission" SYN for 3 times.

The EXP-E eth1 still not reply any SYN+ACK packet back to jabber mobile client


It seems the jabber mobile cilent tried the process #1 - #3 for 3 times, then finally give up the sign-in process.


If my assumption is correct, it looks like there is someting stuck in EXP-E?
Anybody know what I have done incorrectly? or which part should I need to check ?

Thanks in advance

Sam

0 Helpful

samhopealpha
Level 1
Level 1
In response to samhopealpha

‎09-19-2016 09:56 PM

Anybody can help? 

Attached with jabber.log file, but no idea how to interpret 

Thanks in advance

Sam

Preview file
157 KB
0 Helpful

Diego Chvz
Cisco Employee
Cisco Employee

‎09-15-2016 09:58 AM

Hi samhopealpha,

Did you already make sure that all necessary ports in the firewall are open? If possible, as a test you can set a any to any firewall rule and then do some login tests.

Don't forget to rate all useful posts.

samhopealpha
Level 1
Level 1

‎10-23-2016 11:46 PM

Anybody can help?

0 Helpful

alex.kanaykin
Level 1
Level 1
In response to samhopealpha

‎12-26-2017 07:31 AM

Hi.

Did you solve that issue? I've got the same situation.

Stuck here =(

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents