ā09-14-2016 11:11 PM - edited ā03-18-2019 06:22 AM
Hi everybody,
I am eatablishing Expressway MRA with CUCM
CUCM 11.5
Expressway X8.8.1
EXP-E is using Dual NIC, one for internal, one for external
Example:
VoiceServiceDomain: production.com
ServiceDomain: lab91.local
here is the connection
CUCM ---(tcp)---- EXP-C -----(tls)----- EXP-E --- Firewall --- Jabber Mobile
Jabber Mobile: Phone service only
_collab-edge._tls.production.com: 10 10 8443 vcs.production.com.
_cisco-uds._tcp.lab91.local: 10 10 8443 cucm91.lab91.local
<VoiceServicesDomain>production.com</VoiceServicesDomain>
Jabber mobile has been successfully registered to CUCM via internal wifi network
However, when trying to sign-in jabber mobile via Internet, it returns "Cannot sign in"
In jabber.log, it seems cannot connect to CUCM ? or I have to investigate in other area?
2016-09-15 12:51:04,023 INFO [0xdafba930] [control/CallControlManagerImpl.cpp(1874)] [csf.ecc.evt] [notifyConnectionInfoChange] - CONNECTION_INFO_CHANGE: size(5):
type=eUDS, isRelevant=true, server=10.10.242.91:8443, connectionState=eFailed, isEncrypted=true, failureReason=eTimeout
type=eCCMCIP, isRelevant=true, server=10.10.242.91:8443, connectionState=eFailed, isEncrypted=true, failureReason=eTimeout
type=eEMAPI, isRelevant=true, server=10.10.242.91:8443, connectionState=eNotApplicable, isEncrypted=false
type=eConfigFile, isRelevant=true, server=10.10.242.91:6970, connectionState=eNotApplicable, isEncrypted=false
type=eConfigFile, isRelevant=true, server=10.10.242.91:69, connectionState=eNotApplicable, isEncrypted=false
2016-09-15 12:51:04,023 ERROR [0xdafba930] [nts/ecc/src/config/CCMCIPClient.cpp(138)] [csf.ecc] [fetchDevices] - HTTP error: eTimeout
2016-09-15 12:51:04,023 ERROR [0xdafba930] [nts/ecc/src/config/CCMCIPClient.cpp(139)] [csf.ecc] [fetchDevices] - Request failed : "https://10.10.242.91:8443/ccmcip/Personalization"
2016-09-15 12:51:04,024 ERROR [0xdafba930] [c/src/callcontrol/Authenticator.cpp(320)] [csf.ecc] [authenticate] - authenticate() failed [eCouldNotConnect]
2016-09-15 12:51:04,024 ERROR [0xdafba930] [lcontrol/CallControlManagerImpl.cpp(745)] [csf.ecc.api] [doAuthenticate] - doAuthenticate() failed [eCouldNotConnect]
2016-09-15 12:51:04,024 INFO [0xdafba930] [control/CallControlManagerImpl.cpp(1781)] [csf.ecc.evt] [notifyAuthenticationStatusChange] - AUTHENTICATION_STATUS_CHANGE: eFailed
2016-09-15 12:51:04,024 INFO [0xdafba930] [lcontrol/CallControlManagerImpl.cpp(755)] [csf.ecc.api] [getAuthenticationStatus] - getAuthenticationStatus() = eFailed
2016-09-15 12:51:04,025 ERROR [0xdafba930] [ntrol/TelephonyCallControlImpl.cpp(1620)] [jcf.tel.callcontrol] [authenticateWithCucm] - Failed to authenticate with CUCM AuthenticationStatus: [eFailed]
2016-09-15 12:51:04,025 ERROR [0xdafba930] [ntrol/TelephonyCallControlImpl.cpp(1621)] [jcf.tel.callcontrol] [authenticateWithCucm] - Failed to authenticate with CUCM Authentication Failure Code [eCouldNotConnect]
2016-09-15 12:51:04,026 INFO [0xf775eb4c] [ices/impl/TelephonyServiceImpl.cpp(1991)] [jcf.tel.service] [onTelephonyServiceAuthenticationStatusChanged] - TelephonyServiceAuthenticationStatus has changed from [None] to [CouldNotConnect]
2016-09-15 12:51:04,030 INFO [0xf775eb4c] [lcontrol/CallControlManagerImpl.cpp(771)] [csf.ecc.api] [getLastCCMCIPServerUsed] - getLastCCMCIPServerUsed()
2016-09-15 12:51:04,031 INFO [0xf775eb4c] [c/src/callcontrol/Authenticator.cpp(609)] [csf.ecc] [getLastCCMCIPServerUsed] - getLastCCMCIPServerUsed() =
2016-09-15 12:51:04,032 ERROR [0xf775eb4c] [ice/TelephonyAdapterServerHealth.cpp(66)] [jcf.tel.adapter] [getConnectionIpProtocol] - No connected ConnectionInfo of type: [eSIP]. Could not determine connection IP Protocol
2016-09-15 12:51:04,033 INFO [0xf775eb4c] [lcontrol/CallControlManagerImpl.cpp(911)] [csf.ecc.api] [getLastCTIServerUsed] - getLastCTIServerUsed() =
2016-09-15 12:51:04,033 ERROR [0xf775eb4c] [ice/TelephonyAdapterServerHealth.cpp(66)] [jcf.tel.adapter] [getConnectionIpProtocol] - No connected ConnectionInfo of type: [eCTI]. Could not determine connection IP Protocol
2016-09-15 12:51:04,034 ERROR [0xf775eb4c] [ice/TelephonyAdapterServerHealth.cpp(66)] [jcf.tel.adapter] [getConnectionIpProtocol] - No connected ConnectionInfo of type: [eCTI]. Could not determine connection IP Protocol
2016-09-15 12:51:04,039 INFO [0xf775eb4c] [(0) ] [JABBER.TELEPHONY] [OnAuthenticationStatusChanged] - OnAuthenticationStatusChanged: CouldNotConnect
2016-09-15 12:51:04,041 INFO [0xf775eb4c] [e(0) ] [JABBER.TELEPHONY] [setTelephonyError] - telephony life cycle, set error to 3005
2016-09-15 12:51:04,043 INFO [0xdafba930] [ntrol/TelephonyCallControlImpl.cpp(1640)] [jcf.tel.callcontrol] [authenticateWithCucm] - <--
2016-09-15 12:51:04,044 INFO [0xdafba930] [/TelephonyAdapterAuthentication.cpp(193)] [jcf.tel.adapter] [Authenticate] - <--
2016-09-15 12:51:04,044 ERROR [0xdafba930] [s/impl/AuthenticationHandlerImpl.cpp(75)] [authentication-handler] [AuthenticateImpl] - Authentication Failed
2016-09-15 12:51:04,051 INFO [0xf775eb4c] [rc/framework/ServicesDispatcher.cpp(174)] [services-dispatcher] [nextTask] - Task queue is back to a safe size
2016-09-15 12:51:04,056 INFO [0xf775eb4c] [common/CertificateValidityCache.cpp(172)] [csf.cert] [clear] - Clearing accepted and rejected certificates from memory
2016-09-15 12:51:04,056 INFO [0xf775eb4c] [ervices/impl/StartupHandlerImpl.cpp(327)] [startup-handler] [OnAuthenticationFailed] - Calling startupHandlerCallback.OnSystemLoginFailed
2016-09-15 12:51:04,057 INFO [0xf775eb4c] [src/services/impl/LifeCycleImpl.cpp(791)] [Life-Cycle-Logger] [OnSystemLoginFailed] - OnSystemLoginFailed - Callback received
2016-09-15 12:51:04,057 INFO [0xf775eb4c] [rc/services/impl/LifeCycleImpl.cpp(1353)] [Life-Cycle-Logger] [updateState] - Changing lifecycle State to: SIGNEDOUT
2016-09-15 12:51:04,057 INFO [0xf775eb4c] [(0) ] [JABBER.LIFECYCLE] [OnStateChanged] - state = SIGNEDOUT
2016-09-15 12:51:04,058 INFO [0xf775eb4c] [ignOnAuthenticationInfoStoreImpl.cpp(36)] [service-discovery] [getSSOEnabledServiceById] - SSOEnabledService not found for Auth Id: 2100. Returning NULL SSOAuthenticationInfo Smart Pointer.
2016-09-15 12:51:04,058 WARN [0xf775eb4c] [rvices/impl/system/SingleSignOn.cpp(138)] [Single-Sign-On-Logger] [isAuthenticatorSSOEnabled] - SSO Discovery disabled for 2100
2016-09-15 12:51:04,059 INFO [0xf775eb4c] [src/services/impl/LifeCycleImpl.cpp(805)] [Life-Cycle-Logger] [OnSystemLoginFailed] - OnSystemLoginFailed - Service is not SSO Enabled
2016-09-15 12:51:04,059 INFO [0xf775eb4c] [rc/services/impl/LifeCycleImpl.cpp(1155)] [Life-Cycle-Logger] [copyAndReleaseLifeCycleCallback] - Lifecyleimpl's unsupportedAuthenticatorCallback is reset, and its' lifeCycleCallback is reset.
2016-09-15 12:51:04,059 INFO [0xf775eb4c] [(0) ] [JABBER.LIFECYCLE] [OnCredentialsRequired] - with error code
2016-09-15 12:51:04,060 INFO [0xf775eb4c] [d(0) ] [JABBER.LIFECYCLE] [setSSOAccount] - is sso ? = false
2016-09-15 12:51:04,061 INFO [0xf775eb4c] [(0) ] [JABBER.LIFECYCLE] [handleSignInRequired] - authID = 2100 , isSSO = false
2016-09-15 12:51:04,062 WARN [0xf775eb4c] [d(0) ] [JABBER.LIFECYCLE] [handleLoginFail] - authID = 2100 , error
2016-09-15 12:51:04,063 INFO [0xdabbe930] [ents/jcfcoreutils/src/FileUtils.cpp(482)] [jcfcoreutils.fileutils] [createDirectory] - Creating directory: /data/user/0/com.cisco.im/files/Cisco/Unified Communications/Jabber/CSF/Telemetry
2016-09-15 12:51:04,064 INFO [0xf775eb4c] [ts/jcfcoreutils/src/ScopedTimer.cpp(166)] [scoped-timer] [pop] -
Thanks in advance
Sam
ā09-15-2016 05:10 AM
Do you have the debugs from the Expressway devices?
ā09-15-2016 10:45 PM
Thanks for the suggestion, after collected the debug from EXP-C and EXP-E.
It seems there is no traffic between EXP-E and firewall
Maybe I need to check with firewall team to verify that on coming Monday, because coming few days are public holiday here.
And update the result after 3 days
Thank you~
ā10-24-2016 07:38 PM
Did you ever get this fixed?
ā10-24-2016 07:42 PM
still not yet fix ...
ā03-15-2017 01:19 AM
Hi samhopealpha, some situation an some problem here with X8.9.1.
ā09-16-2016 06:57 AM
Finally, the firewall team has fixed the connection between EXP-E and firewall.
After collected the log on EXP-E and EXP-C (attached in this thread), I found 2 things
1.
In pcap (between EXP-E and firewall), it has TCP retransmission on port 8443
2.
In EXP-E, there is 401 unauthorized. (but the CUCM traversal Zone between EXP-E and EXP-C is ACTIVE)
2016-09-16T21:16:36.345+08:00 vcs tvcs: UTCTime="2016-09-16 13:16:36,345" Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="10.10.242.18" Local-port="7001" Dst-ip="10.10.242.17" Dst-port="25035" Msg-Hash="14457791731929824121"
SIPMSG:
|SIP/2.0 401 Unauthorised
Via: SIP/2.0/TLS 10.10.242.17:5061;branch=z9hG4bK6efafce64075a5984134c1d4a764b99815492;received=10.10.242.17;rport=25035
Call-ID: 9e61f8356f136695@10.10.242.17
CSeq: 53382 OPTIONS
From: <sip:10.10.242.17>;tag=5df8af125d5bf263
To: <sip:10.10.242.18:7001>;tag=48b21cf02f7ba61b
Server: TANDBERG/4133 (X8.8.1)
WWW-Authenticate: Digest realm="CUCM-Traveral-Zone", nonce="254502639a561f5576ad2213066df962dca56380b420fa4747d549c47352", opaque="AQAAAGPlxmXHSYAqvTOFWMfPSBYlLOpT", stale=FALSE, algorithm=MD5, qop="auth"
Content-Length: 0
But I have no idea these 2 issues are related to sign-in fail.
or there is anything I missed in the log ?
Thank you
Sam
ā09-17-2016 07:30 AM
Accroding to the pcap, on the eth1 (that is the interface of EXP-E connected to firewall)
I have the following assumption,
#1
EXP-E eth1 recevied a packet
o source: jabber mobile client (118.141.72.189)
o destination: EXP-E eth1 (192.168.243.18)
o Port: 8443
o Packet: SYN
#2
but, it seems EXP-E eth1 does not reply an SYN+ACK packet back to jabber mobile client
#3
then, EXP-E eth1 received "TCP re-transmission" SYN for 3 times.
The EXP-E eth1 still not reply any SYN+ACK packet back to jabber mobile client
It seems the jabber mobile cilent tried the process #1 - #3 for 3 times, then finally give up the sign-in process.
If my assumption is correct, it looks like there is someting stuck in EXP-E?
Anybody know what I have done incorrectly? or which part should I need to check ?
Thanks in advance
Sam
ā09-19-2016 09:56 PM
ā09-15-2016 09:58 AM
Hi samhopealpha,
Did you already make sure that all necessary ports in the firewall are open? If possible, as a test you can set a any to any firewall rule and then do some login tests.
Don't forget to rate all useful posts.
ā10-23-2016 11:46 PM
Anybody can help?
ā12-26-2017 07:31 AM
Hi.
Did you solve that issue? I've got the same situation.
Stuck here =(
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: