Showing results for 
Search instead for 
Did you mean: 

Mobile Remote Access via Expressway -> Jabber can't connect from the Outside

We're deploying the Mobile Remote Access via Cisco Expressway solution using the Expressway-E and Expressway-C in a VM environment on version X8.1.1.and I feel we're almost good to go. The traversal zones (using IP addresses) are active in both the ExpC and ExpE.

The problem is that I can't login from the Outside, it says that it could not find network services. While on the inside, everything works well.

This is the deal:
- internal domain: acme.corp (private)
-external domain: (public)

When I signin internally, I use user@acme.corp in the Jabber's login screen and everything works fine! Without any other configuration I am able to login and call other directory numbers.

When I try to signin externally, the user@acme.corp gives me a timeout, so I change it to, the certificate is prompted and a few moments after accepting it I get the could not find services error message.

Do I have to try both logins when on the inside/outside of the corporate network?

I haven't made any changes in the jabber-config.xml file. Is it necessary on version X8.1.1?

I'm thinking about certificate problems, reading the guide I got a little confused on the certificate exchange:

1)Generate CSR-> OK

2)Add UC Domain ( and XMPP server information -> ??? Meaning the "Additional alternative names (comma separated)" and "Unified Communications domains" and "IM and Presence chat node aliases" right?
     In our deploy we don't use FQDN for the CUCM, CUC and CUP services, we're starting to use FQDN from the deploy of the Expressway solution. Anyways, the CUCM PUB is, CUCM SUB, CUC and CUP EXPC is and EXPE (Single NIC, on a stick, without NAT) is
     In the Outside: is SRV resolved to 8443 -> OK!
                     is A resolved to -> OK!

     In the Inside: _cisco-uds._tcp.acme.corp is SRV resolved to -> OK!
                           _cuplogin._tcp.acme.corp is SRV resolved to -> OK!
                           exp.acme.corp is A resolved to -> OK!

     Generating the CSR on ExpC I get 'conference-2-StandAloneClusterb7095.acme.corp' auto-filled in the 'IM and Presence Chat Node Aliases'.

     Generating the CSR on ExpE I get 'exp.acme.corp' auto-filled in the 'Unified Communications domain'.

     How to proper fill these fields generating CSR? We're using OpenSSL to act as CA and sign the CSRs.

     About the CUCM, CUC and CUP certificates, do they have to be imported into ExpE and/or ExpC? Which certificate? tomcat.pem or tomcar-trust.pem?


Thanks in advance!


Did you get an answer on this question?  I am having the same issue


Vini, I hope this will answer some of your questions.

My first recommendation would be to use FQDN on your CUCM, CUC and CUP servers.

I would also point your SRV records to the FQDN once they are made.

To answer your question on which tomcat cert, use the tomcat.pem and only import them into the ExpC.

Are the domains on your expressways the same or different? e.i. ExpC: Internal domain ExpE:External domain

here is a doc that might shed some light (i know it helped me)


I had the same issue when trying to log in from outside. Once I had my SRVs pointing to the FQDN and set a domain under the ExpC to the IM/P domain I was able to log in externally.

Hope this helps




Thanks for sharing this link. The sample configuration that you shared with the link has been the most straightforward so far compared to looking through all the MRA documents for 8.2.   Much appreciated!


hi Phil,


your link was helpful for me too, and I used another blogpost which was useful too -


did you get your issue resolved, I am having the same issue.  Cannot seem to connect from the outside, if I put the wrong password for a user, I get the notification of wrong password.  But I cannot seem to connect and get cannot communicate with the server.


Make sure if you have the Advanced Networking Option key on the Expressway-E, and you are not making use of the second interface that the "Use dual network interfaces" is set to no. I found that having this set to yes but with no active connection on the second interface, did not impact normal operation or VC calls but it caused the MRA to fail with similar "cannot communicate with the server" errors.




hi folks,


I had the same issue and this discussion was very helpful for me -

especially this configuration example -

you can read my comment and find my mistakes, it may be helpful:

""I had the same issue and Paul gave me right direction.

I followed his link with that configuration example and in my case I haven't configured 2 different domains at VCS Expressway - one for external domain, another for internal domain where IM&P resides. it was first mistake, second was DNS misconfiguration decribed in previously mentioned configuration example.""

Content for Community-Ad