TMS - Endpoint IP updated to blank - Behind Firewall

Ronny Setereng · ‎06-14-2012

Some endpoints change fram an IP address to blank in TMS and the system is set behind firewall.

If i set IP on the system and change to reachable on LAN, everything works fine.

When applying a template, it changes IP to blank.

Any suggestions?

Magnus Ohm · ‎06-14-2012

Hi Ronny

Take a look in the new redundancy guide http://www.cisco.com/en/US/docs/telepresence/infrastructure/tms/config_guide/Cisco_TMS__Redundancy_Deployment_Guide_13-2.pdf

Page 5 through 6, it might help answering this question. It might also be useful to know where on the network this endpoint is located. Is it in fact behind firewall? Is it NAT'ed in some way?

/Magnus

Magnus Ohm · ‎06-14-2012

Also keep in mind we had some issues with the TC4.0, TC4.0.1 TMS 13.0 barrier where we saw some issues due to a change in how the endpoints require authentication for the status.xml which made TMS think the system was behind firewall. It should not be an issue on the newer software TC5.x and TMS 13.1 -->

/Magnus

robray_sc · ‎05-08-2013

Did you ever figure this out? Everything is on the local LAN so there is no firewall or NAT'ing, but after every reboot it changes back to "Behind Firewall" in TMS

Justin Ferello · ‎05-08-2013

Robray,

Do you have a load balancer on your network? Or do you have redundant TMSes with a LB in front of them?

Thank you,

Justin Ferello
Technical Support Specialist
KBZ, a Cisco Authorized Distributor
http://www.kbz.com
e/v: justin.ferello@kbz.com

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ

robray_sc · ‎05-08-2013

There is no load balancer on the network nor is there a redundant TMS. They have an email load balancer for their Exchange server but they wouldnt effect this...right?

Patrick Sparkman · ‎05-08-2013

It could be on the endpoints side as well, if TMS can't reach the endpoint directly, it will sometimes blank the address and set it to behind firewall.

Do you have a VCS in this deployment, if you do, you could check the endpoint's registration and see if the registration shows two different address.

Example:

Contact	sip:alias@10.36.56.22:5061;transport=tls
URI	sip:69.85.255.97:23784;transport=tls;apparent;ds;lr

10.36.56.22 is the local IP of the endpoint, and 69.85.255.97 is the public IP address. Their different, and when TMS see's this and it can't get to the local IP endpoint IP, it blanks out the address and sets it to behind firewall.

robray_sc · ‎05-08-2013

We do have a VCS and they both show the same internal IP\hostname. This video environment is internal only. We are not traversing a firewall or expressway

Contact: sip:Folly-SX20@10.10.10.155:5061;transport=tls

SIP URI: Folly-SX20

Nick Halbert-Lillyman · ‎05-08-2013

Just letting you know we've had the exact same issue. All endpoints internal with no firewalls or ACLs between, TMS 13.2 VCS 7.2. Endpoints are all TC5.1.4 or later, E20s TE4.1.1 or later (it's happened to both TC and TE endpoints).

It seems to happen randomly and I haven't been able to replicate it manually. It's only happened about 6 or 7 times out of 100+ endpoints so I haven't bothered looking into it that much.

EDIT: After reading through the TMS redundancy deployment guide about how if the reported IP address is different to the source address of the IP header then the system connectivity is changed to 'Behind Firewall', could it perhaps have something to do with DHCP and voice/data Vlan assignment?

As an example, a unit that has booted into the Data Vlan, got a template that told it to change its Vlan assignment to 'Auto' and subsequently got a new address in the Voice Vlan? Or maybe just a new DHCP address in the same Vlan?