I have one question about correct settings for TMS.
My customer has a lot of endpoints. Many are behind the FW, but we have PAT for HTTPS, so according to the admin guide I set Reachable on Public Internet.
TMS then pushes its own FQDN from the network configuration to the endpoints. But after a few days TMS changed its own configuration to "Reachable on LAN"???
In the status.xml is the local IP. The endpoint is communicating with TMS from the public IP. The admin guide and also Magnus said that after that it is possible that TMS will change the settings to Behind the FW in the case that the HTTP and HTTPS ports are closed.
The HTTPS port is open and TMS changed its configuration. Is there something I am missing?
I solved this with a persistent template and correct configuration, but my question is why TMS is changing the connectivity settings to "Reachable on LAN".
TMS is also behind the FW with PAT.
Thanks for any idea.
Ok, sounds like fun. So you have an endpoint on the public internet with a private IP?
If the IP is private on the endpoint, TMS defines this as LAN. If it can communicate with this address then it is Reachable on LAN per definition. If that IP is not a private IP but a public one, then it will be Reachable on the Public Internet.
But if you look at the communication in a Wireshark trace, from what IP address does the packet come from? Is this IP the same as the one in the XML file?
Can you ping that private IP from the TMS server?
I'm just a little confused with the local IP on the public network thing that you mentioned.
For Behind Firewall, the packet is coming from an IP that does not match the one in the XML, and TMS cannot communicate with that address.
Please let me know if I'm way off here.
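The three rules stated in the reply above (private reported IP that TMS can reach = Reachable on LAN; public reported IP that TMS can reach = Reachable on Public Internet; packet source differing from the reported IP that TMS cannot reach = Behind Firewall) can be written down as a small classifier so that each case in the thread can be checked against them. This is an added illustration, not TMS code and not Cisco's documented algorithm: the status.xml fragment is a simplified, constructed stand-in for the real file, the addresses are constructed (RFC 5737 documentation ranges for the "public" side), and reachability is simulated by a lookup set instead of a real probe.

```python
"""Model of the TMS connectivity heuristic as described in the thread.

Constructed example: the rules come only from the reply above, the XML
schema is simplified, and reachability is simulated rather than probed.
"""
from ipaddress import ip_address, ip_network
import xml.etree.ElementTree as ET

# Constructed, simplified status.xml fragment (not the real TANDBERG schema):
# it only carries the address the endpoint reports about itself.
STATUS_XML = """<Status>
  <Network item="1">
    <IPv4><Address>192.168.1.2</Address></IPv4>
  </Network>
</Status>"""

# "Private IP" in the thread means an RFC 1918 address. Python's
# IPv4Address.is_private also flags the documentation ranges used below,
# so an explicit RFC 1918 test is used instead.
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_rfc1918(ip) -> bool:
    return any(ip in net for net in RFC1918)


def reported_ip(status_xml: str) -> str:
    """Return the IPv4 address the endpoint reports in its status.xml."""
    root = ET.fromstring(status_xml)
    addr = root.find("./Network/IPv4/Address")
    if addr is None or not addr.text:
        raise ValueError("no IPv4 address found in status.xml")
    return addr.text.strip()


def classify(xml_ip: str, packet_src_ip: str, can_reach) -> str:
    """Apply the three rules from the reply.

    can_reach(ip) simulates "TMS can communicate with this address".
    Anything the rules do not cover is reported as Undetermined rather
    than guessed.
    """
    reported = ip_address(xml_ip)
    source = ip_address(packet_src_ip)
    if can_reach(reported):
        return "Reachable on LAN" if is_rfc1918(reported) else "Reachable on Public Internet"
    if source != reported:
        return "Behind Firewall"
    return "Undetermined"


def make_reachability(addresses):
    """Build a can_reach() function from a constructed set of reachable IPs."""
    reachable = {ip_address(a) for a in addresses}
    return lambda ip: ip in reachable


def scenarios() -> dict:
    """Three constructed cases mirroring the thread's topology."""
    # TMS can reach its own LAN and the public side of the remote firewall,
    # but not the endpoint's private address behind that firewall.
    tms_can_reach = make_reachability(["10.0.0.1", "10.0.0.5", "203.0.113.20", "198.51.100.7"])
    return {
        # Endpoint behind FW2: status.xml says 192.168.1.2, packets arrive
        # from FW2's public (PAT) address, private address not reachable.
        "behind_firewall": classify(reported_ip(STATUS_XML), "203.0.113.20", tms_can_reach),
        # Endpoint on the same LAN as TMS: private address, directly reachable.
        "lan": classify("10.0.0.5", "10.0.0.5", tms_can_reach),
        # Endpoint with a public address that TMS reaches directly.
        "public": classify("198.51.100.7", "198.51.100.7", tms_can_reach),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16s} -> {result}")
```

Run as a script it prints the classification of each constructed case. Note that under these rules the endpoint in the original question (private address in status.xml, packets arriving from the firewall's public address, private address not reachable from TMS) comes out as Behind Firewall, which matches the reply, while the "Reachable on LAN" result the questioner observed is not produced by any of the three rules.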
Sorry, my mistake. I'll try to explain my settings in more detail:
TMS(10.0.0.2) - (10.0.0.1)FW1(18.104.22.168) - Internet - (22.214.171.124)FW2(192.168.1.1) - (192.168.1.2)EX90
FW1 https pat IP 126.96.36.199 -> 10.0.0.2
FW2 https pat IP 188.8.131.52 -> 192.168.1.2
EX90 //184.108.40.206/status.xml contains IP 192.168.1.2, but in the TMS configuration we have 18.104.22.168. From TMS you are not able to ping 192.168.1.2 :-) but you are able to make an HTTPS connection to 22.214.171.124 to reach the EX90.
In Wireshark, 126.96.36.199 is the source address // the local IP is not on the public network :-)
TMS is able to communicate with IP 188.8.131.52, but this IP is different from the IP in the status.xml, 192.168.1.2.
So the correct setting for this is Behind FW?
I still have one more question. Admin guide 13.2:
Setting an endpoint in public
If your system is in public, not behind a firewall or behind a firewall that has opened up the HTTP or HTTPS ports, it is advised to change the system connectivity on the system to Reachable on Public Internet. This way it will also be possible for Cisco TMS to set up calls where the endpoint is calling out, and not only being called to.
So I think that my settings are according to the admin guide.
My endpoints are behind the FW = the status.xml IP and the TMS IP for the endpoint are different (because the endpoint is behind the FW).
The HTTPS port on the FW is open = TMS has the possibility to communicate directly to the global IP (on the FW) to reach the endpoint.
But TMS every time changes the setting from Reachable on Public Internet to Reachable on LAN. The local IP from the status.xml is not reachable from TMS (no VPN connectivity or anything else).
Are you able to explain to me why TMS changes the setting for the endpoint from Reachable on Public Internet to Reachable on LAN? Or what am I missing?
On the system that this is happening with: if you go into TMS, find the system and go to the Connection tab, what IP is TMS trying to reach the system on?
What system status does the system have? (Idle/No https response?)
In the Connection tab is the FW global IP 4X.XXX.XXX.XXX and Current Connection Status: OK
System Type:TANDBERG EX90
Connectivity:Reachable on LAN
Do you have any idea?
Or just tell me whether you think the problem is in my configuration or in the system. I'll then open a TAC case or check the admin guide :-)
A TAC case might not be a bad idea, since I would assume you would be able to set Reachable on the Public Internet in this case.