Unable to login through MRA expressway

Remon Adel
Level 1

Dear,
I have an MRA solution:
1-Exp-C 8.10
2-EXP-E 8.10 (one port configured with a NATed IP)
3-WatchGuard (configured with reflection NAT)

The UC traversal zone is active between EXP-C and EXP-E, and CUCM and IMP have been added to EXP-C.
We have one internal domain and one external domain, and both domains have been configured on EXP-C.
When we try to log in from outside, this error appeared to us:

2017-08-23T13:26:57.133+00:00traffic_server[21538]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="105.46.141.101" Dst-port="53919" UTCTime="2017-08-23 13:26:57,133"
2017-08-23T13:26:57.133+00:00traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="doubleclick.co.tz" Src-ip="105.46.141.101" Src-port="53919" UTCTime="2017-08-23 13:26:57,132"
2017-08-23T13:26:56.862+00:00traffic_server[21538]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="105.46.141.101" Dst-port="53919" UTCTime="2017-08-23 13:26:56,862"
2017-08-23T13:26:56.862+00:00traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="doubleclick.co.tz" Src-ip="105.46.141.101" Src-port="53919" UTCTime="2017-08-23 13:26:56,861"

christoph.hable
Level 1
Hi!

Please check your setup with the Collaboration Solutions Analyzer to investigate your issue and post your findings there if you need further support.

https://cway.cisco.com/tools/CollaborationSolutionsAnalyzer/

BR,
Chris

Hi,
When I checked with this tool, this message appeared to me:

Edge Config

Failed to get edge config with status code 403. Make sure that user entered exists in UCM and you are entering the correct password and that the end user has the CCM EndUser role assigned. Verify that all CUCM Publishers can identify the correct Home Cluster for this user, and test that the enduser can authenticate to the Self Care Portal (or UCMUser) on every node within its home cluster.


But I checked all of the above and found the configuration is correct.

But still, when I try to log in, this error message appeared in the EXP-E logs:
traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="doubleclick.co.tz" Src-ip="154.129.231.163" Src-port="35261" UTCTime="2017-08-25 12:28:36,447"

I checked the EXP-C domains and found the external domain was added successfully.

Please help me to solve this issue.
Remon

Hi,

My suggestion: you can access the Expressway via the CLI and start a tcpdump -i eth(x) port (specify the MRA ports), and validate whether the port is working fine.

You can use ssh -p [port number] userlogin@ip_address to force the port and validate whether the firewall is blocking.

Share the MRA configuration from Exp-C and Exp-E; you can hide the names and passwords before sharing it with us.

Best regards,

Daniel

Daniel Sobrinho

Have you enabled the domain "doubleclick.co.tz" for MRA? The last time I worked on a similar issue, with another person having the same issue, he had a typo in the domain name.

But without logs it's very difficult to tell you what is happening.

Regards,

Alok
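
Added example (not part of the original thread and not Cisco code): a small Python script that pulls the Domain value out of get_edge_sso "MRA not supported" denials in the key="value" log format quoted above and compares it with a hand-entered list of configured domains, flagging likely typos. The sample log lines, IP addresses, domain list and function names are constructed for illustration.

```python
import difflib
import re
from collections import Counter

# Constructed sample in the key="value" format quoted in this thread (documentation IPs/domains).
SAMPLE_LOG = """\
2017-08-23T13:26:57.133+00:00traffic_server[21538]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="192.0.2.10" Dst-port="53919" UTCTime="2017-08-23 13:26:57,133"
2017-08-23T13:26:57.133+00:00traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="exmaple.com" Src-ip="192.0.2.10" Src-port="53919" UTCTime="2017-08-23 13:26:57,132"
2017-08-23T13:26:56.862+00:00traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="Exmaple.com" Src-ip="192.0.2.10" Src-port="53919" UTCTime="2017-08-23 13:26:56,861"
2017-08-23T13:27:01.004+00:00traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="example.com" Src-ip="192.0.2.44" Src-port="40112" UTCTime="2017-08-23 13:27:01,004"
"""
# Assumption: the domains configured on the Expressway-C, typed in by hand.
CONFIGURED_DOMAINS = ["example.com", "example.net"]
FIELD_RE = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')


def parse_fields(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def denied_domains(log_text):
    """Count get_edge_sso 'MRA not supported' denials per requested domain."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("Event") == "get_edge_sso" and fields.get("Reason") == "MRA not supported":
            counts[fields.get("Domain", "").lower()] += 1
    return counts


def triage(counts, configured):
    """Classify each denied domain: configured, possible typo, or not configured."""
    known = sorted({d.lower() for d in configured})
    result = {}
    for domain, hits in counts.items():
        near = difflib.get_close_matches(domain, known, n=1, cutoff=0.8)
        if domain in known:
            status = "configured"  # listed: check MRA enablement and auth settings
        elif near:
            status = "possible typo of " + near[0]
        else:
            status = "not configured"
        result[domain] = (hits, status)
    return result


if __name__ == "__main__":
    print(triage(denied_domains(SAMPLE_LOG), CONFIGURED_DOMAINS))
```
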

CUCM/CUPIMP 10.5.2

EXP-C/EXP-E X8.10

I am facing the same issue too. Based on my analysis, the Expressway has a big change in X8.10.x: "MRA Access Control with Authentication path".

When you select MRA, it will enable "UCM/LDAP basic authentication" by default. But unfortunately, you can see the Exp-C logs show Exp-C requesting SSO info from CUCM.

===================

2017-12-07T14:10:18.007+08:00 edgeconfigprovisioning: Level="WARN" Event="Edge OAuth/SSO" Service="OAuth/SSO" Detail="Forbidden at authorization server" Dst-ip="127.0.0.1" Dst-port="34472" Local-ip="127.0.0.1" Local-port="22111" Code="403" Server="192.168.50.9" Username="sunny.zhang" UTCTime="2017-12-07 06:10:18,007"

2017-12-07T14:10:17.813+08:00 edgeconfigprovisioning: Level="INFO" Detail="Sending authorize_proxy request" Server="192.168.50.9" POST="https://ccmhq.example.com:8443/ssosp/token/authorize_proxy" UTCTime="2017-12-07 06:10:17,813"

2017-12-07T14:10:17.813+08:00 edgeconfigprovisioning: Level="INFO" Event="Edge SSO" Service="OAuth/SSO" Detail="Received local_authentication for Edge OAuth access" Local-ip="127.0.0.1" Local-port="22111" Src-ip="127.0.0.1" Src-port="34472" Username="sunny.zhang" UTCTime="2017-12-07 06:10:17,813"

===================

I am trying to disable it, but the new login request did not send it again.

===================

2017-12-07T15:19:35.813+08:00 traffic_server[14393]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="1.1.1.146" Dst-port="8512" UTCTime="2017-12-07 07:19:35,813"

2017-12-07T15:19:35.812+08:00 traffic_server[14393]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="example.com" Src-ip="1.1.1.146" Src-port="8512" UTCTime="2017-12-07 07:19:35,812"

2017-12-07T15:19:35.806+08:00 traffic_server[14393]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="1.1.1.146" Dst-port="8512" UTCTime="2017-12-07 07:19:35,806"

2017-12-07T15:19:35.806+08:00 traffic_server[14393]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="example.com" Src-ip="1.1.1.146" Src-port="8512" UTCTime="2017-12-07 07:19:35,806"

===================

I need to research it deeply.

I will try to downgrade to X8.9.2 and test again.

Sunny

Dear Sunny. Have you downgraded? If yes, was the issue resolved? I am asking as we are tackling a similar issue.

TIA

Regards, Ahmet Hudai KOYUNCU CCNA Voice, CCNA Security

Hi, I downgraded to X8.9.2 and tested again; it did not solve it. I need some time to research it. In recent days, I have been trying to upgrade to X8.10.3, the newest version, and try again. Sunny

Ashraf Ansari
Level 1
Any solution to this issue?

Denis Morin
Level 1
I am getting the same error, did you ever find a solution for this?

Restart exp-e, after 10m restart exp-c, then after exp-c comes up deactivate the UC zone between exp-c and cucm and reactivate it again, then test.

Before the above steps, make sure all configurations are correct.

traffic_server[17937]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported

Getting the same error. Did you find the issue?

I had the same issue. The reason was the configuration of the user authentication on the edge server. I resolved it with the deployment of the core of UCM/LDAP authentication.
Go to Configuration/Unified Communications/MRA Access control and put UCM/LDAP basic auth + authorize by user credential.

This one worked for me, many thanks jcl1.

Thank you jcl, this worked for me too.