cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

AMA-CUCM Troubleshooting: Best Practices for Reading Trace Files

6830
Views
30
Helpful
14
Replies
R A Beginner
Beginner

Unable to login through MRA expressway

Dear ,
I have MRA solution
1-Exp-C 8.10
2-EXP-E 8.10 (one port configuired with nated IP )
3-WatchGaurd (configuired with reflection nat)

UC traversal zone is active between EXP-C and EXP-E and added CUCM, IMP to EXP-C.
we have one internal domain and other external and two domain have been configired on EXP-C
when we try to login from outside this error appeared to us

2017-08-23T13:26:57.133+00:00traffic_server[21538]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="105.46.141.101" Dst-port="53919" UTCTime="2017-08-23 13:26:57,133"
2017-08-23T13:26:57.133+00:00traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="doubleclick.co.tz" Src-ip="105.46.141.101" Src-port="53919" UTCTime="2017-08-23 13:26:57,132"
2017-08-23T13:26:56.862+00:00traffic_server[21538]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="105.46.141.101" Dst-port="53919" UTCTime="2017-08-23 13:26:56,862"
2017-08-23T13:26:56.862+00:00traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="doubleclick.co.tz" Src-ip="105.46.141.101" Src-port="53919" UTCTime="2017-08-23 13:26:56,861"
Everyone's tags (2)
14 REPLIES 14

Re: Unable to login through MRA expressway

Hi!

Please check your setup with the Collaboration Solutions Analyzer to investigate your issue and post your findings there if you need further support.

https://cway.cisco.com/tools/CollaborationSolutionsAnalyzer/

BR,
Chris
R A Beginner
Beginner

Re: Unable to login through MRA expressway

Hi
when i check with this tool  this message appeared to me .

Edge Config

Failed to get edge config with status code 403. Make sure that user entered exists in UCM and you are entering the correct password and that the end user has the CCM EndUser role assigned. Verify that all CUCM Publishers can identify the correct Home Cluster for this user, and test that the enduser can authenticate to the Self Care Portal (or UCMUser) on every node within its home cluster.


But i checked all above and found  configuration is correct .

but  still when i try to login this error message appeared on EXP-E logs
traffic_server[21538]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="doubleclick.co.tz" Src-ip="154.129.231.163" Src-port="35261" UTCTime="2017-08-25 12:28:36,447"

i checked EXP-C domaind and found External domain added secussefully .


Please Help me to solve this issue
Remon
Engager

Re: Unable to login through MRA expressway

Hi,

 

My suggestion, you can access the Expressway via cli and start a tcpdump -i  eth(x) port (specifiy ports mra). And validade if port is working fine. 

 

You can use ssh -p [port number]  userlogin@ip_address to force port and validate if firewall is blocking.

 

Share the configuration of MRA from Exp-C and Exp-E, you can hide the names and passwords before share with us. 

 

Best regards,

Daniel

Daniel Sobrinho
Enthusiast

Re: Unable to login through MRA expressway

Have you enabled the domain "doubleclick.co.tz" for  MRA ? Last i worked on a simillar issue with one of the other person having same issue, he had a typo error on domain name.

 

But without logs its very difficult to tell you what is happening. 

 

regards,

Alok

Beginner

Re: Unable to login through MRA expressway

CUCM/CUPIMP 10.5.2

EXP-C/EXP-E X8.10

 

I am facing the same issue too. Based on my analyze, the Expressway has big change on X8.10.x, It's "MRA Access Control with Authentication path".

 

By default, When you select MRA, it will enable "UCM/LDAP basic authentication" by default. But unfortunately, you can see Exp-C logs shows Exp-C request SSO info to CUCM.

 

===================

2017-12-07T14:10:18.007+08:00 edgeconfigprovisioning: Level="WARN" Event="Edge OAuth/SSO" Service="OAuth/SSO" Detail="Forbidden at authorization server" Dst-ip="127.0.0.1" Dst-port="34472" Local-ip="127.0.0.1" Local-port="22111" Code="403" Server="192.168.50.9" Username="sunny.zhang" UTCTime="2017-12-07 06:10:18,007"

 

2017-12-07T14:10:17.813+08:00 edgeconfigprovisioning: Level="INFO" Detail="Sending authorize_proxy request" Server="192.168.50.9" POST="https://ccmhq.example.com:8443/ssosp/token/authorize_proxy" UTCTime="2017-12-07 06:10:17,813"

 

2017-12-07T14:10:17.813+08:00 edgeconfigprovisioning: Level="INFO" Event="Edge SSO" Service="OAuth/SSO" Detail="Received local_authentication for Edge OAuth access" Local-ip="127.0.0.1" Local-port="22111" Src-ip="127.0.0.1" Src-port="34472" Username="sunny.zhang" UTCTime="2017-12-07 06:10:17,813"

 

===================

 

I am trying to disable it but new login request did not send it again.

 

===================

 

2017-12-07T15:19:35.813+08:00 traffic_server[14393]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="1.1.1.146" Dst-port="8512" UTCTime="2017-12-07 07:19:35,813"

 

 

2017-12-07T15:19:35.812+08:00 traffic_server[14393]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="example.com" Src-ip="1.1.1.146" Src-port="8512" UTCTime="2017-12-07 07:19:35,812"

 

 

2017-12-07T15:19:35.806+08:00 traffic_server[14393]: Event="Sending HTTP error response" Status="403" Reason="Forbidden" Dst-ip="1.1.1.146" Dst-port="8512" UTCTime="2017-12-07 07:19:35,806"

 

2017-12-07T15:19:35.806+08:00 traffic_server[14393]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported" Domain="example.com" Src-ip="1.1.1.146" Src-port="8512" UTCTime="2017-12-07 07:19:35,806"

 

===================

 

Need to research it deeply.

 

I will try to downgrade to X8.9.2 test again.

 

Sunny

Re: Unable to login through MRA expressway

Dear Sunny. Have you downgraded? If yes was the issue resolved? I am asking as we are tackling with similar issue. 

TIA

Regards, Ahmet Hudai KOYUNCU CCNA Voice, CCNA Security
Beginner

Re: Unable to login through MRA expressway

Hi, I downgraded to X8.9.2 and test again, it did not solved. I need sometime to research on it. Recent days, I am trying to upgrade to X8.10.3, the newest version and try. Sunny
Beginner

Re: Unable to login through MRA expressway

any solution to this issue?
Beginner

Re: Unable to login through MRA expressway

I am getting the same error, did you ever find a solution for this?

R A Beginner
Beginner

Re: Unable to login through MRA expressway

Restart exp-e after 10m restart exp-c ,,then after exp-c came up deactivate UC zone  between exp-c and cucm and reactivate it again then test.

 

Before above steps make sure all configurations are correct 

Beginner

Re: Unable to login through MRA expressway

traffic_server[17937]: Event="get_edge_sso" Detail="Access denied" Reason="MRA not supported

geeting same error did you found the issue

Enthusiast

Re: Unable to login through MRA expressway

I had the same issue. The reason was the configuration of the user authentication on edge server. I resolve it with teh deployment of the core of UCM/LDAP authentication.
Go to Configuration/Unified Communications/MRA Access control and put UCM/LDAP basic auth + authorize by user credential
Beginner

Re: Unable to login through MRA expressway

this one worked for me, many thanks jcl1

Beginner

Re: Unable to login through MRA expressway

Thank you jcl, this worked for me too.

 

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards